Rule: Ensure a log metric filter and alarm exist for CloudTrail configuration changes

This rule ensures a log metric filter and alarm exist for CloudTrail configuration changes.

Rule: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes as defined by the NIST Cybersecurity Framework (CSF) v1. CloudTrail is an AWS service that logs and monitors API activity within an AWS account. By configuring a log metric filter and alarm for CloudTrail configuration changes, organizations are alerted to any modification of their CloudTrail settings (for example, a trail being altered or logging being stopped), which helps them identify and respond to potential security threats in a timely manner.

Troubleshooting Steps

1. Verify CloudTrail Configuration

Ensure that CloudTrail is properly configured in your AWS account. Confirm that it is enabled for all regions and that the logs are stored in an S3 bucket.

2. Check IAM Permissions

Ensure that the IAM user or role used to configure the log metric filter and alarm has the necessary permissions. The user or role should have the "CloudTrailFullAccess" policy or at least the required permissions to create and manage log metric filters and alarms.

3. Check CloudWatch Logs

Verify that the CloudTrail logs are flowing into the CloudWatch Logs service. Check the CloudWatch Logs console to ensure that the logs are being received and stored correctly.

4. Review Log Metric Filter Configuration

Review the log metric filter configuration to ensure it is correctly set up to capture CloudTrail configuration changes. Make sure the filter pattern is properly defined and matches the expected events related to CloudTrail configuration modifications.

5. Verify Alarm Threshold and Actions

Check the alarm configuration to ensure that the threshold for triggering the alarm is set appropriately. Also, verify that the actions tied to the alarm are defined correctly, such as sending notifications to relevant stakeholders or triggering automated response mechanisms.

Necessary Code

To implement the log metric filter and alarm for CloudTrail configuration changes, you can use the AWS Command Line Interface (CLI) or AWS CloudFormation. Here's an example that demonstrates the CLI commands required. Placeholders are quoted so the shell does not treat the angle brackets as redirections; metricValue (required by put-metric-filter) and --statistic/--period (required by put-metric-alarm for a single-metric alarm) were missing from the original commands and have been added:

# Create a log metric filter for CloudTrail configuration changes
# (every matching log event increments the metric by 1)
aws logs put-metric-filter \
  --log-group-name '<log-group-name>' \
  --filter-name CloudTrailConfigChanges \
  --filter-pattern '<filter-pattern>' \
  --metric-transformations metricName=CloudTrailConfigChanges,metricNamespace=CSFv1,metricValue=1 \
  --region '<region>'

# Create an alarm on the metric: sum the matches over a 5-minute period and
# alarm as soon as the threshold is reached in a single evaluation period
aws cloudwatch put-metric-alarm \
  --alarm-name CloudTrailConfigChangesAlarm \
  --metric-name CloudTrailConfigChanges \
  --namespace CSFv1 \
  --statistic Sum \
  --period 300 \
  --evaluation-periods 1 \
  --threshold '<threshold-value>' \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --alarm-actions '<actions>' \
  --alarm-description "Alarm for CloudTrail configuration changes" \
  --region '<region>'

Replace the placeholders (<log-group-name>, <filter-pattern>, <region>, <threshold-value>, <actions>) with the actual values specific to your environment.

Step-by-Step Guide for Remediation

Follow these steps to implement the log metric filter and alarm for CloudTrail configuration changes:

  1. Open the AWS Management Console and navigate to the CloudWatch service.
  2. Go to the CloudWatch Logs console.
  3. Create a new or select an existing log group where CloudTrail logs are stored.
  4. Click on the "Actions" button and select "Create Metric Filter".
  5. Specify a filter pattern that captures CloudTrail configuration changes. For example, you can use the following pattern: {($.eventSource = "cloudtrail.amazonaws.com" && $.eventName = "UpdateTrail")}.
  6. Define the name for the metric filter (e.g., "CloudTrailConfigChanges").
  7. Configure metric transformations by providing the metric name ("CloudTrailConfigChanges") and the namespace ("CSFv1").
  8. Save the metric filter configuration.
  9. Go to the CloudWatch service dashboard.
  10. Click on "Alarms" in the left-hand menu.
  11. Select "Create alarm" and choose the metric filter you created earlier ("CloudTrailConfigChanges").
  12. Set the threshold value that defines when the alarm should trigger, based on your organization's specific requirements.
  13. Configure the alarm actions, such as sending notifications or triggering automated responses.
  14. Save the alarm configuration.
  15. Test the setup by making changes to your CloudTrail configuration and ensuring that the alarm is triggered and notifications are received as expected.

By following these steps, you will successfully implement the log metric filter and alarm for CloudTrail configuration changes based on the NIST Cybersecurity Framework (CSF) v1.
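The filter pattern quoted in step 5 only tests for UpdateTrail, so a trail being deleted or its logging being stopped would never reach the alarm. The following added example (not code from this page or its vendor) checks which trail-changing events a given filter pattern covers and runs constructed CloudTrail records through the page's pattern and a broader one. The REQUIRED_EVENTS set is the CIS AWS Foundations Benchmark recommendation and is an assumption of this example; would_match only approximates CloudWatch matching for patterns of these two shapes.

```python
import json
import re

# Trail-changing management events. This set follows the CIS AWS Foundations
# Benchmark recommendation (an assumption of this example, not stated on the page).
REQUIRED_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                   "StartLogging", "StopLogging"}

# The single-event pattern quoted in the page's step 5.
PAGE_PATTERN = '{($.eventSource = "cloudtrail.amazonaws.com" && $.eventName = "UpdateTrail")}'

# Broader pattern covering every event in REQUIRED_EVENTS.
FULL_PATTERN = ("{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
                "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
                "($.eventName = StopLogging) }")

def event_names_in_pattern(pattern):
    """Return the eventName values a filter pattern tests for (quoted or bare)."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', pattern))

def missing_events(pattern):
    """Events a trail-change filter should cover but this pattern does not."""
    return REQUIRED_EVENTS - event_names_in_pattern(pattern)

def would_match(pattern, event):
    """Approximate CloudWatch matching for patterns shaped like the two above:
    the record's eventName must be one the pattern tests, and if the pattern
    also pins eventSource, the record's eventSource must agree."""
    names = event_names_in_pattern(pattern)
    sources = set(re.findall(r'\$\.eventSource\s*=\s*"?([a-z.]+)"?', pattern))
    return (event.get("eventName") in names
            and (not sources or event.get("eventSource") in sources))

# Constructed CloudTrail records, trimmed to the fields the filter inspects.
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail"}',
    '{"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"}',
    '{"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail"}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}',
)]

def matched_names(pattern, events=SAMPLE_EVENTS):
    """eventNames from the sample records that the pattern would count."""
    return sorted(e["eventName"] for e in events if would_match(pattern, e))

if __name__ == "__main__":
    for label, pattern in (("page", PAGE_PATTERN), ("full", FULL_PATTERN)):
        print(label, "missing:", sorted(missing_events(pattern)),
              "matches:", matched_names(pattern))
```

Run the same check against the pattern of an existing filter (aws logs describe-metric-filters) before trusting the alarm to cover all trail changes.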
