
Ensure a Log Metric Filter and Alarm Exist for VPC Changes Rule

This rule ensures the presence of a log metric filter and alarm for VPC changes.

Rule: Ensure a log metric filter and alarm exist for VPC changes
Framework: cis_v130
Severity: Low

Rule Description:

The rule requires the creation of a log metric filter and alarm to be set up for VPC (Virtual Private Cloud) changes in accordance with the Center for Internet Security (CIS) Version 1.3.0 benchmark. This rule helps to monitor and track any modifications made to VPCs, assisting in ensuring the security and compliance of the AWS environment.

Troubleshooting Steps:

  1. Verify VPC Flow Logs:

     • Ensure that VPC flow logs are enabled on the VPCs you want to monitor.
     • Check that the VPC flow logs are being delivered to the configured destination (e.g., CloudWatch Logs).

  2. Confirm Log Metric Filter:

     • Verify that a log metric filter exists for VPC changes.
     • Ensure that the log metric filter pattern correctly captures log events related to VPC changes.

  3. Validate Alarm Configuration:

     • Check that an alarm is configured to monitor the log metric filter.
     • Verify that the alarm threshold and actions are set up correctly.

  4. Verify Event History:

     • Check the event history related to VPC changes in the CloudTrail logs.
     • Identify any unauthorized or unexpected VPC modifications.

Necessary Codes:

In this case, there is no specific code to be provided as the implementation of log metric filters and alarms might vary depending on the AWS infrastructure and monitoring setup. However, the following steps outline the general procedure for remediation.

Remediation Steps:

  1. Enable VPC Flow Logs:

     • To enable VPC flow logs, navigate to the Amazon VPC console.
     • Select the desired VPC and click on the "Actions" button.
     • Choose "Create Flow Log" and configure the log settings as required, selecting the appropriate destination (e.g., CloudWatch Logs).

  2. Create Log Metric Filter:

     • Go to the CloudWatch console.
     • Select the appropriate log group where the logs are delivered.
     • Click on "Create Metric Filter" to define the filter pattern.
     • Specify a filter pattern that captures VPC changes, such as:
       { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) }
     • Configure the log metric filter details, such as the metric namespace, metric name, and the value extracted from the logs.
     • Click on "Test Pattern" to verify that the filter matches the expected log events.
     • Lastly, click on "Create Filter" to create the log metric filter.

  3. Set up an Alarm:

     • After creating the log metric filter, select the "Create Alarm" option.
     • Define the alarm threshold based on your requirements (e.g., triggering the alarm when the metric value is greater than zero).
     • Configure the actions to be performed when the alarm state changes.
     • Specify the notification recipients who will be alerted when the alarm state changes (e.g., an email address or an SNS topic).
     • Click on "Create Alarm" to complete the process.
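As an added example (not Cloud Defense's own code), the following offline check audits the outcome of the steps above: it takes metric filters and alarms in the shape of CloudWatch `describe_metric_filters` / `describe_alarms` responses, confirms that a filter on the CloudTrail log group tests every eventName in the pattern shown above, and that an alarm on that filter's metric fires on a single event and has at least one action. It assumes the filter lives on the log group that receives CloudTrail events (the `$.eventName` fields come from CloudTrail records, not from VPC flow log records); the log group name, metric names and ARN are constructed sample values.

```python
import re

# CloudTrail eventName values tested by the filter pattern in the step above.
REQUIRED_EVENTS = {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute"}
_EVENT_TERM = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?')

def events_in_pattern(filter_pattern: str) -> set:
    """Return the set of eventName values a CloudWatch filter pattern selects."""
    return set(_EVENT_TERM.findall(filter_pattern))

def covering_metrics(metric_filters, cloudtrail_log_group: str) -> set:
    """(namespace, metricName) pairs published by filters on the CloudTrail log
    group whose pattern covers every required VPC event name."""
    metrics = set()
    for f in metric_filters:
        if f.get("logGroupName") != cloudtrail_log_group:
            continue  # a filter on the flow-logs group never sees eventName
        if REQUIRED_EVENTS <= events_in_pattern(f.get("filterPattern", "")):
            for t in f.get("metricTransformations", []):
                metrics.add((t["metricNamespace"], t["metricName"]))
    return metrics

def alarm_fires_on_one_event(alarm) -> bool:
    """True if a single matching event (metric value 1) crosses the threshold."""
    op, thr = alarm.get("ComparisonOperator"), alarm.get("Threshold", 0)
    return (op == "GreaterThanOrEqualToThreshold" and thr <= 1) or \
           (op == "GreaterThanThreshold" and thr < 1)

def is_compliant(metric_filters, alarms, cloudtrail_log_group: str) -> bool:
    """Rule check: a covering filter exists and an alarm on its metric both
    fires on one event and has at least one action (e.g. an SNS topic)."""
    metrics = covering_metrics(metric_filters, cloudtrail_log_group)
    return any((a.get("Namespace"), a.get("MetricName")) in metrics
               and a.get("AlarmActions") and alarm_fires_on_one_event(a)
               for a in alarms)

# Constructed sample data in the shape of describe_metric_filters / describe_alarms output.
SAMPLE_FILTERS = [
    {"filterName": "vpc-changes", "logGroupName": "CloudTrail/DefaultLogGroup",
     "filterPattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc)"
                      " || ($.eventName = ModifyVpcAttribute) }",
     "metricTransformations": [{"metricName": "VpcEventCount",
                                "metricNamespace": "CISBenchmark", "metricValue": "1"}]},
]
SAMPLE_ALARMS = [
    {"AlarmName": "vpc-changes-alarm", "Namespace": "CISBenchmark", "MetricName": "VpcEventCount",
     "ComparisonOperator": "GreaterThanOrEqualToThreshold", "Threshold": 1.0,
     "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]},
]
```

Feeding it the real `metricFilters` and `MetricAlarms` lists from the two API calls turns the console walkthrough into a repeatable check; an alarm whose threshold is above 1 or that has no action is reported as non-compliant.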

Summary:

By following the above steps, you ensure compliance with the CIS benchmark v1.3.0 by setting up a log metric filter and alarm for VPC changes. This allows you to track any modifications made to VPCs and promptly respond to any unauthorized or unexpected changes. Regularly monitoring the CloudWatch Logs and investigating alarm notifications will help maintain the security and compliance of your AWS environment.
