Severity: Medium

Description:

...

This control checks whether a CloudWatch alarm exists for CloudTrail events that indicate changes to a VPC. Real-time monitoring of VPC changes can be achieved by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring changes to VPCs helps reveal application errors and may reduce the time to detect malicious activity. An account may contain more than one VPC, and a peering connection between two VPCs enables network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs.

Remediation Steps:

Perform the following to configure monitoring of VPC changes:

Create the CloudTrail trail for VPC changes

  1. Log in to the AWS Management Console at https://console.aws.amazon.com

  2. Go to CloudTrail in Services.

  3. In the Trails section of the Dashboard, choose Create trail.

  4. For Trail name, type a name.

  5. For Organization trail, choose whether to enable the trail for all accounts in the organization.

  6. For Storage location, choose Create new S3 bucket or Use existing S3 bucket. If using an existing bucket, specify it in Trail log bucket name.

  7. Create a folder and enter the folder name in Prefix. This helps organize logs in the bucket.

  8. For Log file SSE-KMS encryption, choose Enabled.

  9. In Additional settings, for Log file validation, choose Enabled.

  10. Configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs.

  11. For Tags, add one or more custom tags.

  12. On the Choose log events page, in Management events for API activity, choose whether to log both Read events and Write events.

  13. Choose Next.

  14. Choose Create trail.

Create a metric filter for VPC change log events

  1. Go to CloudWatch in services.

  2. In the navigation, choose Logs.

  3. In the list of log groups, choose the log group that was created for the CloudTrail log events above.

  4. Choose Actions, and then choose Create metric filter.

  5. On the Define pattern page, in Create filter pattern, enter the following for Filter pattern:

       { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }

  6. In Test pattern, leave the defaults. Choose Next.

  7. On the Assign metric page, for Filter name, enter vpc_change_log_metric.

  8. In Metric details, turn on Create new and enter CISBenchmark for Metric namespace. For Metric name, enter VpcChangeLogMetric. For Metric value, type 1. Leave Default value blank.

  9. Choose Next.

  10. Choose Create metric filter to create the filter.

Create an alarm for VPC change log events

  1. On the Metric filters tab, find the metric filter.

  2. Check the box for the metric filter.

  3. In Metric filters, choose Create alarm.

  4. On the Create alarm page, enter the following under Specify metric and conditions:

    1. 1 for Graph

    2. Sum for Statistic

    3. 5 minutes for Period.

    4. In Conditions, for Threshold type, choose Static.

    5. 1 for Threshold. In the Additional settings section, from the Treat missing data as drop-down list, select missing.

    6. Choose Next.

  5. On the Configure actions page, choose In alarm as the alarm state that triggers the notification.

    1. For Select an SNS topic, choose Create new.

    2. For SNS topic name, enter VpcChangeAlarmTopic.

    3. For Email endpoints that will receive the notification, enter email addresses of users who want to receive notifications.

    4. Choose Create topic.

  6. Choose Next.

  7. On the Add name and description page, enter an alarm name and description.

  8. Choose Next.

  9. On the Preview and create page, choose Create alarm.
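As an added example (not part of this page or of any AWS code), the following Python reproduces offline what the metric filter and alarm above do: it extracts the event names from the filter pattern, matches constructed CloudTrail records against them, and applies the Sum statistic per 5-minute period with a threshold of 1. The sample records and helper names are assumptions made for the demonstration.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# The filter pattern from the remediation steps, reproduced unchanged.
FILTER_PATTERN = (
    "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || "
    "($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || "
    "($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || "
    "($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || "
    "($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || "
    "($.eventName = EnableVpcClassicLink) }"
)

# Constructed CloudTrail records (not from a real account): two VPC changes more
# than one 5-minute period apart, plus a read-only call that must not match.
SAMPLE_LOG_LINES = [
    '{"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc"}',
    '{"eventTime": "2024-01-01T10:03:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs"}',
    '{"eventTime": "2024-01-01T10:12:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteVpcPeeringConnection"}',
]

def pattern_event_names(pattern):
    """Extract every eventName literal from the OR-ed clauses of the filter pattern."""
    return set(re.findall(r"\$\.eventName\s*=\s*(\w+)", pattern))

def parse_log_lines(lines):
    """CloudTrail delivers one JSON object per log event; parse each line into a dict."""
    return [json.loads(line) for line in lines]

def matches_filter(record, names):
    """Filter semantics for this pattern: a record matches when its eventName equals any listed value."""
    return record.get("eventName") in names

def alarm_periods(records, names, period_seconds=300, threshold=1):
    """Emulate the alarm: each matching record contributes metric value 1, the Sum
    statistic is taken per period_seconds window, and a window is in alarm when
    its sum reaches the threshold. Returns {period_start_iso: sum} for alarming windows."""
    sums = Counter()
    for rec in records:
        if matches_filter(rec, names):
            ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
            start = int(ts.timestamp()) // period_seconds * period_seconds
            sums[datetime.fromtimestamp(start, tz=timezone.utc).isoformat()] += 1
    return {start: total for start, total in sums.items() if total >= threshold}
```

Running `alarm_periods(parse_log_lines(SAMPLE_LOG_LINES), pattern_event_names(FILTER_PATTERN))` shows that each of the two VPC changes lands in its own 5-minute period and would raise the alarm, while the DescribeVpcs read does not count.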

Important:

Reference: