
Rule: Ensure a Log Metric Filter and Alarm Exist for Route Table Changes

This rule ensures the presence of a log metric filter and alarm for any changes made to route tables.

Rule: Ensure a log metric filter and alarm exist for route table changes
Framework: General Data Protection Regulation (GDPR)
Severity: Low

Rule Description

This rule ensures that a log metric filter and alarm are in place to track and monitor any changes made to the route tables in compliance with the General Data Protection Regulation (GDPR). By implementing this rule, you can establish a reliable auditing mechanism to identify any unauthorized or unexpected modifications to your network's route tables, which are essential for protecting personal data according to GDPR regulations.

Troubleshooting Steps

If you encounter any issues related to the log metric filter or alarm for route table changes, please follow these troubleshooting steps:

  1. Verify CloudTrail Configuration: Ensure that AWS CloudTrail is properly configured and enabled in your AWS account. Without CloudTrail, the necessary log data for monitoring route table changes will not be available. Check if CloudTrail is active and capturing relevant events.

  2. Check IAM Roles and Permissions: Validate that the IAM roles associated with the CloudTrail service have sufficient permissions to create log metric filters and alarms. Inspect the IAM policies attached to the roles to confirm they include the necessary permissions for CloudWatch Logs and CloudWatch Alarms.

  3. Confirm Route Table Logging: Ensure that route table changes are being logged. Check the settings of your VPC's flow logs and verify that the flow logs capture the required information for route table modifications.

  4. Review Log Metric Filter: Examine the log metric filter that you created for tracking route table changes. Verify that the filter pattern is correctly defined to capture the relevant events. If there are any issues with the pattern, update it to match the structure of the logged events.

  5. Check Alarm Configuration: Review the alarm configuration associated with the log metric filter. Confirm that the alarm's threshold settings, actions, and notification mechanism are accurate. Make any necessary adjustments to ensure the alarm functions as intended.

  6. Review CloudWatch Logs Retention: Ensure that the CloudWatch Logs retention period is sufficient for storing the required log data. If logs are being automatically deleted because of a short retention period, increase the retention period accordingly.

Necessary Codes

Before proceeding with the remediation steps, make sure you have the necessary permissions to create log metric filters and alarms.

There are no specific codes required for this rule. The remediation steps involve configuring and setting up the log metric filter and alarm using the AWS Management Console and the AWS Command Line Interface (CLI).

Remediation Steps

Follow these step-by-step instructions to implement the log metric filter and alarm for route table changes:

  1. Open the AWS Management Console: Go to the AWS Management Console and sign in to your AWS account.

  2. Navigate to CloudWatch: Using the AWS Console's search bar, search for and select "CloudWatch."

  3. Create a Log Metric Filter:

    • In the CloudWatch console, click on "Logs" in the sidebar.
    • Select the desired log group containing your VPC flow logs.
    • Click on "Create Metric Filter" to create a new log metric filter.
    • Define the filter pattern to match route table change events, for example:
      {($.eventName = CreateRouteTable) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRouteTable)}
    • Configure a metric value to be emitted when the filter pattern matches.
    • Assign a meaningful name to the log metric filter.
    • Click on "Create filter."

  4. Create an Alarm:

    • In the CloudWatch console, click on "Alarms" in the sidebar.
    • Click on "Create Alarm" to set up a new alarm for the log metric filter.
    • In the "Create Alarm" wizard, select the log metric filter you created in the previous step.
    • Configure the desired threshold and actions for the alarm.
    • Provide a name and description for the alarm so its purpose is easy to identify.
    • Confirm and create the alarm.

  5. Test the Alarm:

    • Conduct a test by intentionally making changes to your route tables, such as creating, modifying, or deleting entries.
    • Verify that the alarm triggers as expected and sends notifications when the specified threshold is breached.

  6. Monitor and Respond:

    • Regularly monitor the log metric filter and alarm for any route table changes.
    • Act promptly on any alarm triggers, reviewing the specific event details to identify the source and nature of the change.
    • Follow appropriate incident response procedures to investigate and mitigate any unauthorized or unexpected route table modifications.

By following these steps, you ensure that the necessary log metric filter and alarm are consistently monitoring any alterations to your route tables, helping maintain compliance with GDPR regulations.
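Added example, not part of the original page: it parses the filter pattern from step 3, evaluates it over constructed CloudTrail-style log events the way the metric filter would, and applies the alarm threshold from step 4. The `$.eventName` selector in that pattern is a field of CloudTrail records, so the example assumes the log group the filter is attached to is one that CloudTrail delivers to; all record contents and identifiers below are constructed, not real account data.

```python
import json
import re

# The page's example filter pattern (a CloudWatch Logs JSON filter pattern).
ROUTE_TABLE_PATTERN = (
    "{($.eventName = CreateRouteTable) || ($.eventName = ReplaceRouteTableAssociation) "
    "|| ($.eventName = ReplaceRoute) || ($.eventName = DeleteRouteTable)}"
)

# Matches one `($.eventName = Value)` term of an OR-only eventName pattern.
_TERM = re.compile(r"\(\s*\$\.eventName\s*=\s*([A-Za-z0-9_]+)\s*\)")


def parse_event_names(pattern: str) -> set:
    """Return the set of eventName values the OR-only pattern selects."""
    return set(_TERM.findall(pattern))


def matches(pattern: str, log_line: str) -> bool:
    """Emulate the metric filter: True when the record's eventName is selected."""
    try:
        record = json.loads(log_line)
    except ValueError:
        return False  # a non-JSON line can never satisfy a JSON selector
    return record.get("eventName") in parse_event_names(pattern)


def metric_count(pattern: str, log_lines) -> int:
    """Metric value for one evaluation period: 1 per matching log event."""
    return sum(1 for line in log_lines if matches(pattern, line))


def alarm_state(count: int, threshold: int = 1) -> str:
    """Alarm semantics for GreaterThanOrEqualToThreshold on the period's metric."""
    return "ALARM" if count >= threshold else "OK"


# Constructed CloudTrail-style log events (hypothetical ids, not real data).
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reader"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute",
                "requestParameters": {"routeTableId": "rtb-0123456789abcdef0",
                                      "destinationCidrBlock": "0.0.0.0/0"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable",
                "requestParameters": {"routeTableId": "rtb-0123456789abcdef0"}}),
    "this line is not JSON and is ignored by the filter",
]

if __name__ == "__main__":
    n = metric_count(ROUTE_TABLE_PATTERN, SAMPLE_EVENTS)
    print(f"{n} route table change event(s) matched -> {alarm_state(n)}")
```

Read-only calls such as DescribeRouteTables do not match, so the alarm only fires on the mutating operations the pattern lists.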
