Rule: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
This rule ensures a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys.
| Rule | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm exist to detect any disabling or scheduled deletion of customer-managed keys. It aligns with the NIST Cybersecurity Framework (CSF) v1 guidelines to enhance security measures for protecting sensitive data.
Troubleshooting Steps:
If the log metric filter or alarm does not exist or is not configured properly, follow these troubleshooting steps:
- 1.
Verify AWS CloudTrail logging is enabled:
- Go to the AWS Management Console.
- Navigate to the CloudTrail service.
- Ensure that CloudTrail is enabled for the AWS account.
- 2.
Check for existing metric filters and alarms:
- Go to the AWS Management Console.
- Navigate to the CloudWatch service.
- Select "Logs" from the left-hand menu.
- Look for an existing metric filter related to disabling or scheduled deletion of customer-managed keys.
- Ensure that an alarm is associated with the metric filter.
- 3.
Validate the log metric filter's pattern:
- Open the existing metric filter or create a new one.
- Check the pattern used in the metric filter for accurate matching of disabling or scheduled deletion of customer-managed keys events.
- Ensure the pattern properly captures the key events in the logs.
- 4.
Verify the associated alarm settings:
- Open the associated alarm for the log metric filter.
- Check if the alarm is correctly configured to trigger based on the defined threshold and evaluation period.
- Ensure the alarm sends notifications to the appropriate recipient(s) for prompt action.
Necessary Codes:
No specific code is required for this rule.
Step-by-Step Guide for Remediation:
Follow these steps to ensure the log metric filter and alarm exist for disabling or scheduled deletion of customer-managed keys:
- 1.
Open the AWS Management Console.
- 2.
Navigate to the CloudWatch service.
- 3.
Select "Logs" from the left-hand menu.
- 4.
Click on the log group that contains the relevant CloudTrail logs.
- 5.
Select the "Actions" button and choose "Create metric filter."
- 6.
Define a filter pattern that matches disabling or scheduled deletion of customer-managed keys events. Example pattern:
{($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion))} - 7.
Test the pattern to ensure it matches the desired events by using the provided log samples.
- 8.
Specify a name for the metric filter.
- 9.
Define the filter's destination as "Metric."
- 10.
Add a corresponding metric namespace and metric name to identify the filter's monitoring data accurately.
- 11.
Click on "Create filter."
- 12.
Once the filter is created, return to the log group page.
- 13.
Locate the created metric filter and click on the associated alarm link.
- 14.
Configure the alarm based on your desired threshold(s) and evaluation period.
- 15.
Define the action(s) to be taken when the alarm is triggered, such as sending a notification to relevant stakeholders.
- 16.
Click on "Create alarm."
- 17.
Test the alarm by generating appropriate events or wait for the regular logs to populate.
- 18.
Monitor the alarm for any triggering events related to disabling or scheduled deletion of customer-managed keys.
Note: Repeat these steps for each relevant log group if multiple exist.
By following these steps, you can ensure the presence of a log metric filter and alarm for disabling or scheduled deletion of customer-managed keys, aligning with the NIST Cybersecurity Framework (CSF) v1 requirements.