Profile Applicability:
Level 1:
Description:
AWS CloudTrail enables near-real-time monitoring of API calls by delivering events to CloudWatch Logs or an external SIEM. Monitoring network gateway changes helps ensure that ingress/egress traffic keeps flowing only through intended, controlled paths. Network gateways such as Internet Gateways (IGW), Customer Gateways (CGW), and Virtual Private Gateways (VGW) provide connectivity between AWS VPCs and external networks. Any unauthorized or accidental modification can result in:
Unintended exposure of AWS resources to the internet.
Loss of connectivity to on-premises networks.
Security risks due to unauthorized route modifications.
This control ensures that network gateway modifications (e.g., creation, deletion, attachment, detachment) are logged, monitored, and alerted using CloudWatch Alarms and Amazon SNS notifications.
Rationale:
Monitoring network gateway changes helps detect:
Unauthorized modifications that may allow malicious ingress/egress traffic.
Misconfigurations that disrupt connectivity between AWS and external networks.
Potential security incidents involving unauthorized gateway attachments.
Impact:
Failure to monitor network gateway changes can result in:
Unintended exposure of AWS resources to public networks.
Loss of connectivity between AWS and on-premises networks.
Security risks due to unauthorized internet or VPN gateway modifications.
Enabling monitoring does not impact performance, but it incurs AWS CloudTrail and CloudWatch costs.
Default Value:
AWS CloudTrail does not log network gateway changes by default.
CloudWatch Alarms and SNS notifications must be manually configured to monitor network gateway modifications.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
AWS CloudWatch Logs enabled and linked to CloudTrail.
IAM Permissions Required:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
logs:PutMetricFilter
cloudwatch:PutMetricAlarm
sns:CreateTopic
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one multi-region CloudTrail trail enabled.
Ensure CloudTrail is logging management events:
Click on the trail and check Event Selectors.
Ensure management events are set to "All".
Check that CloudTrail logs are being sent to CloudWatch.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter is created for network gateway changes.
Check CloudWatch Alarms for alerts on network gateway modifications.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for Network Gateway Changes
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
  --filter-name network-gw-changes-metric \
  --metric-transformations metricName=network-gw-changes-metric,metricNamespace='CISBenchmark',metricValue=1 \
  --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name network-gw-changes-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <email-address>
Step 4: Create a CloudWatch Alarm for Network Gateway Changes
aws cloudwatch put-metric-alarm --alarm-name network-gw-changes-alarm \
  --metric-name network-gw-changes-metric --statistic Sum --period 300 \
  --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns-topic-arn>
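The following added example (not part of the benchmark, and not an AWS tool) shows what Steps 1 and 4 actually evaluate: it extracts the eventName values from a metric filter pattern so an auditor can confirm the filter covers every required gateway event, then replays constructed CloudTrail records through the same event set and the alarm's Sum/300-second/threshold-1 logic. The sample records are constructed, not real AWS output; one CreateVpnGateway record is included to make visible that the pattern as written covers IGW and CGW calls only, not Virtual Private Gateway calls.

```python
import json
import re
from datetime import datetime, timezone

# Event names the benchmark's filter pattern selects (Internet and Customer Gateway API calls).
GATEWAY_EVENTS = {
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "CreateInternetGateway", "DeleteInternetGateway",
    "AttachInternetGateway", "DetachInternetGateway",
}

# The exact --filter-pattern value from Step 1, kept here so the audit check can be run on it.
BENCHMARK_PATTERN = ("{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || "
                     "($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || "
                     "($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }")

# One "($.eventName = X)" clause; the value may be bare (as above) or double-quoted.
CLAUSE_RE = re.compile(r'\(\s*\$\.eventName\s*=\s*"?(\w+)"?\s*\)')


def events_in_filter_pattern(pattern: str) -> set:
    """Event names a CloudWatch Logs filter pattern selects on $.eventName."""
    return set(CLAUSE_RE.findall(pattern))


def missing_gateway_events(pattern: str) -> set:
    """Audit check: required event names the pattern does NOT cover (empty set = pass)."""
    return GATEWAY_EVENTS - events_in_filter_pattern(pattern)


def matching_events(cloudtrail_log: str) -> list:
    """eventNames of records in a CloudTrail log file that the metric filter would count."""
    records = json.loads(cloudtrail_log)["Records"]
    return [r["eventName"] for r in records if r.get("eventName") in GATEWAY_EVENTS]


def alarm_would_fire(cloudtrail_log: str, period: int = 300, threshold: int = 1) -> bool:
    """Emulate the Step 4 alarm: Sum of metricValue=1 in any one period >= threshold."""
    buckets = {}
    for r in json.loads(cloudtrail_log)["Records"]:
        if r.get("eventName") not in GATEWAY_EVENTS:
            continue
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // period
        buckets[bucket] = buckets.get(bucket, 0) + 1
    return any(count >= threshold for count in buckets.values())


# Constructed sample CloudTrail records (not real AWS output).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AttachInternetGateway", "awsRegion": "us-east-1"},
    {"eventTime": "2024-01-15T10:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInternetGateways", "awsRegion": "us-east-1"},
    {"eventTime": "2024-01-15T10:03:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpnGateway", "awsRegion": "us-east-1"},  # VGW call: not in the pattern
]})
```

Run missing_gateway_events() on the filterPattern returned by aws logs describe-metric-filters to verify the existing filter matches the benchmark, and alarm_would_fire() on an exported log file to confirm which records would have raised the alarm.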
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names network-gw-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name network-gw-changes-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>