Ensure Log Metric Filter and Alarm Rule

Rule Description

Troubleshooting Steps (if any)

2. 1.

   Ensure IAM policy change logging is enabled: Check if IAM policy changes are being logged by verifying the CloudTrail configuration and log delivery settings. Make sure CloudTrail is activated and configured correctly for your AWS account.

4. 2.

   Verify log metric filter configuration: Double-check the log metric filter settings to ensure the correct filter pattern is used to track IAM policy changes related to GDPR. Ensure that the correct CloudTrail log group is selected and that the filter pattern aligns with GDPR-specific IAM policy changes.

6. 3.

   Review IAM policy permissions: Confirm that the IAM user or role you are using to create the log metric filter and alarm has the necessary permissions. Required permissions include "cloudwatch:PutMetricFilter" and "cloudwatch:PutMetricAlarm" as well as access to the CloudTrail logs.

8. 4.

   Check alarm configuration: Examine the alarm configuration parameters such as threshold, evaluation period, and actions to ensure they are correctly set. Make sure the alarm triggers based on the desired conditions when IAM policy changes occur.

Necessary Codes (if any)

Step-by-Step Guide for Remediation

Step 1: Enable CloudTrail

2. 1.
   Open the AWS Management Console and navigate to the CloudTrail service.
4. 2.
   Create a new trail or select an existing trail that captures the IAM policy changes.
6. 3.
   Configure the trail settings, including the storage location and delivery frequency.
8. 4.
   Enable logging of management events and specifically include IAM policy changes in the trail configuration.
10. 5.
    Save the trail settings.

Step 2: Create a Log Metric Filter

2. 1.
   Open the AWS Management Console and go to the CloudWatch service.
4. 2.
   In the CloudWatch dashboard, navigate to the "Logs" section and select the CloudTrail log group.
6. 3.
   Click on the "Create metric filter" button.
8. 4.
   Define a filter pattern that matches IAM policy changes related to GDPR. For example, you can use the filter pattern:

   {($.eventName = PutGroupPolicy) || ($.eventName = PutUserPolicy) || ($.eventName = PutRolePolicy)} && ($.additionalEventData.policyType = "IdentityPolicy") && ($.additionalEventData.compliance.relatedEventName = "EnableMfaForUser")
   

10. 5.
    Select the log groups to apply the filter to, such as the CloudTrail logs specific to GDPR-related activities.
12. 6.
    Configure the filter details, including the metric namespace and metric name for the filter.
14. 7.
    Save the metric filter.

Step 3: Create a Log Metric Filter Alarm

2. 1.
   In the CloudWatch dashboard, select the "Alarms" section.
4. 2.
   Click on the "Create alarm" button.
6. 3.
   In the alarm configuration wizard, select the previously created metric filter as the alarm source.
8. 4.
   Set the conditions for the alarm based on the desired policy change thresholds, such as the number of policy changes within a specific time period.
10. 5.
    Specify the actions to be taken when the alarm triggers, such as sending notifications via email or triggering an automated response.
12. 6.
    Review and save the alarm configuration.