Rule: Ensure a Log Metric Filter and Alarm Exist for Route Table Changes

This rule ensures the presence of a log metric filter and alarm for monitoring route table changes.

Rule: Ensure a log metric filter and alarm exist for route table changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

This rule ensures that a log metric filter and alarm exist for route table changes, in compliance with the NIST Cybersecurity Framework (CSF) v1. The objective is to monitor and alert on any modification made to the routing tables within an infrastructure, providing visibility and control over network configuration changes.

Troubleshooting Steps

If there are any issues with the log metric filter and alarm, follow these troubleshooting steps:

  1. Verify the CloudTrail configuration:
     • Ensure that CloudTrail is enabled for the AWS account and the desired AWS Region.
     • Check that the CloudTrail trail is properly configured to capture route table-related events.
  2. Verify the log metric filter configuration:
     • Validate that the log metric filters are correctly set up in CloudWatch Logs.
     • Confirm that the filter pattern is accurately defined to match route table change events.
  3. Verify the alarm configuration:
     • Validate the alarm setup in CloudWatch Alarms.
     • Ensure that all necessary conditions and thresholds are correctly defined.
  4. Check IAM permissions:
     • Verify that the IAM role or user associated with CloudTrail, CloudWatch Logs, and CloudWatch Alarms has the required permissions to perform the necessary actions.
  5. Review CloudTrail logs and CloudWatch metrics:
     • Analyze the CloudTrail logs to check that route table changes are being recorded.
     • Review the CloudWatch metrics to identify any anomalies or issues with the log metric filter and alarm.
  6. Consult AWS documentation and support:
     • If the issue persists, consult the official AWS documentation and seek assistance from AWS Support for further troubleshooting and guidance.

Necessary Codes

No codes are required for this rule.

Remediation Steps

Follow these step-by-step instructions to remediate any issues related to the log metric filter and alarm for route table changes:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudWatch service.
  3. Click on "Log groups" in the left sidebar.
  4. Select the appropriate log group containing the CloudTrail logs.
  5. Click on the "Create metric filter" button.
  6. In the "Filter pattern" field, enter the following pattern to match route table changes:

     { ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) || ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }

  7. Click on the "Test pattern" button to verify that the filter matches the desired events. Adjust the pattern if necessary.
  8. Choose a name for the filter and provide a metric name for the extracted value.
  9. Click on "Create filter" to save the log metric filter.
  10. Return to the CloudWatch service dashboard.
  11. Click on "Alarms" in the left sidebar.
  12. Click on the "Create alarm" button.
  13. In the "Create Alarm" wizard, select the "Select metric" button.
  14. Choose the log metric filter previously created for route table changes.
  15. Configure the desired threshold and conditions for the alarm.
  16. Provide a name and description for the alarm.
  17. Specify the actions to be taken when the alarm is triggered (for example, sending a notification or executing a Lambda function).
  18. Click on the "Create alarm" button to save the CloudWatch alarm.
  19. Verify that the log metric filter and alarm are properly configured by reviewing the alarm status and testing route table modifications.

By following these steps, you can ensure that a log metric filter and alarm exist for route table changes in compliance with the NIST Cybersecurity Framework (CSF) v1.
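The following is an added example (not Cloud Defense's code) that exercises the procedure above from the command line: it evaluates the step 6 filter pattern against constructed CloudTrail records the way the "Test pattern" check does, and builds the boto3 keyword arguments that reproduce the console steps for the metric filter and alarm. The metric namespace, the "-filter"/"-alarm" name suffixes, and the one-event-per-five-minutes threshold are assumptions, not values from the page.

```python
import json
import re

# Filter pattern from step 6 of the remediation steps (the page's own pattern).
FILTER_PATTERN = ("{ ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) || "
                  "($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || "
                  "($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }")
NAMESPACE = "CISBenchmark"  # assumed metric namespace, not taken from the page


def pattern_event_names(pattern):
    """Extract the eventName values from an OR-ed '($.eventName = X)' filter pattern."""
    return set(re.findall(r"\(\$\.eventName\s*=\s*(\w+)\)", pattern))


def matching_events(log_lines, pattern=FILTER_PATTERN):
    """Names of the CloudTrail records (one JSON object per line) the metric filter
    would count. Non-JSON lines are skipped: a JSON filter pattern never matches them."""
    wanted = pattern_event_names(pattern)
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and record.get("eventName") in wanted:
            hits.append(record["eventName"])
    return hits


def metric_filter_params(log_group, metric_name):
    """Keyword arguments for boto3 logs.put_metric_filter(), matching steps 5-9."""
    return {"logGroupName": log_group, "filterName": metric_name + "-filter",
            "filterPattern": FILTER_PATTERN,
            "metricTransformations": [{"metricName": metric_name,
                                       "metricNamespace": NAMESPACE, "metricValue": "1"}]}


def alarm_params(metric_name, sns_topic_arn):
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(), matching steps 11-18:
    alarm as soon as one matching event lands in a five-minute period (assumed threshold)."""
    return {"AlarmName": metric_name + "-alarm", "Namespace": NAMESPACE,
            "MetricName": metric_name, "Statistic": "Sum", "Period": 300,
            "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn]}


SAMPLE_LOG_LINES = [  # constructed CloudTrail records, trimmed to the field that matters here
    json.dumps({"eventName": "CreateRoute"}), json.dumps({"eventName": "DescribeRouteTables"}),
    "not a JSON record", json.dumps({"eventName": "DeleteRoute"}),
]
```

Pass the returned dicts to `boto3.client("logs").put_metric_filter(**...)` and `boto3.client("cloudwatch").put_metric_alarm(**...)` with credentials that hold the permissions listed under troubleshooting step 4.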
