
Rule: Ensure a log metric filter and alarm exist for IAM policy changes

This rule ensures the presence of log metric filter and alarm for IAM policy changes.

Rule: Ensure a log metric filter and alarm exist for IAM policy changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

To ensure compliance with the NIST Cybersecurity Framework (CSF) v1, it is necessary to have a log metric filter and alarm in place for monitoring changes to the IAM policies in your AWS account. This rule helps to detect unauthorized or unexpected modifications to IAM policies promptly, before they can be used to widen access.

Troubleshooting Steps

If you encounter any issues related to the log metric filter and alarm for IAM policy changes, you can follow these troubleshooting steps:

  1. Verify CloudTrail configuration: Ensure that AWS CloudTrail is enabled and properly configured for the account you want to monitor. Check that the trail is set up to capture the relevant events, including IAM policy changes.

  2. Check IAM permissions: Make sure that the IAM user or role you are using to set up the log metric filter and alarm has the necessary permissions. The user/role should have the cloudwatch:PutMetricFilter and cloudwatch:PutMetricAlarm permissions.

  3. Verify log metric filter syntax: Double-check the syntax of your log metric filter. Ensure that it matches the specifications in the AWS documentation. Validate the filter pattern to confirm it correctly captures IAM policy change events.

  4. Examine alarm configurations: Review the configuration of the CloudWatch alarm associated with the log metric filter. Confirm that the settings are correctly defined, including the alarm threshold, the actions taken when the alarm is triggered, and the notification mechanisms.

  5. Test the setup: Make a test IAM policy change and verify that the log metric filter captures the event and the alarm is triggered. If the setup is correct, you should receive the expected notification or see the alarm state change in CloudWatch.

  6. Check CloudWatch logs and metrics: If issues persist, examine the CloudWatch logs and metrics associated with the log metric filter and alarm. Look for any error messages, anomalies, or unexpected behavior that could indicate a problem.

Necessary codes

To implement the log metric filter and alarm for IAM policy changes, run the following AWS Command Line Interface (CLI) commands.

  1. Create a log metric filter:
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name IAMPolicyChangeFilter --filter-pattern '{ ($.eventName = "Put*") || ($.eventName = "Delete*") || ($.eventName = "Attach*") || ($.eventName = "Detach*") || ($.eventName = "Update*") }' --metric-transformations metricName=IAMPolicyChangeCount,metricNamespace=CSFv1,metricValue=1

Replace <log-group-name> with the name of the CloudWatch log group to which your CloudTrail trail delivers IAM events. Run the command with credentials (user or role) that have permission to create the metric filter; put-metric-filter takes no role ARN argument.

  2. Create a CloudWatch alarm:
aws cloudwatch put-metric-alarm --alarm-name IAMPolicyChangeAlarm --metric-name IAMPolicyChangeCount --namespace CSFv1 --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions <actions> --ok-actions <actions> --insufficient-data-actions <actions>

Replace <actions> with the ARNs of the actions to take when the alarm enters the ALARM, OK, or INSUFFICIENT_DATA state. You may use SNS notifications, Lambda functions, or other actions based on your requirements. The comparison operator is GreaterThanOrEqualToThreshold so that a single policy change in a 300-second period (a metric sum of 1) is enough to trigger the alarm.
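Before touching the live account, it helps to know which CloudTrail event names the filter pattern above will actually count. The following Python script is an added example, not Cloud Defense's code or part of the page's commands: it re-implements only the subset of CloudWatch Logs filter syntax that the page's pattern uses ($.eventName = "Prefix*" terms joined by ||) and runs it over constructed event names. The list of IAM policy-change API names and the sample record are assumptions of this example.

```python
import json
import re

# The pattern exactly as given in the page's put-metric-filter command.
FILTER_PATTERN = ('{ ($.eventName = "Put*") || ($.eventName = "Delete*") || '
                  '($.eventName = "Attach*") || ($.eventName = "Detach*") || '
                  '($.eventName = "Update*") }')

# Only '$.eventName = "<value>"' terms are parsed; '*' is a wildcard.
# This is a deliberate approximation of CloudWatch's full filter grammar.
_TERM = re.compile(r'\$\.eventName\s*=\s*"([^"]*)"')


def event_name_patterns(filter_pattern):
    """Return the eventName values the pattern tests, e.g. ['Put*', ...]."""
    return _TERM.findall(filter_pattern)


def matches(filter_pattern, record):
    """True if a CloudTrail record (dict or JSON string) hits the filter."""
    if isinstance(record, str):
        record = json.loads(record)
    name = record.get("eventName", "")
    for pat in event_name_patterns(filter_pattern):
        # CloudWatch's '*' wildcard becomes an anchored regex.
        regex = "^" + ".*".join(re.escape(p) for p in pat.split("*")) + "$"
        if re.match(regex, name):
            return True
    return False


def coverage(filter_pattern, event_names):
    """Split event names into (matched, missed) lists for the filter."""
    matched = [n for n in event_names if matches(filter_pattern, {"eventName": n})]
    return matched, [n for n in event_names if n not in matched]


# IAM policy-change API names a reviewer would expect the alarm to cover
# (assumed list for this example, taken from the IAM API).
IAM_POLICY_EVENTS = [
    "PutUserPolicy", "PutRolePolicy", "DeleteUserPolicy", "AttachRolePolicy",
    "DetachRolePolicy", "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
    "SetDefaultPolicyVersion",
]

if __name__ == "__main__":
    hit, miss = coverage(FILTER_PATTERN, IAM_POLICY_EVENTS)
    print("matched by the page's pattern:", hit)
    print("not matched by the page's pattern:", miss)
```

Running it shows that the prefix list counts the Put/Delete/Attach/Detach calls but not CreatePolicy, CreatePolicyVersion or SetDefaultPolicyVersion, which is the kind of gap to close when you validate the pattern in step 3 of the troubleshooting list.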

Remediation Steps

Follow these step-by-step instructions to remediate any issues related to the log metric filter and alarm for IAM policy changes:

  1. Verify CloudTrail configuration:
  • Go to the AWS Management Console.
  • Navigate to the CloudTrail service.
  • Select the trail associated with the account you want to monitor.
  • Ensure that the trail is enabled and configured to capture IAM policy change events.
  2. Check IAM permissions:
  • Verify the IAM user or role used to set up the log metric filter and alarm.
  • Ensure it has the necessary permissions, including cloudwatch:PutMetricFilter and cloudwatch:PutMetricAlarm.
  3. Verify log metric filter syntax:
  • Open the AWS CloudWatch Logs console.
  • Locate the log group specified for IAM events.
  • Edit the log metric filter for IAM policy changes.
  • Review the filter pattern syntax and make any necessary corrections or adjustments.
  • Validate the filter pattern to ensure it captures the desired IAM policy change events.
  4. Examine alarm configurations:
  • Access the AWS CloudWatch console.
  • Select Alarms from the sidebar menu.
  • Locate the alarm associated with the log metric filter for IAM policy changes.
  • Review the alarm configuration, including the threshold, period, and actions taken when triggered.
  • Make any required adjustments to align with your organization's requirements.
  5. Test the setup:
  • Perform a test change to an IAM policy.
  • Monitor the log metric filter in the AWS CloudWatch console to verify that the event is captured.
  • Check that the associated alarm is triggered and behaves as expected, based on the configured threshold and actions.
  6. Check CloudWatch logs and metrics:
  • If issues persist, review the CloudWatch logs for the log group capturing IAM events.
  • Look for any error messages, anomalies, or unexpected behavior in the log data.
  • Analyze the corresponding metrics in CloudWatch, focusing on the IAM policy change metric.
  • Identify any discrepancies or irregularities that may indicate issues with the log metric filter or alarm setup.

Following these steps should help ensure that the log metric filter and alarm for IAM policy changes are correctly set up and functioning as intended, in compliance with the NIST Cybersecurity Framework (CSF) v1.
