
Ensure a Log Metric Filter and Alarm Exist for IAM Policy Changes Rule

This rule ensures the presence of a log metric filter and alarm for changes in IAM policies.

Rule: Ensure a log metric filter and alarm exist for IAM policy changes
Framework: cis_v140
Severity: Low

Rule: IAM Policy Change Log Metric and Alarm (cis_v140)

This rule ensures that a log metric filter and alarm are in place to monitor and alert on any changes made to IAM policies. This helps in tracking any unauthorized modifications to IAM policies, which could potentially lead to security breaches and unauthorized access to resources.

Description

IAM policies control access to AWS resources and define what actions can be performed on them, so a single policy edit can grant or remove access across an account. Monitoring changes to IAM policies is therefore essential. This rule (CIS AWS Foundations Benchmark 1.4.0, control 4.4) relies on three pieces working together: CloudTrail must deliver API events to a CloudWatch Logs log group, a metric filter on that log group must turn each IAM policy-mutating event into a metric data point, and a CloudWatch alarm on that metric must notify an SNS topic that someone actually subscribes to. If any of the three is missing, the control is not met.

Troubleshooting Steps

1. Verify IAM policy change log metric filter

To troubleshoot, follow these steps to verify the existence and configuration of the IAM policy change log metric filter:

  1. Login to the AWS Management Console.
  2. Open the CloudTrail service and confirm that a multi-region trail delivers events to a CloudWatch Logs log group (the "CloudWatch Logs" section of the trail shows the log group name). There is no default log group for IAM events: the metric filter must be attached to the log group this trail writes to. IAM is a global service, so its events are only delivered when the trail includes global service events (the default for a multi-region trail).
  3. Open the CloudWatch service.
  4. In the left menu, click on "Log groups" under "Logs" and open the log group identified in step 2.
  5. Open the "Metric filters" tab and locate a filter whose pattern selects IAM policy change events.
  6. Confirm that the filter pattern covers all sixteen policy-mutating API calls named by the benchmark: Put/Delete{Group,Role,User}Policy, Create/DeletePolicy, Create/DeletePolicyVersion and Attach/Detach{Group,Role,User}Policy. Shortened patterns that omit the Delete*Policy and *PolicyVersion calls are common and leave blind spots. Note the metric namespace and name the filter emits; the alarm checked below must reference them.
  7. Optionally open a recent log stream of the log group and confirm that CloudTrail records (JSON objects with an "eventName" field) are actually arriving; a correct filter on a log group that receives nothing never fires.

2. Check IAM policy change alarm

If the IAM policy change log metric filter exists, follow these steps to verify the associated alarm:

  1. Login to the AWS Management Console.
  2. Open the CloudWatch service.
  3. In the left menu, click on "All alarms" under "Alarms".
  4. Look for an alarm whose metric is the one emitted by the IAM policy change metric filter (same namespace and metric name). Alarms reference the metric, not the filter, so a filter that emits a differently named metric than the alarm expects is a silent failure.
  5. Ensure that the alarm is enabled and fires on a single event: statistic Sum, a threshold of 1 with the "Greater/Equal" condition, over one evaluation period of 5 minutes (300 seconds).
  6. Ensure that the alarm's action is an SNS topic with at least one confirmed subscription (an e-mail address, an incident-management endpoint or a Lambda function). An alarm with no action, or a topic nobody subscribes to, satisfies the letter of the rule but alerts no one.

Necessary Codes

There are no specific codes required for this rule.

Remediation Steps

To implement this rule and ensure the existence of a log metric filter and alarm for IAM policy changes, follow these steps:

  1. Login to the AWS Management Console.
  2. Open the CloudTrail service and confirm that a multi-region trail delivers to a CloudWatch Logs log group (CIS 1.4.0 control 3.4). If it does not, configure that first: without this delivery the log group contains no CloudTrail records and the filter created below can never match. Note the log group name.
  3. Open the CloudWatch service.
  4. In the left menu, click on "Log groups" under "Logs" and open the log group from step 2. There is no default IAM log group; the filter must be attached to the group the trail writes to.
  5. Open the "Metric filters" tab and click on "Create metric filter".
  6. In the "Define pattern" section, enter the following filter pattern, which lists the IAM policy-mutating API calls named by CIS control 4.4:
       { ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }
     Do not shorten the list. CreatePolicyVersion is the call an attacker holding iam:CreatePolicyVersion uses to escalate privileges by publishing a new default version of an existing managed policy, and the Delete*Policy calls are how an inline deny statement is removed; both are missing from many copied patterns. The filter applies to the whole log group; individual log streams are not selected.
  7. Click on "Test pattern" to validate the filter against sample log data from the group, then click on "Next".
  8. In the "Assign metric" section, provide a filter name, a metric namespace (for example "CISBenchmark"), a metric name (for example "IAMPolicyChanges") and a metric value of 1, so that each matching event adds one to the metric. Click on "Next", review, and click on "Create metric filter".
  9. In the left menu, click on "All alarms" under "Alarms".
  10. Click on "Create alarm" and select the metric created in step 8 by its namespace and name.
  11. In the "Create alarm" wizard:
     • Set the statistic to Sum and the period to 5 minutes (300 seconds), evaluated over 1 period.
     • Set the condition to "Greater/Equal" a threshold of 1, so a single change fires the alarm.
     • Under "Notification", choose or create an SNS topic and make sure it has at least one confirmed subscription (e-mail, an incident-management endpoint or a Lambda function). The control requires a subscribed topic, not merely an alarm.
     • Provide a name and description for the alarm.
  12. Review the configuration settings and click on "Create alarm".

Once the above steps are completed, the log metric filter and alarm for IAM policy changes will be in place and actively monitoring the trail's log group. Any IAM policy change recorded by CloudTrail increments the metric and fires the alarm, which notifies the subscribed personnel for triage. Expect routine hits from legitimate infrastructure-as-code deployments; triage them by the record's userIdentity and sourceIPAddress rather than by loosening the filter.

Note: The principal performing these steps needs permissions such as cloudtrail:DescribeTrails, logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic and sns:Subscribe. Restrict the ability to modify or delete the filter, alarm and topic to the security team; an attacker who can edit IAM policies can usually also disable the alarm that would report it.
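The checks above can be scripted. The following is an added example written for this page, not Cloud Defense's or AWS's own code: it takes metric filters and alarms in the dict shapes that `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` return, reports what a shortened filter pattern misses, and verifies that an alarm is wired to the filter's metric, fires on a single event and has an enabled action. All data is constructed inline (the "CISBenchmark" namespace, the "IAMPolicyChanges" metric name, the account ID and the SNS topic ARN are placeholders), so it runs without AWS credentials; in a real audit you would pass in the describe-* responses instead.

```python
"""Offline checks for CIS 1.4.0 control 4.4 (IAM policy change filter + alarm).

Added example, not Cloud Defense's own code. The dicts mirror the shapes that
`aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` return,
but every record below is constructed inline so the module runs without AWS.
"""
import re

# The sixteen IAM policy-mutating API calls named by CIS 1.4.0 control 4.4.
CIS_IAM_POLICY_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
})

# One "$.eventName = X" clause; quotes and spaces are optional in CloudWatch patterns.
_EVENT_CLAUSE = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?')


def filter_pattern(events=CIS_IAM_POLICY_EVENTS):
    """Render the CloudWatch Logs JSON filter pattern that ORs the given eventNames."""
    return "{ " + " || ".join(f"($.eventName = {e})" for e in sorted(events)) + " }"


def pattern_events(pattern):
    """Return the set of eventName values an eventName-only pattern matches on."""
    return frozenset(_EVENT_CLAUSE.findall(pattern))


def matches(record, pattern):
    """Evaluate an eventName-only pattern against one CloudTrail record (a dict)."""
    return record.get("eventName") in pattern_events(pattern)


def fires_on_one_event(alarm):
    """True if the alarm condition is met by a single matching event in a period."""
    op, threshold = alarm.get("ComparisonOperator"), alarm.get("Threshold", 0)
    return alarm.get("Statistic") == "Sum" and (
        (op == "GreaterThanOrEqualToThreshold" and threshold <= 1)
        or (op == "GreaterThanThreshold" and threshold < 1))


def audit(metric_filters, alarms):
    """Return findings for control 4.4; an empty list means the control is satisfied."""
    findings = []
    complete = [f for f in metric_filters
                if CIS_IAM_POLICY_EVENTS <= pattern_events(f["filterPattern"])]
    if not complete:
        # Report what is missing across all filters so the operator knows what to add.
        seen = set()
        for f in metric_filters:
            seen |= pattern_events(f["filterPattern"]) & CIS_IAM_POLICY_EVENTS
        findings.append("no metric filter covers every CIS 4.4 event; missing: "
                        + ", ".join(sorted(CIS_IAM_POLICY_EVENTS - seen)))
        return findings
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in complete for t in f["metricTransformations"]}
    wired = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if not wired:
        findings.append("no alarm is attached to the metric emitted by the filter")
        return findings
    for a in wired:
        if not fires_on_one_event(a):
            findings.append(f"alarm {a['AlarmName']} does not fire on a single change")
        if not a.get("ActionsEnabled", True) or not a.get("AlarmActions"):
            findings.append(f"alarm {a['AlarmName']} has no enabled SNS action")
    return findings


# --- constructed sample data (placeholders, not real account output) --------
# A shortened pattern of the kind often copied around: among the five events it
# omits is CreatePolicyVersion, a standard IAM privilege-escalation path.
SHORT_PATTERN = filter_pattern(CIS_IAM_POLICY_EVENTS - {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "CreatePolicyVersion", "DeletePolicyVersion"})
SHORT_FILTER = {"filterName": "iam-policy-changes", "filterPattern": SHORT_PATTERN,
                "metricTransformations": [{"metricNamespace": "CISBenchmark",
                                           "metricName": "IAMPolicyChanges",
                                           "metricValue": "1"}]}
CIS_FILTER = dict(SHORT_FILTER, filterPattern=filter_pattern())
GOOD_ALARM = {"AlarmName": "cis-4.4-iam-policy-changes", "Namespace": "CISBenchmark",
              "MetricName": "IAMPolicyChanges", "Statistic": "Sum", "Period": 300,
              "EvaluationPeriods": 1, "Threshold": 1.0,
              "ComparisonOperator": "GreaterThanOrEqualToThreshold",
              "ActionsEnabled": True,
              "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"]}
# Minimal constructed CloudTrail record: new default version of a managed policy.
ESCALATION_EVENT = {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
                    "awsRegion": "us-east-1",
                    "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app",
                                          "setAsDefault": True}}

if __name__ == "__main__":
    print("short pattern catches escalation:", matches(ESCALATION_EVENT, SHORT_PATTERN))
    print("CIS pattern catches escalation:  ", matches(ESCALATION_EVENT, CIS_FILTER["filterPattern"]))
    for label, filters in (("short", [SHORT_FILTER]), ("cis", [CIS_FILTER])):
        print(label, audit(filters, [GOOD_ALARM]) or ["OK"])
```

The audit deliberately checks the alarm by metric namespace and name rather than by alarm name, because that is the only link CloudWatch itself maintains between a filter and an alarm; a renamed metric breaks the chain without any error. It also treats a missing or disabled action as a finding, since the benchmark requires a subscribed SNS topic, not just an alarm that changes state.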
