CloudWatch log metric filter and alarm for VPC security group changes should be configured

It is recommended that users establish a metric filter and alarm for changes to Security Groups. Monitoring changes to security groups helps to ensure that resources and services are not unintentionally exposed.

Console Remediation Steps

This is a two-part process. First, you create the metric filter. Next, you create a CloudWatch alarm on the metric it emits. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Logs.

    • Select the log group that you created for CloudTrail log events.

    • Choose Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

      { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

    • Choose Assign Metric.

    • For Filter Name, type SecurityGroupEvents.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type SecurityGroupEventsEventCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm:

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter Security Group Configuration Changes.

      • In Whenever, enter is >= 1 for 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, in the Send notification to field, select New List and enter a unique name for it.

      • In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.
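The two resources created by the console steps above, expressed as boto3 calls and checked against a few constructed CloudTrail records. This is an added example, not code from the page or from AWS: the log group name and SNS topic ARN are placeholder assumptions, the `apply` helper assumes working AWS credentials, and `matches_filter` emulates only the eventName-equality subset of the metric filter syntax that the page's pattern uses.

```python
import re
from typing import Iterable

# Metric filter pattern exactly as given in the console steps.
FILTER_PATTERN = (
    "{ ($.eventName = AuthorizeSecurityGroupIngress) || "
    "($.eventName = AuthorizeSecurityGroupEgress) || "
    "($.eventName = RevokeSecurityGroupIngress) || "
    "($.eventName = RevokeSecurityGroupEgress) || "
    "($.eventName = CreateSecurityGroup) || "
    "($.eventName = DeleteSecurityGroup) }"
)

# Names from the page; the log group and SNS topic are placeholder assumptions.
LOG_GROUP_NAME = "CloudTrail/DefaultLogGroup"  # assumed: the log group that receives CloudTrail events
FILTER_NAME = "SecurityGroupEvents"
METRIC_NAMESPACE = "CloudTrailMetrics"
METRIC_NAME = "SecurityGroupEventsEventCount"
ALARM_NAME = "Security Group Configuration Changes"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # placeholder


def watched_event_names(pattern: str = FILTER_PATTERN) -> set:
    """Extract the eventName values that the filter pattern ORs together."""
    return set(re.findall(r"\$\.eventName\s*=\s*(\w+)", pattern))


def matches_filter(record: dict, pattern: str = FILTER_PATTERN) -> bool:
    """Emulate the metric filter: true when the record's eventName is one of the listed values.
    Only the eventName-equality subset of the filter syntax is emulated here."""
    return record.get("eventName") in watched_event_names(pattern)


def metric_sum(records: Iterable[dict], pattern: str = FILTER_PATTERN) -> int:
    """Sum of the metric over one period: each matching record contributes Metric Value = 1."""
    return sum(1 for r in records if matches_filter(r, pattern))


def alarm_breaches(period_sum: int, threshold: int = 1) -> bool:
    """The alarm condition from the page: Sum >= 1 for 1 consecutive 5-minute period."""
    return period_sum >= threshold


def metric_filter_kwargs(log_group: str = LOG_GROUP_NAME) -> dict:
    """Keyword arguments for boto3 logs.put_metric_filter, mirroring the console filter."""
    return {
        "logGroupName": log_group,
        "filterName": FILTER_NAME,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": METRIC_NAME,
            "metricNamespace": METRIC_NAMESPACE,
            "metricValue": "1",
        }],
    }


def alarm_kwargs(topic_arn: str = SNS_TOPIC_ARN) -> dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm, mirroring the console alarm."""
    return {
        "AlarmName": ALARM_NAME,
        "Namespace": METRIC_NAMESPACE,
        "MetricName": METRIC_NAME,
        "Statistic": "Sum",
        "Period": 300,            # 5 minutes
        "EvaluationPeriods": 1,   # 1 consecutive period
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "AlarmActions": [topic_arn],
    }


def apply(session) -> None:
    """Create both resources with a boto3.Session (assumes credentials are configured)."""
    session.client("logs").put_metric_filter(**metric_filter_kwargs())
    session.client("cloudwatch").put_metric_alarm(**alarm_kwargs())


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DeleteSecurityGroup", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"},
]

if __name__ == "__main__":
    total = metric_sum(SAMPLE_RECORDS)
    print(f"matching events in period: {total}; alarm fires: {alarm_breaches(total)}")
```

Read-only calls such as DescribeSecurityGroups do not match, so routine inventory traffic does not raise the alarm; any single change event in a 5-minute period does. To create the resources for real, pass a `boto3.Session()` to `apply`.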

CLI Remediation Steps