lacework-global-63
4.12 Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
Profile Applicability
• Level 1
Description
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
Rationale
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.
Audit
Perform the following to ensure that there is at least one active multi-region CloudTrail with the prescribed metric filters and alarms configured:
- Identify the log group name configured for use with the active multi-region CloudTrail:
  List all CloudTrails:
  aws cloudtrail describe-trails
  Identify multi-region CloudTrails: trails with "IsMultiRegionTrail" set to true.
  From the value associated with CloudWatchLogsLogGroupArn, note <cloudtrail_log_group_name>.
  Example: for a CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup.
- Ensure the identified multi-region CloudTrail is active:
  aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>
  Ensure IsLogging is set to TRUE.
- Ensure the identified multi-region CloudTrail captures all management events:
  aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>
  Ensure there is at least one event selector for the trail with IncludeManagementEvents set to true and ReadWriteType set to All.
- Get a list of all metric filters associated with this <cloudtrail_log_group_name>:
  aws logs describe-metric-filters --log-group-name "<cloudtrail_log_group_name>"
- Ensure the output from the above command contains the following:
  "filterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- Note the <network_gw_changes_metric> value associated with the filterPattern found in step 3.
- Get a list of CloudWatch alarms and filter on the <network_gw_changes_metric> captured in step 4:
  aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]'
- Note the AlarmActions value; this will provide the SNS topic ARN value.
- Ensure there is at least one active subscriber to the SNS topic:
  aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
  At least one subscription should have a "SubscriptionArn" with a valid AWS ARN.
  Example of a valid "SubscriptionArn": "arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>"
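As an added example (not part of the CIS benchmark text or of Lacework's own checker), the following Python runs the log-group, metric-filter, alarm and subscription checks above over the JSON returned by describe-trails, describe-metric-filters, describe-alarms and list-subscriptions-by-topic, so the audit can be repeated against saved CLI output; the IsLogging and event-selector checks are left to the CLI commands as written. All trail, log group, metric and topic names in the sample data are constructed, and the filter check goes beyond the benchmark's exact-string comparison by accepting any filterPattern that covers all six event names.

```python
import re

# The six API calls the benchmark's filterPattern must cover (from the page).
REQUIRED_EVENTS = {"CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway",
                   "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway"}

def log_group_from_arn(arn):  # 'arn:aws:logs:<region>:<acct>:log-group:NewGroup:*' -> 'NewGroup'
    m = re.search(r":log-group:([^:]+)", arn or "")
    return m.group(1) if m else None

def events_in_pattern(pattern):  # eventName values a CloudWatch Logs filter pattern compares on
    return set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))

def audit_gateway_alarm(trails, filters, alarms, subs_by_topic):
    """Log-group, metric-filter, alarm and subscription checks over CLI-shaped output; [] = pass."""
    groups = {log_group_from_arn(t.get("CloudWatchLogsLogGroupArn"))
              for t in trails["trailList"] if t.get("IsMultiRegionTrail")} - {None}
    if not groups:
        return ["no multi-region trail delivers to a CloudWatch Logs group"]
    # Accept any pattern that covers the six events, not only the exact benchmark string.
    metrics = {mt["metricName"] for f in filters["metricFilters"]
               if f["logGroupName"] in groups
               and REQUIRED_EVENTS <= events_in_pattern(f["filterPattern"])
               for mt in f["metricTransformations"]}
    if not metrics:
        return ["no metric filter on %s covers all six gateway events" % sorted(groups)]
    topics = {arn for a in alarms["MetricAlarms"]
              if a["MetricName"] in metrics for arn in a.get("AlarmActions", [])}
    if not topics:
        return ["no alarm with an AlarmActions target uses metric(s) %s" % sorted(metrics)]
    # An unconfirmed subscription reports 'PendingConfirmation' instead of an ARN.
    if not any(s.get("SubscriptionArn", "").startswith("arn:aws:sns:")
               for t in topics for s in subs_by_topic.get(t, {}).get("Subscriptions", [])):
        return ["no confirmed subscriber on topic(s) %s" % sorted(topics)]
    return []

# Constructed sample output mirroring the CLI JSON shapes (not from a real account).
ACCT, TOPIC = "111122223333", "arn:aws:sns:us-east-1:111122223333:cis-alarms"
SAMPLE_TRAILS = {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:%s:log-group:NewGroup:*" % ACCT}]}
SAMPLE_FILTERS = {"metricFilters": [{"filterName": "NetworkGatewayChanges",
    "logGroupName": "NewGroup", "metricTransformations": [
        {"metricName": "NetworkGatewayChanges", "metricNamespace": "CISBenchmark"}],
    "filterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || "
                     "($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || "
                     "($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"}]}
SAMPLE_ALARMS = {"MetricAlarms": [{"AlarmName": "NetworkGatewayChanges", "Namespace": "CISBenchmark",
    "MetricName": "NetworkGatewayChanges", "AlarmActions": [TOPIC]}]}
SAMPLE_SUBS = {TOPIC: {"Subscriptions": [{"Protocol": "email",
    "SubscriptionArn": TOPIC + ":0a1b2c3d-0000-4000-8000-000000000000"}]}}
```

Each dict can be replaced with the parsed output of the corresponding aws command (for example, `json.load` over `aws logs describe-metric-filters ... > filters.json`), keyed by topic ARN for the subscriptions.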
Remediation
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
- Create a metric filter based on the filter pattern provided, which checks for network gateway changes, and the <cloudtrail_log_group_name> taken from audit step 1:
  aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name <network_gw_changes_metric> --metric-transformations metricName=<network_gw_changes_metric>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
  Note: you can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
- Create an SNS topic that the alarm will notify:
  aws sns create-topic --name <sns_topic_name>
  Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
- Create an SNS subscription to the topic created in step 2:
  aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
  Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
- Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2:
  aws cloudwatch put-metric-alarm --alarm-name <network_gw_changes_alarm> --metric-name <network_gw_changes_metric> --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
References
CCE-79197-0
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html
Additional Information
Configuring the log metric filter and alarm on a multi-region (global) CloudTrail:
- ensures that activities from all regions (used as well as unused) are monitored
- ensures that activities on all supported global services are monitored
- ensures that all management events across all regions are monitored