Ensure a log metric filter and alarm exist for VPC changes

This rule ensures the presence of a log metric filter and alarm for VPC changes.

Rule: Ensure a log metric filter and alarm exist for VPC changes
Framework: cis_v150
Severity: Low

Rule Description:

This rule requires a CloudWatch Logs metric filter and a CloudWatch alarm that fire whenever CloudTrail records a change to a Virtual Private Cloud (VPC): creating, deleting or modifying a VPC, changing its CIDR blocks, or altering its VPN gateway and route configuration. It is defined by CIS benchmark version 1.5.0. Monitoring these events gives prompt warning of unauthorized changes to network boundaries. The metric filter can only match events that CloudTrail delivers to a CloudWatch Logs log group, so a multi-region trail with CloudWatch Logs delivery enabled is a prerequisite.

Troubleshooting Steps:

  1. Ensure the principal performing the remediation has permissions to create and manage metric filters, alarms and SNS topics (for example logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic and sns:Subscribe).
  2. Confirm that a multi-region CloudTrail trail is logging management events and delivering them to a CloudWatch Logs log group; without that delivery the log group never receives the VPC events and the filter has nothing to match.
  3. Check that the metric filter is attached to the log group the trail writes to, and that the alarm is built on the metric that filter emits (same namespace and metric name). The alarm is tied to the metric, not to the VPC itself.
  4. Verify that the filter pattern, alarm settings and notification target meet the requirements specified in the CIS benchmark (see the remediation steps below).

Necessary Codes (if applicable):

No code other than the CloudWatch Logs filter pattern given in Step 1 of the remediation is required; the rest is console or CLI configuration.

Remediation Steps:

Follow the steps below to remediate this rule and ensure compliance:

Step 1: Creating a Log Metric Filter

  1. Go to the AWS Management Console and navigate to the CloudWatch service.
  2. In the navigation pane, click on "Logs", then "Log groups", and select the log group that your CloudTrail trail delivers to.
  3. Open the "Metric filters" tab and choose "Create metric filter".
  4. In the "Filter pattern" field, input the following filter pattern:
{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AttachVpnGateway) || ($.eventName = DetachVpnGateway) || ($.eventName = EnableVgwRoutePropagation) || ($.eventName = DisableVgwRoutePropagation) || ($.eventName = AssociateVpcCidrBlock) || ($.eventName = DisassociateVpcCidrBlock) || ($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }
    This pattern matches VPC lifecycle, CIDR, VPN gateway and route events by their CloudTrail eventName. Note that the reference pattern published in the CIS benchmark for this control lists the VPC peering connection events (AcceptVpcPeeringConnection, CreateVpcPeeringConnection, DeleteVpcPeeringConnection, RejectVpcPeeringConnection) and the ClassicLink events (AttachClassicLinkVpc, DetachClassicLinkVpc, DisableVpcClassicLink, EnableVpcClassicLink) alongside CreateVpc, DeleteVpc and ModifyVpcAttribute, while route changes fall under the separate route table monitoring control. If your compliance scanner compares the pattern against the benchmark text, use the benchmark's pattern or a superset of it.
  5. Click "Next". In the "Metric details" section, provide a filter name, a metric namespace (for example CISBenchmark), a metric name (for example VpcEventCount) and a metric value of 1, so that each matching event adds one to the metric.
  6. Click "Create metric filter" to save the log metric filter.

Step 2: Creating an Alarm

  1. While still in the CloudWatch service, click on "Alarms" in the navigation pane, then "All alarms".
  2. Click on the "Create alarm" button and choose "Select metric".
  3. Select the metric emitted by the filter created in the previous step (the namespace and metric name you entered).
  4. Configure the conditions: statistic Sum over a 5-minute period, a static threshold, alarm when the metric is greater than or equal to 1, for 1 evaluation period. These are the values the CIS benchmark's remediation uses; a higher threshold would let isolated changes pass unnoticed.
  5. Specify the action taken when the alarm enters the ALARM state: notify an SNS topic that has at least one confirmed subscription (the benchmark requires an active subscriber; an alarm that notifies an unsubscribed topic alerts no one), and optionally trigger an automated response.
  6. Provide a name and description for the alarm.
  7. Click on "Create alarm" to save the alarm configuration.
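To see exactly which CloudTrail events the Step 1 filter pattern counts, and where it differs from the pattern the CIS benchmark itself publishes for this control, here is an added example that evaluates both patterns offline against constructed CloudTrail records. It is not code from the original page or from AWS; the sample records are made up for illustration, and the small pattern parser handles only the OR-of-eventName syntax these patterns use.

```python
"""Evaluate the VPC-changes metric filter pattern against CloudTrail records
offline, to see exactly which events it counts.

Added example for this page; it is not the page's code and not an AWS tool.
The only pattern syntax handled is the one this control uses: "($.eventName
= Value)" terms joined by "||" inside braces. The CloudTrail records below
are constructed for illustration, not real log data.
"""
import re

# The filter pattern given in Step 1 of the remediation steps above.
PAGE_PATTERN = (
    "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || "
    "($.eventName = ModifyVpcAttribute) || ($.eventName = AttachVpnGateway) || "
    "($.eventName = DetachVpnGateway) || ($.eventName = EnableVgwRoutePropagation) || "
    "($.eventName = DisableVgwRoutePropagation) || ($.eventName = AssociateVpcCidrBlock) || "
    "($.eventName = DisassociateVpcCidrBlock) || ($.eventName = CreateRoute) || "
    "($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }"
)

# The reference pattern the CIS AWS Foundations Benchmark publishes for the
# VPC-changes control (peering and ClassicLink events instead of routes).
CIS_REFERENCE_PATTERN = (
    "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || "
    "($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || "
    "($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || "
    "($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || "
    "($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || "
    "($.eventName = EnableVpcClassicLink) }"
)

_TERM_RE = re.compile(r"\(\s*\$\.eventName\s*=\s*([A-Za-z0-9_]+)\s*\)")


def event_names_in_pattern(pattern: str) -> frozenset:
    """Return the set of eventName values an OR-only pattern matches.

    Anything other than eventName terms joined by "||" raises ValueError,
    so an unsupported pattern is never silently treated as matching nothing.
    """
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("pattern must be enclosed in braces")
    body = body[1:-1]
    names = _TERM_RE.findall(body)
    leftover = _TERM_RE.sub("", body).replace("||", "").strip()
    if leftover or not names:
        raise ValueError(f"unsupported pattern syntax near {leftover!r}")
    return frozenset(names)


def matching_events(pattern: str, records) -> list:
    """Return the CloudTrail records (parsed JSON) the pattern would count.

    CloudWatch Logs evaluates the filter per log event, and CloudTrail
    delivers one record per log event, so this reduces to a test on each
    record's top-level eventName.
    """
    wanted = event_names_in_pattern(pattern)
    return [r for r in records if r.get("eventName") in wanted]


def coverage_gap(pattern_a: str, pattern_b: str) -> frozenset:
    """Event names matched by pattern_b but not by pattern_a."""
    return event_names_in_pattern(pattern_b) - event_names_in_pattern(pattern_a)


# Constructed sample records in CloudTrail's shape, fields trimmed.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpc", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T12:01:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyVpcAttribute", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T12:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpcPeeringConnection", "userIdentity": {"type": "AssumedRole"}},
    {"eventTime": "2024-01-10T12:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVpcs", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-01-10T12:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    for r in matching_events(PAGE_PATTERN, SAMPLE_RECORDS):
        print("page pattern counts:", r["eventTime"], r["eventName"])
    print("events the CIS pattern adds:",
          sorted(coverage_gap(PAGE_PATTERN, CIS_REFERENCE_PATTERN)))
```

Run against the sample records, the page's pattern counts the CreateVpc, ModifyVpcAttribute and CreateRoute records and ignores the read-only DescribeVpcs call, but it also ignores the CreateVpcPeeringConnection record, which the benchmark's pattern would count. Peering a VPC to an untrusted account is one of the changes this control exists to catch, so in practice the union of both patterns is the safer choice.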

Verification:

To verify compliance with this rule, follow these steps:

  1. Go to the AWS Management Console and navigate to the CloudWatch service.
  2. In the navigation pane, click on "Logs", open the log group your CloudTrail trail delivers to, and confirm on the "Metric filters" tab that a filter with the pattern above exists.
  3. Click on "Alarms", locate the alarm built on that filter's metric, and confirm that its actions are enabled and that it notifies an SNS topic with a confirmed subscription. The alarm's state is not a compliance signal: INSUFFICIENT_DATA is the normal resting state, because the metric only receives data points when the filter matches an event (unless "Treat missing data as" is set to "Good (not breaching)"), and OK simply means no VPC change occurred in the last period.
  4. Optionally test end to end by making a harmless change, such as creating and deleting an empty test VPC, and confirming that the alarm transitions to ALARM and the notification arrives within a few minutes. Whenever the alarm fires unexpectedly, investigate the matching events in the CloudWatch Logs log group (the userIdentity and sourceIPAddress fields identify who made the change and from where) to ensure the change was authorized and expected.
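The manual checks above can be scripted. The following added example (not the page's or AWS's own code) audits the whole chain from trail to SNS subscriber using data in the shape returned by the AWS CLI; the trail, filter, alarm and subscription values are constructed, and the required event set is taken from the filter pattern on this page as an assumption about your own policy. In a live account you would feed it the output of aws cloudtrail describe-trails and get-trail-status, aws logs describe-metric-filters, aws cloudwatch describe-alarms and aws sns list-subscriptions-by-topic.

```python
"""Audit the CloudTrail -> CloudWatch Logs -> metric filter -> alarm -> SNS
chain for the VPC-changes control, offline.

Added example, not the page's or AWS's own code. The inputs have the shape
of the responses from describe-trails (merged with get-trail-status),
describe-metric-filters, describe-alarms and list-subscriptions-by-topic;
the values below are constructed. The required event names come from the
filter pattern on this page (an assumption about your policy) and the alarm
settings checked are the ones the CIS benchmark remediation uses.
"""
import re

REQUIRED_EVENTS = frozenset({
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AttachVpnGateway", "DetachVpnGateway",
    "EnableVgwRoutePropagation", "DisableVgwRoutePropagation",
    "AssociateVpcCidrBlock", "DisassociateVpcCidrBlock",
    "CreateRoute", "ReplaceRoute", "DeleteRoute",
})
_EVENT_RE = re.compile(r"\$\.eventName\s*=\s*([A-Za-z0-9_]+)")


def log_group_from_arn(arn: str) -> str:
    """arn:aws:logs:<region>:<account>:log-group:<name>:* -> <name>."""
    return arn.split(":log-group:", 1)[1].split(":")[0]


def audit_vpc_monitoring(trail, metric_filters, alarms, subscriptions_by_topic):
    """Return a list of findings; an empty list means the control passes."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not trail.get("IsLogging"):
        findings.append("trail is not logging")
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not group_arn:
        findings.append("trail does not deliver to CloudWatch Logs")
        return findings
    group = log_group_from_arn(group_arn)

    # A filter qualifies only if it is on the trail's log group and its
    # pattern names every required event (a superset is fine).
    covering = [
        f for f in metric_filters
        if f.get("logGroupName") == group
        and REQUIRED_EVENTS <= set(_EVENT_RE.findall(f.get("filterPattern", "")))
    ]
    if not covering:
        findings.append(f"no metric filter on {group} covers all required VPC events")
        return findings

    # The alarm must watch the exact metric (namespace, name) a filter emits.
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in covering for t in f.get("metricTransformations", [])}
    matched = [a for a in alarms if (a.get("Namespace"), a.get("MetricName")) in metrics]
    if not matched:
        findings.append("no alarm exists on the metric the filter emits")
        return findings

    for a in matched:
        name = a.get("AlarmName", "?")
        if not a.get("ActionsEnabled", True):
            findings.append(f"{name}: alarm actions are disabled")
        if a.get("Statistic") != "Sum" or not (0 < a.get("Threshold", 0) <= 1):
            findings.append(f"{name}: expected Statistic=Sum and a Threshold of 1 "
                            "so every matching event alarms")
        topics = [t for t in a.get("AlarmActions", []) if t.startswith("arn:aws:sns:")]
        if not topics:
            findings.append(f"{name}: no SNS topic among AlarmActions")
        for topic in topics:
            # A pending subscription reports "PendingConfirmation" instead of an ARN.
            confirmed = [s for s in subscriptions_by_topic.get(topic, [])
                         if s.get("SubscriptionArn", "").startswith("arn:aws:sns:")]
            if not confirmed:
                findings.append(f"{name}: topic {topic} has no confirmed subscriber")
    return findings


# Constructed inputs for a compliant account.
TRAIL = {"Name": "org-management-trail", "IsMultiRegionTrail": True, "IsLogging": True,
         "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Management:*"}
METRIC_FILTERS = [{
    "filterName": "vpc-changes",
    "logGroupName": "CloudTrail/Management",
    "filterPattern": "{ " + " || ".join(f"($.eventName = {e})" for e in sorted(REQUIRED_EVENTS)) + " }",
    "metricTransformations": [{"metricName": "VpcEventCount",
                               "metricNamespace": "CISBenchmark", "metricValue": "1"}],
}]
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
ALARMS = [{"AlarmName": "cis-vpc-changes", "Namespace": "CISBenchmark",
           "MetricName": "VpcEventCount", "Statistic": "Sum", "Period": 300,
           "EvaluationPeriods": 1, "Threshold": 1.0,
           "ComparisonOperator": "GreaterThanOrEqualToThreshold",
           "ActionsEnabled": True, "AlarmActions": [TOPIC]}]
SUBSCRIPTIONS = {TOPIC: [{"Protocol": "email", "Endpoint": "secops@example.com",
                         "SubscriptionArn": TOPIC + ":5d3f8c1a-2b4e-4f6a-9c8d-0e1f2a3b4c5d"}]}

if __name__ == "__main__":
    print(audit_vpc_monitoring(TRAIL, METRIC_FILTERS, ALARMS, SUBSCRIPTIONS) or ["compliant"])
```

The check stops at the first broken link in the chain (no log delivery, no covering filter, no alarm) because later checks would be meaningless, and it reports every weakness on the alarm itself, since an alarm that exists but has disabled actions or an unconfirmed e-mail subscription passes a casual console glance while alerting nobody.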

By following these steps, you have created a log metric filter and alarm that monitor VPC changes, as required by CIS benchmark version 1.5.0. This satisfies the control and gives you timely visibility into modifications made to VPC settings and configurations, with a notification path that reaches a human.
