CloudWatch log metric filter and alarm for VPC changes should be configured


A CloudWatch metric filter and alarm should be established for changes made to VPCs. Monitoring changes to VPCs helps ensure that VPC traffic flow is not being negatively impacted.

Console Remediation Steps

This is a two part process. First, you create the Metric Filter. Next, you create a CloudWatch alarm. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Logs.

    • Select the log group that you created for CloudTrail log events.

    • Choose Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }

    • Choose Assign Metric.

    • For Filter Name, type VpcChanges.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type VpcChangesEventCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm:

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter VPC Changes.

      • In Whenever, enter is >= 1 for 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, in the Send notification to field, select New List and enter a unique name for it.

      • In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.

CLI Remediation Steps