CloudWatch log metric filter and alarm for VPC security group changes should be configured

Description

It is recommended that users establish a metric filter and alarm for changes to Security Groups. Monitoring changes to security groups helps to ensure that resources and services are not unintentionally exposed.

Console Remediation Steps

This is a two part process. First, you create a Metric Filter for specific CloudTrail log events. Next, you create a CloudWatch alarm for the filter. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

• Step 1: To create the Metric Filter:

  • Navigate to CloudWatch.

  • In the left navigation, click Log Groups and select the desired log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled (i.e., is in Logging status).

  • Select Metric filters > Create Metric Filter.

  • In Filter pattern, enter the following: { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

  • Click Next.

  • For Filter name, type SecurityGroupEvents.

  • For Metric namespace, type CloudTrailMetrics.

  • For Metric name, type SecurityGroupEventCount.

  • For Metric value, type 1.

  • Click Next > Create metric filter.

• Step 2: To create an Alarm:

  • Check the box next to the newly created metric filter and click Create alarm.

  • Select the Threshold type.

  • Define the alarm condition and threshold value.

  • Click Next.

  • In Alarm state trigger, select In alarm.

  • Select an existing SNS topic, create new topic, or use topic ARN. Note that the SNS topic must have at least one subscriber.

    • If you selected to create a new topic, enter a name in Create a new topic.

    • Enter an email address in Email endpoints that will receive the notification.

    • Click Create topic.

  • Click Next.

  • Enter an Alarm name.

  • Optionally, enter an alarm description.

  • Click Next > Create alarm.

CLI Remediation Steps

• This is a two part process. First, you create the Metric Filter and next you create the Metric Alarm.

• Create the Metric Filter.

  • AWS CloudWatch: Metric Filter via CLI.

• Create the Metric Alarm.

  • AWS CloudWatch: Metric Alarm via CLI.

Documentation Links

• Example: Security Group Configuration Changes

• AWS CloudWatch: Metric Alarm via CLI

• AWS CloudWatch: Metric Filter via CLI