This rule ensures the presence of a log metric filter for any changes made to Network Access Control Lists (NACL).
Rule | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | Low |
Rule Description:
This rule ensures that a log metric filter and alarm are in place to monitor any changes made to Network Access Control Lists (NACL) in accordance with the NIST Cybersecurity Framework (CSF) v1.
Troubleshooting Steps (if any):
The following troubleshooting steps can be taken if the log metric filter and alarm for NACL changes are not functioning properly:
Verify the CloudWatch Logs: Ensure that the CloudWatch Logs are enabled and configured correctly. Check if the logs related to NACL changes are being captured and stored in CloudWatch Logs.
Validate the Log Metric Filter: Double-check the Log Metric Filter configuration to ensure it accurately captures the relevant log events related to NACL changes. Ensure that the filter pattern matches the event structure and log data.
Check Alarm Configuration: Review the Alarm configuration to ensure it is set up correctly. Verify that the threshold conditions, actions to be taken, and notification settings are appropriately configured.
Testing and Verification: Create a test NACL change event and monitor the CloudWatch Logs and Alarm to ensure they correctly trigger an alert. If the test event does not generate an alarm, investigate and troubleshoot any misconfigurations or issues in the filter pattern or alarm settings.
Consulting Documentation: Consult the AWS documentation for CloudWatch Logs and Alarms to ensure adherence to the recommended practices and troubleshooting steps.
Necessary Codes (if any):
No necessary codes provided.
Step-by-Step Guide for Remediation:
To ensure that a log metric filter and alarm exist for NACL changes in accordance with NIST CSF v1, follow the step-by-step guide below:
Log in to the AWS Management Console.
Open the CloudWatch service.
Click on "Logs" in the left-hand navigation pane.
Select the appropriate log group that captures the NACL change events. If the log group does not exist, create it by clicking on "Create log group" and provide a meaningful name.
Click on "Create Metric Filter" in the top-right corner.
In the "Create Metric Filter" wizard, select the log group you want to create the filter for.
Define the filter pattern that matches the CloudTrail events related to NACL changes. For example, you can use the following filter pattern, which lists the EC2 API actions that create, delete or replace a Network ACL, one of its entries, or its subnet association:
{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }
This pattern captures every event that changes a Network ACL or one of its entries; read-only calls such as DescribeNetworkAcls are not matched.
Define a name for the filter and click on "Test Pattern" to verify that it captures the desired events. Adjust the pattern if necessary.
Click on "Assign Metric" to specify the metric namespace, metric name and metric value for the filtered events. For example, you can use a custom namespace with a metric name such as NACLChanges (the Custom/NACLChanges metric referenced when the alarm is created below) and a metric value of 1, so that each matching event adds one to the metric.
Configure the metric value extraction if required. Click on "Create Filter" once all the settings are configured.
Now, navigate to the CloudWatch service home page and click on "Alarms" in the left-hand navigation pane.
Click on "Create Alarm" to begin configuring the alarm for NACL changes.
In the "Create Alarm" wizard, select the appropriate metric related to NACL changes (e.g., Custom/NACLChanges).
Specify the conditions based on your requirements. For example, choose a static threshold, the condition "Greater/Equal", and a threshold value of 1, so that any data point containing at least one matching event puts the alarm into the ALARM state.
Configure the actions to be taken when the alarm state is triggered, such as sending a notification via SNS, executing an AWS Lambda function, or stopping an EC2 instance if necessary.
Review the alarm settings and click on "Create Alarm" to finish creating the alarm.
Test the log metric filter and alarm by making a deliberate NACL change in your environment. Verify if the change triggers the alarm and sends the appropriate notifications.
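The following script is an added example and is not part of the original rule page or of any AWS tooling. It serves both the "Testing and Verification" troubleshooting step and the remediation guide above: it re-implements, offline, the matching that CloudWatch Logs performs for a JSON filter pattern of the form { ($.eventName = A) || ($.eventName = B) ... } and the Sum >= 1 alarm condition over 5-minute periods, and runs them against constructed CloudTrail records. The period length, the threshold, the account ID and the log lines are assumptions made for the example.

```python
"""Offline dry-run of the NACL-change metric filter and alarm logic.

Added example, not the page's or AWS's code. Mirrors how a JSON filter
pattern and a Sum-over-period alarm behave so a filter pattern can be
checked before it is deployed with `aws logs put-metric-filter` and
`aws cloudwatch put-metric-alarm`.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Filter pattern from the remediation guide.
FILTER_PATTERN = (
    "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || "
    "($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || "
    "($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
)

# Alarm settings assumed for the example: Sum over a 5-minute period >= 1.
PERIOD_SECONDS = 300
THRESHOLD = 1

# Constructed sample CloudTrail records (not real account data); the last
# line is deliberately malformed to show that non-JSON lines never match.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-01T10:00:12Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeNetworkAcls",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/reader"}}),
    json.dumps({"eventTime": "2024-01-01T10:01:45Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "CreateNetworkAclEntry",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/netadmin"}}),
    json.dumps({"eventTime": "2024-01-01T10:03:02Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "ReplaceNetworkAclAssociation",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/netadmin"}}),
    json.dumps({"eventTime": "2024-01-01T10:22:30Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DeleteNetworkAcl",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"}}),
    "not json at all",
]


def parse_event_names(pattern):
    """Extract the accepted eventName values from the OR-ed filter pattern."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', pattern))


def matches(line, names):
    """A JSON filter pattern only matches well-formed JSON records whose
    eventName is one of the listed values."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return False
    return isinstance(rec, dict) and rec.get("eventName") in names


def metric_datapoints(lines, names):
    """Emit metric value 1 per match and sum the values into
    PERIOD_SECONDS-wide buckets keyed by the bucket's epoch start."""
    sums = defaultdict(int)
    for line in lines:
        if matches(line, names):
            stamp = json.loads(line)["eventTime"].replace("Z", "+00:00")
            epoch = int(datetime.fromisoformat(stamp).timestamp())
            bucket = epoch // PERIOD_SECONDS * PERIOD_SECONDS
            sums[bucket] += 1
    return dict(sums)


def alarm_periods(lines, names):
    """Period start times whose Sum satisfies GreaterThanOrEqualToThreshold,
    i.e. the periods in which the alarm would enter the ALARM state."""
    return sorted(b for b, s in metric_datapoints(lines, names).items()
                  if s >= THRESHOLD)


if __name__ == "__main__":
    accepted = parse_event_names(FILTER_PATTERN)
    print("filter accepts:", sorted(accepted))
    for line in SAMPLE_LOG_LINES:
        print("MATCH  " if matches(line, accepted) else "ignore ", line[:70])
    print("datapoints:", metric_datapoints(SAMPLE_LOG_LINES, accepted))
    print("alarm periods:", alarm_periods(SAMPLE_LOG_LINES, accepted))
```

Running it shows three of the five constructed lines matching (the DescribeNetworkAcls read and the malformed line are ignored), two matches landing in the 10:00 period and one in the 10:20 period, so both periods would raise the alarm with a threshold of 1. Feeding real exported log lines through `matches` is a quick way to confirm the filter pattern before the "Test Pattern" step in the console.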
By following these steps, you can ensure that a log metric filter and alarm are in place for monitoring changes to Network Access Control Lists (NACL) as per the NIST Cybersecurity Framework (CSF) v1.