Rule: Ensure a Log Metric Filter for Network Access Control Lists
This rule ensures the existence of a log metric filter for changes made to Network Access Control Lists (NACL)
| Rule | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
| Framework | General Data Protection Regulation (GDPR) |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm are in place to detect any changes made to Network Access Control Lists (NACL) in compliance with the General Data Protection Regulation (GDPR). NACLs are an important component of network security as they act as a firewall at the subnet level, controlling inbound and outbound traffic. Monitoring changes to NACLs helps maintain data privacy and security, ensuring compliance with GDPR regulations.
Troubleshooting Steps:
If any issues arise related to this rule, follow these troubleshooting steps to resolve them:
- 1.Verify if the log metric filter is configured correctly.
- 2.Check if the alarm associated with the metric filter is properly set up.
- 3.Ensure that the NACL changes are being logged in the appropriate log group.
- 4.Review the alarm configuration for accuracy, including the threshold and notification settings.
- 5.Check the CloudWatch Logs for any errors or inconsistencies related to NACL changes.
If the troubleshooting steps do not resolve the issue, consult the AWS documentation or seek assistance from AWS Support.
Necessary Codes:
- 1.The following AWS CLI command can be used to create a log metric filter:
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name NACL-Changes --filter-pattern "NACL modified" --metric-transformations metricName=NACL-Changes,metricNamespace=GDPR
- 1.Once the log metric filter is created, an alarm can be set up using AWS CLI with the following command:
aws cloudwatch put-metric-alarm --alarm-name NACL-Changes-Alarm --metric-name NACL-Changes --namespace GDPR --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --dimensions Name=LogGroupName,Value=<log-group-name> --evaluation-periods 1 --alarm-description "Alarm for detecting NACL changes" --alarm-actions <SNS-topic-ARN>
Remember to replace
<log-group-name><SNS-topic-ARN>Remediation Steps:
Follow these step-by-step instructions to remediate any issues related to NACL changes and ensure compliance with GDPR:
- 1.
Configure the log metric filter:
- Open the AWS CLI or AWS Management Console.
- Choose the appropriate log group or create a new one for storing NACL log data.
- Execute the AWS CLI command mentioned above to create the log metric filter.
- Ensure the filter name is set to "NACL-Changes" and the filter pattern is "NACL modified".
- Assign a meaningful metric name and namespace, such as "NACL-Changes" and "GDPR" respectively.
- 2.
Set up the alarm:
- Using AWS CLI or AWS Management Console, navigate to the CloudWatch service.
- Select "Alarms" from the left-hand menu.
- Click on "Create Alarm".
- Choose the predefined metric filter "NACL-Changes" under the "GDPR" namespace.
- Configure the alarm threshold as per your requirements (e.g., 1 change within 5 minutes).
- Select the appropriate SNS topic for alarm actions to receive notification alerts.
- Provide a descriptive alarm name, such as "NACL-Changes-Alarm", and a brief description.
Once the log metric filter and alarm are set up correctly, you will receive notifications whenever changes are made to NACLs, ensuring compliance with GDPR regulations. Regular monitoring of the alarms and log data will help promptly identify any unauthorized modifications or potential security breaches.