
Ensure a Log Metric Filter and Alarm Exist for Security Group Changes

This rule ensures the presence of a log metric filter and alarm for security group modifications.

Rule: Ensure a log metric filter and alarm exist for security group changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description: Log Metric Filter and Alarm for Security Group Changes - NIST CSF v1.1

Rule Summary:

NIST CSF v1.1 expects the network and its configuration to be monitored continuously so that potential security events are detected (the Detect function). EC2 security groups are the instance-level firewall, so an unexpected rule change (for example an ingress rule opened to 0.0.0.0/0) is exactly such an event. This rule checks that the account has a CloudWatch Logs metric filter on the log group that CloudTrail delivers to, matching the API calls that create, delete or change the rules of a security group, and a CloudWatch alarm on that metric that notifies someone whenever the count is non-zero.

Troubleshooting Steps:

If the log metric filter and alarm for security group changes are missing, or exist but never fire, work through the delivery chain in order: CloudTrail records the API call, delivers it to a CloudWatch Logs log group, the metric filter counts the matching records, and the alarm evaluates that count and notifies an SNS topic. A break at any link looks the same from the outside (no notification), so check each one:

  1. Confirm a trail is logging management events for all regions and is configured with a CloudWatch Logs log group ("aws cloudtrail describe-trails" shows CloudWatchLogsLogGroupArn; "aws cloudtrail get-trail-status --name <trail>" reports LatestCloudWatchLogsDeliveryError when delivery is failing).
  2. Confirm the IAM role the trail uses for CloudWatch Logs allows logs:CreateLogStream and logs:PutLogEvents on that log group, and that the principal running this check is allowed to call the describe APIs used here.
  3. Confirm the metric filter is attached to that same log group and its pattern lists all six event names ("aws logs describe-metric-filters --log-group-name <group>"). A filter on any other log group never sees the API calls.
  4. Confirm an alarm references the filter's metric namespace and metric name and has at least one alarm action pointing at an SNS topic with a confirmed subscription ("aws cloudwatch describe-alarms-for-metric --metric-name <metric> --namespace <namespace>", then "aws sns list-subscriptions-by-topic --topic-arn <arn>").

Necessary Code:

The following AWS CloudFormation template demonstrates the necessary code to create a log metric filter and alarm for security group changes:

Parameters:
  LogGroup:
    Type: String
    Description: Name of the CloudWatch Logs log group that the CloudTrail trail delivers to
  SNSTopicArn:
    Type: String
    Description: ARN of the SNS topic that receives alarm notifications (needs a confirmed subscription)

Resources:
  SecurityGroupChanges:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroup
      # The six EC2 API calls that create, delete or change the rules of a security group
      FilterPattern: '{ ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) || ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) }'
      MetricTransformations:
        - MetricName: SecurityGroupChanges
          # Custom namespace; names beginning with AWS/ are reserved for AWS services
          MetricNamespace: CloudTrailMetrics
          # Each matching log record adds 1 to the metric
          MetricValue: '1'

  SecurityGroupChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: SecurityGroupChangesAlarm
      AlarmDescription: Alarm for detecting security group changes
      # Must match the namespace and name emitted by the metric filter above
      Namespace: CloudTrailMetrics
      MetricName: SecurityGroupChanges
      Statistic: Sum
      Period: 300 # 5 minutes
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # Quiet periods publish no datapoints; treat them as OK instead of INSUFFICIENT_DATA
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref SNSTopicArn

Note: This code is in YAML format and can be used with AWS CloudFormation to automate the creation and configuration of the log metric filter and alarm. Two things the template cannot check for you: the LogGroup parameter must be the log group a CloudTrail trail (ideally a multi-region trail logging management events) actually delivers to, and the SNS topic must have a confirmed subscriber, otherwise the alarm changes state without anyone hearing about it. The pattern matches the six calls listed; the newer ModifySecurityGroupRules call, which edits a rule in place, is not among them, so add it if your environment uses rule IDs.
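The troubleshooting steps and the filter above both hinge on the same two questions: which CloudTrail records the pattern counts, and whether a filter and alarm with the right coverage actually exist. The following is an added example, not Cloud Defense's code or an AWS tool: it parses the page's filter pattern, replays constructed CloudTrail records through it (showing that read-only calls do not count and that ModifySecurityGroupRules is not listed), and audits responses shaped like the output of logs:DescribeMetricFilters and cloudwatch:DescribeAlarms. All sample records, ARNs, names and the functions themselves are this example's assumptions.

```python
"""Offline check for the security-group-change metric filter and alarm.

Added example, not Cloud Defense's own code. Sample records and API
responses are constructed, not captured from a real account.
"""
import re

# The six EC2 API calls the rule expects the filter to cover.
REQUIRED_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}

FILTER_PATTERN = (
    "{ ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) || "
    "($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || "
    "($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) }"
)

# One '($.eventName = Literal)' term; CloudWatch accepts the literal quoted or unquoted.
_TERM = re.compile(r'\(\s*\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?\s*\)')


def event_names_in_pattern(pattern):
    """Event-name literals from an OR-only pattern of the shape this rule uses.
    Other pattern forms (&&, wildcards, other fields) are deliberately not handled."""
    return set(_TERM.findall(pattern))


def pattern_matches(pattern, record):
    """Emulate the filter: a record matches if its eventName is one of the literals."""
    return record.get("eventName") in event_names_in_pattern(pattern)


def count_matches(pattern, records):
    """Sum of MetricValue 1 over the records, i.e. what the alarm's Sum statistic sees."""
    return sum(1 for r in records if pattern_matches(pattern, r))


def missing_events(pattern):
    """Required event names the pattern does not list (empty set means full coverage)."""
    return REQUIRED_EVENTS - event_names_in_pattern(pattern)


def audit(metric_filters, alarms):
    """Findings for the 'metricFilters' entries of the CloudTrail log group and the
    'MetricAlarms' entries of the region; an empty list means the rule is satisfied."""
    findings = []
    covering = [f for f in metric_filters if not missing_events(f.get("filterPattern", ""))]
    if not covering:
        findings.append("no metric filter covers all six security group event names")
        return findings
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in covering for t in f.get("metricTransformations", [])}
    bound = [a for a in alarms if (a.get("Namespace"), a.get("MetricName")) in metrics]
    if not bound:
        findings.append("no CloudWatch alarm is bound to the filter's metric")
        return findings
    if not any(a.get("AlarmActions") for a in bound):
        findings.append("alarm has no AlarmActions, so nobody is notified")
    return findings


# Constructed CloudTrail records: three rule-relevant calls, one read-only call that
# must not count, and an in-place rule edit the page's pattern does not list.
SAMPLE_RECORDS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "RevokeSecurityGroupEgress", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "CreateSecurityGroup", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "ModifySecurityGroupRules", "eventSource": "ec2.amazonaws.com"},
]

# Constructed API responses shaped like DescribeMetricFilters / DescribeAlarms output.
GOOD_FILTERS = [{
    "filterName": "SecurityGroupChanges", "filterPattern": FILTER_PATTERN,
    "metricTransformations": [{"metricName": "SecurityGroupChanges",
                               "metricNamespace": "CloudTrailMetrics", "metricValue": "1"}],
}]
WEAK_FILTERS = [{
    "filterName": "IngressOnly",
    "filterPattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) }",
    "metricTransformations": [{"metricName": "SecurityGroupChanges",
                               "metricNamespace": "CloudTrailMetrics", "metricValue": "1"}],
}]
GOOD_ALARMS = [{
    "AlarmName": "SecurityGroupChangesAlarm", "Namespace": "CloudTrailMetrics",
    "MetricName": "SecurityGroupChanges", "Statistic": "Sum", "Period": 300,
    "Threshold": 1.0, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]

if __name__ == "__main__":
    print("matched records:", count_matches(FILTER_PATTERN, SAMPLE_RECORDS))
    print("not counted:", [r["eventName"] for r in SAMPLE_RECORDS
                           if not pattern_matches(FILTER_PATTERN, r)])
    print("good config:", audit(GOOD_FILTERS, GOOD_ALARMS))
    print("weak filter:", audit(WEAK_FILTERS, GOOD_ALARMS))
    print("no alarm:", audit(GOOD_FILTERS, []))
```

Against a live account the same audit function would take the JSON from "aws logs describe-metric-filters --log-group-name <group>" and "aws cloudwatch describe-alarms"; the point of keeping the inputs as plain dicts is that the coverage logic can be tested without credentials. The DescribeSecurityGroups record is the reason the pattern lists exact event names rather than a wildcard on "SecurityGroup": read-only describes would otherwise make the alarm fire on every console page load.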

Step-by-Step Guide for Remediation:

Follow these steps to create a log metric filter and alarm for security group changes:

  1. Log in to the AWS Management Console and open the CloudWatch service.
  2. Click on "Log groups" in the left-hand menu.
  3. Choose the log group that your CloudTrail trail delivers to (the trail's CloudWatch Logs log group, visible in the CloudTrail console). A filter on any other log group will never see the API calls.
  4. Click on the "Actions" dropdown menu and select "Create metric filter".
  5. In the "Filter pattern" field, enter the following pattern:
{ ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) || ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) }
  6. Set the "Filter name" and "Metric namespace" fields as you prefer (avoid the AWS/ prefix, which is reserved for AWS services) and note both values; the alarm must reference exactly the same namespace and metric name.
  7. Under "Metric value", enter 1 so that each matching log record counts as one change.
  8. Click on "Assign metric".
  9. In the CloudWatch console, navigate to "Alarms" in the left-hand menu.
  10. Click on "Create alarm".
  11. Select "Browse" in the "Metric name" field and choose the metric created in the previous step.
  12. Set the statistic to Sum, the period to 5 minutes, one evaluation period and a threshold of greater than or equal to 1 (the values used in the template above), or adjust them to your requirements.
  13. Specify the action to take when the alarm enters the ALARM state, for example notifying an SNS topic whose subscription (e-mail, chat webhook or ticketing integration) has been confirmed.
  14. Click on "Create alarm" to save the configuration.

Once the log metric filter and alarm are created, any of the listed security group API calls recorded in that log group will raise the alarm within one evaluation period. Verify the chain end to end by creating and deleting a throwaway security group in a non-production VPC and confirming the notification arrives; CloudTrail typically delivers an event to CloudWatch Logs a few minutes after the API call, so allow for that delay before concluding the alarm is broken.

Summary:

By implementing a log metric filter and alarm for security group changes, you meet the NIST CSF v1.1 expectation that changes to network access controls are monitored and potential security events are detected, and you gain a timely signal for identifying unauthorized changes to security groups. Pair the alarm with a response procedure that compares each notification against approved change records: a notification nobody reviews provides detection on paper only.
