Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Ensure a Log Metric Filter and Alarm Exist for Changes to Network Gateways Rule

This rule ensures the presence of a log metric filter and alarm for any changes made to network gateways.

RuleEnsure a log metric filter and alarm exist for changes to network gateways
FrameworkNIST Cybersecurity Framework (CSF) v1.1
Severity
Low

Rule Description:

The rule ensures that a log metric filter and alarm are set up to monitor and detect any changes made to network gateways in compliance with the NIST Cybersecurity Framework (CSF) version 1.

Troubleshooting Steps:

  1. 1.

    Verify IAM Permissions: Ensure that the user or role has the necessary permissions to create log metric filters and alarms in the AWS environment.

  2. 2.

    Confirm Active CSF Version: Ensure that the current version of the NIST Cybersecurity Framework being followed is version 1.

  3. 3.

    Check Existing Log Metric Filters and Alarms: Validate if any log metric filters and alarms for network gateways already exist to avoid duplication or conflict.

  4. 4.

    Review CloudTrail: Analyze the CloudTrail logs to determine if network gateway changes are being recorded properly. If not, investigate and resolve any CloudTrail configuration issues.

CloudFormation Template:

Below is an example CloudFormation template to set up a log metric filter and alarm for changes to AWS network gateways.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  NetworkGatewayMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroup
      MetricTransformations:
        - MetricName: NetworkGatewayChanges
          MetricNamespace: AWS/NetworkGateway
          MetricValue: '1'
      FilterPattern: >
        { ($.eventName = CreateVpnGateway) ||
          ($.eventName = DeleteVpnGateway) ||
          ($.eventName = AttachInternetGateway) ||
          ($.eventName = DetachInternetGateway) ||
          ($.eventName = CreateNatGateway) ||
          ($.eventName = DeleteNatGateway) ||
          ($.eventName = CreateCustomerGateway) ||
          ($.eventName = DeleteCustomerGateway) ||
          ($.eventName = CreateVpcPeeringConnection) ||
          ($.eventName = DeleteVpcPeeringConnection) ||
          ($.eventName = CreateRoute) ||
          ($.eventName = DeleteRoute) }
  NetworkGatewayAlarm:
    Type: "AWS::CloudWatch::Alarm"
    Properties:
      AlarmName: NetworkGatewayChangesAlarm
      AlarmDescription: Alert for changes to network gateways
      MetricName: NetworkGatewayChanges
      Namespace: AWS/NetworkGateway
      Statistic: SampleCount
      Period: '300'
      EvaluationPeriods: '1'
      Threshold: '1'
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/management/network-gateway-events

Remediation Steps:

  1. 1.

    Open the AWS CloudFormation Management Console.

  2. 2.

    Choose "Create Stack" and select "Template is ready" option.

  3. 3.

    Upload the CloudFormation template provided above or copy the template code into the editor.

  4. 4.

    Select an appropriate stack name and provide any necessary parameters or tags.

  5. 5.

    Click on "Next" and proceed to the next steps.

  6. 6.

    Review the stack configuration and click on "Create stack" to initiate the creation process.

  7. 7.

    Wait for the stack creation to complete.

  8. 8.

    Once the stack creation is successful, the log metric filter and alarm for changes to network gateways will be in place.

  9. 9.

    Monitor the CloudWatch alarms for any alerts regarding network gateway changes.

Verification:

To verify if the log metric filter and alarm are working correctly:

  1. 1.

    Go to the AWS CloudWatch dashboard.

  2. 2.

    Navigate to the "Alarms" section.

  3. 3.

    Locate the "NetworkGatewayChangesAlarm" alarm.

  4. 4.

    Confirm that the alarm state is set to OK and there are no recent breaching or insufficient data states.

  5. 5.

    If network gateway changes are made, the alarm state should change accordingly.

  6. 6.

    Additionally, you can check the CloudWatch logs for the log group '/aws/management/network-gateway-events' to view the specific events related to network gateway changes.

Note:

This CloudFormation template and remediation steps will help you set up a comprehensive monitoring solution for network gateway changes aligned with the NIST Cybersecurity Framework (CSF) version 1. You can customize the template and alarm settings as per your requirements and organizational standards.

Is your System Free of Underlying Vulnerabilities?
Find Out Now