Rule: Ensure a log metric filter and alarm for NACL changes

This rule ensures the presence of a log metric filter and alarm for Network Access Control Lists (NACL) changes.

Rule: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description for Changes to Network Access Control Lists (NACL)

This rule ensures the monitoring and detection of changes made to Network Access Control Lists (NACLs) for compliance with the NIST Cybersecurity Framework (CSF) v1. The rule involves the creation of a log metric filter and an associated alarm, which will trigger an alert when any changes occur to the NACL configuration.

Troubleshooting Steps

If there are any issues or problems encountered while implementing this rule, the following steps can be followed for troubleshooting:

  1. Verify AWS CloudTrail configuration: Ensure that AWS CloudTrail is properly configured and collecting logs. Check if the appropriate trails are enabled and logging events related to changes in NACLs.

  2. Check permissions: Confirm that the IAM user or role used to create the CloudWatch events, metrics, and alarms has sufficient permissions to access and configure the necessary resources (such as CloudTrail, CloudWatch, and NACLs).

  3. Validate log metric filter pattern: Double-check the log metric filter pattern configured in CloudWatch. Make sure it matches the desired NACL configuration change events.

  4. Validate alarm configuration: Review the settings of the CloudWatch alarm associated with the log metric filter. Ensure that the alarm's threshold, actions, and notification preferences are set correctly.

  5. Check alarm state: If the alarm is not triggering as expected, verify its state in the CloudWatch console. Look for any recent changes, errors, or issues that may indicate why the alarm is not activating.

Necessary Codes

The following code snippets provide an example of how to implement the rule using AWS CloudWatch and AWS CloudTrail:

Log Metric Filter

# The pattern is single-quoted so the shell does not touch the "$." selectors.
# It matches every EC2 API call that creates, deletes or rewrites a NACL, a NACL
# rule entry, or a subnet/NACL association; matching only CreateNetworkAcl and
# DeleteNetworkAcl would miss rule-level edits to an existing NACL.
# --metric-transformations is required: it defines the metric the alarm watches.
aws logs put-metric-filter \
  --log-group-name "/aws/cloudtrail/<YOUR_CLOUDTRAIL_NAME>" \
  --filter-name "NACLChangesFilter" \
  --filter-pattern '{ ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)) }' \
  --metric-transformations metricName=NACLChangesFilter,metricNamespace=CloudTrailMetrics,metricValue=1

Alarm Creation

# --metric-name and --namespace must match the metric transformation of the
# filter above. A custom namespace is used because the "AWS/" prefix is reserved
# for AWS service metrics. Each matching event contributes metricValue=1, so the
# Sum over a 300-second period is the number of NACL changes in that period and
# a single change (threshold 1) raises the alarm.
aws cloudwatch put-metric-alarm \
  --alarm-name "NACLChangesAlarm" \
  --alarm-description "Network ACL created, deleted or modified" \
  --actions-enabled \
  --alarm-actions "<YOUR_SNS_TOPIC_ARN>" \
  --metric-name "NACLChangesFilter" \
  --namespace "CloudTrailMetrics" \
  --statistic "Sum" \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 1 \
  --comparison-operator "GreaterThanOrEqualToThreshold"
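The two commands above set up a pipeline: CloudTrail record, metric filter, per-period metric datapoint, alarm state. The following Python reproduces that pipeline offline so you can see which events the filter should catch and how the period/threshold/evaluation-periods settings turn matches into an ALARM. This is an added example, not code from the original page or from Cloud Defense; the CloudTrail records are constructed, and the filter and alarm semantics are re-implemented in plain Python rather than called through AWS.

```python
"""Offline walk-through of the NACL-change detection pipeline:
CloudTrail record -> metric filter -> per-period Sum datapoints -> alarm state.
Added example; the log lines are constructed, not real CloudTrail output."""
import json
from collections import Counter
from datetime import datetime, timezone

# Every EC2 API call that changes a NACL, one of its rule entries, or its
# subnet association. A filter naming only Create/DeleteNetworkAcl misses four.
NACL_CHANGE_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAcl", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}

# Constructed CloudTrail records, one JSON object per line, as delivered to the
# CloudWatch Logs log group. The last line is deliberately not JSON.
SAMPLE_LOG_LINES = [
    '{"eventTime": "2024-01-01T12:01:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry"}',
    '{"eventTime": "2024-01-01T12:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls"}',
    '{"eventTime": "2024-01-01T12:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAcl"}',
    '{"eventTime": "2024-01-01T12:04:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"}',
    '{"eventTime": "2024-01-01T12:11:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclAssociation"}',
    'not a json record',
]


def matches_nacl_filter(event):
    """Same logic as the filter pattern: eventSource must be EC2 AND eventName
    must be a NACL-change call. Read-only calls (DescribeNetworkAcls) do not match."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in NACL_CHANGE_EVENTS)


def filter_log_lines(lines):
    """Apply the filter to raw log lines. A JSON metric filter skips lines that
    are not valid JSON, so this does the same."""
    matched = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_nacl_filter(event):
            matched.append(event)
    return matched


def _epoch(event_time):
    return int(datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def metric_datapoints(events, period=300):
    """metricValue=1 per match, aggregated with the Sum statistic into buckets of
    `period` seconds (the alarm's --period). Returns {bucket_start_epoch: sum}."""
    sums = Counter()
    for event in events:
        ts = _epoch(event["eventTime"])
        sums[ts - ts % period] += 1
    return dict(sums)


def alarm_state(datapoints, period=300, threshold=1, evaluation_periods=1):
    """GreaterThanOrEqualToThreshold: ALARM when `evaluation_periods` consecutive
    periods each have Sum >= threshold. Periods without a datapoint count as 0,
    i.e. missing data is treated as not breaching."""
    if not datapoints:
        return "OK"
    start, end = min(datapoints), max(datapoints)
    timeline = [datapoints.get(t, 0) for t in range(start, end + period, period)]
    for i in range(len(timeline) - evaluation_periods + 1):
        if all(v >= threshold for v in timeline[i:i + evaluation_periods]):
            return "ALARM"
    return "OK"


def run_pipeline(lines=SAMPLE_LOG_LINES, **alarm_kwargs):
    """End to end: returns (matched event names, datapoints, alarm state)."""
    events = filter_log_lines(lines)
    points = metric_datapoints(events)
    return [e["eventName"] for e in events], points, alarm_state(points, **alarm_kwargs)


if __name__ == "__main__":
    names, points, state = run_pipeline()
    print("matched:", names)
    print("datapoints:", points)
    print("alarm:", state)
```

Two of the three matches land in the same 300-second bucket, which is why Sum (rather than a per-event count) is the right statistic to compare against the threshold; running `run_pipeline(evaluation_periods=2)` shows the other side of the tuning knob: the two breaching periods are not consecutive, so the alarm stays OK.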

Step-by-Step Guide for Remediation

To remediate any issues related to changes in Network Access Control Lists (NACLs) and ensure compliance with the NIST Cybersecurity Framework (CSF) v1, follow the step-by-step guide below:

  1. Set up AWS CloudTrail:

    • Navigate to the AWS Management Console.
    • Open the AWS CloudTrail service.
    • Create a new trail or ensure an existing trail is active.
    • Configure the trail to capture NACL-related events.

  2. Create a log metric filter:

    • Install and configure the AWS Command Line Interface (CLI) if not already done.
    • Open a terminal or command prompt.
    • Execute the provided code snippet for creating the log metric filter.
    • Replace "<YOUR_CLOUDTRAIL_NAME>" with the actual name of your CloudTrail trail.
    • Verify the successful creation of the log metric filter.

  3. Create an alarm for the log metric filter:

    • Execute the provided code snippet for creating the CloudWatch alarm.
    • Replace "<YOUR_SNS_TOPIC_ARN>" with the ARN of the SNS topic that should receive the alarm notification.
    • Customize other alarm settings if necessary.
    • Confirm the successful creation of the alarm.

  4. Configure notification preferences:

    • Access the CloudWatch console.
    • Open the Alarms section.
    • Locate the newly created alarm ("NACLChangesAlarm").
    • Configure the desired notification preferences, such as email or SMS, for receiving alerts.

  5. Test the rule:

    • Make intentional changes to the Network Access Control Lists (NACLs) within your AWS environment.
    • Monitor the CloudWatch console for the triggered alarm.
    • Validate that proper alerts are sent to the configured notification destinations.

By following these steps, you can ensure the detection and monitoring of any changes made to Network Access Control Lists (NACLs) as required by the NIST Cybersecurity Framework (CSF) v1.
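The check this rule performs can be stated precisely: the CloudTrail log group needs a metric filter whose pattern names every NACL-change event, and an enabled CloudWatch alarm with at least one action must watch that filter's metric. The following Python is an added example of that evaluation, not Cloud Defense's own checker. The pure function `evaluate_rule` works on dicts shaped like the boto3 responses of `logs.describe_metric_filters` and `cloudwatch.describe_alarms_for_metric`, so it runs offline on the constructed sample data; `check_account` is the live variant that pulls the same data with boto3 and needs credentials. The account id and log group name in the sample data are constructed placeholders.

```python
"""Offline-testable evaluation of the rule: covering metric filter + enabled
alarm with an action. Added example; sample filters and alarms are constructed
in the shape boto3 returns them, not pulled from a real account."""
import re

REQUIRED_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAcl", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}

# A two-event pattern (what a minimal filter often looks like) and a full one.
NARROW_PATTERN = ('{ ($.eventSource = ec2.amazonaws.com) && '
                  '($.eventName = CreateNetworkAcl || $.eventName = DeleteNetworkAcl)}')
FULL_PATTERN = ('{ ($.eventSource = ec2.amazonaws.com) && ('
                + ' || '.join(f"($.eventName = {e})" for e in sorted(REQUIRED_EVENTS))
                + ') }')


def _filter(name, pattern, namespace="CloudTrailMetrics"):
    """Constructed metricFilters entry (describe_metric_filters shape)."""
    return {"filterName": name, "filterPattern": pattern,
            "logGroupName": "/aws/cloudtrail/example-trail",
            "metricTransformations": [{"metricName": name,
                                       "metricNamespace": namespace,
                                       "metricValue": "1"}]}


def _alarm(name, enabled=True,
           actions=("arn:aws:sns:us-east-1:123456789012:security-alerts",)):
    """Constructed MetricAlarms entry (describe_alarms_for_metric shape)."""
    return {"AlarmName": name, "ActionsEnabled": enabled, "AlarmActions": list(actions)}


SAMPLE_FILTERS = [_filter("NACLChangesFilter", NARROW_PATTERN),
                  _filter("NACLAllChangesFilter", FULL_PATTERN)]
SAMPLE_ALARMS = {  # keyed by (namespace, metricName)
    ("CloudTrailMetrics", "NACLChangesFilter"): [_alarm("NACLChangesAlarm")],
    ("CloudTrailMetrics", "NACLAllChangesFilter"): [_alarm("NACLAllChangesAlarm")],
}


def events_in_pattern(pattern):
    """eventName values a filter pattern references through equality terms."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?', pattern))


def covering_filters(metric_filters):
    """Filters restricted to EC2 that name every required NACL-change event."""
    return [f for f in metric_filters
            if "ec2.amazonaws.com" in f.get("filterPattern", "")
            and REQUIRED_EVENTS <= events_in_pattern(f.get("filterPattern", ""))]


def evaluate_rule(metric_filters, alarms_by_metric):
    """Returns ("PASS" | "FAIL", reason)."""
    covering = covering_filters(metric_filters)
    if not covering:
        return "FAIL", "no metric filter names every NACL-change event"
    for f in covering:
        for t in f.get("metricTransformations", []):
            key = (t["metricNamespace"], t["metricName"])
            for alarm in alarms_by_metric.get(key, []):
                # An alarm with actions disabled or no action never notifies anyone.
                if alarm.get("ActionsEnabled") and alarm.get("AlarmActions"):
                    return "PASS", f"{f['filterName']} -> {alarm['AlarmName']}"
    return "FAIL", "covering filter found, but no enabled alarm with an action watches its metric"


def check_account(log_group_name, region=None):
    """Live variant: same evaluation over real API data (needs AWS credentials)."""
    import boto3
    logs = boto3.client("logs", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    filters = []
    for page in logs.get_paginator("describe_metric_filters").paginate(logGroupName=log_group_name):
        filters.extend(page["metricFilters"])
    alarms = {}
    for f in filters:
        for t in f.get("metricTransformations", []):
            key = (t["metricNamespace"], t["metricName"])
            alarms[key] = cw.describe_alarms_for_metric(
                MetricName=t["metricName"], Namespace=t["metricNamespace"])["MetricAlarms"]
    return evaluate_rule(filters, alarms)


if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_FILTERS, SAMPLE_ALARMS))
    print(evaluate_rule(SAMPLE_FILTERS[:1], SAMPLE_ALARMS))  # narrow pattern only
```

The three failure modes the troubleshooting section lists (wrong pattern, alarm misconfigured, alarm not acting) correspond to the three FAIL paths: a filter that names too few events, a filter with no alarm on its metric, and an alarm whose actions are disabled or empty.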
