This rule ensures the presence of a log metric filter and alarm for IAM policy changes.
Rule | Ensure a log metric filter and alarm exist for IAM policy changes
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity | Low
Rule Description:
This rule checks that a CloudWatch Logs metric filter and an associated alarm exist to detect changes to IAM policies, as called for by the NIST Cybersecurity Framework (CSF) v1. IAM policy changes are security-relevant because policies govern access and permissions across an organization's AWS environment; tracking and alerting on every modification keeps that environment secure and auditable.
Troubleshooting Steps (if applicable):
Necessary Code (if applicable):
No application code is required for this rule; it is satisfied by configuring a log metric filter and an alarm in AWS CloudWatch.
Step-by-Step Guide for Remediation:
Step 1: Configure Log Metric Filter
Create a metric filter on the CloudWatch Logs log group that receives your CloudTrail events, using the filter pattern below. The pattern uses the event names CloudTrail actually records: inline policy removal is logged as DeleteGroupPolicy, DeleteRolePolicy and DeleteUserPolicy (there are no RemoveGroupPolicy, RemoveRolePolicy or RemoveUserPolicy IAM actions, and no UpdatePolicy or UpdateRolePolicy either, so those names would never match).
{ ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicy) || ($.eventName = DeletePolicyVersion) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = SetDefaultPolicyVersion) || ($.eventName = UpdateAssumeRolePolicy) }
Step 2: Configure Alarm
Step 3: Verify and Test
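The three remediation steps carried out with boto3, as an added example that is not part of the rule page: build the metric filter and alarm requests, apply them, and confirm the stored pattern (Step 3). The log group name, SNS topic ARN, filter name and namespace are placeholders you supply; the event list uses DeleteGroupPolicy, DeleteRolePolicy and DeleteUserPolicy for inline-policy removal, which are the names CloudTrail records.

```python
import json

# IAM actions whose CloudTrail records should trip the filter: the names from the
# rule's pattern, with inline-policy removal spelled as IAM's real Delete*Policy actions.
IAM_POLICY_EVENTS = (
    "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
)
# CloudWatch Logs JSON filter-pattern syntax, as on the rule page.
FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {e})" for e in IAM_POLICY_EVENTS) + " }"
FILTER_NAME, NAMESPACE = "IAMPolicyChanges", "CISBenchmark"  # placeholder names

def build_metric_filter(log_group):
    """Parameters for logs.put_metric_filter(): each matching record adds 1 to the metric."""
    return {
        "logGroupName": log_group, "filterName": FILTER_NAME, "filterPattern": FILTER_PATTERN,
        "metricTransformations": [
            {"metricName": FILTER_NAME, "metricNamespace": NAMESPACE, "metricValue": "1"}],
    }

def build_alarm(sns_topic_arn):
    """Parameters for cloudwatch.put_metric_alarm(): alarm on >= 1 change in any 5-minute window."""
    return {
        "AlarmName": FILTER_NAME, "MetricName": FILTER_NAME, "Namespace": NAMESPACE,
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # quiet periods stay OK, not INSUFFICIENT_DATA
        "AlarmActions": [sns_topic_arn],
    }

def matches_filter(cloudtrail_record_json):
    """Local mirror of the pattern, for checking sample records before deploying."""
    return json.loads(cloudtrail_record_json).get("eventName") in IAM_POLICY_EVENTS

def deploy(logs_client, cw_client, log_group, sns_topic_arn):
    """Steps 1-2 create the filter and alarm; step 3 confirms the stored pattern matches."""
    logs_client.put_metric_filter(**build_metric_filter(log_group))
    cw_client.put_metric_alarm(**build_alarm(sns_topic_arn))
    stored = logs_client.describe_metric_filters(logGroupName=log_group, filterNamePrefix=FILTER_NAME)
    return any(f["filterPattern"] == FILTER_PATTERN for f in stored["metricFilters"])

# Constructed sample CloudTrail records (not real log data).
SAMPLE_CHANGE = '{"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy"}'
SAMPLE_READ = '{"eventSource": "iam.amazonaws.com", "eventName": "GetRolePolicy"}'
```

Call deploy() with boto3.client("logs") and boto3.client("cloudwatch") to apply it to a real account, passing the log group CloudTrail delivers to and the SNS topic that should receive the alarm.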
By following the above steps, you will have successfully implemented a log metric filter and alarm for monitoring IAM policy changes in compliance with the NIST Cybersecurity Framework (CSF) v1.