Rule: Ensure a log metric filter and alarm exist for IAM policy changes
This rule ensures the presence of log metric filter and alarm for IAM policy changes.
| Rule | Ensure a log metric filter and alarm exist for IAM policy changes |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description
To ensure compliance with the NIST Cybersecurity Framework (CSF) v1, it is necessary to have a log metric filter and alarm in place for monitoring changes to the IAM policies in your system. This rule helps to detect any unauthorized modifications or potential security vulnerabilities related to IAM policies.
Troubleshooting Steps
If you encounter any issues related to the log metric filter and alarm for IAM policy changes, you can follow these troubleshooting steps:
- 1.
Verify CloudTrail configuration: Ensure that AWS CloudTrail is enabled and properly configured for the account you want to monitor. Check that the trail is set up to capture relevant events, including IAM policy changes.
- 2.
Check IAM permissions: Make sure that the IAM user or role you are using to set up the log metric filter and alarm has the necessary permissions. The user/role should have
andcloudwatch:PutMetricFilter
permissions.cloudwatch:PutMetricAlarm - 3.
Verify log metric filter syntax: Double-check the syntax of your log metric filter. Ensure that it matches the specifications mentioned in the AWS documentation. Validate the filter pattern to confirm it correctly captures IAM policy change events.
- 4.
Examine alarm configurations: Review the configuration of the CloudWatch alarm associated with the log metric filter. Confirm that the settings are correctly defined, including the alarm threshold, actions taken when triggered, and notification mechanisms.
- 5.
Test the setup: Create a test IAM policy change and verify if the log metric filter captures the event and the alarm is triggered. If the setup is correct, you should receive the expected notification or see the alarm state change in CloudWatch.
- 6.
Check CloudWatch logs and metrics: If issues persist, examine the CloudWatch logs and metrics associated with the log metric filter and alarm. Look for any error messages, anomalies, or unexpected behavior that could indicate a problem.
Necessary codes
In order to implement the log metric filter and alarm for IAM policy changes, you need to use the AWS Command Line Interface (CLI) to execute the following code snippets.
- 1.Create a log metric filter:
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name IAMPolicyChangeFilter --filter-pattern '{ ($.eventName = "Put*") || ($.eventName = "Delete*") || ($.eventName = "Attach*") || ($.eventName = "Detach*") || ($.eventName = "Update*") }' --metric-transformations metricName=IAMPolicyChangeCount,metricNamespace=CSFv1,metricValue=1 --role-arn <role-arn>
Replace
<log-group-name><role-arn>- 1.Create a CloudWatch alarm:
aws cloudwatch put-metric-alarm --alarm-name IAMPolicyChangeAlarm --metric-name IAMPolicyChangeCount --namespace CSFv1 --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanThreshold --evaluation-periods 1 --alarm-actions <actions> --ok-actions <actions> --insufficient-data-actions <actions>
Replace
<actions>Remediation Steps
Follow these step-by-step instructions to remediate any issues related to the log metric filter and alarm for IAM policy changes:
- 1.Verify CloudTrail configuration:
- Go to the AWS Management Console.
- Navigate to the CloudTrail service.
- Select the trail associated with the account you want to monitor.
- Ensure that the trail is enabled and configured to capture IAM policy change events.
- 1.Check IAM permissions:
- Verify the IAM user or role used to set up the log metric filter and alarm.
- Ensure it has the necessary permissions, including
andcloudwatch:PutMetricFilter
.cloudwatch:PutMetricAlarm
- 1.Verify log metric filter syntax:
- Open the AWS CloudWatch Logs console.
- Locate the log group specified for IAM events.
- Edit the log metric filter for IAM policy changes.
- Review the filter pattern syntax and make any necessary corrections or adjustments.
- Validate the filter pattern to ensure it captures the desired IAM policy change events.
- 1.Examine alarm configurations:
- Access the AWS CloudWatch console.
- Select Alarms from the sidebar menu.
- Locate the alarm associated with the log metric filter for IAM policy changes.
- Review the alarm configuration, including the threshold, period, and actions taken when triggered.
- Make any required adjustments to align with your organization's requirements.
- 1.Test the setup:
- Perform a test change to an IAM policy.
- Monitor the log metric filter in the AWS CloudWatch console to verify that the event is captured.
- Check if the associated alarm is triggered and behaves as expected, based on the configured threshold and actions.
- 1.Check CloudWatch logs and metrics:
- If issues persist, review the CloudWatch logs for the log group capturing IAM events.
- Look for any error messages, anomalies, or unexpected behavior in the log data.
- Analyze the corresponding metrics in CloudWatch, focusing on the IAM policy change metric.
- Identify any discrepancies or irregularities that may indicate issues with the log metric filter or alarm setup.
Following these steps should help ensure that the log metric filter and alarm for IAM policy changes are correctly set up and functioning as intended, in compliance with the NIST Cybersecurity Framework (CSF) v1.