
Rule: Ensure a log metric filter and alarm exist for AWS Config configuration changes

This rule requires that a log metric filter and alarm be set up for AWS Config configuration changes.

Rule: Ensure a log metric filter and alarm exist for AWS Config configuration changes
Framework: cis_v150
Severity: Low

Rule Description:

The rule ensures that a log metric filter and alarm are set up for AWS Config configuration changes, specifically for the CIS Benchmark version 1.5.0 (cis_v150). This is important for monitoring and alerting on any configuration changes made within your AWS environment.

Remediation:

To remediate this rule, follow the step-by-step guide below:

Step 1: Create a Log Metric Filter

  1. On the AWS Management Console, navigate to the CloudWatch service.
  2. In the left-hand navigation panel, click on "Logs" and select "Log groups".
  3. Identify or create the appropriate log group that matches the resource you want to monitor for configuration changes. Note the name of the log group.
  4. Click on the log group name to open the log group details.
  5. In the top-right corner, click on the "Create Metric Filter" button.
  6. In the "Filter pattern" section, enter the following pattern:
     "{($.eventName = CreateConfigRule || $.eventName = PutConfigRule || $.eventName = DeleteConfigRule) && $.aws:configRuleName = cis_v150}"
  7. In the "Test pattern" section, you should see sample log events that match the pattern. Confirm that the correct logs are matched.
  8. Click on the "Assign metric" button.
  9. Choose "Create new metric" and provide a meaningful name for the metric.
  10. Click on the "Create filter" button to save the log metric filter.

Step 2: Create an Alarm

  1. In the CloudWatch console, navigate to the "Alarms" section.
  2. Click on the "Create alarm" button.
  3. Under the "Select metric" section, choose the metric that you created in the previous step.
  4. Configure the threshold and conditions for the alarm based on your requirements. For example, you may set the threshold to "1" and choose a specific period for evaluation.
  5. Specify the actions to be taken when the alarm enters the ALARM state. This can include sending notifications to certain users or triggering automated actions.
  6. Review the configuration and click on the "Create alarm" button to save the alarm.

Troubleshooting:

If you encounter any issues during the remediation process, consider the following troubleshooting steps:

  1. Log group does not exist: Ensure that you have identified or created the correct log group that matches the resource you want to monitor. Double-check the log group name used in the filter pattern.
  2. Incorrect filter pattern: Review the filter pattern used in the log metric filter. Ensure that the pattern matches the desired events (CreateConfigRule, PutConfigRule, or DeleteConfigRule) and includes the specific aws:configRuleName set to cis_v150.
  3. No matching log events: If the "Test pattern" section does not display any matching log events, verify that the correct events have been generated. Ensure that AWS Config is properly configured to capture the desired configuration change events.
  4. Alarm configuration issues: Double-check the alarm thresholds, conditions, and actions. Ensure that you have configured them correctly to trigger the desired response.

If all troubleshooting steps fail, consider reviewing the AWS Config documentation, seeking guidance from AWS support, or consulting with an experienced AWS professional for further assistance.

Additional Information:

Creating a log metric filter and alarm for AWS Config configuration changes, as required by CIS Benchmark version 1.5.0 (cis_v150), helps maintain compliance, security, and visibility over your AWS environment. It enables early detection of unauthorized or unexpected configuration changes so that you can respond promptly.
