This rule ensures the presence of a log metric filter and alarm for the disabling or scheduled deletion of customer managed keys.
| Field | Value |
|---|---|
| Rule | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description
The rule ensures that a log metric filter and alarm are in place to detect, and send notifications about, any disabling or scheduled deletion of customer managed keys in accordance with the NIST Cybersecurity Framework (CSF) v1.
Troubleshooting Steps
Verify AWS CloudTrail is enabled: Ensure that AWS CloudTrail is enabled in your AWS account. This service captures API activity and can be used for logging and auditing purposes.
Verify the NIST CSF v1 configuration: Check if your organization follows the NIST CSF v1 for managing customer managed keys and that it includes provisions for disabling or scheduled deletion of these keys. Ensure that the relevant policies are in place.
Check IAM permissions: Ensure that the IAM user or role used to create the log metric filter and alarm has appropriate permissions to access and modify CloudWatch Logs and CloudWatch Alarms.
Review CloudWatch Logs: Examine the CloudWatch Logs to see if any relevant log entries are present. Look for events related to disabling or scheduled deletion of customer managed keys.
Check CloudWatch metric filters: Verify that the CloudWatch metric filter has been created correctly and is filtering the desired log events.
Validate CloudWatch alarm configuration: Confirm that the CloudWatch alarm is properly configured to trigger based on the desired metric filter. Review the conditions, threshold, and notification settings.
Necessary Codes
No specific code is required for this rule. However, you may need to use AWS Command Line Interface (CLI) commands to create the log metric filter and alarm if you prefer the CLI over the AWS Management Console.
Step-by-Step Guide
Follow these steps to ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys for NIST CSF v1:
Step 1: Access AWS Management Console
Step 2: Create a Log Metric Filter
Step 3: Create a CloudWatch Alarm
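The metric filter and alarm from Steps 2 and 3, created with the AWS CLI instead of the console. This is an added example, not part of the original rule page: the metric, namespace, filter and alarm names are placeholders, and it assumes the log group is the one your CloudTrail trail delivers to and that the SNS topic already exists.

```shell
# Added example. Names below (metric, namespace, filter, alarm) are
# placeholders chosen for this sketch, not values from the rule page.
AWS_CLI="${AWS_CLI:-aws}"        # set AWS_CLI=echo to print commands (dry run)
METRIC_NAME="kms-cmk-disable-or-delete"
METRIC_NAMESPACE="SecurityMetrics"

# CloudTrail records KMS calls with eventSource kms.amazonaws.com; the two
# eventNames are the KMS API actions that disable a key or schedule deletion.
kms_filter_pattern() {
  printf '%s' '{ ($.eventSource = "kms.amazonaws.com") && (($.eventName = "DisableKey") || ($.eventName = "ScheduleKeyDeletion")) }'
}

# usage: create_kms_key_alarm <cloudtrail-log-group> <sns-topic-arn>
create_kms_key_alarm() {
  log_group="$1"; sns_topic_arn="$2"
  if [ -z "$log_group" ] || [ -z "$sns_topic_arn" ]; then
    echo "usage: create_kms_key_alarm <log-group> <sns-topic-arn>" >&2
    return 2
  fi
  # Metric filter: each matching CloudTrail event adds 1 to the metric.
  "$AWS_CLI" logs put-metric-filter \
    --log-group-name "$log_group" \
    --filter-name "$METRIC_NAME" \
    --filter-pattern "$(kms_filter_pattern)" \
    --metric-transformations \
      "metricName=$METRIC_NAME,metricNamespace=$METRIC_NAMESPACE,metricValue=1" \
    || return 1
  # Alarm: fire on the first matching event in a 5-minute window and notify
  # the SNS topic. Periods without events are treated as not breaching.
  "$AWS_CLI" cloudwatch put-metric-alarm \
    --alarm-name "$METRIC_NAME-alarm" \
    --metric-name "$METRIC_NAME" \
    --namespace "$METRIC_NAMESPACE" \
    --statistic Sum --period 300 --evaluation-periods 1 \
    --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$sns_topic_arn"
}
```

Source the file and call `create_kms_key_alarm` with your CloudTrail log group and SNS topic ARN; the calling identity needs the CloudWatch Logs and CloudWatch Alarms permissions described under Troubleshooting Steps.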
Conclusion
By following the above steps, you will ensure that a log metric filter and alarm are in place to detect any disabling or scheduled deletion of customer managed keys in line with the NIST CSF v1. Regularly monitor the logs and alarms to promptly identify any potential security incidents related to the keys.