CloudWatch log metric filter and alarm should be set for Config configuration changes


A CloudWatch metric filter and alarm should be established for detecting changes to AWS Config configuration. Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.

Console Remediation Steps

This is a two part process. First, you create a Metric Filter for specific CloudTrail log events. Next, you create a CloudWatch alarm for the filter. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Step 1: To create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Log Groups and select the desired log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled (i.e., is in Logging status).

    • Select Metric filters > Create Metric Filter.

    • In Filter pattern, enter the following: { ($.eventSource = && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }

    • Click Next.

    • For Filter name, type ConfigActivity.

    • For Metric namespace, type CloudTrailMetrics.

    • For Metric name, type AWSConfigChanges.

    • For Metric value, type 1.

    • Click Next > Create metric filter.

  • Step 2: To create an Alarm:

    • Check the box next to the newly created metric filter and click Create alarm.

    • Select the Threshold type.

    • Define the alarm condition and threshold value.

    • Click Next.

    • In Alarm state trigger, select In alarm.

    • Select an existing SNS topic, create new topic, or use topic ARN. Note that the SNS topic must have at least one subscriber.

      • If you selected to create a new topic, enter a name in Create a new topic.

      • Enter an email address in Email endpoints that will receive the notification.

      • Click Create topic.

    • Click Next.

    • Enter an Alarm name.

    • Optionally, enter an alarm description.

    • Click Next > Create alarm.

CLI Remediation Steps

  • Create the metric filter for AWS Config changes:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern '{ ($.eventSource = && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) } --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1

  • Create the alarm:

    • aws cloudwatch put-metric-alarm --alarm-name AWSConfigChangesAlarm --alarm-description <description> --metric-name ConfigEventCount --namespace CloudTrailMetrics --statistic Sum --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --period 300 --threshold 1 --actions-enabled --alarm-actions <sns arn>