Ensure a Log Metric Filter and Alarm Exist for IAM Policy Changes Rule

This rule ensures the presence of a log metric filter and alarm for IAM policy changes.

Rule: Ensure a log metric filter and alarm exist for IAM policy changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

This rule checks that a CloudWatch Logs metric filter and a CloudWatch alarm exist to detect and alert on changes to IAM policies, as a monitoring control aligned with the NIST Cybersecurity Framework (CSF) v1.1. IAM policies govern who and what can act within an AWS account, so a policy change (new or modified inline or managed policy, a new default policy version, a policy attached to or detached from a principal, or a changed role trust policy) is one of the most common ways an attacker escalates privilege or persists after an initial compromise. Tracking and alerting on every such modification keeps the environment auditable and gives responders a near-real-time signal.

Troubleshooting Steps (if applicable):

  1. Verify that a metric filter exists on the log group that receives your CloudTrail events and that an alarm exists on the metric it produces.
  2. Check that the filter pattern covers all of the IAM policy-change API actions (inline policy put/delete, managed policy create/delete/version changes, attach/detach, and trust policy updates) and that a test event actually increments the metric.
  3. Ensure the alarm action points at an SNS topic with at least one confirmed subscription so that alerts are delivered.
  4. Review CloudTrail and CloudWatch Logs for delivery problems: the trail must be multi-region, must log management events, and must be configured to deliver to the CloudWatch Logs log group used by the filter.
  5. Record the control as implemented in your NIST CSF v1.1 mapping.

Necessary Code (if applicable):

No application code is required for this rule. The control is CloudWatch configuration: a metric filter on the CloudTrail log group and an alarm on the resulting metric, which can be created in the console, with the AWS CLI or SDK, or with infrastructure-as-code.

Step-by-Step Guide for Remediation:

Step 1: Configure Log Metric Filter

  1. Open the AWS Management Console and navigate to the CloudWatch service.
  2. Select the region in which your CloudTrail trail delivers to CloudWatch Logs.
  3. In the left-hand menu, click on "Logs" and select the log group that receives CloudTrail events. The filter must be attached to this log group; a filter on any other log group will never see IAM events. The trail feeding it should be a multi-region trail that logs management events.
  4. Click on "Create Metric Filter" to begin the configuration.
  5. In the "Filter Pattern" section, specify the filter pattern that matches IAM policy change events. The following pattern covers the IAM API actions that create, change, delete, attach or detach policies, and matches the pattern used by the CIS AWS Foundations Benchmark for this control:
{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = SetDefaultPolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) || ($.eventName = UpdateAssumeRolePolicy) }
     Note that the names must be real IAM API actions as they appear in the CloudTrail eventName field; a misspelled or non-existent action name silently matches nothing.
  6. Choose a name for your metric filter and provide a metric namespace, metric name, and a metric value of 1, so that each matching event adds one to the metric.
  7. Click on "Create Filter" to save the configuration.

Step 2: Configure Alarm

  1. In the CloudWatch Management Console, navigate to the "Alarms" section.
  2. Click on "Create Alarm" to start setting up the alarm.
  3. In the "Select metric" section, search for and select the metric that corresponds to the IAM policy change filter created in Step 1.
  4. Set the conditions for the alarm. A typical configuration is statistic Sum, a period of 5 minutes, 1 evaluation period, and a threshold of greater than or equal to 1, so that a single policy change in any 5-minute window raises the alarm. Treat missing data as not breaching so the alarm does not flap during quiet periods when no events arrive.
  5. Configure the actions to run when the alarm enters the ALARM state, such as publishing to an SNS topic or invoking an AWS Lambda function. If you use SNS, confirm that the topic has at least one confirmed subscription; an alarm that publishes to an empty topic is not an alert.
  6. Review the settings and click on "Create Alarm" to save the configuration.

Step 3: Verify and Test

  1. To verify that the log metric filter and alarm are functioning correctly, make a harmless test change in a non-production account or on a throwaway resource, for example create and then delete an unused customer managed policy.
  2. Check that the CloudTrail events for the change appear in the CloudWatch Logs log group, allowing for CloudTrail delivery latency.
  3. Verify that the metric receives a data point, that the CloudWatch alarm transitions to ALARM, and that the notification is received by the intended recipients.
  4. Record the control as implemented and tested in your NIST CSF v1.1 mapping.

By following the above steps, you will have implemented a log metric filter and alarm that detects and alerts on IAM policy changes, satisfying this rule and supporting your NIST Cybersecurity Framework (CSF) v1.1 monitoring controls.
