Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Ensure a Log Metric Filter and Alarm Exist for CloudTrail Configuration Changes Rule

This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes.

RuleEnsure a log metric filter and alarm exist for CloudTrail configuration changes
Frameworkcis_v150
Severity
Low

Rule Description:

To meet the CIS benchmark version 1.5.0 requirement, it is mandatory to have a log metric filter and alarm in place for CloudTrail configuration changes. This ensures that any modifications made to CloudTrail settings are promptly detected and alerted upon, aiding in proactive security monitoring and response.

Troubleshooting Steps:

If the log metric filter and alarm for CloudTrail configuration changes are not present or not functioning correctly, follow these troubleshooting steps:

  1. 1.

    Verify CloudTrail service: Ensure that CloudTrail is enabled for the AWS account using the AWS Management Console or AWS CLI. If it is not enabled, enable it in the desired region(s).

  2. 2.

    Verify CloudTrail trails: Check if the CloudTrail trail(s) are correctly configured and active, covering all required regions and resources.

  3. 3.

    Verify IAM permissions: Ensure that the IAM user or role executing the CloudTrail configuration has sufficient permissions to create and modify log metric filters and alarms. Refer to the AWS documentation for the necessary IAM policy permissions.

  4. 4.

    Check CloudWatch Logs: Validate if the CloudTrail logs are being delivered correctly to CloudWatch Logs. This can be confirmed by checking the existence and freshness of CloudTrail log groups in the respective region(s).

  5. 5.

    Verify log metric filter: Review the configuration of the log metric filter responsible for detecting CloudTrail configuration changes. Ensure that the filter pattern accurately captures the desired events, such as "ModifyTrail" or "CreateTrail" API calls. Verify that the log metric filter is associated with the correct log group.

  6. 6.

    Validate CloudWatch Metric Filters: Ensure that the CloudTrail configuration change log metric filter is correctly associated with a CloudWatch metric filter. Validate that the filter pattern is correctly defined, including any required query expressions or regular expressions.

  7. 7.

    Verify CloudWatch Alarm: Check if the CloudWatch alarm for CloudTrail configuration changes exists and is associated with the appropriate metric filter. Validate the alarm thresholds, actions taken upon triggering, and the desired notification mechanism.

  8. 8.

    Review log retention: Ensure that the CloudWatch log retention period is configured to retain the logs for a sufficient duration, aligning with compliance and investigation requirements.

  9. 9.

    Check alarm notification: Verify that the alarm notification is properly configured and that the designated recipients or monitoring systems are receiving the alert notifications.

Necessary Codes:

No specific code snippets are required for this rule.

Step-by-Step Guide for Remediation:

Follow these steps to create a log metric filter and alarm for CloudTrail configuration changes:

  1. 1.

    Open the AWS Management Console and navigate to the CloudWatch service.

  2. 2.

    In the left navigation pane, click on "Logs" and select the appropriate log group containing the CloudTrail logs.

  3. 3.

    Click on the log group name to access the log details.

  4. 4.

    On the top right, click on "Create metric filter" to define a new metric filter.

  5. 5.

    In the "Filter pattern" section, provide a filter pattern that accurately captures the CloudTrail configuration change events. For example, use the filter pattern:

    {($.eventName = ModifyTrail) || ($.eventName = CreateTrail)}
    .

  6. 6.

    Click on "Test pattern" to validate the filter pattern against existing log data. Adjust the filter if needed until successful validation.

  7. 7.

    Define a name for the log metric filter in the "Filter name" field.

  8. 8.

    In the "Metric details" section, select "Create new metric" and provide a name for the custom metric.

  9. 9.

    Choose an appropriate namespace for the metric or create a new namespace.

  10. 10.

    Complete any additional required fields, such as dimensions or metric value extraction, based on your specific needs.

  11. 11.

    Review the summary and click "Create filter" to create the log metric filter.

  12. 12.

    Once the log metric filter is created, access the CloudWatch service dashboard.

  13. 13.

    In the left navigation pane, click on "Alarms" and then "Create alarm".

  14. 14.

    Search for the metric filter name created in step 7 and select it.

  15. 15.

    Configure the alarm threshold and actions based on your requirements. For example, set the threshold to ">=1 for 1 period(s)" to trigger an alarm if any CloudTrail configuration change is detected.

  16. 16.

    Specify the actions to be taken when the alarm triggers, such as sending a notification to an email address or triggering an AWS Lambda function.

  17. 17.

    Review the alarm configuration and click "Create alarm" to create the CloudWatch alarm.

  18. 18.

    Test the alarm by making a CloudTrail configuration change and verify that the notification is received and logged as expected.

Conclusion:

By following the above steps, you can ensure the presence of a log metric filter and alarm for CloudTrail configuration changes, meeting the requirements of the CIS benchmark version 1.5.0.

Is your System Free of Underlying Vulnerabilities?
Find Out Now