This rule ensures the presence of a log metric filter and alarm for Network Access Control Lists (NACL) changes.
| | |
|---|---|
| Rule | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description for Changes to Network Access Control Lists (NACL)
This rule checks that changes to Network Access Control Lists (NACLs) are monitored and detected, as required for compliance with the NIST Cybersecurity Framework (CSF) v1. It requires a CloudWatch Logs metric filter on the CloudTrail log group together with an associated CloudWatch alarm, so that an alert is raised whenever CloudTrail records a change to the NACL configuration.
Troubleshooting Steps
If problems are encountered while implementing this rule, work through the following checks:
1. Verify AWS CloudTrail configuration: Ensure that AWS CloudTrail is enabled, that the trail delivers to the CloudWatch Logs log group used by the metric filter, and that it records the management events in which NACL changes appear.
2. Check permissions: Confirm that the IAM user or role used to create the metric filter and alarm has sufficient permissions on the resources involved (CloudTrail, CloudWatch Logs, CloudWatch alarms and the SNS topic).
3. Validate the log metric filter pattern: Double-check the filter pattern configured in CloudWatch Logs. Make sure it matches the NACL change events you expect to catch; a pattern that only matches some event names will silently miss the others.
4. Validate the alarm configuration: Review the CloudWatch alarm associated with the metric filter. Ensure that its metric name and namespace match the filter's metric transformation, and that the threshold, actions, and notification preferences are set correctly.
5. Check the alarm state: If the alarm is not triggering as expected, inspect its state and history in the CloudWatch console. Look for recent changes, errors, or INSUFFICIENT_DATA periods that explain why the alarm is not activating.
Necessary Codes
The following AWS CLI commands show one way to implement the rule, assuming CloudTrail already delivers its events to a CloudWatch Logs log group:
Log Metric Filter

```shell
# Entry and association changes are included alongside create/delete of the ACL
# itself, so that rule edits are caught as well.
# --metric-transformations is required: it defines the custom metric the alarm watches.
aws logs put-metric-filter \
  --log-group-name "/aws/cloudtrail/<YOUR_CLOUDTRAIL_NAME>" \
  --filter-name "NACLChangesFilter" \
  --filter-pattern "{ ($.eventSource = ec2.amazonaws.com) && ($.eventName = CreateNetworkAcl || $.eventName = CreateNetworkAclEntry || $.eventName = DeleteNetworkAcl || $.eventName = DeleteNetworkAclEntry || $.eventName = ReplaceNetworkAclEntry || $.eventName = ReplaceNetworkAclAssociation) }" \
  --metric-transformations metricName=NACLChanges,metricNamespace=LogMetrics,metricValue=1
```

Alarm Creation

```shell
# metric-name and namespace must match the filter's metric transformation; the
# "AWS/" namespace prefix is reserved for AWS-published metrics, so a custom
# namespace such as LogMetrics is used. Sum counts matching events per 5-minute
# period, so a single NACL change raises the alarm; periods with no matches are
# treated as OK rather than INSUFFICIENT_DATA.
aws cloudwatch put-metric-alarm \
  --alarm-name "NACLChangesAlarm" \
  --actions-enabled \
  --alarm-actions "<YOUR_SNS_TOPIC_ARN>" \
  --metric-name "NACLChanges" \
  --namespace "LogMetrics" \
  --statistic "Sum" \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 1 \
  --comparison-operator "GreaterThanOrEqualToThreshold" \
  --treat-missing-data notBreaching
```
Step-by-Step Guide for Remediation
To remediate a missing or broken metric filter and alarm for Network Access Control List (NACL) changes and meet the NIST Cybersecurity Framework (CSF) v1 requirement, follow the steps below:
Set up AWS CloudTrail:
Create a log metric filter:
Create an alarm for the log metric filter:
Configure notification preferences:
Test the rule:
By following these steps, you can ensure the detection and monitoring of any changes made to Network Access Control Lists (NACLs) as required by the NIST Cybersecurity Framework (CSF) v1.
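The "Validate log metric filter pattern" and "Test the rule" steps are easier to carry out before anything is deployed if the filter pattern can be evaluated locally. The following Python script is an added example and is not code from the original rule page or from AWS: it parses the subset of the CloudWatch Logs JSON filter-pattern syntax that this page uses ($.field selectors, = and != with * wildcards, &&, || and parentheses) and evaluates a pattern against CloudTrail-style log lines. PAGE_PATTERN is the pattern exactly as the page originally gave it; the additional event names in NACL_EVENTS (the EC2 API calls that change a NACL's entries or subnet association) are my addition, not the page's; the sample log lines are constructed, not real CloudTrail output.

```python
# Added example: evaluate a CloudWatch Logs JSON filter pattern offline against
# constructed CloudTrail-style log lines, before deploying the metric filter.
import fnmatch
import json
import re

# The metric filter pattern exactly as given on the page (NACL create/delete only).
PAGE_PATTERN = ('{ ($.eventSource = ec2.amazonaws.com) && '
                '($.eventName = CreateNetworkAcl || $.eventName = DeleteNetworkAcl)}')

# Assumption (not from the page): the EC2 API calls that change a NACL or its rules.
NACL_EVENTS = ["CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
               "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"]
FULL_PATTERN = ("{ ($.eventSource = ec2.amazonaws.com) && ("
                + " || ".join(f"$.eventName = {name}" for name in NACL_EVENTS) + ") }")

# One token per match: braces, parentheses, operators, $.path selectors, quoted or bare values.
_TOKEN_RE = re.compile(r'\s*(\{|\}|\(|\)|&&|\|\||!=|=|\$(?:\.\w+)+|"[^"]*"|[^\s(){}=!&|]+)')


def tokenize(pattern):
    tokens = _TOKEN_RE.findall(pattern)
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", pattern):
        raise ValueError(f"unsupported syntax in pattern: {pattern!r}")  # something was skipped
    return tokens


class _Parser:
    # Recursive descent: expr := term ('||' term)* ; term := factor ('&&' factor)*
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        self._take("{")
        node = self._expr()
        self._take("}")
        return node
    def _chain(self, sub, op, kind):      # left-associative chain: sub (op sub)*
        node = sub()
        while self._peek() == op:
            self._take()
            node = (kind, node, sub())
        return node
    def _expr(self):
        return self._chain(self._term, "||", "or")    # || binds looser than &&
    def _term(self):
        return self._chain(self._factor, "&&", "and")
    def _factor(self):
        if self._peek() == "(":
            self._take("(")
            node = self._expr()
            self._take(")")
            return node
        selector, op, value = self._take(), self._take(), self._take()
        if not selector.startswith("$.") or op not in ("=", "!="):
            raise ValueError(f"bad comparison: {selector} {op} {value}")
        value = value[1:-1] if value.startswith('"') else value   # strip surrounding quotes
        return ("cmp", selector[2:].split("."), op, value)


def evaluate(node, event):
    if node[0] in ("or", "and"):
        left, right = evaluate(node[1], event), evaluate(node[2], event)
        return (left or right) if node[0] == "or" else (left and right)
    _, path, op, value = node
    actual = event
    for key in path:                      # walk $.a.b.c into the parsed JSON event
        actual = actual.get(key) if isinstance(actual, dict) else None
    if actual is None:                    # a field absent from the event never matches
        return False
    hit = fnmatch.fnmatchcase(str(actual), value) if "*" in value else str(actual) == value
    return hit if op == "=" else not hit


def matching_events(pattern, log_lines):
    # Return the eventName of every JSON log line the pattern selects, in input order.
    ast = _Parser(tokenize(pattern)).parse()
    events = [json.loads(line) for line in log_lines]
    return [e.get("eventName") for e in events if evaluate(ast, e)]


def would_alarm(pattern, log_lines, threshold=1):
    # Mirror the alarm on the page: number of matches in one period >= threshold.
    return len(matching_events(pattern, log_lines)) >= threshold


# Constructed CloudTrail-style records, one JSON object per log event.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAcl"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry"}),
]

if __name__ == "__main__":
    for label, pattern in (("page pattern", PAGE_PATTERN), ("full pattern", FULL_PATTERN)):
        print(f"{label}: {matching_events(pattern, SAMPLE_LOG_LINES)} "
              f"-> alarm fires: {would_alarm(pattern, SAMPLE_LOG_LINES)}")
```

Running the script shows the practical difference between the two patterns: against the same five events the page's original pattern selects only CreateNetworkAcl, while the fuller pattern also selects the entry changes, which is the behaviour the rule description asks for. The parser is deliberately limited to the operators this page uses; numeric comparisons and the space-delimited (non-JSON) pattern syntax are not handled.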