This rule ensures the presence of a log metric filter and alarm for any modifications made to network gateways.
| Rule | Ensure a log metric filter and alarm exist for changes to network gateways |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Low |
Rule Description
This rule checks that a CloudWatch Logs metric filter and a CloudWatch alarm exist to detect changes to network gateways (internet gateways and customer gateways), in line with the detection controls of the NIST Cybersecurity Framework (CSF) v1.1. Gateway changes are control-plane API calls recorded by CloudTrail, not events emitted by the gateways themselves: attaching an internet gateway to a VPC opens a new path to the public internet, and deleting or detaching one can cut off legitimate traffic, so an alert on these calls lets the team review every change promptly.
Troubleshooting Steps
If the log metric filter and alarm do not exist for network gateway changes, follow these troubleshooting steps:
Verify Log Metric Filter: Confirm that the metric filter exists on the log group that receives CloudTrail events and that its pattern names the gateway-related CloudTrail eventName values. Use the console's "Test pattern" feature with a sample CloudTrail record to confirm that the pattern actually matches.
Check Alarm Configuration: Confirm that an alarm exists on the metric the filter emits, that it uses the Sum statistic over a 5-minute period with a threshold of at least 1, and that it has at least one action (normally an SNS topic). An alarm sitting in INSUFFICIENT_DATA is expected while no gateway change has occurred; an alarm with no action will never notify anyone.
Review Permission Settings: Metric filters and alarms need no IAM role of their own, but CloudTrail needs one to write to CloudWatch Logs. Check that the trail's CloudWatch Logs role allows logs:CreateLogStream and logs:PutLogEvents on the log group, and that the SNS topic used by the alarm has a confirmed subscription.
Check Log Sources: The relevant events come from CloudTrail, not from the gateways. Confirm that a multi-region trail logging management events is enabled and configured to deliver to the CloudWatch Logs log group the filter is attached to, and that the trail's status shows recent successful delivery; a filter on a log group that receives nothing will never fire.
Necessary Codes
To implement the log metric filter and alarm for changes to network gateways, use the following CloudWatch Logs filter pattern, which is the one defined by the CIS AWS Foundations Benchmark for this control:
{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }
The pattern matches any CloudTrail record whose eventName is one of the six EC2 API calls that create, delete, attach or detach an internet gateway or a customer gateway. It is applied to each log event independently and does not filter on errorCode, so denied attempts are counted as well as successful changes; read-only calls such as DescribeInternetGateways do not match.
Step-by-Step Guide for Remediation
Follow these steps to set up the log metric filter and alarm for network gateway changes:
Access AWS Management Console: Log in to the AWS Management Console using your credentials.
Navigate to CloudWatch: Go to the CloudWatch service from the list of available AWS services.
Choose Logs: Select "Logs" from the left-hand menu to access the log management interface.
Select Log Group: Choose the log group that receives events from your CloudTrail trail; the trail's CloudWatch Logs settings show which group that is.
Create Metric Filter: Click on the "Create Metric Filter" button to start configuring the filter.
Define Filter Pattern: In the "Filter Pattern" section, enter the pattern:
{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }
Assign Metric Details: Enter a metric namespace and metric name (for example the namespace you use for your other CIS log metrics) and set the metric value to 1, so that every matching event adds one to the metric.
Create Filter: Click on the "Create Filter" button to save the log metric filter.
Navigate to Alarms: Go back to the CloudWatch service and select "Alarms" from the left-hand menu.
Create Alarm: Click on the "Create Alarm" button to begin setting up the alarm.
Select Metric: In the "Create Alarm" wizard, pick the metric by the namespace and name you assigned to the filter.
Set Alarm Threshold: Use the Sum statistic over a 5-minute period and set the condition to greater than or equal to 1, so that a single gateway change raises the alarm.
Configure Actions: Choose the action to take when the alarm enters the ALARM state, normally notifying an SNS topic that your security team subscribes to; the topic's subscriptions must be confirmed, or no one receives the notification.
Review and Create: Review the alarm settings and click on the "Create Alarm" button to finalize the configuration.
Once the filter and alarm are in place, every CloudTrail record delivered to the log group is tested against the pattern, and a matching record raises the alarm in the next evaluation period. The same configuration can be created with the AWS CLI using aws logs put-metric-filter and aws cloudwatch put-metric-alarm, which is easier to keep in version control and to apply consistently across accounts than console steps.
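As an added, runnable illustration of how the filter pattern above behaves (example code written for this page, not the rule's own tooling), the following Python evaluates the pattern against constructed CloudTrail records the way CloudWatch Logs tests a metric filter against each log event, and then applies the rule's alarm condition. The sample records, including the IAM user name, account ID and resource IDs, are constructed for the example, and the pattern parser supports only the "||"-joined equality terms this pattern uses.

```python
"""Added example (not part of the original rule page): evaluate the CIS
filter pattern for network gateway changes against constructed CloudTrail
records, the way CloudWatch Logs applies a metric filter to each log event."""
import json
import re

# Filter pattern from the CIS AWS Foundations Benchmark control for
# "changes to network gateways". Each CloudTrail record delivered to
# CloudWatch Logs is one log event, and the pattern is tested per event.
GATEWAY_FILTER_PATTERN = (
    "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) "
    "|| ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) "
    "|| ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
)

# One equality term of a JSON filter pattern: ($.path.to.field = value).
# Assumption: values are bare words or quoted strings without spaces.
_TERM_RE = re.compile(r'\(\s*\$\.([A-Za-z0-9_.]+)\s*=\s*"?([A-Za-z0-9_.:-]+)"?\s*\)')


def parse_or_pattern(pattern: str) -> list[tuple[str, str]]:
    """Parse a JSON filter pattern made of equality terms joined by '||'.

    This covers only the subset of CloudWatch Logs pattern syntax the CIS
    pattern uses; '&&', '!=' and wildcards are rejected rather than guessed.
    """
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("JSON filter patterns must be enclosed in { }")
    inner = body[1:-1]
    terms = _TERM_RE.findall(inner)
    leftover = _TERM_RE.sub("", inner).replace("||", "").strip()
    if not terms or leftover:
        raise ValueError(f"unsupported pattern syntax: {leftover!r}")
    return terms


def _lookup(record: dict, path: str):
    """Resolve a dotted selector such as 'userIdentity.type' in a record."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(terms: list[tuple[str, str]], record: dict) -> bool:
    """True if any term's selector resolves to exactly that term's value."""
    for selector, value in terms:
        found = _lookup(record, selector)
        if found is not None and str(found) == value:
            return True
    return False


def count_matching_events(log_lines: list[str], pattern: str = GATEWAY_FILTER_PATTERN) -> int:
    """Count log events that would increment the filter's metric (value 1 each)."""
    terms = parse_or_pattern(pattern)
    hits = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a non-JSON event never matches a JSON pattern
        if isinstance(record, dict) and matches(terms, record):
            hits += 1
    return hits


def alarm_state(period_sum: int, threshold: int = 1) -> str:
    """Alarm as configured by the rule: Statistic=Sum, Period=300s, Sum >= 1."""
    return "ALARM" if period_sum >= threshold else "OK"


def _cloudtrail_record(event_name: str, **extra) -> str:
    """Constructed CloudTrail record (sample data, not captured from an account)."""
    record = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "recipientAccountId": "111111111111",
    }
    record.update(extra)
    return json.dumps(record)


# Constructed sample log events: two real changes (one of them denied), two
# read-only or unrelated calls, and one line of non-JSON noise.
SAMPLE_LOG_LINES = [
    _cloudtrail_record("AttachInternetGateway",
                       requestParameters={"vpcId": "vpc-0123456789abcdef0",
                                          "internetGatewayId": "igw-0123456789abcdef0"}),
    _cloudtrail_record("DescribeInternetGateways"),
    # A denied attempt is still a signal: the pattern does not check errorCode.
    _cloudtrail_record("DeleteInternetGateway",
                       errorCode="Client.UnauthorizedOperation",
                       errorMessage="You are not authorized to perform this operation."),
    _cloudtrail_record("ModifyVpcAttribute"),
    "not a json log event",
]

if __name__ == "__main__":
    hits = count_matching_events(SAMPLE_LOG_LINES)
    print(f"{hits} matching events -> {alarm_state(hits)}")  # 2 matching events -> ALARM
```

Two of the five sample events match: the successful AttachInternetGateway and the denied DeleteInternetGateway, which the real filter also counts because the pattern never looks at errorCode. The Describe call and the unrelated ModifyVpcAttribute call are ignored, and a Sum of 2 in the period puts the alarm in ALARM under the threshold the remediation steps set.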
Conclusion
Implementing a log metric filter and alarm for changes to network gateways aligns with the detection controls of the NIST Cybersecurity Framework (CSF) v1.1. It enables organizations to detect and respond promptly to modifications of internet and customer gateways, including denied attempts, and so strengthens the security posture of their infrastructure. Following the steps above implements this rule; the troubleshooting section covers the cases where the filter and alarm exist but never fire.