This rule ensures the existence of a log metric filter and alarm for monitoring security group changes.
Rule | Ensure a log metric filter and alarm exist for security group changes
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity | Low
Rule Description
This rule ensures that a log metric filter and alarm are in place to monitor any changes to security groups in accordance with the NIST Cybersecurity Framework (CSF) v1. The CSF provides guidelines for organizations to manage and improve their cybersecurity posture.
Policy Details
To comply with the NIST CSF v1, organizations need to effectively monitor and track any changes made to security groups within their systems. A log metric filter and alarm should be implemented to instantly detect and alert on any modifications to security groups. By doing so, organizations can promptly respond to potential security risks and maintain the integrity of their systems.
Troubleshooting Steps (if applicable)
If the log metric filter and alarm for security group changes are not working as intended or not implemented, follow these troubleshooting steps:
Check AWS CloudTrail Configuration: Verify that AWS CloudTrail is enabled on the AWS account and that the trail is actually logging. CloudTrail records API activity and is the source used to track security group changes.
Verify Relevant Log Groups: Ensure that the CloudWatch Logs log group the trail delivers to is correctly configured, exists, and is actively receiving CloudTrail events.
Confirm Metric Filter Existence: Verify that a metric filter for security group changes exists on that log group and that its filter pattern matches the security group modification events in the CloudTrail logs.
Check Alarm Configuration: Review the alarm configuration associated with the metric filter. Ensure that the alarm is set up to trigger notifications when security group changes are detected.
Test the Alarm: Simulate a security group change to verify that the alarm triggers appropriately and sends the expected notifications.
Review IAM Roles and Permissions: Ensure that the appropriate IAM roles and permissions are assigned to the CloudTrail service and relevant AWS entities. This ensures proper access to logs and alarm triggers.
Verify Log Retention and Storage: Check the log retention period and storage options for the CloudTrail logs. Ensure that the logs are retained for the required duration and stored securely.
Monitor Alarm Notifications: Make sure that the alarm notifications are being received by the designated individuals or teams responsible for responding to security incidents.
Necessary Codes (if applicable)
There are no specific codes provided for this rule. However, configuring a log metric filter and alarm can be achieved using AWS CloudFormation or AWS Command Line Interface (CLI) commands.
Step-by-Step Guide for Remediation
Follow these steps to remediate the rule by setting up a log metric filter and alarm for security group changes:
Enable AWS CloudTrail: If not already enabled, create a trail for your AWS account and start logging. A trail records nothing until logging is started, and --is-multi-region-trail captures security group changes in every region. This can be done through the AWS Management Console or with the AWS CLI commands:
aws cloudtrail create-trail --name MyCloudTrail --s3-bucket-name MyBucket --is-multi-region-trail
aws cloudtrail start-logging --name MyCloudTrail
Create a Log Group and Deliver the Trail to It: Create a CloudWatch Logs log group to receive the CloudTrail events (the log group receives all management events; the metric filter in the next step selects the security group changes). Then point the trail at the log group, which requires an IAM role that CloudTrail can assume to write to CloudWatch Logs. Use the AWS Management Console or the AWS CLI commands:
aws logs create-log-group --log-group-name MyLogGroup
aws cloudtrail update-trail --name MyCloudTrail --cloud-watch-logs-log-group-arn arn:aws:logs:us-west-2:123456789012:log-group:MyLogGroup:* --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/MyCloudTrailLogsRole
Define a Metric Filter: Set up a metric filter that matches the seven security group API calls in the CloudTrail events and publishes a metric. The --metric-transformations option is required; its metric name and namespace are what the alarm will watch. Use the AWS Management Console or the AWS CLI command:
aws logs put-metric-filter --log-group-name MyLogGroup --filter-name SecurityGroupChanges --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) || ($.eventName = ModifySecurityGroupRules) }' --metric-transformations metricName=SecurityGroupChangesMetric,metricNamespace=LogMetrics,metricValue=1
Create an Alarm on the Metric: Create a CloudWatch alarm on the metric so that a single matching event within a five-minute period triggers a notification. The Sum statistic with a threshold of 1 and GreaterThanOrEqualToThreshold fires on the first change; GreaterThanThreshold with the same threshold would require two changes in one period. Use the AWS Management Console or the AWS CLI command:
aws cloudwatch put-metric-alarm --alarm-name SecurityGroupChangesAlarm --metric-name SecurityGroupChangesMetric --namespace LogMetrics --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-description "Alarm triggered for Security Group changes" --alarm-actions arn:aws:sns:us-west-2:123456789012:MySNS
Test the Configuration: Simulate a security group change (for example, create and then delete an empty security group) and verify that the alarm enters the ALARM state and the SNS notification arrives.
Note: Replace the placeholders (MyCloudTrail, MyBucket, MyLogGroup, MyCloudTrailLogsRole, SecurityGroupChanges, SecurityGroupChangesMetric, SecurityGroupChangesAlarm, MySNS) and the region and account ID in the ARNs with the names and ARNs appropriate to your AWS environment. The SNS topic must exist and have a subscription before the alarm can notify anyone.
By following these steps, you can ensure compliance with the NIST CSF v1 by implementing a log metric filter and alarm for security group changes.
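The check this rule performs, as an added example that is not part of the original page: a Python function that evaluates the output of `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` offline, confirming that a filter covers all seven event names, publishes a metric, and has an alarm with actions and a threshold that fires on a single change. The sample API output, region and account ID are constructed placeholders.

```python
import re

# The seven security-group API calls this rule's filter pattern must cover (from the page).
REQUIRED_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules",
}

def events_in_pattern(pattern):
    # Collect every eventName value a CloudWatch Logs filter pattern tests for.
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', pattern))

def check_rule(metric_filters, alarms):
    """metric_filters: the 'metricFilters' list from `aws logs describe-metric-filters`;
    alarms: the 'MetricAlarms' list from `aws cloudwatch describe-alarms`. Returns (ok, findings)."""
    findings = []
    for mf in metric_filters:
        missing = REQUIRED_EVENTS - events_in_pattern(mf.get("filterPattern", ""))
        if missing:
            findings.append(f"{mf['filterName']}: pattern misses {sorted(missing)}")
            continue
        for t in mf.get("metricTransformations", []):  # the filter must publish a metric
            wired = [a for a in alarms if a.get("MetricName") == t["metricName"]
                     and a.get("Namespace") == t["metricNamespace"]]
            if not wired:
                findings.append(f"{mf['filterName']}: no alarm on "
                                f"{t['metricNamespace']}/{t['metricName']}")
            for a in wired:
                if not a.get("AlarmActions"):
                    findings.append(f"{a['AlarmName']}: no alarm actions, nobody is notified")
                elif a.get("ComparisonOperator") == "GreaterThanThreshold" and a.get("Threshold", 0) >= 1:
                    # Sum of a single event is 1, which is not strictly greater than 1.
                    findings.append(f"{a['AlarmName']}: a single change never exceeds the threshold")
                else:
                    return True, []
    return False, findings or ["no metric filter for security group changes found"]

# Constructed sample API output (not from a real account), matching the commands above.
SAMPLE_FILTERS = [{
    "filterName": "SecurityGroupChanges",
    "filterPattern": "{" + " || ".join(f"($.eventName = {e})" for e in sorted(REQUIRED_EVENTS)) + "}",
    "metricTransformations": [{"metricName": "SecurityGroupChangesMetric",
                               "metricNamespace": "LogMetrics", "metricValue": "1"}],
}]
SAMPLE_ALARMS = [{"AlarmName": "SecurityGroupChangesAlarm",
                  "MetricName": "SecurityGroupChangesMetric", "Namespace": "LogMetrics",
                  "ComparisonOperator": "GreaterThanOrEqualToThreshold", "Threshold": 1.0,
                  "AlarmActions": ["arn:aws:sns:us-west-2:123456789012:MySNS"]}]
```

Feed it the real JSON from the two describe commands (with `--output json`) to audit an account; each finding names the filter or alarm that breaks the chain from CloudTrail event to notification.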