CloudWatch log metric filter and alarm for VPC security group changes should be configured¶
Description¶
It is recommended that users establish a metric filter and alarm for changes to Security Groups. Monitoring changes to security groups helps to ensure that resources and services are not unintentionally exposed.
Console Remediation Steps¶
This is a two part process. First, you create the Metric Filter. Next, you create a CloudWatch alarm. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.
Create the Metric Filter:
Navigate to CloudWatch.
In the left navigation, click Logs.
Select the log group that you created for CloudTrail log events.
Choose Create Metric Filter.
On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
Choose Assign Metric.
For Filter Name, type SecurityGroupEvents.
For Metric Namespace, type CloudTrailMetrics.
For Metric Name, type SecurityGroupEventsEventCount.
Choose Show advanced metric settings.
For Metric Value, type 1.
Choose Create Filter.
Create an Alarm:
On the Filters for Log_Group_Name page, click Create Alarm.
On the Create Alarm page, provide the following values:
In Name, enter Security Group Configuration Changes.
In Whenever, enter
is >= 1
for1 consecutive period
.From the period drop-down, select 5 minutes.
From the Statistic drop-down, select Sum.
In the Actions section, in the Send notification to field, select New List and enter a unique name for it.
In Email List, type the email address to which you want notifications sent.
Click Create Alarm.
CLI Remediation Steps¶
This is a two part process. First, you create the Metric Filter and next you create the Metric Alarm.
Create the Metric Filter.
Create the Metric Alarm.