
Rule: Ensure a Log Metric Filter and Alarm Exist for CloudTrail Configuration Changes

This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes.

Rule: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Framework: General Data Protection Regulation (GDPR)
Severity: Low

Rule/Policy: Ensure a log metric filter and alarm exist for CloudTrail configuration changes for General Data Protection Regulation (GDPR)

Description:

This rule ensures that a log metric filter and alarm are in place to monitor changes to the CloudTrail configuration that supports your General Data Protection Regulation (GDPR) compliance. The GDPR is a European Union (EU) regulation intended to protect the personal data and privacy of EU citizens. With this log metric filter and alarm in place, you can detect and respond to unauthorized or suspicious changes to your CloudTrail configuration that might affect GDPR compliance.

Troubleshooting Steps:

  1. Verify that AWS CloudTrail is enabled in your AWS account. If not, enable CloudTrail by following the AWS documentation.
  2. Ensure that you have the required access permissions to configure log metric filters and alarms in CloudTrail. Check your IAM user or role permissions and make sure you have the necessary permissions.
  3. Check the existing CloudTrail configuration and verify whether the log metric filter and alarm for GDPR-related changes are already in place. If they are, ensure they are correctly configured and actively monitoring.

Necessary Codes:

There are no specific codes required for this rule.

Step-by-Step Guide for Remediation:

Step 1: Configure CloudTrail Log Metric Filter

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Select the appropriate CloudTrail trail from the list.
  4. Click on the "Configure" button.
  5. Scroll down to the "CloudWatch Logs" section and click on the "Add new CloudWatch log group" button if no log group is configured already. Otherwise, select the existing log group.
  6. In the "Metric Filters" section, click on the "Add new metric filter" button.
  7. Provide a name for the metric filter, such as "GDPR-CloudTrail-Config-Changes-Filter".
  8. In the filter pattern field, enter the following pattern:

     { ($.eventName = "UpdateTrail") && ($.requestParameters.name = "GDPR-Trail") }

     Note: Replace GDPR-Trail with the actual name of the CloudTrail trail that you use for GDPR compliance.
  9. Specify the log group for the metric filter.
  10. Click on the "Assign metric" button.
  11. Choose a new or existing namespace for the metric.
  12. Enter a metric name, such as "GDPR-CloudTrail-Config-Changes-Metric".
  13. Click on the "Create filter" button to save the metric filter configuration.

Step 2: Create CloudWatch Alarm

  1. Navigate to the CloudWatch service in the AWS Management Console.
  2. From the left navigation pane, click on "Alarms".
  3. Click on the "Create alarm" button.
  4. In the "Create Alarm Wizard", search for the metric created in Step 1.
  5. Select the metric that matches the name used in Step 1, e.g., "GDPR-CloudTrail-Config-Changes-Metric".
  6. Set the conditions for the alarm based on your requirements. For example, you can set the threshold to "Whenever GDPR-CloudTrail-Config-Changes-Metric is Greater/Equal to 1 within 5 minutes".
  7. Provide a descriptive name for the alarm, such as "GDPR-CloudTrail-Config-Changes-Alarm".
  8. Define the actions to be taken when the alarm state is triggered, such as sending a notification or invoking an AWS Lambda function for further processing.
  9. Click on the "Create alarm" button to save the alarm configuration.

Summary:

By following the above steps, you will configure a CloudTrail log metric filter and alarm to monitor any changes made to the CloudTrail configuration related to GDPR. This will help ensure compliance with GDPR regulations and provide timely notifications to investigate any unauthorized or suspicious changes.
