This rule ensures the presence of log metric filter and alarm for IAM policy changes.
Rule | Ensure a log metric filter and alarm exist for IAM policy changes |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | ✔ Low |
Rule Description
To ensure compliance with the NIST Cybersecurity Framework (CSF) v1, it is necessary to have a log metric filter and alarm in place for monitoring changes to the IAM policies in your system. This rule helps to detect any unauthorized modifications or potential security vulnerabilities related to IAM policies.
Troubleshooting Steps
If you encounter any issues related to the log metric filter and alarm for IAM policy changes, you can follow these troubleshooting steps:
Verify CloudTrail configuration: Ensure that AWS CloudTrail is enabled and properly configured for the account you want to monitor. Check that the trail is set up to capture relevant events, including IAM policy changes.
Check IAM permissions: Make sure that the IAM user or role you are using to set up the log metric filter and alarm has the necessary permissions: logs:PutMetricFilter (creating a metric filter is a CloudWatch Logs action) and cloudwatch:PutMetricAlarm.
Verify log metric filter syntax: Double-check the syntax of your log metric filter. Ensure that it matches the specifications in the AWS documentation, and validate the filter pattern to confirm that it captures IAM policy change events.
Examine alarm configurations: Review the configuration of the CloudWatch alarm associated with the log metric filter. Confirm that the settings are correctly defined, including the alarm threshold, actions taken when triggered, and notification mechanisms.
Test the setup: Create a test IAM policy change and verify if the log metric filter captures the event and the alarm is triggered. If the setup is correct, you should receive the expected notification or see the alarm state change in CloudWatch.
Check CloudWatch logs and metrics: If issues persist, examine the CloudWatch logs and metrics associated with the log metric filter and alarm. Look for any error messages, anomalies, or unexpected behavior that could indicate a problem.
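The "Verify log metric filter syntax" step asks you to validate the filter pattern before relying on it. The following added example (not from the original page and not an AWS tool) evaluates a CloudWatch Logs JSON filter pattern offline against constructed CloudTrail-style records, using the pattern that the put-metric-filter command under Necessary codes supplies. It implements only the subset of the filter-pattern syntax that pattern needs (braces, parentheses, ||, &&, = and != with * wildcards; numeric comparisons, IS NULL and NOT EXISTS are not handled). The function names, IAM_SCOPED_PATTERN and the sample records are assumptions. Two properties of the page's pattern become visible: its eventName prefixes are not limited to the IAM service, so an S3 PutBucketPolicy call is counted toward the metric as well, and IAM CreatePolicy / CreatePolicyVersion calls are not counted at all.

```python
import json
import re

# Token kinds: op (braces, parens, ||, &&, =, !=), sel ($.path), str ("quoted"), bare (unquoted).
_TOKEN_RE = re.compile(r'\s*(?:(\{|\}|\(|\)|\|\||&&|!=|=)|(\$(?:\.[A-Za-z_]\w*)+)|"([^"]*)"|([^\s{}()=!&|"]+))')
_KINDS = ("op", "sel", "str", "bare")

def tokenize(pattern):
    """Split a JSON filter pattern into (kind, text) tokens."""
    tokens, pos, pattern = [], 0, pattern.strip()
    while pos < len(pattern):
        m = _TOKEN_RE.match(pattern, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {pattern[pos:pos + 10]!r}")
        pos = m.end()
        tokens.append(next((k, g) for k, g in zip(_KINDS, m.groups()) if g is not None))
    return tokens

class _Parser:
    """Recursive descent: expr := term ('||' term)*; term := factor ('&&' factor)*; factor := '(' expr ')' | cmp."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)
    def take(self, kind=None, text=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (text and tok[1] != text):
            raise ValueError(f"expected {text or kind or 'a token'}, got {tok}")
        self.pos += 1
        return tok
    def parse(self):
        self.take("op", "{")
        tree = self.expr()
        self.take("op", "}")
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input after closing brace: {self.peek()}")
        return tree
    def expr(self):
        return self._binary("||", "or", self.term)
    def term(self):
        return self._binary("&&", "and", self.factor)
    def _binary(self, separator, tag, operand):
        node = operand()
        while self.peek() == ("op", separator):
            self.take()
            node = (tag, node, operand())
        return node
    def factor(self):
        if self.peek() == ("op", "("):
            self.take()
            tree = self.expr()
            self.take("op", ")")
            return tree
        selector, op = self.take("sel")[1], self.take("op")[1]
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}; only = and != are implemented")
        kind, value = self.take()
        if kind not in ("str", "bare"):
            raise ValueError(f"expected a value after {op}, got {kind}")
        return ("cmp", selector, op, value)

def _evaluate(node, record):
    if node[0] == "or":
        return _evaluate(node[1], record) or _evaluate(node[2], record)
    if node[0] == "and":
        return _evaluate(node[1], record) and _evaluate(node[2], record)
    _, selector, op, value = node
    actual = record
    for key in selector[2:].split("."):  # walk '$.a.b' into the parsed JSON record
        actual = actual.get(key) if isinstance(actual, dict) else None
    if actual is None:  # simplification: an absent field satisfies neither = nor !=
        return False
    # CloudWatch-style wildcard: '*' matches any run of characters, nothing else is special.
    matched = re.fullmatch(".*".join(map(re.escape, value.split("*"))), str(actual)) is not None
    return matched if op == "=" else not matched

def compile_pattern(pattern):
    """Return a predicate telling whether one parsed CloudTrail record would be counted."""
    tree = _Parser(tokenize(pattern)).parse()
    return lambda record: _evaluate(tree, record)

def matching_event_names(pattern, log_lines):
    """Event names of the JSON log lines that the pattern would feed into the metric."""
    matches = compile_pattern(pattern)
    return [rec["eventName"] for rec in map(json.loads, log_lines) if matches(rec)]

# Constructed CloudTrail-style log lines, trimmed to the fields the patterns read.
SAMPLE_LOG_LINES = [
    '{"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy"}',
    '{"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy"}',
    '{"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion"}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}',
    '{"eventSource": "iam.amazonaws.com", "eventName": "GetUser"}',
]
# The page's filter pattern, verbatim.
PAGE_PATTERN = ('{ ($.eventName = "Put*") || ($.eventName = "Delete*") || ($.eventName = "Attach*") '
                '|| ($.eventName = "Detach*") || ($.eventName = "Update*") }')
# Assumed tightening (not from the page): restrict to the IAM service and also count
# CreatePolicy / CreatePolicyVersion, which the five prefixes above miss.
IAM_SCOPED_PATTERN = ('{ ($.eventSource = "iam.amazonaws.com") && (($.eventName = "Put*") '
                      '|| ($.eventName = "Delete*") || ($.eventName = "Attach*") || ($.eventName = "Detach*") '
                      '|| ($.eventName = "Update*") || ($.eventName = "CreatePolicy*")) }')
```

Calling matching_event_names(PAGE_PATTERN, SAMPLE_LOG_LINES) lists PutUserPolicy, AttachRolePolicy and PutBucketPolicy, while the IAM-scoped variant lists PutUserPolicy, AttachRolePolicy and CreatePolicyVersion. To check a pattern of your own, pass it to compile_pattern together with records exported from the log group; a syntax error in the pattern raises ValueError before anything is deployed.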
Necessary codes
In order to implement the log metric filter and alarm for IAM policy changes, you need to use the AWS Command Line Interface (CLI) to execute the following code snippets.
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name IAMPolicyChangeFilter --filter-pattern '{ ($.eventName = "Put*") || ($.eventName = "Delete*") || ($.eventName = "Attach*") || ($.eventName = "Detach*") || ($.eventName = "Update*") }' --metric-transformations metricName=IAMPolicyChangeCount,metricNamespace=CSFv1,metricValue=1
Replace <log-group-name> with the name of the CloudWatch log group to which your CloudTrail trail delivers IAM events. The put-metric-filter command takes no --role-arn option; the credentials used to run it must be allowed to call logs:PutMetricFilter on that log group.
aws cloudwatch put-metric-alarm --alarm-name IAMPolicyChangeAlarm --metric-name IAMPolicyChangeCount --namespace CSFv1 --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions <actions> --ok-actions <actions> --insufficient-data-actions <actions>
With --statistic Sum, --period 300, --threshold 1 and GreaterThanOrEqualToThreshold, a single matching event in any five-minute period moves the alarm into the ALARM state (GreaterThanThreshold would require at least two events in the same period).
Replace <actions> with the appropriate ARNs or actions to be taken when the alarm is triggered or returns to normal. You may set up SNS notifications, Lambda functions, or other actions based on your requirements.
Remediation Steps
Follow these step-by-step instructions to remediate any issues related to the log metric filter and alarm for IAM policy changes:
Make sure the IAM user or role applying the fix has the logs:PutMetricFilter and cloudwatch:PutMetricAlarm permissions, then create the metric filter and the alarm with the commands given under Necessary codes.
Following these steps should help ensure that the log metric filter and alarm for IAM policy changes are correctly set up and functioning as intended, in compliance with the NIST Cybersecurity Framework (CSF) v1.
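The put-metric-alarm command under Necessary codes compares the Sum of IAMPolicyChangeCount over 300-second periods against a threshold of 1 with a single evaluation period. The following added example (not from the original page and not AWS code) replays that evaluation offline on constructed event timestamps, so you can see what each comparison operator does before wiring up notifications: with GreaterThanThreshold, a period that contains exactly one policy change never breaches a threshold of 1, whereas GreaterThanOrEqualToThreshold raises the alarm on the first change. The function names, COMPARISONS and the sample times are assumptions; the replay covers only evaluation-periods 1 and models a metric filter without a defaultValue, which publishes no datapoint for periods with no match.

```python
import operator
from datetime import datetime, timezone

# The four threshold forms accepted by put-metric-alarm --comparison-operator.
COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}

# Constructed UTC times at which the metric filter matched an IAM policy-change event.
SAMPLE_EVENT_TIMES = [
    datetime(2024, 1, 15, 12, 1, 10, tzinfo=timezone.utc),   # one change, alone in its period
    datetime(2024, 1, 15, 12, 12, 0, tzinfo=timezone.utc),   # two changes inside one period
    datetime(2024, 1, 15, 12, 13, 30, tzinfo=timezone.utc),
]


def sum_datapoints(event_times, period_seconds):
    """Fold metricValue=1 per match into the Sum statistic of each period (periods aligned to the epoch).

    Periods with no match yield no datapoint at all: a metric filter without a defaultValue
    publishes nothing, which is why the alarm can sit in INSUFFICIENT_DATA between changes.
    """
    sums = {}
    for t in event_times:
        start = int(t.timestamp()) // period_seconds * period_seconds
        sums[start] = sums.get(start, 0) + 1
    return sorted(sums.items())


def alarm_states(event_times, period_seconds, threshold, comparison_operator):
    """Replay a one-evaluation-period alarm: a datapoint that breaches is ALARM, any other is OK.

    Returns (period start as HH:MM UTC, Sum, state) for each datapoint, oldest first.
    """
    breaches = COMPARISONS[comparison_operator]
    return [
        (datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M"), value,
         "ALARM" if breaches(value, threshold) else "OK")
        for start, value in sum_datapoints(event_times, period_seconds)
    ]


if __name__ == "__main__":
    for op_name in ("GreaterThanThreshold", "GreaterThanOrEqualToThreshold"):
        print(op_name, alarm_states(SAMPLE_EVENT_TIMES, 300, 1, op_name))
```

For the constructed times, GreaterThanThreshold yields OK for the 12:00 period (Sum 1) and ALARM for 12:10 (Sum 2), while GreaterThanOrEqualToThreshold yields ALARM for both. To replay your own history, feed alarm_states the timestamps of the events your metric filter matched in CloudWatch Logs.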