This rule ensures the presence of a log metric filter and alarm for route table changes

Rule: Ensure a log metric filter and alarm exist for route table changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low
Rule/Policy Description:
The rule requires the presence of a log metric filter and alarm that monitor for and detect any change to a route table, in accordance with the NIST Cybersecurity Framework (CSF) v1. It ensures that modifications to route tables are promptly detected and alerted on, enabling a timely response and investigation.
Troubleshooting Steps:
If the log metric filter and alarm are not present, follow the troubleshooting steps below:
Verify CloudWatch Logs Configuration: Ensure that your VPC is configured to send logs to CloudWatch Logs. If it is not, enable VPC Flow Logs and have them created and delivered to a CloudWatch Logs log group.
Create a Log Metric Filter: Use the AWS Management Console or AWS CLI to create a log metric filter that captures the relevant events for route table changes. Specify the necessary filter patterns that match the route table modification events, such as creating, modifying, or deleting routes. The filter should be associated with the appropriate CloudWatch Log Group.
Create an Alarm: Configure a CloudWatch Alarm to monitor the log metric filter. Set the alarm threshold to trigger when a specific number of route table change events occur within a defined time period. Customize the threshold values based on your environment and monitoring requirements.
Test the Monitoring Setup: Validate the monitoring setup by deliberately making a change to a route table and verifying that the log metric filter triggers the alarm. Watch the CloudWatch Alarm dashboard or the notifications delivered via SNS (Simple Notification Service) to confirm that the alarm is working correctly.
Necessary Codes (if applicable):
This section provides the commands needed to achieve compliance with the rule. Since NIST CSF does not provide specific code snippets, you need to implement the following steps manually, through the AWS Management Console, or with the AWS CLI commands below:

# Metric filter on the log group that receives CloudTrail events. The pattern lists the
# EC2 API actions CloudTrail records for route table changes (the original page used
# "ModifyRoute", which is not an EC2 API action and would never match).
aws logs put-metric-filter \
  --log-group-name <log-group-name> \
  --filter-name "RouteTableChanges" \
  --filter-pattern "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" \
  --metric-transformations \
    metricName=RouteTableChanges,metricNamespace="CloudTrailMetrics",metricValue=1

# Alarm on the metric the filter emits; it notifies the given SNS topic.
aws cloudwatch put-metric-alarm \
  --alarm-name "RouteTableChangesAlarm" \
  --alarm-description "Detects route table changes" \
  --metric-name RouteTableChanges \
  --namespace CloudTrailMetrics \
  --statistic Sum \
  --period <desired-period> \
  --evaluation-periods <desired-evaluation-periods> \
  --comparison-operator GreaterThanThreshold \
  --threshold <desired-threshold> \
  --alarm-actions <ARN-of-SNS-topic>
Note: Replace <log-group-name> with the appropriate CloudWatch Log Group name, and configure the alarm parameters according to your desired values for <desired-period>, <desired-evaluation-periods>, <desired-threshold>, and <ARN-of-SNS-topic>.

Step-by-Step Guide for Remediation:
Follow the steps below to remediate the rule violation:
Configure CloudWatch Logs: Enable logging for VPC Flow Logs if not already enabled. Ensure that the logs are delivered to CloudWatch Logs.
Create a Log Metric Filter: Using the AWS Management Console or AWS CLI, create a log metric filter to capture route table change events. Specify the filter patterns matching create, modify, or delete route events. Associate the filter with the appropriate CloudWatch Log Group.
Create an Alarm: Configure a CloudWatch Alarm to monitor the log metric filter. Set the alarm threshold to trigger when a certain number of route table change events occur within a defined time period.
Test Monitoring Setup: Validate the monitoring setup by making a deliberate change to a route table and verifying that the log metric filter triggers the alarm. Watch the CloudWatch Alarm dashboard or the delivered notifications to confirm the alarm's functionality.
By following these steps, you will successfully remediate the missing log metric filter and alarm for route table changes as required by the NIST CSF v1.
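The following Python script is an added example; it is not part of the original rule page or of the tool's own code. It implements the check that this rule performs for both the troubleshooting steps and the remediation steps above, plus a dry run of the "test the monitoring setup" step, working over the response shapes returned by "aws logs describe-metric-filters" and "aws cloudwatch describe-alarms". It runs on constructed sample data (the SNS ARN and account id are placeholders), and fetch_live() shows the assumed boto3 calls for a real account. One caveat the page's own commands imply: the filter pattern keys on CloudTrail's eventName field, so the log group being checked must be one that receives CloudTrail events.

```python
"""Audit helper for the rule "a log metric filter and alarm exist for route table changes".

Added example, not part of the original rule page. Evaluates the data shapes that
describe-metric-filters / describe-alarms return so the logic runs offline on samples;
fetch_live() shows the boto3 calls for a real account (assumes boto3 and credentials).
"""
import re

# CloudTrail management events that change VPC routing (the CIS AWS Foundations
# Benchmark set for route table changes); a compliant filter must match all of them.
REQUIRED_EVENT_NAMES = frozenset({
    "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
    "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable",
})

# Matches clauses of the form ($.eventName = CreateRoute) inside a filter pattern.
_EVENT_CLAUSE = re.compile(r"\$\.eventName\s*=\s*\"?([A-Za-z]+)\"?")


def event_names_in_pattern(filter_pattern: str) -> frozenset:
    """Return the eventName values a metric filter pattern matches on."""
    return frozenset(_EVENT_CLAUSE.findall(filter_pattern))


def pattern_covers_route_table_changes(filter_pattern: str) -> bool:
    """True if the pattern names every required route table change event."""
    return REQUIRED_EVENT_NAMES <= event_names_in_pattern(filter_pattern)


def evaluate_rule(metric_filters: list, alarms: list) -> dict:
    """Decide compliance from describe-metric-filters / describe-alarms results.

    Passes only if some filter covers every required event name AND an alarm
    watches that filter's metric with at least one enabled alarm action.
    """
    findings = []
    covering = set()  # (namespace, metricName) pairs emitted by a covering filter
    for f in metric_filters:
        if pattern_covers_route_table_changes(f.get("filterPattern", "")):
            for t in f.get("metricTransformations", []):
                covering.add((t["metricNamespace"], t["metricName"]))
    if not covering:
        findings.append("no metric filter covers all route table change event names")
    alarm_ok = False
    for a in alarms:
        if (a.get("Namespace"), a.get("MetricName")) not in covering:
            continue
        if not a.get("AlarmActions"):
            findings.append(f"alarm {a.get('AlarmName')} has no alarm action (nobody is notified)")
        elif not a.get("ActionsEnabled", True):
            findings.append(f"alarm {a.get('AlarmName')} has actions disabled")
        else:
            alarm_ok = True
    if covering and not alarm_ok:
        findings.append("no enabled alarm with an action watches the route table change metric")
    return {"compliant": bool(covering) and alarm_ok, "findings": findings}


def would_trigger(filter_pattern: str, cloudtrail_event: dict) -> bool:
    """Dry run of the 'test the monitoring setup' step: would this CloudTrail record
    increment the metric? Handles only the eventName-equality pattern form."""
    return cloudtrail_event.get("eventName") in event_names_in_pattern(filter_pattern)


def fetch_live(log_group_name: str, region: str = "us-east-1") -> dict:
    """Run the same check against a real account (first page of results only)."""
    import boto3  # assumed installed; credentials come from the usual boto3 chain
    logs = boto3.client("logs", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    filters = logs.describe_metric_filters(logGroupName=log_group_name)["metricFilters"]
    alarms = cw.describe_alarms()["MetricAlarms"]
    return evaluate_rule(filters, alarms)


# --- Constructed samples (not real account data) -------------------------------
WEAK_PATTERN = "{ ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) }"
GOOD_PATTERN = ("{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || "
                "($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || "
                "($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || "
                "($.eventName = DisassociateRouteTable) }")
_TRANSFORM = [{"metricName": "RouteTableChanges", "metricNamespace": "CloudTrailMetrics",
               "metricValue": "1"}]
WEAK_FILTERS = [{"filterName": "RouteTableChanges", "filterPattern": WEAK_PATTERN,
                 "metricTransformations": _TRANSFORM}]
GOOD_FILTERS = [{"filterName": "RouteTableChanges", "filterPattern": GOOD_PATTERN,
                 "metricTransformations": _TRANSFORM}]
_ALARM = {"AlarmName": "RouteTableChangesAlarm", "Namespace": "CloudTrailMetrics",
          "MetricName": "RouteTableChanges", "ActionsEnabled": True}
ALARM_NO_ACTION = [dict(_ALARM, AlarmActions=[])]
ALARM_OK = [dict(_ALARM, AlarmActions=["arn:aws:sns:us-east-1:111122223333:security-alerts"])]
# A constructed CloudTrail record for a route being replaced (fields trimmed).
SAMPLE_EVENT = {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute",
                "requestParameters": {"routeTableId": "rtb-0example", "destinationCidrBlock": "0.0.0.0/0"}}

if __name__ == "__main__":
    print("weak filter + good alarm:", evaluate_rule(WEAK_FILTERS, ALARM_OK))
    print("good filter + alarm without action:", evaluate_rule(GOOD_FILTERS, ALARM_NO_ACTION))
    print("good filter + good alarm:", evaluate_rule(GOOD_FILTERS, ALARM_OK))
    print("ReplaceRoute caught by weak pattern?", would_trigger(WEAK_PATTERN, SAMPLE_EVENT))
```

The two failure modes the samples exercise are the ones that most often leave this rule silently unmet: a filter pattern that names only some of the route-changing API actions (a ReplaceRoute never increments the metric), and an alarm that exists but has no action attached, so it changes state without anyone being told.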