Ensure a Log Metric Filter and Alarm Exist for Security Group Changes Rule
This rule ensures the presence of a log metric filter and alarm for any security group changes.
| Rule | Ensure a log metric filter and alarm exist for security group changes |
| Framework | cis_v130 |
| Severity | ✔ Low |
Rule Description:
The rule requires a log metric filter and alarm to be set up for detecting and monitoring security group changes in compliance with the CIS benchmark version 1.3.0.
Remediation Steps:
To remediate this, you need to perform the following steps:
Log Metric Filter Configuration:
- 1.Log in to the AWS Management Console.
- 2.Navigate to the CloudWatch service.
- 3.In the CloudWatch dashboard, select "Logs" from the left-hand menu.
- 4.Choose the appropriate log group that contains your VPC Flow Logs.
- 5.Click on "Create Metric Filter" at the top-right corner.
Filter Pattern:
- 1.
Enter a filter pattern that matches security group changes in the logs.
Filter pattern example:
{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)}
Assign Metric:
- 1.After entering the filter pattern, click on the "Assign Metric" button to define the metric for the filter.
- 2.Provide a name for the metric.
- 3.Define a metric value that represents the log events matching the filter pattern.
- 4.Click on the "Create Filter" button to save the filter.
Alarm Configuration:
- 1.From the left-hand menu, select "Alarms" in the CloudWatch dashboard.
- 2.Click on "Create Alarm" to start configuring the alarm.
- 3.Select the metric filter you created in the previous steps.
- 4.Set the threshold conditions for the alarm based on your requirements.
- 5.Configure the actions to be taken when the alarm state is triggered (e.g., sending notifications, triggering auto-remediation, etc.).
- 6.Review the alarm settings and click on the "Create Alarm" button to save the alarm.
Troubleshooting Steps:
If you encounter any issues during the configuration or if the alarm fails to trigger for security group changes, try the following troubleshooting steps:
- 1.Check if your VPC Flow Logs are enabled and properly configured.
- 2.Ensure that the log group selected for the filter contains the VPC Flow Logs.
- 3.Validate that the filter pattern is correctly entered and matches the security group change events in the logs.
- 4.Verify that the filter is assigned to the intended metric.
- 5.Double-check the threshold conditions set in the alarm configuration.
- 6.Ensure that the actions configured for the alarm are appropriate and functional.
If the above steps do not resolve the issue, refer to AWS documentation or consult with an AWS expert for further assistance.
Code (if applicable):
There is no specific code required for this rule. The configuration is done through the AWS Management Console using the CloudWatch service.
Additional Notes:
Implementing this log metric filter and alarm will help you detect and respond to security group changes in your AWS environment. It will enhance your overall security posture and compliance with the CIS benchmark. Regularly monitoring these changes can protect your resources from unauthorized access or misconfigurations.