AWS-Monitoring-Security-Group-Change-Log-Metric

Severity : Medium

Description: This control checks if CloudWatch alarm exists for cloud trail events to monitor Security Group changes. Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established changes to Security Groups.

Remediation Steps:

Perform following to configure monitoring for SecurityGroup changes :

Create the cloud trail for SecurityGroup Change

  1. Login to the AWS Management Console at https://console.aws.amazon.com

  2. Go to CloudTrail in services

  3. On Trails section of the Dashboard , choose Create trail.

  4. For Trail name, type a name.

  5. For organization trail, choose to enable the trail for all accounts in organization.

  6. For Storage location, choose Create new S3 bucket or Use existing S3 bucket. if using existing bucket, specify a bucket in Trail log bucket name,

  7. Create a folder and Enter the folder name in Prefix. This helps organize logs in bucket.

  8. For Log file SSE-KMS encryption, choose Enabled.

  9. In Additional settings, For Log file validation, choose Enabled.

  10. Configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs.

  11. For Tags, add one or more custom tags.

  12. On the Choose log events, In Management events for API activity, choose if to log Read events and Write events both.

  13. Choose Next.

  14. Choose Create trail.

Create a metric filter for SecurityGroup Changes

  1. Go to CloudWatch in services.

  2. In the navigation, choose Logs.

  3. In the list of log groups, choose the log group that was created for CloudTrail log events above.

  4. Choose Actions, and then choose Create metric filter.

  5. On the Define pattern page, in Create filter pattern, enter the following for Filter pattern.

    1. {($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}
  6. In Test pattern, leave defaults. Choose Next.

  7. On the Assign metric page, for Filter name, enter securitygroup_change_metric.

  8. In Metric details, turn on Create new, and enter CISBenchmark for Metric namespace. For Metric name, Enter SecurityGroupChangeMetric, For Metric value, type 1, Leave Default value blank.

  9. Choose Next.

  10. Choose Create metric filter to create the filter.

Create an alarm for log event for SecurityGroup Change

  1. On the Metric filters tab, find the metric filter.

  2. Check the box for the metric filter.

  3. In the Metric filters, choose Create alarm.

  4. On the Create Alarm, Enter following in Specify metric and conditions

    1. 1 for Graph

    2. Sum for Statistic

    3. 5 minute for Period.

    4. In Conditions, for Threshold type, choose Static.

    5. 1 for Threshold. In Additional Settings section, for Treat missing data as drop-down list, select missing.

    6. Choose Next.

  5. On the Configure actions, choose In alarm for in alarm state

    1. For Select an SNS topic, choose Create new.

    2. For SNS topic name, enter SecurityGroupChangeAlarmTopic.

    3. For Email endpoints that will receive the notification, enter email addresses of users who want to receive notifications.

    4. Choose Create topic.

  6. Choose Next.

  7. On the Add name and description, enter alarm name and description.

  8. Choose Next.

  9. On the Preview and create, choose Create alarm.

Important:

Reference:

Blue Hexagon Proprietary