Profile Applicability:

Level 1

Description:

AWS CloudTrail enables real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. Monitoring VPC changes ensures network configurations remain secure and intact, preventing unauthorized modifications that could impact security, connectivity, or availability.

This control ensures that VPC configuration changes (e.g., VPC creation, deletion, peering changes) are logged, monitored, and alerted using CloudWatch Alarms and Amazon SNS notifications.

Rationale:

VPCs define the networking structure within an AWS environment. Unauthorized or misconfigured changes to VPC components can:

  • Expose internal resources to the internet.

  • Create unintended network connections.

  • Cause disruptions to critical applications.

By logging and monitoring VPC changes, organizations can detect and respond to unauthorized modifications, ensuring network security and compliance.

Impact:

  • Failure to monitor VPC changes can result in:

    • Unintended exposure of private resources.

    • Loss of connectivity due to misconfigurations.

    • Security risks due to unauthorized VPC peering or classic link modifications.

  • Enabling monitoring does not impact performance but requires AWS CloudTrail and CloudWatch costs.

Default Value:

  • AWS CloudTrail does not log VPC changes by default.

  • CloudWatch Alarms and SNS notifications must be manually configured to monitor VPC modifications.

Pre-Requisites:

  1. AWS CloudTrail enabled with multi-region logging.

  2. AWS CloudWatch Logs enabled and linked to CloudTrail.

  3. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetEventSelectors

    • logs:DescribeMetricFilters

    • cloudwatch:DescribeAlarms

    • sns:ListSubscriptionsByTopic

    • logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic

Remediation:

Test Plan:

Using AWS Console

  1. Login to the AWS Management Console.

  2. Navigate to CloudTrail: AWS CloudTrail Console.



  3. Verify there is at least one multi-region CloudTrail trail enabled.

  4. Ensure CloudTrail is logging management events:

    • Click on the trail and check Event Selectors.



    • Ensure management events are set to "All".

  5. Check that CloudTrail logs are being sent to CloudWatch.



  6. Navigate to CloudWatch Logs: AWS CloudWatch Console.


  7. Ensure that a metric filter is created for VPC changes.


  8. Check CloudWatch Alarms for alerts on VPC modifications.


Remediation:

Test Plan:

Using AWS Console

  1. List all CloudTrail trails and check for multi-region status:

    aws cloudtrail describe-trails --query "trailList[*].{Name:Name, IsMultiRegion: IsMultiRegionTrail}"

  • Ensure "IsMultiRegion": true for at least one trail.

  1. Verify CloudTrail is logging management events:

    aws cloudtrail get-event-selectors --trail-name <trail-name>

  2. Expected output:

    {
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "ReadWriteType": "All"
        }
    ]
}

  1. Check if a metric filter is set on CloudWatch Logs:

    aws logs describe-metric-filters --log-group-name <trail-log-group-name>

  2. Ensure CloudWatch alarm exists for VPC changes:

    aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==`vpc-changes-metric`]'

  3. Check if SNS topic exists for alerts:

    aws sns list-subscriptions-by-topic --topic-arn <sns-topic-arn>

Implementation Steps:
Using AWS Console

Step 1: Create a Metric Filter for VPC Changes

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name vpc-changes-metric \
--metric-transformations metricName=vpc-changes-metric,metricNamespace='CISBenchmark',metricValue=1 \
--filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'

Step 2: Create an SNS Topic for Notifications

aws sns create-topic --name vpc-changes-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>

Step 4: Create a CloudWatch Alarm for VPC Changes

aws cloudwatch put-metric-alarm --alarm-name vpc-changes-alarm \
--metric-name vpc-changes-metric --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns-topic-arn>

Backout Plan:

  1. Delete CloudWatch Alarm:

    aws cloudwatch delete-alarms --alarm-names vpc-changes-alarm

  2. Remove the metric filter:

    aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name vpc-changes-metric

  3. Delete SNS topic:

    aws sns delete-topic --topic-arn <sns-topic-arn>


References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

8.5

Collect detailed audit logs for security monitoring.

CIS v8

8.11

Conduct audit log reviews to detect anomalies.

CIS v7

5.5

Implement automated configuration monitoring.

CIS v7

6.3

Enable detailed system logging.