This rule ensures the presence of a log metric filter and alarm for security group changes.
Rule | Ensure a log metric filter and alarm exist for security group changes
Framework | General Data Protection Regulation (GDPR)
Severity | Low
Rule Description:
This rule ensures that a log metric filter and alarm exist for any changes made to security groups in order to comply with the General Data Protection Regulation (GDPR). The GDPR sets strict requirements for protecting personal data, including ensuring that access to this data is controlled through appropriate security configurations.
Troubleshooting Steps:
If the log metric filter and alarm for security group changes do not exist or do not function correctly, follow these troubleshooting steps:
Check CloudTrail Configuration: Verify that CloudTrail is properly configured to capture changes to security groups and that the trail delivers its events to a CloudWatch Logs log group, since metric filters operate on CloudWatch Logs rather than on the trail's S3 bucket. Ensure that the correct AWS regions are included in the CloudTrail configuration.
Check IAM Permissions: Confirm that the IAM user or role responsible for setting up the log metric filter and alarm has the necessary permissions to access CloudTrail logs, create metric filters, and create alarms.
Verify Log Metric Filter: Ensure that the log metric filter has been correctly set up and is capturing changes to security groups in the CloudTrail logs. Review the filter pattern and confirm that it accurately matches the log events related to security group changes.
Confirm Alarm Configuration: Check the alarm configuration, including the threshold and the actions taken when the alarm is triggered. Ensure that the intended recipients are notified when the alarm is activated.
Review CloudWatch Metrics: Monitor the CloudWatch metrics related to the log metric filter and alarm to ensure that they are receiving and processing the expected log events. Observe whether any alarms have been triggered and investigate any potential issues.
Test Security Group Changes: Make a test change to a security group (for example, add and then remove a rule on a non-production group) and verify that the log metric filter counts the resulting events and triggers the corresponding alarm. Adjust the log metric filter and alarm configuration if necessary.
Consult AWS Documentation: If the troubleshooting steps mentioned above do not resolve the issue, consult the AWS documentation or contact AWS support for further assistance.
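To carry out the "Verify Log Metric Filter" and "Test Security Group Changes" steps without touching a live account, the following added example (not part of the original rule text) evaluates the `{ ($.eventName = ...) || ... }` filter pattern used later in this guide against a few constructed CloudTrail records and reports which security group change events the pattern would never match. The sample records and the set of change events are assumptions; CreateSecurityGroup and DeleteSecurityGroup are listed because the CIS AWS Foundations Benchmark's version of this filter covers them as well.

```python
import re

# The filter pattern from the remediation guide on this page.
SG_FILTER_PATTERN = (
    "{($.eventName = AuthorizeSecurityGroupIngress) || "
    "($.eventName = AuthorizeSecurityGroupEgress) || "
    "($.eventName = RevokeSecurityGroupIngress) || "
    "($.eventName = RevokeSecurityGroupEgress)}"
)

# Constructed CloudTrail records (sample data, not from a real account).
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "RevokeSecurityGroupEgress", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "CreateSecurityGroup", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DeleteSecurityGroup", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com"},
]

# Assumed set of API calls that change a security group; Create/Delete are included
# because the CIS AWS Foundations Benchmark's version of this filter covers them too.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# One '($.field = value)' term of the JSON-style filter syntax.
_TERM = re.compile(r"\(\s*\$\.(\w+)\s*=\s*([\w.-]+)\s*\)")


def parse_or_pattern(pattern):
    """Parse the '{ ($.field = value) || ... }' subset of the filter syntax into (field, value) pairs."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a JSON-style filter pattern in braces")
    terms = _TERM.findall(body[1:-1])
    # Anything left after removing the terms and the '||' operators is syntax we do not handle.
    leftover = _TERM.sub("", body[1:-1]).replace("||", "").strip()
    if not terms or leftover:
        raise ValueError("unsupported filter syntax: %r" % leftover)
    return terms


def matches(pattern, event):
    """True if CloudWatch Logs would count this record for the metric filter."""
    return any(str(event.get(field)) == value for field, value in parse_or_pattern(pattern))


def coverage_report(pattern, events, required=SG_CHANGE_EVENTS):
    """Return (event names caught in the sample, change events the pattern never matches)."""
    caught = sorted({e["eventName"] for e in events if matches(pattern, e)})
    filtered = {value for field, value in parse_or_pattern(pattern) if field == "eventName"}
    return caught, sorted(required - filtered)
```

Running `coverage_report(SG_FILTER_PATTERN, SAMPLE_EVENTS)` shows that the page's pattern counts the Authorize/Revoke calls but would miss CreateSecurityGroup and DeleteSecurityGroup, which is worth knowing before the alarm goes into production.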
Necessary Codes:
The log metric filter and alarm for security group changes can be created through the AWS Management Console or the AWS Command Line Interface (CLI); no custom application code is required, because the configuration is managed by the AWS services themselves. The following step-by-step guide uses the AWS Management Console.
Step-by-Step Guide for Remediation:
Sign in to the AWS Management Console: Visit the AWS Management Console (https://console.aws.amazon.com/) and sign in using your AWS account credentials.
Open the CloudTrail Service: In the AWS Management Console, search for "CloudTrail" and open the CloudTrail service.
Select the Appropriate Trail: From the list of trails, select the trail that captures changes to security groups for the desired AWS region.
Configure Log Metric Filter: In the trail settings, locate the "CloudWatch Logs" section and click on "Configure".
Create New Metric Filter: Click on "Add new metric filter" to create a new log metric filter.
Define Filter Pattern: Provide a filter pattern that will capture log events related to security group changes. For example, the following pattern can be used:
{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)}
Configure Metric Details: Set the metric namespace, name, and value for the log metric filter. You can customize these based on your preference or leave the default values.
Save Metric Filter: Save the log metric filter configuration.
Open the CloudWatch Service: In the AWS Management Console, search for "CloudWatch" and open the CloudWatch service.
Navigate to Alarms: In the CloudWatch console, navigate to the "Alarms" section.
Create New Alarm: Click on "Create alarm" to create a new alarm.
Select Metric: In the "Create Alarm" wizard, select the metric generated by the log metric filter for security group changes.
Configure Alarm Threshold: Set the threshold that should trigger the alarm. You may want to specify a threshold that aligns with the severity or significance of security group changes.
Set Alarm Actions: Define the actions to be taken when the alarm is triggered. This can include sending notifications, executing Lambda functions, or performing custom actions.
Save Alarm: Save the alarm configuration.
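The same metric filter and alarm that the console steps above create, scripted with boto3 as an added example that is not part of the original rule text. The log group name, SNS topic ARN, metric namespace, metric name and alarm name are placeholder assumptions; a threshold of one matching event per five-minute period and `TreatMissingData` set to `notBreaching` (no changes means no alarm) are the usual settings for a change-detection alarm of this kind.

```python
# Placeholder names (assumptions, not from the page): the CloudWatch Logs group the
# trail delivers to, and the SNS topic that should receive alarm notifications.
LOG_GROUP = "CloudTrail/DefaultLogGroup"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-alerts"

# The filter pattern from the remediation guide on this page.
SG_FILTER_PATTERN = (
    "{($.eventName = AuthorizeSecurityGroupIngress) || "
    "($.eventName = AuthorizeSecurityGroupEgress) || "
    "($.eventName = RevokeSecurityGroupIngress) || "
    "($.eventName = RevokeSecurityGroupEgress)}"
)

def metric_filter_params(log_group, filter_name="SecurityGroupChanges",
                         namespace="CISBenchmark", metric_name="SecurityGroupEventCount"):
    """Request for logs.put_metric_filter: every matching record adds 1 to the metric."""
    return {
        "logGroupName": log_group,
        "filterName": filter_name,
        "filterPattern": SG_FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": metric_name,
            "metricNamespace": namespace,
            "metricValue": "1",
        }],
    }

def alarm_params(topic_arn, namespace="CISBenchmark", metric_name="SecurityGroupEventCount",
                 alarm_name="SecurityGroupChangesAlarm"):
    """Request for cloudwatch.put_metric_alarm: alarm when the metric sums to >= 1
    in a 5-minute period; periods with no data (no changes) are treated as OK."""
    return {
        "AlarmName": alarm_name,
        "Namespace": namespace,
        "MetricName": metric_name,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1.0,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }

def apply(log_group=LOG_GROUP, topic_arn=SNS_TOPIC_ARN):
    """Create or update the filter and alarm; this is the only part that calls AWS."""
    import boto3  # imported here so the request builders stay usable offline
    boto3.client("logs").put_metric_filter(**metric_filter_params(log_group))
    boto3.client("cloudwatch").put_metric_alarm(**alarm_params(topic_arn))
```

Call `apply()` with credentials that may write to CloudWatch Logs and CloudWatch; the two builder functions can be reviewed or unit-tested without any AWS access.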
Conclusion:
By following this guide and ensuring the log metric filter and alarm are properly configured, you support compliance with the General Data Protection Regulation (GDPR) by monitoring security group changes in your AWS environment. Regularly review the log events, alarm triggers, and notifications so that you stay aware of any security risks arising from security group changes.