Profile Applicability:
Level 2
Description:
AWS CloudTrail records API calls and can deliver them to CloudWatch Logs (or, via S3, to an external SIEM) for near-real-time monitoring. Monitoring NACL changes ensures that subnet-level network rules remain consistent and reviewed. Network Access Control Lists (NACLs) act as stateless packet filters controlling ingress and egress traffic for subnets within a VPC; unlike security groups, a rule that permits inbound traffic does not implicitly permit the return traffic, so a single misplaced entry can open or break a path. Any unauthorized or accidental modification can result in:
Unauthorized access to AWS resources.
Network misconfigurations leading to downtime.
Security risks due to unintended exposure of sensitive resources.
This control ensures that NACL modifications (e.g., creation, deletion, entry modifications, and association changes) are logged, monitored, and alerted using CloudWatch Alarms and Amazon SNS notifications.
Rationale:
Monitoring NACL changes helps detect:
Unauthorized modifications that may allow malicious traffic.
Accidental misconfigurations that disrupt access controls.
Security incidents involving unexpected traffic flow changes.
Impact:
Failure to monitor NACL changes can result in:
Exposing AWS resources to unauthorized traffic.
Loss of access control for critical applications.
Security risks due to open access to untrusted networks.
Enabling monitoring does not affect workload performance, but it incurs CloudTrail, CloudWatch Logs, CloudWatch Alarm and SNS charges.
Default Value:
NACL API calls are recorded as EC2 management events once a trail logging management events exists, but no metric filter, CloudWatch Alarm or SNS notification for them exists by default.
The metric filter, alarm and subscription must be configured manually (or through infrastructure-as-code) to monitor NACL modifications.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
AWS CloudWatch Logs enabled and linked to CloudTrail.
IAM Permissions Required:
For audit:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
For remediation and backout:
logs:PutMetricFilter
logs:DeleteMetricFilter
cloudwatch:PutMetricAlarm
cloudwatch:DeleteAlarms
sns:CreateTopic
sns:Subscribe
sns:DeleteTopic
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Management Console.
Navigate to the CloudTrail console.
Verify there is at least one multi-region trail with logging enabled.
Ensure the trail is logging management events:
Open the trail and check its event selectors.
Ensure management events are recorded for both Read and Write API activity ("All").
Check that the trail delivers its logs to a CloudWatch Logs log group.
Navigate to the CloudWatch console and open that log group's metric filters.
Ensure a metric filter exists whose pattern selects all six NACL event names: CreateNetworkAcl, CreateNetworkAclEntry, DeleteNetworkAcl, DeleteNetworkAclEntry, ReplaceNetworkAclEntry and ReplaceNetworkAclAssociation.
Check that a CloudWatch alarm is attached to that filter's metric and that its alarm action is an SNS topic with at least one confirmed subscription.
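The following is an added offline check (example code, not part of this benchmark text and not an AWS tool) covering two things the test plan above asks a reviewer to verify by hand: that a metric filter pattern selects all six NACL event names, and that an alarm with an SNS action and a confirmed subscriber is attached to the resulting metric. It also applies the Step 1 filter pattern to a few constructed CloudTrail records to show what does and does not count as a NACL change. The JSON inputs are constructed to mimic the shape of the describe-metric-filters, describe-alarms and list-subscriptions-by-topic responses; no AWS call is made, and the pattern evaluator understands only the OR-of-equality shape used by this control, not the full CloudWatch metric filter syntax.

```python
"""Offline audit of the NACL-change metric filter, alarm and SNS wiring.

Added example: the dicts below are constructed to mimic the shape of
`aws logs describe-metric-filters`, `aws cloudwatch describe-alarms` and
`aws sns list-subscriptions-by-topic` output. No AWS API is called.
"""
import re

# The six management events the filter pattern in this control must select.
REQUIRED_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
# Pattern from Step 1 of the implementation steps.
CIS_PATTERN = (
    "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || "
    "($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || "
    "($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
)
# One `$.eventName = Value` term; only the OR-of-equality shape used here is handled.
_EVENT_TERM = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?')


def event_names_in_pattern(pattern):
    """eventName values an OR-of-equality metric filter pattern selects."""
    return set(_EVENT_TERM.findall(pattern))


def missing_events(pattern):
    """Required NACL event names the pattern does not select (empty = compliant)."""
    return REQUIRED_EVENTS - event_names_in_pattern(pattern)


def matching_events(pattern, records):
    """Apply the pattern to CloudTrail records; returns matched eventNames in order."""
    wanted = event_names_in_pattern(pattern)
    return [r["eventName"] for r in records if r.get("eventName") in wanted]


def audit(filters, alarms, subscriptions):
    """Check filter coverage, alarm wiring and a confirmed SNS subscriber.

    Returns a list of findings; an empty list means the control is satisfied.
    """
    findings = []
    compliant = [f for f in filters.get("metricFilters", [])
                 if not missing_events(f["filterPattern"])]
    if not compliant:
        return ["no metric filter covers all six NACL event names"]
    # (metricName, metricNamespace) pairs an alarm must be attached to
    metrics = {(t["metricName"], t["metricNamespace"])
               for f in compliant for t in f["metricTransformations"]}
    wired = [a for a in alarms.get("MetricAlarms", [])
             if (a["MetricName"], a["Namespace"]) in metrics]
    if not wired:
        findings.append("no CloudWatch alarm is attached to the NACL-changes metric")
    topics = {arn for a in wired for arn in a.get("AlarmActions", []) if ":sns:" in arn}
    if wired and not topics:
        findings.append("alarm has no SNS topic in AlarmActions")
    confirmed = [s for s in subscriptions.get("Subscriptions", [])
                 if s["TopicArn"] in topics and s["SubscriptionArn"] != "PendingConfirmation"]
    if topics and not confirmed:
        findings.append("SNS topic has no confirmed subscriber")
    return findings


# ---- constructed sample data (not real account output) ----
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:nacl-changes-alerts"
SAMPLE_FILTERS = {"metricFilters": [{
    "filterName": "nacl-changes-metric", "filterPattern": CIS_PATTERN,
    "metricTransformations": [{"metricName": "nacl-changes-metric",
                               "metricNamespace": "CISBenchmark", "metricValue": "1"}],
}]}
SAMPLE_ALARMS = {"MetricAlarms": [{
    "AlarmName": "nacl-changes-alarm", "MetricName": "nacl-changes-metric",
    "Namespace": "CISBenchmark", "AlarmActions": [TOPIC_ARN],
}]}
SAMPLE_SUBSCRIPTIONS = {"Subscriptions": [
    {"TopicArn": TOPIC_ARN, "Protocol": "email",
     "SubscriptionArn": TOPIC_ARN + ":0f1e2d3c-0000-4000-8000-000000000001"},
    {"TopicArn": TOPIC_ARN, "Protocol": "email", "SubscriptionArn": "PendingConfirmation"},
]}
# Three constructed CloudTrail records; only the two NACL mutations should match.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry"},
]

if __name__ == "__main__":
    print("pattern gaps:", missing_events(CIS_PATTERN) or "none")
    print("matched events:", matching_events(CIS_PATTERN, SAMPLE_RECORDS))
    print("findings:", audit(SAMPLE_FILTERS, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS) or "none")
```

To use it against a real account, feed the output of the three describe/list commands in the IAM permissions list above into audit() in place of the constructed dicts. A pending email subscription is deliberately treated as a finding because an unconfirmed subscriber receives no alarm notifications.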
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for NACL Changes
Replace <trail-log-group-name> with the CloudWatch Logs log group the multi-region trail delivers to. Every matching event adds 1 to the metric.
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
  --filter-name nacl-changes-metric \
  --metric-transformations metricName=nacl-changes-metric,metricNamespace='CISBenchmark',metricValue=1 \
  --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name nacl-changes-alerts
Step 3: Subscribe to SNS Topic
The recipient must click the confirmation link SNS emails them; until the subscription leaves the PendingConfirmation state no alarm notifications are delivered.
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>
Step 4: Create a CloudWatch Alarm for NACL Changes
The --metric-name and --namespace values must match the metric transformation from Step 1 exactly; the alarm fires when the five-minute sum reaches 1, i.e. on the first matching event.
aws cloudwatch put-metric-alarm --alarm-name nacl-changes-alarm \
  --metric-name nacl-changes-metric --statistic Sum --period 300 \
  --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns-topic-arn>
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names nacl-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name nacl-changes-metric
Delete the SNS topic (this also removes its subscriptions; skip this step if other alarms share the topic):
aws sns delete-topic --topic-arn <sns-topic-arn>