This rule ensures the presence of a log metric filter and alarm for AWS Config configuration changes.
| Rule | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Low |
Rule Description
This rule checks that a log metric filter and an alarm are configured to track AWS Config configuration changes and to notify on any change that is not compliant with the NIST Cybersecurity Framework (CSF) v1. AWS Config assesses, audits, and evaluates the configuration of AWS resources so that their compliance with security standards can be verified.
Troubleshooting Steps
If there are any issues with the log metric filter and alarm for AWS Config configuration changes, follow these troubleshooting steps:
1. Verify AWS Config is enabled: Ensure that AWS Config is enabled in the AWS account where the rule is implemented. If it is not, enable it by following the AWS Config documentation.
2. Check access permissions: Ensure that the IAM user or role used to configure the log metric filter and alarm has the permissions needed to access AWS Config and to create CloudWatch Logs metric filters and alarms. Make sure the required IAM policies are attached.
3. Review the log metric filter: Examine the log metric filter created for AWS Config changes to confirm that it captures the intended configuration changes. Verify that the filter pattern and the metric value it emits match the NIST CSF v1 requirements.
4. Verify the CloudWatch alarm configuration: Validate the CloudWatch alarm associated with the log metric filter. Check that the alarm threshold, period, and actions are set so that the appropriate notifications are triggered.
5. Check CloudWatch Logs: If the log metric filter is not working as expected, review the CloudWatch logs for errors. The logs give detailed information about how the filter was processed and any errors encountered.
6. Test with sample configuration changes: Make sample configuration changes to AWS resources that should trigger the log metric filter and alarm. Ensure that the changes are non-compliant with the NIST CSF v1 requirements, then inspect CloudWatch Logs and verify that the alarm triggers as expected.
Necessary Codes
In this case there are no specific code snippets to provide, as the configuration is done through the AWS Management Console. Note, however, that the necessary configuration can be automated using Infrastructure as Code tools such as AWS CloudFormation or Terraform.
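As an added example (not code from the original page), the check a practitioner would script against the output of `describe-metric-filters` and `describe-alarms` to confirm this control, run here on constructed sample data rather than live API calls. The filter pattern is the standard CIS AWS Foundations Benchmark pattern for AWS Config changes; the filter, metric, alarm names and the SNS topic ARN are assumptions.

```python
import re

# AWS Config API actions that alter recording or delivery; the CIS AWS Foundations
# Benchmark filter for "AWS Config configuration changes" watches exactly these.
CONFIG_CHANGE_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                        "PutDeliveryChannel", "PutConfigurationRecorder"}

def filter_covers_config_changes(pattern):
    """True if a CloudWatch Logs filter pattern selects config.amazonaws.com
    events and names every event in CONFIG_CHANGE_EVENTS."""
    if "$.eventSource" not in pattern or "config.amazonaws.com" not in pattern:
        return False
    named = set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))
    return CONFIG_CHANGE_EVENTS <= named

def alarm_is_actionable(alarm):
    """Alarm must fire on a single matching event and notify someone."""
    return (alarm.get("ComparisonOperator") == "GreaterThanOrEqualToThreshold"
            and alarm.get("Threshold", 0) >= 1
            and bool(alarm.get("AlarmActions")))

def control_passes(metric_filters, alarms):
    """Pair each qualifying filter with an actionable alarm on its metric.
    Inputs use the shapes of describe_metric_filters / describe_alarms."""
    for f in metric_filters:
        if not filter_covers_config_changes(f["filterPattern"]):
            continue
        for t in f["metricTransformations"]:
            for a in alarms:
                if (a["MetricName"] == t["metricName"]
                        and a.get("Namespace") == t["metricNamespace"]
                        and alarm_is_actionable(a)):
                    return True, f"filter {f['filterName']} -> alarm {a['AlarmName']}"
    return False, "no actionable alarm tied to an AWS Config change filter"

# Constructed sample data (names and the SNS ARN are placeholders, not from the page).
SAMPLE_FILTERS = [{
    "filterName": "ConfigChanges",
    "filterPattern": ("{ ($.eventSource = config.amazonaws.com) && "
                      "(($.eventName = StopConfigurationRecorder) || "
                      "($.eventName = DeleteDeliveryChannel) || ($.eventName = "
                      "PutDeliveryChannel) || ($.eventName = PutConfigurationRecorder)) }"),
    "metricTransformations": [{"metricName": "ConfigChangeCount",
                               "metricNamespace": "CISBenchmark"}],
}]
SAMPLE_ALARMS = [{
    "AlarmName": "ConfigChangesAlarm", "MetricName": "ConfigChangeCount",
    "Namespace": "CISBenchmark", "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "Threshold": 1.0, "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]
```

`control_passes(SAMPLE_FILTERS, SAMPLE_ALARMS)` returns `(True, ...)`; an alarm with no actions, or a filter that names only some of the four events, fails the check.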
Step-by-Step Guide
Follow these steps to configure the log metric filter and alarm for AWS Config configuration changes for NIST CSF v1:
1. Log in to the AWS Management Console.
2. Open the AWS Config service console.
3. Ensure that AWS Config is enabled; if it is not, enable it by following the AWS Config documentation.
4. In the AWS Config console, click "Rules" in the left navigation pane.
5. Locate the rule related to NIST CSF v1 configuration changes. If it does not exist, create a new rule based on the NIST CSF v1 requirements.
6. Once you have identified or created the rule, click it to view the rule details.
7. On the rule details page, find the section for configuring the log metric filter and alarm, and click the provided link or button to proceed.
8. You will be redirected to the Amazon CloudWatch console, specifically the log metric filter creation page.
9. During log metric filter creation, define a filter pattern that matches the NIST CSF v1 requirements. This pattern should capture the configuration changes you want to monitor.
10. Configure the log metric filter to stream the filtered logs to a new or existing CloudWatch log group.
11. Once the log metric filter is configured, return to the AWS Config console.
12. Verify that the log metric filter is correctly associated with the configured rule.
13. Now configure the CloudWatch alarm associated with the log metric filter; click the provided link or button to proceed.
14. On the CloudWatch alarm creation page, define the alarm threshold, period, and actions. Ensure that the alarm is configured to trigger notifications on non-compliant NIST CSF v1 configuration changes.
15. Complete the CloudWatch alarm creation process.
16. Return to the AWS Config console and verify that the CloudWatch alarm is correctly associated with the rule.
Congratulations! You have successfully configured the log metric filter and alarm for AWS Config configuration changes for NIST CSF v1. Any subsequent non-compliant configuration changes will trigger the alarm and notify you according to the defined actions.