This rule ensures a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys.
Rule: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
Framework: General Data Protection Regulation (GDPR)
Severity: Low
Rule Description
This rule ensures that a log metric filter and alarm exist to detect, and notify on, any attempt to disable or schedule deletion of customer managed keys that are relevant to General Data Protection Regulation (GDPR) compliance. By monitoring the log activity, this rule helps maintain the security and integrity of customer managed keys and supports compliance with GDPR.
Troubleshooting Steps
If the log metric filter and alarm for disabling or scheduled deletion of customer managed keys for GDPR are not in place, follow these troubleshooting steps to set them up:
Check IAM permissions: Make sure you have the necessary IAM permissions to configure log metric filters and alarms. Specifically, you need the logs:PutMetricFilter and cloudwatch:PutMetricAlarm permissions.
Review the log groups: Verify that the log groups containing the relevant audit logs for customer managed keys exist. This could be logs from services like AWS Key Management Service (KMS), CloudTrail, or other services where key management activities are logged.
Create a log metric filter: Create a log metric filter that captures events related to disabling or scheduled deletion of customer managed keys. Define appropriate filter patterns to match these events accurately.
Configure a CloudWatch alarm: Once the log metric filter is in place, configure a CloudWatch alarm to monitor the filter's metric. Set the desired threshold for triggering the alarm, which could be based on the number of events or the frequency of events.
Define notification actions: Specify the appropriate notification actions for the CloudWatch alarm. This could include sending notifications via email, SMS, or triggering an AWS Simple Notification Service (SNS) topic.
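To make the filter pattern and alarm settings concrete, the following added Python example (not code from the original rule page) applies an assumed CIS-benchmark style filter pattern for KMS DisableKey and ScheduleKeyDeletion events to constructed CloudTrail records, then evaluates the alarm with the Period 300, Statistic Sum, Threshold 1 and GreaterThanThreshold values used in the Necessary Codes section. The pattern, the sample records and the helper names are assumptions for this example.

```python
from collections import Counter
from datetime import datetime

# Assumed filter pattern (CIS-benchmark style; the rule page itself only shows
# the <FILTER_PATTERN> placeholder):
#   { ($.eventSource = kms.amazonaws.com) &&
#     (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }
WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}
PERIOD = 300  # seconds, matching Period: 300 in the alarm definition

def matches_filter(event):
    """Mirror the metric filter: KMS event source and one of the watched API names."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") in WATCHED_EVENTS)

def period_sums(events, period=PERIOD):
    """Emit metricValue 1 per matching event and sum it per period (Statistic: Sum)."""
    sums = Counter()
    for ev in events:
        if matches_filter(ev):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            sums[int(ts.timestamp()) // period * period] += 1
    return dict(sums)

def alarm_fires(value, operator, threshold):
    """Apply the alarm's ComparisonOperator to one period's datapoint."""
    if operator == "GreaterThanThreshold":
        return value > threshold
    if operator == "GreaterThanOrEqualToThreshold":
        return value >= threshold
    raise ValueError(f"unsupported operator: {operator}")

def evaluate(events, operator="GreaterThanThreshold", threshold=1):
    """Return {period_start_epoch: fired} for every period with at least one match."""
    return {b: alarm_fires(v, operator, threshold)
            for b, v in period_sums(events).items()}

def ev(time, source, name):  # helper: minimal constructed CloudTrail record
    return {"eventTime": time, "eventSource": source, "eventName": name}

# Constructed sample CloudTrail records (not real data), trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:05Z", "kms.amazonaws.com", "DisableKey"),
    ev("2024-01-01T10:00:40Z", "kms.amazonaws.com", "Decrypt"),  # routine key use, must not count
    ev("2024-01-01T10:09:10Z", "kms.amazonaws.com", "ScheduleKeyDeletion"),
    ev("2024-01-01T10:09:30Z", "kms.amazonaws.com", "DisableKey"),
    ev("2024-01-01T10:09:50Z", "ec2.amazonaws.com", "DisableKey"),  # wrong service, must not count
]
```

Running evaluate(SAMPLE_EVENTS) shows that with GreaterThanThreshold and Threshold 1 the first period, which contains a single DisableKey, does not fire, while the second period with two matches does; switching to GreaterThanOrEqualToThreshold fires on the single event as well, so check which behaviour you want before deploying.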
Necessary Codes
Here are the necessary codes for setting up the log metric filter and alarm:
CloudFormation Template:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MetricFilter:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: "<LOG_GROUP_NAME>"
      FilterPattern: "<FILTER_PATTERN>"
      MetricTransformations:
        - MetricName: "<METRIC_NAME>"
          MetricNamespace: "<METRIC_NAMESPACE>"
          MetricValue: "1"
  Alarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: "<ALARM_NAME>"
      AlarmDescription: "<ALARM_DESCRIPTION>"
      ComparisonOperator: GreaterThanThreshold
      EvaluationPeriods: 1
      MetricName: "<METRIC_NAME>"
      Namespace: "<METRIC_NAMESPACE>"
      Period: 300
      Statistic: Sum
      Threshold: 1
      AlarmActions:
        - "<SNS_TOPIC_ARN>"
Replace the placeholders <LOG_GROUP_NAME>, <FILTER_PATTERN>, <METRIC_NAME>, <METRIC_NAMESPACE>, <ALARM_NAME>, <ALARM_DESCRIPTION>, and <SNS_TOPIC_ARN> with the actual values specific to your environment and requirements.
AWS CLI Command:
aws logs put-metric-filter --log-group-name <LOG_GROUP_NAME> --filter-name "<FILTER_NAME>" --filter-pattern "<FILTER_PATTERN>" --metric-transformations '[ { "metricName": "<METRIC_NAME>", "metricNamespace": "<METRIC_NAMESPACE>", "metricValue": "1" } ]'
aws cloudwatch put-metric-alarm --alarm-name "<ALARM_NAME>" --alarm-description "<ALARM_DESCRIPTION>" --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name "<METRIC_NAME>" --namespace "<METRIC_NAMESPACE>" --period 300 --statistic Sum --threshold 1 --alarm-actions "<SNS_TOPIC_ARN>"
Replace the placeholders <LOG_GROUP_NAME>, <FILTER_NAME>, <FILTER_PATTERN>, <METRIC_NAME>, <METRIC_NAMESPACE>, <ALARM_NAME>, <ALARM_DESCRIPTION>, and <SNS_TOPIC_ARN> with the appropriate values.
Step-by-Step Guide for Remediation
Follow these steps to remediate any issues identified by the log metric filter and alarm:
Investigate the alarm: When the alarm is triggered, investigate the related log events to determine the details of the disabling or scheduled deletion of customer managed keys.
Identify the source and intent: Analyze the log events to identify the source and intent behind the action. Determine if the action was performed intentionally or if it indicates a potential security breach or violation of GDPR compliance.
Take appropriate actions: Based on the investigation, take the necessary steps to address the situation. This could involve:
Document and report: Document the findings, actions taken, and any recommendations for improving the security and compliance measures related to customer managed keys. Report the incident to the appropriate stakeholders, including the incident response team, compliance officers, and data protection officers if necessary.
Conclusion
By implementing the log metric filter and alarm for disabling or scheduled deletion of customer managed keys, you can proactively monitor and respond to any activities that may impact key security and GDPR compliance. Regularly review the logs, investigate and remediate any detected incidents, and ensure proper documentation and reporting for continuous improvement of your security measures.