Ensure a Log Metric Filter and Alarm Rule for AWS Config Configuration Changes
This rule ensures the presence of a log metric filter and alarm for AWS Config configuration modifications.
| Rule | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule Description:
The rule ensures the presence of a log metric filter and alarm for AWS Config configuration changes that comply with the CIS AWS Foundations Benchmark (version 1.4.0).
Troubleshooting Steps:
If the log metric filter and alarm for AWS Config configuration changes do not exist, you can follow these troubleshooting steps:
- 1.
Verify Rule Evaluation: Ensure the AWS Config rule evaluation is running and the rule for cis_v140 is enabled. Use the AWS Config console or AWS CLI to check the rule status.
- 2.
Check CloudTrail Configuration: Verify that AWS CloudTrail is enabled and properly configured. Ensure that logging is turned on and the trail is capturing Config events.
- 3.
Check IAM Permissions: Confirm that the IAM role used by AWS Config has the necessary permissions to access CloudTrail and publish CloudWatch metrics. Ensure that the
has the required policies attached.AWSConfigRulesExecutionRole - 4.
Review AWS Config AWS Logging: Inspect the AWS Config settings to ensure that the AWS logging option is enabled. This allows AWS Config to log to CloudWatch logs.
- 5.
Confirm Log Metric Filter Configuration: Verify that the log metric filter for AWS Config configuration changes is properly configured. Ensure that the required filter pattern is present and captures the necessary log events.
- 6.
Validate CloudWatch Alarm Configuration: Double-check the CloudWatch alarm configuration associated with the log metric filter. Make sure the alarm is set up to trigger based on the expected criteria and that the actions taken upon triggering are appropriate.
Necessary Codes:
No specific code is required for this rule.
Remediation Steps:
To create a log metric filter and alarm for AWS Config configuration changes for cis_v140, perform the following steps:
- 1.
Create Log Metric Filter:
- Open the Amazon CloudWatch console.
- In the navigation pane, click on "Log groups" and select the log group configured for AWS Config.
- Click on "Create metric filter".
- Provide a filter pattern that matches AWS Config configuration change events related to cis_v140. For example:
{ ($.eventName = "Put*") && ($.eventSource = "config.amazonaws.com") && (($.additionalEventData.managedRuleIdentifier = "cis_v1.4.0_RuleID") || ($.additionalEventData.managedRuleIdentifier = "cis_v140"))) } - Configure the filter to extract the necessary information for evaluating the rule, such as dimensions, metric namespace, and value extracted from the event.
- Save the log metric filter.
- 2.
Create CloudWatch Alarm:
- In the CloudWatch console, go to "Alarms" in the navigation pane.
- Click on "Create alarm".
- Select the previously configured filter metric and define the threshold that triggers the alarm.
- Configure the actions to be taken when the alarm state is triggered, such as sending a notification or triggering an AWS Lambda function.
- Save the alarm.
- 3.
Verify Functionality:
- Test the log metric filter and alarm by making a configuration change that complies with cis_v140.
- Verify that the metric filter captures the event and sends it to CloudWatch.
- Ensure that the alarm state changes based on the defined threshold and triggers the associated actions.
By following these remediation steps, you will ensure the presence of a log metric filter and alarm that monitors AWS Config configuration changes for cis_v140, helping you maintain compliance with the CIS AWS Foundations Benchmark.