
Ensure a Log Metric Filter and Alarm Exist for AWS Config Configuration Changes Rule

This rule ensures the presence of a log metric filter and alarm for AWS Config configuration changes.

Rule: Ensure a log metric filter and alarm exist for AWS Config configuration changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

This rule ensures that a CloudWatch Logs metric filter and a CloudWatch alarm are in place to detect and alert on changes to the AWS Config service itself (stopping or reconfiguring the configuration recorder, or creating or deleting the delivery channel), mapped to the NIST Cybersecurity Framework (CSF) v1.1. These API calls are exactly what an attacker, or a careless operator, would use to blind the configuration history of the account, so an alert on them preserves visibility into resource configuration. The filter matches CloudTrail events delivered to CloudWatch Logs, which is why a trail with CloudWatch Logs integration is a prerequisite.

Troubleshooting Steps

If you encounter any issues with the log metric filter and alarm for AWS Config configuration changes, follow these troubleshooting steps:

  1. Verify AWS Config setup: Ensure that AWS Config is enabled and recording for your AWS account.
  2. Verify CloudTrail delivery: Confirm that a CloudTrail trail is active and configured to deliver events to a CloudWatch Logs log group; the metric filter reads that log group, not AWS Config output.
  3. Check IAM permissions: Confirm that the IAM user or role executing the commands has permission to create log metric filters (logs:PutMetricFilter) and alarms (cloudwatch:PutMetricAlarm).
  4. Review log group: Check the CloudTrail log group for recent config.amazonaws.com events; if none arrive, the problem is upstream of the filter.
  5. Inspect IAM role: Verify that the IAM role CloudTrail assumes for CloudWatch Logs delivery has permission to create log streams and put log events in that log group.
  6. Check alarm configuration: Review the alarm settings, including the metric name and namespace (they must match the filter's metric transformation exactly), the threshold, actions, and the SNS topic's subscriptions.
  7. Test logging and alarm: Make a harmless change to AWS Config (for example, re-apply the existing recorder with put-configuration-recorder) and confirm that the metric increments and the alarm enters the ALARM state.

Code

The following commands create the log metric filter and alarm for AWS Config configuration changes, in line with NIST CSF v1.1. They assume a CloudTrail trail that delivers its events to a CloudWatch Logs log group; the filter is applied to that log group.

Log Metric Filter

Create a log metric filter to capture AWS Config configuration changes:

aws logs put-metric-filter \
--log-group-name <log-group-name> \
--filter-name "AWSConfigChangesFilter" \
--metric-transformations \
metricName=ConfigChanges,metricNamespace=ConfigChangesNamespace,metricValue=1 \
--filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) || ($.eventName = PutConfigurationRecorder)) }'

Note: Replace <log-group-name> with the name of the CloudWatch Logs log group that your CloudTrail trail delivers to. The filter pattern uses the JSON pattern syntax because CloudTrail records are JSON; a space-delimited pattern such as [version = "1.0", ...] would never match a CloudTrail event. The four event names are the AWS Config API calls that stop, replace, or remove configuration recording.

Alarm

Create an alarm to trigger based on the log metric filter:

aws cloudwatch put-metric-alarm \
--alarm-name "AWSConfigChangesAlarm" \
--alarm-description "Alarm for AWS Config configuration changes" \
--metric-name ConfigChanges \
--namespace ConfigChangesNamespace \
--statistic Sum \
--period 300 \
--evaluation-periods 1 \
--threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--treat-missing-data notBreaching \
--alarm-actions <SNS-topic-ARN>

Note: Replace <SNS-topic-ARN> with the ARN of the SNS topic to which the alarm should send notifications; the topic needs at least one confirmed subscription or the alert goes nowhere. Do not add a logGroupName dimension to the alarm: the metric filter above publishes its metric without dimensions, so an alarm that specifies one would never receive data and would sit in INSUFFICIENT_DATA. The metric name and namespace must match the filter's metric transformation exactly.

Remediation Steps

In order to remediate any identified issues or non-compliance with the rule, follow these step-by-step guidelines:

  1. Verify AWS Config and CloudTrail: Ensure that AWS Config is enabled and recording, and that a CloudTrail trail delivers events to a CloudWatch Logs log group.
  2. Create Log Metric Filter: Use the provided command to create a log metric filter for AWS Config configuration changes on the CloudTrail log group. Replace <log-group-name> with that log group's name.
  3. Create Alarm: Use the provided command to create a CloudWatch alarm on the filter's metric. Replace <SNS-topic-ARN> with the SNS topic that should receive notifications, and confirm the topic has a subscriber.
  4. Test the Alarm: Generate a configuration change in AWS Config and validate that the alarm triggers as expected. Watch the ConfigChanges metric and check that the alarm state moves to ALARM within one evaluation period.
  5. Investigate and Remediate: If the alarm fires for an unauthorized or unexpected change, investigate immediately, restore the recorder and delivery channel if they were stopped or altered, and identify the principal that made the call from the CloudTrail record.
  6. Monitor: Keep the metric filter, the alarm, and the SNS subscription under change control so that the detection itself is not silently removed.

By following these steps, you can implement and maintain a log metric filter and alarm for AWS Config configuration changes, aligning with the NIST CSF v1.1 guidelines.
