This rule ensures the presence of a log metric filter and alarm for any changes to the S3 bucket policy.
| Rule | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
| --- | --- |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description:
The rule ensures that a log metric filter and alarm are configured to track any changes made to S3 bucket policies, in accordance with the NIST Cybersecurity Framework (CSF) v1. A bucket policy controls who may read or write a bucket's data, so monitoring and detecting unauthorized modifications or policy violations in S3 bucket policies is critical for maintaining the security and compliance of the system.
Troubleshooting Steps:
1. Verify AWS CloudTrail is enabled: Ensure that AWS CloudTrail is enabled for the AWS account where the S3 buckets are located. This service captures and logs the API actions performed in the account.
2. Check CloudWatch Logs: Confirm that CloudWatch Logs is configured to receive CloudTrail events. This includes checking for the correct log group and log stream, which will store the S3 bucket policy-related log events.
3. Validate the log metric filter: Verify that a log metric filter is in place to extract S3 bucket policy-related events from CloudWatch Logs. The filter pattern must match the relevant S3 bucket policy change events.
4. Check the alarm configuration: Ensure that an alarm is associated with the log metric filter and triggers an action when its conditions are met. The conditions should be set to detect S3 bucket policy changes.
5. Test the alarm: Intentionally modify an S3 bucket policy, then check that the alarm triggers and sends the appropriate notification.
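Steps 3 and 4 above can be checked offline against the output of the AWS CLI. The following script is an added example written for this page, not part of the rule or of any AWS tooling: it parses JSON in the shape returned by `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` (the sample documents, log group name, namespace, metric names and SNS topic ARN are constructed placeholders) and reports whether a filter covers S3 bucket policy changes and has an alarm with an action attached. The required event-name set is an assumption chosen for this example.

```python
"""Offline audit of CloudWatch Logs metric filters and alarms for S3 bucket
policy changes. Added example; the JSON below is constructed in the shape
returned by `aws logs describe-metric-filters` and
`aws cloudwatch describe-alarms`.
"""
import json

# Event names a filter must reference to cover S3 bucket policy changes
# (assumption made for this example; the CIS AWS Foundations pattern also
# covers ACL, CORS, lifecycle and replication changes).
REQUIRED_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy"}

# Constructed sample output in the shape of `aws logs describe-metric-filters`.
METRIC_FILTERS = json.loads("""
{"metricFilters": [
  {"filterName": "S3BucketPolicyChanges",
   "filterPattern": "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketPolicy) || ($.eventName = DeleteBucketPolicy)) }",
   "logGroupName": "CloudTrail/DefaultLogGroup",
   "metricTransformations": [{"metricName": "S3BucketPolicyEventCount",
                              "metricNamespace": "CISBenchmark",
                              "metricValue": "1"}]},
  {"filterName": "ConsoleLogins",
   "filterPattern": "{ $.eventName = ConsoleLogin }",
   "logGroupName": "CloudTrail/DefaultLogGroup",
   "metricTransformations": [{"metricName": "ConsoleLoginCount",
                              "metricNamespace": "CISBenchmark",
                              "metricValue": "1"}]}
]}
""")

# Constructed sample output in the shape of `aws cloudwatch describe-alarms`.
ALARMS = json.loads("""
{"MetricAlarms": [
  {"AlarmName": "S3BucketPolicyChangesAlarm",
   "MetricName": "S3BucketPolicyEventCount",
   "Namespace": "CISBenchmark",
   "Statistic": "Sum", "Period": 300, "Threshold": 1.0,
   "ComparisonOperator": "GreaterThanOrEqualToThreshold",
   "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"]}
]}
""")

EMPTY_ALARMS = {"MetricAlarms": []}


def filter_covers_s3_policy_changes(pattern):
    """True if the pattern scopes to the S3 event source and names every
    required eventName. A substring check is sufficient for CIS-style
    patterns; this is not a general filter-pattern parser."""
    return "s3.amazonaws.com" in pattern and all(ev in pattern for ev in REQUIRED_EVENTS)


def find_covering_filters(metric_filters):
    """All metric filters whose pattern covers the required S3 events."""
    return [f for f in metric_filters["metricFilters"]
            if filter_covers_s3_policy_changes(f["filterPattern"])]


def alarms_for_filter(metric_filter, alarms):
    """Alarms bound to one of the filter's metrics that also have an action;
    an alarm with no action never notifies anyone."""
    wanted = {(t["metricNamespace"], t["metricName"])
              for t in metric_filter["metricTransformations"]}
    return [a for a in alarms["MetricAlarms"]
            if (a["Namespace"], a["MetricName"]) in wanted and a.get("AlarmActions")]


def audit(metric_filters, alarms):
    """Return {'compliant': bool, 'findings': [...]} for the rule."""
    findings = []
    covering = find_covering_filters(metric_filters)
    if not covering:
        findings.append("no metric filter covers S3 bucket policy changes")
    for f in covering:
        if not alarms_for_filter(f, alarms):
            findings.append(f"filter {f['filterName']} has no alarm with an action")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    print(audit(METRIC_FILTERS, ALARMS))
    print(audit(METRIC_FILTERS, EMPTY_ALARMS))
```

In a real account, replace the two constants with the parsed CLI output for every log group that receives CloudTrail events; a filter in a log group the trail does not deliver to never fires, so the log group name in the filter should be checked against the trail's CloudWatch Logs destination as well.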
Necessary Codes:
No specific code examples are provided for this rule, as it relies on configuring AWS CloudTrail, CloudWatch Logs, log metric filters, and alarms through the AWS Management Console or programmatically using the AWS CLI or SDKs.
Step-by-Step Guide for Remediation:
Follow these steps to configure the log metric filter and alarm for S3 bucket policy changes:
1. Log in to the AWS Management Console.
2. Open the CloudTrail service.
3. Ensure that CloudTrail is enabled for the AWS account. If required, follow the prompts to create and enable a trail.
4. Open the CloudWatch service.
5. Navigate to the CloudWatch Logs section and verify that the log group that stores the CloudTrail logs exists. If not, create a new log group.
6. Access the log group containing the CloudTrail logs for the AWS account.
7. Create a log metric filter by selecting the log group and clicking on "Create Metric Filter."
8. Configure the filter pattern to identify S3 bucket policy changes. Refer to the AWS CloudWatch Logs documentation for guidance on creating an appropriate filter pattern.
9. Set the filter name and create a new metric namespace for the filter.
10. Specify the metric value under "Metric Details" and provide a unique name for the metric.
11. Click on "Create Filter" to save the log metric filter.
12. To create an alarm for the log metric filter, select the created metric filter and click on "Create Alarm."
13. Configure the alarm threshold conditions based on the desired policy violation criteria. For example, set the alarm to trigger when the matched event count exceeds a specific threshold within a given time frame.
14. Define the alarm actions, such as sending a notification via SNS, triggering a Lambda function, or executing a custom action script.
15. Review the alarm configuration and click on "Create Alarm" to save it.
16. Test the alarm by intentionally modifying an S3 bucket policy.
17. Verify that the alarm triggers and sends the expected notification or performs the defined action.
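The "Necessary Codes" section above gives no code, so the following added example (written for this page, not taken from the rule or from AWS) works the remediation steps through programmatically: it builds the filter pattern for steps 7 and 8, shows locally which CloudTrail records that pattern selects, applies the threshold logic of step 13, and emits the `aws logs put-metric-filter` and `aws cloudwatch put-metric-alarm` commands that replace the console clicks. The log group name, namespace, metric and alarm names, bucket names and SNS topic ARN are constructed placeholders; the matching function mirrors only the two field comparisons in the pattern and is not a general CloudWatch Logs filter-pattern engine. Bucket policy changes are CloudTrail management events, so a trail that records management events captures them without data-event logging.

```python
"""Remediation for the S3 bucket policy change rule, worked through offline.
Added example; log group, namespace, metric/alarm names and the SNS topic
ARN are constructed placeholders.
"""
import json
import shlex

# Filter pattern scoped to the S3 event source and the bucket-policy API
# calls, in the same form as the CIS AWS Foundations Benchmark pattern but
# reduced to the two policy events this rule is about.
S3_POLICY_EVENTS = ("PutBucketPolicy", "DeleteBucketPolicy")
FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && ("
    + " || ".join(f"($.eventName = {name})" for name in S3_POLICY_EVENTS)
    + ") }"
)


def matches_filter(record):
    """What FILTER_PATTERN selects from one CloudTrail record: the two JSON
    field comparisons only, not a general filter-pattern engine."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in S3_POLICY_EVENTS)


def count_matches(log_lines):
    """Each log event CloudTrail delivers to CloudWatch Logs is one JSON record."""
    return sum(1 for line in log_lines if matches_filter(json.loads(line)))


def alarm_state(match_count, threshold=1):
    """Sum statistic over one evaluation period compared with
    GreaterThanOrEqualToThreshold, as configured in remediation_commands()."""
    return "ALARM" if match_count >= threshold else "OK"


# Constructed (trimmed) CloudTrail records as they appear in the log stream.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                "requestParameters": {"bucketName": "example-bucket"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
                "requestParameters": {"bucketName": "example-bucket"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
                "requestParameters": {"bucketName": "example-bucket"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
                "requestParameters": {"userName": "example-user"}}),
]


def remediation_commands(log_group, filter_name, namespace, metric_name,
                         alarm_name, sns_topic_arn):
    """AWS CLI invocations for the metric filter and the alarm, returned as
    shell-quoted strings so they can be reviewed before being run."""
    put_filter = [
        "aws", "logs", "put-metric-filter",
        "--log-group-name", log_group,
        "--filter-name", filter_name,
        "--filter-pattern", FILTER_PATTERN,
        "--metric-transformations",
        f"metricName={metric_name},metricNamespace={namespace},metricValue=1",
    ]
    put_alarm = [
        "aws", "cloudwatch", "put-metric-alarm",
        "--alarm-name", alarm_name,
        "--metric-name", metric_name,
        "--namespace", namespace,
        "--statistic", "Sum",
        "--period", "300",            # 5-minute window
        "--threshold", "1",           # a single change is worth a notification
        "--comparison-operator", "GreaterThanOrEqualToThreshold",
        "--evaluation-periods", "1",
        "--alarm-actions", sns_topic_arn,
    ]
    return [shlex.join(put_filter), shlex.join(put_alarm)]


if __name__ == "__main__":
    n = count_matches(SAMPLE_LOG_LINES)
    print(f"{n} of {len(SAMPLE_LOG_LINES)} sample records match -> {alarm_state(n)}")
    for cmd in remediation_commands("CloudTrail/DefaultLogGroup", "S3BucketPolicyChanges",
                                    "CISBenchmark", "S3BucketPolicyEventCount",
                                    "S3BucketPolicyChangesAlarm",
                                    "arn:aws:sns:us-east-1:123456789012:security-alerts"):
        print(cmd)
```

Running the script shows that only the two policy-change records match: the read-only GetBucketPolicy call and the IAM event are ignored, which is what keeps the alarm from firing on routine reads. For the alarm to deliver a notification, the SNS topic must exist and have a confirmed subscription before the alarm is created.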
By following these steps, you ensure that a log metric filter and alarm are in place to track S3 bucket policy changes, in accordance with the NIST Cybersecurity Framework (CSF) v1.