CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured


CloudWatch metric filters and alarms should be configured to alert users to rejected connections in VPC flow logs so users can investigate anomalous traffic.

Console Remediation Steps

  • Navigate to VPC.

  • Click VPCs and select the desired VPC.

  • From the Actions drop-down, select Create flow log.

  • In the Filter, select Reject.

  • In Destination, select Send to CloudWatch Logs.

  • In Destination log group, select the log group.

  • In IAM role, select the name of the IAM role that has permissions to publish logs to CloudWatch Logs. See Working with Log Groups and Log Streams for more information.

  • Click Create flow log.

  • Navigate to CloudWatch.

  • Click Log groups and select the log group that the flow log delivers to (the filter is created on this log group in the next steps).

  • From the Actions drop-down, select Create metric filter.

  • In Filter Pattern, enter the following (a space-delimited pattern that matches records in the default VPC Flow Logs format whose action field is REJECT):

    • [version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]

    • The simpler term pattern REJECT, used in the CLI steps below, also works but matches any record containing that token. Do not use a JSON-style pattern such as { ($.eventName = CreateVpc) || ... }: that is a CloudTrail API-call filter and will never match a flow log record, so the alarm would silently stay in OK.

  • Click Next.

  • Enter a Filter name.

  • Enter a Metric namespace.

  • Enter a Metric Name.

  • In Metric value, enter 1.

  • Click Next > Create metric filter.

  • Check the newly created metric filter and click Create alarm.

  • Select the Threshold type.

  • Define the alarm condition and threshold value.

  • Click Next.

  • In Alarm state trigger, select In alarm.

  • Select an existing SNS topic, create new topic, or use topic ARN.

    • If you selected to create a new topic, enter a name in Create a new topic.

    • Enter an email address in Email endpoints that will receive the notification.

    • Click Create topic.

  • Click Next.

  • Enter an Alarm name.

  • Optionally, enter an alarm description.

  • Click Next > Create alarm.

CLI Remediation Steps

  • Create the flow log for the VPC:

    • aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc id> --traffic-type REJECT --log-destination-type cloud-watch-logs --log-group-name <name> --deliver-logs-permission-arn <role arn>

  • Create the metric filter for the VPC flow logs:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern 'REJECT' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>,metricValue=1,defaultValue=0

    • The --metric-transformations value must contain no spaces after the commas; a space splits the shorthand into separate arguments and the command fails. defaultValue=0 makes the filter emit a zero datapoint for periods with log events but no rejected flows, so the alarm can return to OK instead of INSUFFICIENT_DATA.

  • Create the alarm for the VPC flow logs:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>

    • Because each matching record emits a metric value of 1, use the Sum statistic so the threshold is a count of rejected flows per period; Average or Maximum would never exceed 1. Set the threshold above the baseline of routine rejects for the VPC, otherwise the alarm fires continuously and is ignored.
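The following Python script is an added example, not code from the original page or from AWS. It models offline what the console and CLI steps above configure: it parses VPC Flow Log records in the default format, applies the same selection the metric filter makes (action field equal to REJECT), aggregates one datapoint per period the way a Sum statistic with metricValue=1 and defaultValue=0 does, and evaluates the alarm condition. The flow log lines, account ID, ENI ID and addresses are constructed sample data; the period/threshold values are assumptions for illustration.

```python
"""Offline model of a VPC Flow Logs REJECT metric filter and its CloudWatch alarm.

Added example (not from the page or AWS). Sample records below are constructed.
"""

# Field order of the default VPC Flow Logs record format (version 2).
FLOW_LOG_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# Constructed sample: two rejected probes and a NODATA record in the first
# 5-minute window, one reject in the second, only accepted traffic in the third.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 49152 22 6 20 1200 1700001000 1700001060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40012 3389 6 1 40 1700001010 1700001070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40013 445 6 1 40 1700001020 1700001080 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700001030 1700001090 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40014 23 6 1 40 1700001310 1700001370 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 55001 443 6 10 900 1700001320 1700001380 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 55002 443 6 12 1100 1700001610 1700001670 ACCEPT OK
"""


def parse_flow_record(line):
    """Return a dict of fields, or None if the line is not a default-format record."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    return dict(zip(FLOW_LOG_FIELDS, parts))


def metric_filter_matches(record):
    """Equivalent of the pattern [..., action="REJECT", flowlogstatus]:
    true only when the 13th field is REJECT. NODATA/SKIPDATA records carry
    '-' there and are not counted."""
    return record is not None and record["action"] == "REJECT"


def metric_datapoints(lines, period, metric_value=1, default_value=0):
    """Emulate the metric transformation plus a Sum statistic.

    Each matching record adds metric_value to its period bucket (keyed by the
    flow's start time truncated to the period). A bucket that received log
    events but no matches still exists with default_value, which is what
    defaultValue=0 buys you: a real 0 datapoint instead of missing data.
    Returns an ordered dict {period_start: sum}.
    """
    points = {}
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        bucket = (int(rec["start"]) // period) * period
        points.setdefault(bucket, default_value)
        if metric_filter_matches(rec):
            points[bucket] += metric_value
    return dict(sorted(points.items()))


def alarm_state(datapoints, threshold, evaluation_periods, datapoints_to_alarm=None):
    """Evaluate a GreaterThanOrEqualToThreshold alarm over the most recent
    evaluation_periods datapoints. datapoints_to_alarm defaults to
    evaluation_periods (CloudWatch's default: every period must breach).
    Returns "ALARM", "OK" or "INSUFFICIENT_DATA"."""
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    recent = list(datapoints.values())[-evaluation_periods:]
    if len(recent) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for value in recent if value >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    # Assumed alarm settings: 300-second period, threshold of 1 rejected flow.
    points = metric_datapoints(SAMPLE_FLOW_LOG.splitlines(), period=300)
    for start, total in points.items():
        print(f"period starting {start}: {total} rejected flow(s)")
    print("1 of 1 periods:", alarm_state(points, threshold=1, evaluation_periods=1))
    print("1 of 3 periods:", alarm_state(points, threshold=1, evaluation_periods=3, datapoints_to_alarm=1))
    print("3 of 3 periods:", alarm_state(points, threshold=1, evaluation_periods=3))
```

Running it shows why the settings matter: the last period has a 0 datapoint only because of defaultValue=0, so a 1-of-1 alarm returns to OK rather than INSUFFICIENT_DATA, and the same data yields ALARM or OK depending on whether the alarm requires 1 of 3 or 3 of 3 breaching periods.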