
Ensure a Log Metric Filter and Alarm Exist for S3 Bucket Policy Changes Rule

This rule ensures the presence of a log metric filter and alarm for monitoring S3 bucket policy changes.

Rule: Ensure a log metric filter and alarm exist for S3 bucket policy changes
Framework: General Data Protection Regulation (GDPR)
Severity: Low

Rule Description:

This rule ensures that a log metric filter and alarm are present to monitor any change made to an S3 bucket policy, in support of General Data Protection Regulation (GDPR) compliance. With this rule in place, organizations can track, and are alerted to, every alteration of a bucket policy that could affect GDPR compliance.

Troubleshooting Steps:

If the log metric filter and alarm are not present or not functioning as expected, you can follow these troubleshooting steps:

  1. Verify IAM Permissions: Ensure that the IAM principal (user or role) that creates and configures the log metric filter and alarm has the necessary permissions. The required permissions are logs:PutMetricFilter (the CloudWatch Logs API action) and cloudwatch:PutMetricAlarm.

  2. Validate Log Metric Filter: Check that the log metric filter is configured correctly. Verify that the filter pattern captures the S3 bucket policy change events relevant to GDPR, and that the filter is attached to the log group and region that the CloudTrail trail delivers to.

  3. Confirm Alarm Configuration: Review the alarm settings to ensure they are configured correctly. Verify the alarm threshold, comparison operator, and the actions to be triggered when the threshold is breached. Make sure the alarm's actions are enabled (e.g., sending notifications).

  4. Check CloudWatch Logs Integration: Ensure that CloudTrail is delivering its logs to CloudWatch Logs. Confirm that the trail covering the S3 bucket in question sends its events to CloudWatch Logs, and that the log group the filter is attached to receives them.

  5. Validate Notification Settings: Verify that the necessary email addresses or other notification endpoints are correctly configured to receive notifications triggered by the alarm. Double-check the email delivery settings and ensure the messages are not routed to spam or junk folders.

  6. Test Policy Change: Make a sample change to the S3 bucket policy related to GDPR and check that the log metric filter captures the change and the alarm triggers as expected. This step confirms that the rule is functioning correctly.

Necessary Codes:

If you need to create or modify the log metric filter and alarm, here are the necessary commands:

  1. Create Log Metric Filter:

    aws logs put-metric-filter --log-group-name <log-group-name> --filter-name GDPRBucketPolicyChanges --filter-pattern '{ ($.eventSource = "s3.amazonaws.com") && (($.eventName = "PutBucketPolicy") || ($.eventName = "DeleteBucketPolicy")) }' --metric-transformations metricName=GDPRBucketPolicyChanges,metricNamespace=GDPRMetrics,metricValue=1 --region <region>

    Replace <log-group-name> with the name of the CloudWatch log group that the CloudTrail trail delivers to, and <region> with the appropriate AWS region.

    The filter pattern uses the CloudWatch Logs JSON syntax, which is required because CloudTrail writes each event to the log group as a JSON object. It counts every PutBucketPolicy and DeleteBucketPolicy call that CloudTrail records for the S3 service, including denied attempts, so a rejected attempt to alter a bucket policy also raises the alarm. The metric transformation key is metricValue, which publishes a value of 1 per matching event.

  2. Create Alarm:

    aws cloudwatch put-metric-alarm --alarm-name GDPRBucketPolicyChangesAlarm --metric-name GDPRBucketPolicyChanges --namespace GDPRMetrics --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-description "S3 bucket policy change related to GDPR detected" --actions-enabled --alarm-actions <SNS-topic-ARN> --region <region>

    Replace <SNS-topic-ARN> with the ARN of the Amazon SNS topic where you want to receive the alarm notifications, and <region> with the desired AWS region.
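To see which CloudTrail records the metric filter above counts and how the alarm's Sum-over-period threshold reacts, here is an added example (not Cloud Defense's code) that replays the filter's logic over a handful of constructed CloudTrail records, including a denied PutBucketPolicy attempt and a malformed line. The function names, the sample account id and bucket name are this example's own assumptions.

```python
"""Replay of the S3 bucket policy metric filter over constructed CloudTrail records."""
import json

# Event names the corrected filter pattern selects (assumption: mirrors the
# put-metric-filter command above).
FILTER_PATTERN_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy"}

# Constructed CloudTrail records, one JSON object per line, as they would sit in
# the CloudWatch Logs log group a trail delivers to. Not real output.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "requestParameters": {"bucketName": "example-gdpr-records"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "requestParameters": {"bucketName": "example-gdpr-records"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
                "requestParameters": {"bucketName": "example-gdpr-records"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                "errorCode": "AccessDenied", "errorMessage": "Access Denied",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
                "requestParameters": {"bucketName": "example-gdpr-records"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "requestParameters": {"roleName": "deploy"}}),
    "not json at all",  # a JSON filter pattern simply never matches such a line
]


def matches_filter(record):
    """The same test the JSON filter pattern applies to a single record."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in FILTER_PATTERN_EVENTS)


def evaluate_period(log_lines):
    """Apply the filter to every line of one evaluation period.

    Returns (metric_sum, matched): metric_sum is what the metric transformation
    (metricValue=1 per match) would publish for the period; matched lists
    (eventName, bucket, actor, outcome) for each counted record so an analyst
    can see who changed what and whether the call was denied.
    """
    matched = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # non-JSON events are skipped by JSON patterns
        if not isinstance(record, dict) or not matches_filter(record):
            continue
        outcome = "denied" if record.get("errorCode") == "AccessDenied" else "succeeded"
        matched.append((record["eventName"],
                        record.get("requestParameters", {}).get("bucketName"),
                        record.get("userIdentity", {}).get("arn"),
                        outcome))
    return len(matched), matched


def alarm_would_fire(metric_sum, threshold=1):
    """Mirror the alarm: Sum over the period compared with GreaterThanOrEqualToThreshold."""
    return metric_sum >= threshold


if __name__ == "__main__":
    total, hits = evaluate_period(SAMPLE_LOG_LINES)
    print("metric sum for this period:", total)
    for hit in hits:
        print("  ", hit)
    print("alarm fires:", alarm_would_fire(total))
```

Run as a script, it reports three counted records (two successful policy changes and one denied attempt) and an alarm that fires; the PutBucketAcl and IAM events fall outside the filter, which is why a pattern aimed at bucket policy changes should list the policy API names explicitly.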

Remediation Steps:

To remediate any issues related to the log metric filter and alarm, follow these step-by-step instructions:

  1. Review IAM Permissions: Ensure that the IAM principal (user or role) that manages the CloudWatch Logs metric filter and the alarm has the necessary permissions (logs:PutMetricFilter and cloudwatch:PutMetricAlarm). If needed, update the IAM policy with the correct permissions.

  2. Validate Log Metric Filter:

    • Confirm the correctness of the filter pattern used to capture S3 bucket policy changes related to GDPR. Modify the filter pattern if necessary.
    • Double-check the log group and region settings to ensure they match the desired configuration.

  3. Confirm Alarm Configuration:

    • Review alarm settings such as threshold, comparison operator, and actions. Adjust these parameters according to your requirements.
    • Ensure that the alarm's actions are enabled.

  4. Check CloudWatch Logs Integration:

    • Verify that the CloudTrail trail covering the S3 bucket delivers its logs to CloudWatch Logs.
    • Confirm that the log group capturing the logs is appropriately set up.

  5. Validate Notification Settings:

    • Check the notification settings to ensure they are accurate and up to date.
    • Test notification delivery by triggering a test alarm and verifying that notifications are received.

  6. Test Policy Change:

    • Make a sample change to the S3 bucket policy related to GDPR and check that the log metric filter captures the change and the alarm triggers as expected. This step validates the rule's effectiveness.
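The remediation steps above form a chain (metric filter, alarm, enabled actions, SNS topic, confirmed subscriber) and the rule only passes when every link holds. The following added example (not Cloud Defense's code) audits that chain offline. Its inputs follow the field names of the boto3 describe_metric_filters, describe_alarms and list_subscriptions_by_topic responses, but every value is constructed here; the function names and the sample topic ARN are assumptions of this example.

```python
"""Offline audit of the metric filter -> alarm -> SNS chain for S3 bucket policy changes."""

# Constructed inputs shaped like boto3 responses; not taken from a real account.
JSON_FILTER = ('{ ($.eventSource = "s3.amazonaws.com") && '
               '(($.eventName = "PutBucketPolicy") || ($.eventName = "DeleteBucketPolicy")) }')
TOPIC = "arn:aws:sns:eu-west-1:111122223333:security-alerts"  # constructed ARN

GOOD_FILTERS = [{"filterName": "GDPRBucketPolicyChanges", "filterPattern": JSON_FILTER,
                 "metricTransformations": [{"metricName": "GDPRBucketPolicyChanges",
                                            "metricNamespace": "GDPRMetrics",
                                            "metricValue": "1"}]}]
GOOD_ALARMS = [{"AlarmName": "GDPRBucketPolicyChangesAlarm",
                "MetricName": "GDPRBucketPolicyChanges", "Namespace": "GDPRMetrics",
                "ActionsEnabled": True, "AlarmActions": [TOPIC]}]
GOOD_SUBSCRIPTIONS = {TOPIC: [{"Protocol": "email", "Endpoint": "secops@example.com",
                               "SubscriptionArn": TOPIC + ":0b1c2d3e-constructed"}]}

# Misconfigurations seen in practice: actions switched off, and an email
# subscription nobody confirmed (SNS reports its ARN as "PendingConfirmation").
BAD_ALARMS = [dict(GOOD_ALARMS[0], ActionsEnabled=False)]
BAD_SUBSCRIPTIONS = {TOPIC: [{"Protocol": "email", "Endpoint": "secops@example.com",
                              "SubscriptionArn": "PendingConfirmation"}]}
# A filter in space-delimited syntax: contains the right words but never matches
# CloudTrail's JSON events, so it must not count as coverage.
WRONG_SYNTAX_FILTERS = [dict(GOOD_FILTERS[0], filterPattern=(
    "[version, user, eventSource = s3.amazonaws.com, eventName = PutBucketPolicy]"))]


def filter_covers_bucket_policy_changes(pattern):
    """True if the pattern selects S3 PutBucketPolicy events using the JSON syntax."""
    compact = pattern.replace(" ", "")
    return (compact.startswith("{")
            and "s3.amazonaws.com" in compact
            and "PutBucketPolicy" in compact)


def audit_bucket_policy_monitoring(metric_filters, alarms, subscriptions_by_topic):
    """Return a list of findings; an empty list means the rule passes.

    Checks, in order: a JSON metric filter for S3 bucket policy changes exists;
    an alarm watches the metric it publishes; that alarm's actions are enabled
    and name at least one SNS topic; each topic has a confirmed subscriber.
    """
    candidates = [f for f in metric_filters
                  if filter_covers_bucket_policy_changes(f.get("filterPattern", ""))]
    if not candidates:
        return ["no JSON metric filter matches S3 PutBucketPolicy events"]

    findings = []
    for flt in candidates:
        for mt in flt.get("metricTransformations", []):
            metric = (mt["metricName"], mt["metricNamespace"])
            watching = [a for a in alarms
                        if (a.get("MetricName"), a.get("Namespace")) == metric]
            if not watching:
                findings.append(f"no alarm on metric {metric[1]}/{metric[0]} "
                                f"from filter {flt['filterName']}")
                continue
            for alarm in watching:
                name = alarm["AlarmName"]
                if not alarm.get("ActionsEnabled", False):
                    findings.append(f"alarm {name}: actions are disabled")
                topics = alarm.get("AlarmActions", [])
                if not topics:
                    findings.append(f"alarm {name}: no alarm actions configured")
                for topic_arn in topics:
                    confirmed = [s for s in subscriptions_by_topic.get(topic_arn, [])
                                 if s.get("SubscriptionArn") != "PendingConfirmation"]
                    if not confirmed:
                        findings.append(f"alarm {name}: topic {topic_arn} "
                                        "has no confirmed subscribers")
    return findings


if __name__ == "__main__":
    for label, args in [("good", (GOOD_FILTERS, GOOD_ALARMS, GOOD_SUBSCRIPTIONS)),
                        ("bad", (GOOD_FILTERS, BAD_ALARMS, BAD_SUBSCRIPTIONS)),
                        ("wrong syntax", (WRONG_SYNTAX_FILTERS, GOOD_ALARMS, GOOD_SUBSCRIPTIONS))]:
        print(label, "->", audit_bucket_policy_monitoring(*args) or "PASS")
```

Against a live account the three inputs would come from the CloudWatch Logs, CloudWatch and SNS APIs for the trail's log group; the check deliberately treats a pending email subscription as a failure, because an alarm whose only endpoint never confirmed delivers nothing, and it rejects space-delimited filter patterns for the reason given in the Necessary Codes section.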

By following these troubleshooting and remediation steps, you can ensure the presence and proper functioning of the log metric filter and alarm for monitoring S3 bucket policy changes related to GDPR.
