
Rule: Ensure a log metric filter and alarm exist for VPC changes

This rule requires the existence of a log metric filter and alarm for VPC changes.

Rule: Ensure a log metric filter and alarm exist for VPC changes
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

The rule ensures that a log metric filter and alarm are set up to monitor and alert for any VPC changes in alignment with the NIST Cybersecurity Framework (CSF) v1. This helps in maintaining the security and integrity of the Virtual Private Cloud (VPC) environment.

Troubleshooting Steps:

  1. Verify if the CloudTrail service is enabled in the AWS Management Console.
  2. Ensure that the necessary IAM permissions are granted to access and configure CloudTrail and CloudWatch services.
  3. Confirm that the necessary log groups and metric filters are created correctly.
  4. Check if the alarm is set up properly and associated with the metric filter.
  5. Validate that the alert notifications are correctly configured.

Necessary Codes:

No specific codes are required for this rule as it is related to configuring CloudTrail and CloudWatch services.

Step-by-step Guide for Remediation:

CloudTrail Setup:

  1. Go to the AWS Management Console and navigate to the CloudTrail service.
  2. Click on "Create trail" to create a new trail.
  3. Provide a name for the trail and select an S3 bucket to store the CloudTrail logs.
  4. Enable "Management events" for the trail.
  5. Under "Data events", enable logging for "CreateVpc", "DeleteVpc", and "ModifyVpcAttribute" events.
  6. Click on "Create" to create the trail.

CloudWatch Metric Filter Setup:

  1. Go to the AWS Management Console and navigate to the CloudWatch service.
  2. Click on "Log groups" and select the log group corresponding to the CloudTrail logs.
  3. Click on "Create metric filter" for the log group.
  4. Specify a filter pattern that captures VPC-related events. Example:
     { $.eventName = "CreateVpc" || $.eventName = "DeleteVpc" || $.eventName = "ModifyVpcAttribute" }
  5. Choose a metric namespace and name for the filter.
  6. Click on "Create filter" to create the metric filter.

CloudWatch Alarm Setup:

  1. In the CloudWatch Management Console, go to "Alarms" on the left-hand menu.
  2. Click on "Create alarm" to configure a new alarm.
  3. Select the metric filter created in the previous step as the alarm source.
  4. Set the appropriate threshold and conditions for the alarm trigger. You can choose to trigger the alarm when the count is greater than zero or set a specific threshold.
  5. Configure the actions to be taken when the alarm is triggered, such as sending a notification via SNS topic or executing an Auto Scaling policy.
  6. Click on "Create alarm" to create the alarm.

Conclusion:

By following the above steps, you can ensure that a log metric filter and alarm are set up to monitor VPC changes in accordance with NIST CSF v1. This helps in maintaining the visibility and security of your AWS VPC environment.
