
Rule: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

This rule ensures that a log metric filter and alarm exist for the disabling or scheduled deletion of customer managed keys.

Rule: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

The rule ensures that a log metric filter and alarm are in place to detect, and send a notification on, any disabling or scheduled deletion of customer managed keys, in accordance with the NIST Cybersecurity Framework (CSF) v1.

Troubleshooting Steps

  1. Verify AWS CloudTrail is enabled: Ensure that AWS CloudTrail is enabled in your AWS account. This service captures API activity and can be used for logging and auditing purposes.
  2. Verify the NIST CSF v1 configuration: Check if your organization follows the NIST CSF v1 for managing customer managed keys and that it includes provisions for disabling or scheduled deletion of these keys. Ensure that the relevant policies are in place.
  3. Check IAM permissions: Ensure that the IAM user or role used to create the log metric filter and alarm has appropriate permissions to access and modify CloudWatch Logs and CloudWatch Alarms.
  4. Review CloudWatch Logs: Examine the CloudWatch Logs to see if any relevant log entries are present. Look for events related to disabling or scheduled deletion of customer managed keys.
  5. Check CloudWatch metric filters: Verify that the CloudWatch metric filter has been created correctly and is filtering the desired log events.
  6. Validate CloudWatch alarm configuration: Confirm that the CloudWatch alarm is properly configured to trigger based on the desired metric filter. Review the conditions, threshold, and notification settings.

Necessary Codes

There are no specific codes required for this rule. However, you may need to use AWS Command Line Interface (CLI) commands to create the log metric filter and alarm if you prefer using the CLI over the AWS Management Console.

Step-by-Step Guide

Follow these steps to ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys for NIST CSF v1:

Step 1: Access AWS Management Console

  1. Log in to the AWS Management Console using your AWS account credentials.
  2. Navigate to the CloudWatch service.

Step 2: Create a Log Metric Filter

  1. In the CloudWatch console, click on "Log groups" in the navigation pane.
  2. Select the appropriate log group that contains the logs related to customer managed keys.
  3. Click on the "Create metric filter" button.
  4. Specify a filter pattern that captures the events related to disabling or scheduled deletion of customer managed keys.
  5. Configure the filter to extract relevant information from the log entries.
  6. Select the appropriate log group to which the metric filter applies.
  7. Click on "Test pattern" to verify that the filter matches the desired log events.
  8. Click on "Assign metric" and provide a name for the metric.
  9. Click on "Create filter".

Step 3: Create a CloudWatch Alarm

  1. Open the CloudWatch console and click on "Alarms" in the navigation pane.
  2. Click on "Create alarm".
  3. In the "Create alarm" wizard, select the metric filter created in the previous step.
  4. Configure the conditions for the alarm based on your organization's requirements. This may include setting a threshold for the number of occurrences or a specific period of time.
  5. Configure the actions to be taken when the alarm is triggered, such as sending notifications via email or invoking a Lambda function.
  6. Provide a name and description for the alarm.
  7. Review the alarm configuration and click on "Create alarm".

Conclusion

By following the above steps, you will ensure that a log metric filter and alarm are in place to detect any disabling or scheduled deletion of customer managed keys in line with the NIST CSF v1. Regularly monitor the logs and alarms to promptly identify any potential security incidents related to the keys.
