This rule ensures the presence of a log metric filter and alarm for monitoring route table changes.
| Rule      | Ensure a log metric filter and alarm exist for route table changes |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity  | Low |
Rule Description
This rule ensures that a log metric filter and alarm exist for route table changes, in compliance with the NIST Cybersecurity Framework (CSF) v1. The objective is to monitor and alert on any modification made to the route tables within an infrastructure, providing visibility and control over network configuration changes.
Troubleshooting Steps
If there are any issues with the log metric filter and alarm, follow these troubleshooting steps:
Verify the CloudTrail configuration:
Verify the log metric filter configuration:
Verify the alarm configuration:
Check IAM permissions:
Review CloudTrail logs and CloudWatch metrics:
Consult AWS documentation and support:
Necessary Codes
No codes are required for this rule.
Remediation Steps
Follow these step-by-step instructions to remediate any issues related to the log metric filter and alarm for route table changes:
1. Log in to the AWS Management Console.
2. Navigate to the CloudWatch service.
3. Click on "Log groups" in the left sidebar.
4. Select the log group that receives the CloudTrail logs.
5. Click on the "Create metric filter" button.
6. In the "Filter pattern" field, enter the following pattern to match route table changes:
   { ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) || ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }
7. Click on the "Test pattern" button to verify that the filter matches the desired events. Adjust the pattern if necessary.
8. Choose a name for the filter and provide a metric name for the extracted value.
9. Click on "Create filter" to save the log metric filter.
10. Return to the CloudWatch service dashboard.
11. Click on "Alarms" in the left sidebar.
12. Click on the "Create alarm" button.
13. In the "Create Alarm" wizard, click "Select metric".
14. Choose the metric produced by the log metric filter created above for route table changes.
15. Configure the desired threshold and conditions for the alarm.
16. Provide a name and description for the alarm.
17. Specify the actions to be taken when the alarm enters the ALARM state (e.g., sending a notification or invoking a Lambda function).
18. Click on the "Create alarm" button to save the CloudWatch alarm.
19. Verify that the log metric filter and alarm are properly configured by reviewing the alarm status and making a test route table modification.
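The following example is added here and is not part of the original rule page. It evaluates the remediation filter pattern above against a few constructed CloudTrail records, so you can see which API calls the pattern does and does not count (read-only calls such as DescribeRouteTables, and calls the pattern does not list, such as DeleteRouteTable, produce no metric data point), and it builds the AWS CLI equivalents of the console steps (aws logs put-metric-filter and aws cloudwatch put-metric-alarm). The log group name, filter name, metric name, namespace, alarm name and SNS topic ARN are assumptions; substitute your own. The local match function approximates CloudWatch Logs pattern evaluation only for this one-field, OR-of-equalities pattern shape.

```python
"""Added example, not from the original rule page: checks what the route table
metric filter pattern matches and builds the equivalent AWS CLI commands.
All resource names and ARNs below are assumptions / placeholders."""
import json
import re

# Filter pattern exactly as given in the remediation steps.
FILTER_PATTERN = (
    "{ ($.eventName = ReplaceRouteTableAssociation) || "
    "($.eventName = DisassociateRouteTable) || "
    "($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || "
    "($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }"
)


def event_names_in_pattern(pattern):
    """Extract the eventName literals from a pattern of the shape
    { ($.eventName = X) || ($.eventName = Y) ... }."""
    return set(re.findall(r"\$\.eventName\s*=\s*([A-Za-z]+)", pattern))


def matches(record, pattern=FILTER_PATTERN):
    """Local approximation of CloudWatch Logs filter evaluation for this
    pattern shape: true when the record's eventName is one of the literals."""
    return record.get("eventName") in event_names_in_pattern(pattern)


# Constructed CloudTrail records (minimal fields, not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRouteTableAssociation"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable"},
]


def matching_event_names(records, pattern=FILTER_PATTERN):
    """Return the eventName of every record that would increment the metric."""
    return [r["eventName"] for r in records if matches(r, pattern)]


def remediation_commands(log_group, filter_name, metric_name, alarm_name,
                         sns_topic_arn, namespace="CISBenchmark"):
    """Build the aws CLI argument vectors equivalent to the console steps:
    one put-metric-filter call and one put-metric-alarm call."""
    put_filter = [
        "aws", "logs", "put-metric-filter",
        "--log-group-name", log_group,
        "--filter-name", filter_name,
        "--filter-pattern", FILTER_PATTERN,
        "--metric-transformations", json.dumps([{
            "metricName": metric_name,
            "metricNamespace": namespace,
            "metricValue": "1",  # each matching event counts as 1
        }]),
    ]
    put_alarm = [
        "aws", "cloudwatch", "put-metric-alarm",
        "--alarm-name", alarm_name,
        "--metric-name", metric_name,
        "--namespace", namespace,
        "--statistic", "Sum",
        "--period", "300",          # 5-minute window
        "--threshold", "1",         # alarm on a single change event
        "--comparison-operator", "GreaterThanOrEqualToThreshold",
        "--evaluation-periods", "1",
        "--alarm-actions", sns_topic_arn,
    ]
    return [put_filter, put_alarm]


if __name__ == "__main__":
    print("Matched by the filter:", matching_event_names(SAMPLE_RECORDS))
    for cmd in remediation_commands(
        "CloudTrail/DefaultLogGroup",            # assumed log group name
        "RouteTableChanges",                     # assumed filter name
        "RouteTableEventCount",                  # assumed metric name
        "RouteTableChangesAlarm",                # assumed alarm name
        "arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-TOPIC",
    ):
        print(" ".join(json.dumps(a) if " " in a else a for a in cmd))
```

Running the script prints which of the sample events the filter counts and the two CLI commands; paste the commands into a shell with suitable credentials to apply the remediation without the console. The alarm uses Sum over a 5-minute period with a threshold of 1, so any single matching event raises it.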
By following these steps, you ensure that a log metric filter and alarm exist for route table changes, in compliance with the NIST Cybersecurity Framework (CSF) v1.