
Rule: Ensure a Log Metric Filter and Alarm Exist for CloudTrail Configuration Changes

This rule ensures proper monitoring of CloudTrail configuration changes.

Rule: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes, specifically aligned with the NIST Cybersecurity Framework (CSF) v1 guidelines. CloudTrail provides a detailed audit trail of API calls and actions performed within your AWS account, helping you monitor activities and detect potential security incidents. By monitoring CloudTrail configuration changes, you can ensure compliance with NIST CSF recommendations and enhance the security of your AWS environment.

Troubleshooting Steps

1. Verify CloudTrail Configuration: Validate that CloudTrail is properly configured in your AWS account and is enabled for the necessary AWS services. This includes ensuring that the appropriate trails are created and that they capture the desired events and logs.

2. Check Log Metric Filters: Confirm that log metric filters exist for the CloudTrail logs. These filters extract specific fields and information from CloudTrail logs, allowing you to create actionable metrics based on matching patterns.

3. Validate Alarms: Ensure that the CloudTrail configuration change alarm is properly defined and associated with the log metric filter. Verify that the alarm settings are aligned with the NIST CSF v1 guidelines, such as the threshold that triggers the alarm.

4. Review CloudTrail Logs: Inspect the CloudTrail logs to identify any configuration change events that are not triggering the log metric filter and alarm. Check whether there are exceptions or errors in the logs that may be causing the issue.

5. Check Permissions: Confirm that the IAM roles or users associated with the log metric filter and alarm have the necessary permissions to access the CloudTrail logs and publish metrics to Amazon CloudWatch.

Necessary Code

No code snippet is provided for this rule, as it primarily involves configuring CloudTrail, log metric filters, and alarms using AWS Management Console or AWS CLI.

Remediation Steps

Follow these steps to remediate the rule violations related to ensuring the presence of a log metric filter and alarm for CloudTrail configuration changes for NIST CSF v1:

1. Access the AWS Management Console or use the AWS CLI with appropriate permissions to perform the following steps.

2. Enable CloudTrail: If CloudTrail is not already enabled, navigate to the CloudTrail service in the AWS Management Console, click "Trails" in the left-side menu, and create a new trail. Specify the AWS services and regions to monitor and configure the desired settings.

3. Create Log Metric Filter: In the CloudTrail service, click on the created trail and go to its settings. Under "Data events", click "Manage data event settings", then click "Add data event". On the subsequent page, define the log metric filter for CloudTrail configuration changes, specifying matching patterns for the necessary fields such as "eventName" or "eventSource".

4. Configure Metric Filters: Choose whether to create a new metric filter or use an existing one. If you create a new metric filter, provide a name, define the filter pattern, and specify the desired metric namespace and metric value. Ensure that the filter pattern matches the intended CloudTrail configuration change events.

5. Define Alarm: After configuring the metric filter, click the "Create alarm" button to create a new alarm. Select the metric filter created in the previous step, define the alarm threshold based on NIST CSF v1 recommendations, and specify the actions to perform when the alarm is triggered.

6. Review and Complete: Review the configured settings, ensuring they align with the NIST CSF v1 guidelines. Once satisfied, click "Create alarm" to finalize the process.

7. Verify Functionality: Perform regular tests to ensure that all CloudTrail configuration changes are properly logged, filtered, and triggering the associated alarm. Monitor the CloudWatch metrics and alarm state to confirm that the rule is functioning effectively.

By following these steps, you have successfully remediated the rule violations and established a reliable log metric filter and alarm for CloudTrail configuration changes as per the NIST Cybersecurity Framework (CSF) v1 guidelines.
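As an added example (not Cloud Defense's or AWS's code), the following Python script checks offline the two conditions that the troubleshooting and remediation steps above verify: that a metric filter covers every CloudTrail configuration-change API call, and that an alarm with at least one action is attached to the metric that filter produces. It uses the filter pattern conventionally used for this control and constructed sample data shaped like the output of "aws logs describe-metric-filters" and "aws cloudwatch describe-alarms"; the filter names, namespace and account id in the sample are assumptions.

```python
import re

# CloudTrail API calls that change trail configuration (real API names);
# the pattern is the filter conventionally used for this control.
CONFIG_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                        "StartLogging", "StopLogging"}
FILTER_PATTERN = ("{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
                  "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
                  "($.eventName = StopLogging) }")

def pattern_event_names(pattern):
    """Extract the eventName literals a metric filter pattern matches on."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))

def filter_covers_config_changes(pattern):
    """True only if the pattern matches every configuration-change API call."""
    return CONFIG_CHANGE_EVENTS <= pattern_event_names(pattern)

def evaluate_rule(metric_filters, alarms):
    """metric_filters: items like describe-metric-filters 'metricFilters';
    alarms: items like describe-alarms 'MetricAlarms'. Passes only when a
    covering filter feeds a metric whose alarm has at least one action."""
    covered = set()
    for mf in metric_filters:
        if filter_covers_config_changes(mf.get("filterPattern", "")):
            for t in mf.get("metricTransformations", []):
                covered.add((t["metricNamespace"], t["metricName"]))
    alarmed = [a["AlarmName"] for a in alarms
               if (a.get("Namespace"), a.get("MetricName")) in covered
               and a.get("AlarmActions")]  # an alarm that notifies nobody does not count
    return {"filter_ok": bool(covered), "alarm_ok": bool(alarmed), "alarms": alarmed}

# Constructed sample data (assumed names, namespace and account id), not from a real account.
SAMPLE_FILTERS = [
    {"filterName": "CloudTrailChanges", "filterPattern": FILTER_PATTERN,
     "metricTransformations": [{"metricName": "CloudTrailEventCount",
                                "metricNamespace": "SecurityMetrics", "metricValue": "1"}]},
    {"filterName": "OnlyStopLogging", "filterPattern": "{ ($.eventName = StopLogging) }",
     "metricTransformations": [{"metricName": "StopLoggingCount",
                                "metricNamespace": "SecurityMetrics", "metricValue": "1"}]},
]
SAMPLE_ALARMS = [
    {"AlarmName": "CloudTrailChangesAlarm", "Namespace": "SecurityMetrics",
     "MetricName": "CloudTrailEventCount", "Threshold": 1.0,
     "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:SecurityAlerts"]},
    {"AlarmName": "NoActionAlarm", "Namespace": "SecurityMetrics",
     "MetricName": "CloudTrailEventCount", "Threshold": 1.0, "AlarmActions": []},
]
if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_FILTERS, SAMPLE_ALARMS))
```

The second sample filter and the second sample alarm are deliberately non-compliant (partial pattern, no action) so the check shows why each is insufficient on its own.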
