Profile Applicability:
Level 1
Description:
AWS CloudTrail records the API calls made in an account; delivering those events to CloudWatch Logs (or an external SIEM) enables near-real-time monitoring of them. Monitoring route table changes is crucial to ensure that network traffic flows securely and as expected.
Route tables determine how network traffic is routed within a VPC, and any unauthorized or accidental modifications could lead to:
Unintended exposure to the internet.
Network misconfigurations causing downtime.
Security risks due to unauthorized route modifications.
This control ensures that route table modifications (e.g., creation, replacement, deletion, disassociation) are logged, monitored, and alerted using CloudWatch Alarms and Amazon SNS notifications.
Rationale:
Monitoring route table changes helps detect:
Unauthorized modifications that may redirect traffic.
Misconfigurations that break connectivity.
Potential security incidents involving rogue routes or backdoors.
Impact:
Failure to monitor route table changes can result in:
Unauthorized traffic redirection leading to data exfiltration.
Loss of connectivity for critical applications.
Security risks due to open access to untrusted networks.
Enabling monitoring does not affect workload performance, but it incurs CloudTrail, CloudWatch Logs, CloudWatch Alarms and SNS charges.
Default Value:
CloudTrail records these route table API calls as management events, but by default they are only retained in CloudTrail Event history (90 days) and are not delivered to CloudWatch Logs.
No metric filter, CloudWatch Alarm or SNS notification for route table modifications exists by default; they must be configured manually.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
The CloudTrail trail configured to deliver its logs to a CloudWatch Logs log group.
IAM Permissions Required:
For the test plan:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
For the implementation steps:
logs:PutMetricFilter
cloudwatch:PutMetricAlarm
sns:CreateTopic
sns:Subscribe
For the backout plan:
cloudwatch:DeleteAlarms
logs:DeleteMetricFilter
sns:DeleteTopic
Remediation:
Test Plan:
Using AWS Console
Login to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one multi-region CloudTrail trail enabled.
Ensure CloudTrail is logging management events:
Click on the trail and check Event Selectors.
Ensure management events are set to "All".
Check that the trail is configured to deliver logs to a CloudWatch Logs log group.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter is created for route table changes.
Check CloudWatch Alarms for alerts on route table modifications.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for Route Table Changes
aws logs put-metric-filter \
  --log-group-name <trail-log-group-name> \
  --filter-name route-table-changes-metric \
  --metric-transformations metricName=route-table-changes-metric,metricNamespace='CISBenchmark',metricValue=1 \
  --filter-pattern '{ ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable)) }'
Note the inner parentheses around the event-name alternatives. Without them the eventSource condition applies only to CreateRoute, and every other event name matches regardless of which service emitted it.
Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name route-table-changes-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe \
  --topic-arn <sns-topic-arn> \
  --protocol email \
  --notification-endpoint <email-address>
The recipient must confirm the subscription from the confirmation email before the topic delivers notifications to that address.
Step 4: Create a CloudWatch Alarm for Route Table Changes
aws cloudwatch put-metric-alarm \
  --alarm-name route-table-changes-alarm \
  --metric-name route-table-changes-metric \
  --namespace 'CISBenchmark' \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <sns-topic-arn>
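The following is an added example, not part of this benchmark control or of any AWS tooling. It mirrors the metric-filter logic from Step 1 in Python so it can be exercised offline: it runs the grouped (correct) and ungrouped (missing parentheses) forms of the pattern over constructed CloudTrail records, and audits a filter pattern string for the seven required event names, which is the check a reviewer would script against the output of logs describe-metric-filters. The log lines and the non-EC2 eventSource value are constructed for illustration.

```python
"""Added example: evaluate CloudTrail records against the route-table
metric-filter logic and audit a filter pattern for required event names.
All log data below is constructed, not taken from a real account."""
import json
import re

# The seven EC2 API calls the control watches (from the Step 1 filter pattern).
ROUTE_TABLE_EVENTS = {
    "CreateRoute", "CreateRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute",
    "DisassociateRouteTable",
}

# The corrected pattern from Step 1 (event-name alternatives grouped).
CORRECT_PATTERN = (
    "{ ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || "
    "($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || "
    "($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || "
    "($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable)) }"
)


def grouped_match(event: dict) -> bool:
    """Correct logic: EC2 source AND any of the watched event names."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in ROUTE_TABLE_EVENTS)


def ungrouped_match(event: dict) -> bool:
    """Logic of the pattern without the inner parentheses:
    (source == ec2 AND name == CreateRoute) OR name == CreateRouteTable OR ...
    Only CreateRoute is scoped to EC2; the rest match from any service."""
    name = event.get("eventName")
    if event.get("eventSource") == "ec2.amazonaws.com" and name == "CreateRoute":
        return True
    return name in (ROUTE_TABLE_EVENTS - {"CreateRoute"})


def missing_event_names(filter_pattern: str) -> set:
    """Audit helper: event names the control requires but the pattern omits.
    Handles both quoted and unquoted values in $.eventName = ... terms."""
    found = set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', filter_pattern))
    return ROUTE_TABLE_EVENTS - found


def parse_log_lines(text: str) -> list:
    """CloudWatch Logs holds one CloudTrail record per line as JSON."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_matches(records: list, predicate) -> int:
    return sum(1 for r in records if predicate(r))


# Constructed sample records; the last eventSource is hypothetical.
SAMPLE_LOG_LINES = """
{"eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}}
{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables"}
{"eventSource": "other-service.amazonaws.com", "eventName": "DeleteRoute"}
"""
SAMPLE_RECORDS = parse_log_lines(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    print("grouped pattern matches:  ", count_matches(SAMPLE_RECORDS, grouped_match))
    print("ungrouped pattern matches:", count_matches(SAMPLE_RECORDS, ungrouped_match))
    print("missing from CORRECT_PATTERN:", missing_event_names(CORRECT_PATTERN))
```

The read-only DescribeRouteTables call is never matched by either form, but the ungrouped form also fires on the DeleteRoute record from the non-EC2 source, which is the false-positive class the parentheses remove. missing_event_names can be pointed at the filterPattern field returned by aws logs describe-metric-filters to confirm an existing filter covers all seven calls.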
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names route-table-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name route-table-changes-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>