
Ensure a Log Metric Filter and Alarm Exist for VPC Changes

This rule ensures the existence of a log metric filter and alarm for VPC changes.

Rule: Ensure a log metric filter and alarm exist for VPC changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

The rule checks that CloudTrail events are delivered to a CloudWatch Logs log group, that a metric filter on that log group matches the API calls which change a Virtual Private Cloud (VPC), and that a CloudWatch alarm on the resulting metric notifies someone when such a call is logged. Unexpected VPC creation, deletion, attribute changes or peering connections are a common way for an attacker or a misconfiguration to open a path into or out of a network, so these events should reach a human or an automated responder within minutes rather than surface in a later audit. The control supports the detection and continuous-monitoring expectations of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 1.1.

Troubleshooting Steps:

If the log metric filter or alarm for VPC changes is not behaving as expected, work through the chain in this order:

  1. Check IAM permissions: the IAM user or role you are using must be allowed to create and manage CloudWatch Logs metric filters, CloudWatch alarms and the SNS topic the alarm publishes to (for example logs:PutMetricFilter, cloudwatch:PutMetricAlarm and sns:Subscribe).

  2. Verify the log group: the metric filter must be attached to the log group that CloudTrail delivers to, not to a newly created, empty log group. In the CloudTrail console, open the trail and confirm that it is logging, that it covers all regions, and that CloudWatch Logs delivery is enabled; note the log group name shown there.

  3. Check the metric filter: in the CloudWatch console, open that log group and confirm that a metric filter exists whose pattern names the VPC API calls you care about. A pattern that matches only CreateVpc and DeleteVpc will miss ModifyVpcAttribute and VPC peering changes; the CIS AWS Foundations Benchmark pattern for this control lists the full set.

  4. Review the alarm: the alarm must be on the metric the filter emits (same namespace and metric name), use the Sum statistic with a threshold of 1 or more, and have an SNS topic as its action. The topic needs at least one confirmed subscription, otherwise the alarm changes state and nobody hears about it.

  5. Test the filter: make a harmless VPC change (for example a ModifyVpcAttribute call toggling DNS hostnames on a test VPC) and confirm, in the log group, that the CloudTrail record arrives and that "Test pattern" matches it. A metric filter does not forward events anywhere; it increments the metric it is assigned to.

  6. Test the alarm: after the test change, check that the metric gains a data point, that the alarm transitions to ALARM within the evaluation period, and that the SNS notification (or automated remediation) is actually received.
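The filter-pattern checks in the steps above are easier to reason about by replaying sample records through the pattern. The block below is an added example, not code from this page or from CloudDefense: it feeds constructed CloudTrail records through a deliberately simplified matcher (it extracts only the eventName and eventSource literals from the pattern, not the full CloudWatch Logs filter grammar). PAGE_PATTERN is the page's own example with every comparison parenthesised, CIS_PATTERN is the VPC-change pattern from the CIS AWS Foundations Benchmark, and the function names and sample records are mine.

```python
"""Replay constructed CloudTrail records through a VPC-change filter pattern
to see what the metric filter would actually count. The matcher here is a
simplification of the CloudWatch Logs filter grammar: it pulls the eventName
literals out of the pattern and, if the pattern pins an eventSource, requires
that too. No wildcards, numeric comparisons or NOT are supported.
"""
import json
import re

# The page's two-event pattern and the fuller pattern from the CIS AWS
# Foundations Benchmark, as they would be typed into the console.
PAGE_PATTERN = ("{ ($.eventSource = ec2.amazonaws.com) && "
                "(($.eventName = CreateVpc) || ($.eventName = DeleteVpc)) }")
CIS_PATTERN = ("{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || "
               "($.eventName = ModifyVpcAttribute) || "
               "($.eventName = AcceptVpcPeeringConnection) || "
               "($.eventName = CreateVpcPeeringConnection) || "
               "($.eventName = DeleteVpcPeeringConnection) || "
               "($.eventName = RejectVpcPeeringConnection) || "
               "($.eventName = AttachClassicLinkVpc) || "
               "($.eventName = DetachClassicLinkVpc) || "
               "($.eventName = DisableVpcClassicLink) || "
               "($.eventName = EnableVpcClassicLink) }")

# Constructed CloudTrail records (not real log data), one JSON object per
# line, which is how CloudTrail writes them into the CloudWatch Logs group.
SAMPLE_LOG = "\n".join([
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ModifyVpcAttribute",
                "requestParameters": {"enableDnsHostnames": {"value": True}}}),
    json.dumps({"eventSource": "ec2.amazonaws.com",
                "eventName": "CreateVpcPeeringConnection"}),
    json.dumps({"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVpc"}),
])


def parse_pattern(pattern):
    """Return (set of eventName literals, eventSource literal or None)."""
    names = set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)', pattern))
    source = re.search(r'\$\.eventSource\s*=\s*"?([a-z0-9.\-]+)', pattern)
    return names, (source.group(1) if source else None)


def matches(pattern, record):
    """True if the simplified matcher says the filter would count this record."""
    names, source = parse_pattern(pattern)
    if source and record.get("eventSource") != source:
        return False
    return record.get("eventName") in names


def _records(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def count_matches(pattern, log_text):
    """Metric value the filter emits for this batch: 1 per matching record."""
    return sum(1 for r in _records(log_text) if matches(pattern, r))


def missed_by(narrow, broad, log_text):
    """Event names the broad pattern counts but the narrow one silently drops."""
    return sorted(r["eventName"] for r in _records(log_text)
                  if matches(broad, r) and not matches(narrow, r))


if __name__ == "__main__":
    print("page pattern counts:", count_matches(PAGE_PATTERN, SAMPLE_LOG))
    print("CIS pattern counts: ", count_matches(CIS_PATTERN, SAMPLE_LOG))
    print("missed by page pattern:", missed_by(PAGE_PATTERN, CIS_PATTERN, SAMPLE_LOG))
```

Running it shows the page's pattern counting 2 of the 6 constructed records and the CIS pattern counting 4; the attribute change and the peering connection are the ones the narrow pattern never raises an alarm for.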

Necessary Codes:

This rule has no code of its own; the remediation below uses the CloudWatch console. The same resources can be created with the AWS CLI (aws logs put-metric-filter, aws cloudwatch put-metric-alarm, aws sns create-topic and aws sns subscribe) or any AWS SDK, and verified afterwards with aws logs describe-metric-filters and aws cloudwatch describe-alarms.

Step-by-Step Guide for Remediation:

Follow these steps to set up a log metric filter and alarm for VPC changes:

  1. Make sure CloudTrail is feeding CloudWatch Logs. Open the CloudTrail console, select the trail (it should be a multi-region trail with logging enabled) and check the CloudWatch Logs section. If no log group is configured, edit the trail, enable CloudWatch Logs delivery and let CloudTrail create (or choose) the log group and the IAM role it writes with. Note the log group name, for example "CloudTrail/DefaultLogGroup". Do not create a separate, empty log group for this rule: a metric filter only sees records written to the group it is attached to, and nothing writes VPC API calls to a group CloudTrail does not deliver to.

  2. Open the AWS Management Console, navigate to the CloudWatch service and select "Logs", then "Log groups", from the left-hand menu.

  3. Select the CloudTrail log group from step 1 and choose "Create metric filter" from the "Actions" drop-down menu.

  4. In the "Create metric filter" wizard, define the filter pattern. The pattern must match the CloudTrail records for VPC configuration changes. The minimal example used by this rule text is:
     { ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateVpc) || ($.eventName = DeleteVpc)) }

     This captures only VPC creation and deletion. For production use extend it with ModifyVpcAttribute and the Accept/Create/Delete/RejectVpcPeeringConnection calls, which is the set the CIS AWS Foundations Benchmark pattern for this control lists; adjust further to your own logging requirements.

     • Click "Test pattern" against a sample CloudTrail record from the log group to verify the match, and adjust the pattern if necessary.
     • Click "Next".

  5. On the "Assign metric" page:

     • Give the filter a name, such as "VPCChanges".
     • Choose a metric namespace and metric name for the filtered events, for example "Custom/VPC" and "VPCChanges".
     • Leave the metric value at 1 so that each matching record adds one to the metric.
     • Click "Next", review the settings and click "Create metric filter".

  6. With the log metric filter in place, create the alarm that fires when VPC changes occur. In the CloudWatch console, select "Alarms" from the left-hand menu and click "Create alarm".

     • Click "Select metric", choose the "Custom/VPC" namespace and select the "VPCChanges" metric created in the previous step.
     • Set the statistic to Sum and the period to 5 minutes (1 minute also works if you want faster notification), then set the condition to "Greater/Equal" than 1 for 1 out of 1 datapoints. Use Sum, not Average, so the alarm counts events per period. Under "Additional configuration", treat missing data as "not breaching", since most periods contain no VPC change at all.
     • Under "Notification", select or create an SNS topic and make sure it has at least one confirmed subscription (for example the security team's e-mail address or a ticketing endpoint). Automated remediation actions can be added alongside the notification.
     • Provide a meaningful name and description, for example "VPCChangesAlarm", and click "Create alarm".

  7. Test the setup by making a harmless VPC change, such as modifying a DNS attribute on a test VPC. Confirm that the CloudTrail record appears in the log group, that the "VPCChanges" metric gains a data point, that the alarm enters the ALARM state and that the notification is delivered.
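Once the chain is built, the same links can be checked from the API instead of by clicking through the console. The block below is an added example and not CloudDefense's scanner logic or code from the page: it audits constructed dicts shaped like the JSON that aws cloudtrail describe-trails, aws cloudtrail get-trail-status, aws logs describe-metric-filters, aws cloudwatch describe-alarms and aws sns list-subscriptions-by-topic return, so it runs without credentials (fetching the real responses is left to the caller). The function names, REQUIRED_EVENTS, and every account number, ARN and resource name are my own assumptions.

```python
"""Offline audit of the VPC-change chain: trail -> log group -> metric filter
-> alarm -> SNS subscriber. Inputs are constructed to mirror AWS API
responses; all names and ARNs are made up for the example.
"""

# API calls a VPC-change filter must name; the page's pattern covers only
# the first two (the CIS benchmark pattern also adds the ClassicLink calls).
REQUIRED_EVENTS = ("CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
                   "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
                   "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection")


def log_group_from_arn(arn):
    """arn:aws:logs:REGION:ACCOUNT:log-group:NAME:* -> NAME (names contain no ':')."""
    return arn.split(":")[6]


def audit(trails, trail_status, metric_filters, alarms, subscriptions):
    """Return a list of findings; an empty list means the rule is satisfied.
    trails = describe-trails trailList; trail_status = {TrailARN: get-trail-status};
    metric_filters = describe-metric-filters metricFilters; alarms = describe-alarms
    MetricAlarms; subscriptions = {TopicArn: list-subscriptions-by-topic Subscriptions}.
    """
    findings = []
    # 1. Only a logging, multi-region trail that streams to CloudWatch Logs
    #    can feed the filter; a fresh, empty log group cannot.
    groups = set()
    for t in trails:
        logging = trail_status.get(t["TrailARN"], {}).get("IsLogging")
        if t.get("IsMultiRegionTrail") and t.get("CloudWatchLogsLogGroupArn") and logging:
            groups.add(log_group_from_arn(t["CloudWatchLogsLogGroupArn"]))
    if not groups:
        return ["no multi-region trail that is logging to a CloudWatch Logs group"]
    # 2. A metric filter on that group whose pattern names every VPC call.
    metrics = set()
    for f in metric_filters:
        if f["logGroupName"] not in groups:
            continue
        missing = [e for e in REQUIRED_EVENTS if e not in f["filterPattern"]]
        if missing:
            findings.append(f"filter {f['filterName']} does not match {missing}")
            continue
        for m in f["metricTransformations"]:
            metrics.add((m["metricNamespace"], m["metricName"]))
    if not metrics:
        findings.append("no metric filter on the CloudTrail log group covers VPC changes")
        return findings
    # 3. An alarm on that metric that fires on >= 1 event per period and
    #    publishes to an SNS topic with at least one confirmed subscriber.
    wired = False
    for a in alarms:
        if (a.get("Namespace"), a.get("MetricName")) not in metrics:
            continue
        if (a.get("Statistic") != "Sum" or a.get("Threshold", 0) < 1
                or a.get("ComparisonOperator") != "GreaterThanOrEqualToThreshold"):
            findings.append(f"alarm {a['AlarmName']} must use Sum, >= 1 per period")
            continue
        topics = [x for x in a.get("AlarmActions", []) if x.startswith("arn:aws:sns:")]
        if not topics:
            findings.append(f"alarm {a['AlarmName']} has no SNS action")
            continue
        confirmed = [s for x in topics for s in subscriptions.get(x, [])
                     if s.get("SubscriptionArn") != "PendingConfirmation"]
        if not confirmed:
            findings.append(f"alarm {a['AlarmName']}: SNS topic has no confirmed subscriber")
            continue
        wired = True
    if not wired:
        findings.append("no alarm delivers VPC-change events to a subscriber")
    return findings


# Constructed inputs describing a compliant account (made-up identifiers).
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"
TRAILS = [{"TrailARN": TRAIL_ARN, "IsMultiRegionTrail": True,
           "CloudWatchLogsLogGroupArn":
           "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"}]
TRAIL_STATUS = {TRAIL_ARN: {"IsLogging": True}}
GOOD_FILTER = {
    "filterName": "VPCChanges", "logGroupName": "CloudTrail/DefaultLogGroup",
    "filterPattern": "{ " + " || ".join(f"($.eventName = {e})" for e in REQUIRED_EVENTS) + " }",
    "metricTransformations": [{"metricName": "VPCChanges",
                               "metricNamespace": "Custom/VPC", "metricValue": "1"}]}
# The page's two-event pattern on the same log group, for comparison.
PAGE_FILTER = dict(GOOD_FILTER, filterPattern="{ ($.eventSource = ec2.amazonaws.com) && "
                   "(($.eventName = CreateVpc) || ($.eventName = DeleteVpc)) }")
GOOD_ALARM = {"AlarmName": "VPCChangesAlarm", "Namespace": "Custom/VPC",
              "MetricName": "VPCChanges", "Statistic": "Sum", "Period": 300,
              "Threshold": 1.0, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
              "AlarmActions": [TOPIC_ARN]}
SUBSCRIPTIONS = {TOPIC_ARN: [{"SubscriptionArn": TOPIC_ARN + ":4f1c2a0e-0000-4000-8000-000000000001",
                             "Protocol": "email", "Endpoint": "secops@example.com"}]}

if __name__ == "__main__":
    print("compliant:", audit(TRAILS, TRAIL_STATUS, [GOOD_FILTER], [GOOD_ALARM], SUBSCRIPTIONS))
    print("page pattern:", audit(TRAILS, TRAIL_STATUS, [PAGE_FILTER], [GOOD_ALARM], SUBSCRIPTIONS))
    print("no SNS action:", audit(TRAILS, TRAIL_STATUS, [GOOD_FILTER],
                                  [dict(GOOD_ALARM, AlarmActions=[])], SUBSCRIPTIONS))
```

The order of the checks is deliberate: a broken link early in the chain (no trail delivering to the log group) makes every later check meaningless, so the audit stops there and reports that single cause rather than a cascade of secondary findings.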

By following these steps, you will have a log metric filter and alarm that monitor VPC changes, as required by the NIST Cybersecurity Framework (CSF) version 1.1. Keep in mind that the alarm is only as good as the log group behind it: if CloudTrail stops delivering to CloudWatch Logs, the metric simply stops receiving data points and the alarm goes quiet, so changes to the trail itself deserve the same monitoring.
