Profile Applicability:
Level 2
Description:
AWS CloudTrail enables real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. Monitoring security group changes ensures that network access control policies remain consistent and secure. Security Groups act as stateful packet filters controlling ingress and egress traffic within a VPC. Any unauthorized or accidental modifications can result in:
Unintended exposure of AWS resources to the internet.
Network misconfigurations leading to security vulnerabilities.
Security risks due to unauthorized firewall rule modifications.
This control ensures that security group modifications (e.g., creation, deletion, ingress/egress rule modifications) are logged, monitored, and alerted using CloudWatch Alarms and Amazon SNS notifications.
Rationale:
Monitoring security group changes helps detect:
Unauthorized modifications that may allow malicious traffic.
Accidental misconfigurations that disrupt access controls.
Security incidents involving unexpected traffic flow changes.
Impact:
Failure to monitor security group changes can result in:
Exposing AWS resources to unauthorized traffic.
Loss of access control for critical applications.
Security risks due to open access to untrusted networks.
Enabling monitoring does not impact performance, but it requires AWS CloudTrail and CloudWatch costs.
Default Value:
AWS CloudTrail does not log security group changes by default.
CloudWatch Alarms and SNS notifications must be manually configured to monitor security group modifications.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
AWS CloudWatch Logs enabled and linked to CloudTrail.
IAM Permissions Required:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic
Remediation:
Test Plan:
Using AWS Console
Login to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one multi-region CloudTrail trail enabled.
Ensure CloudTrail is logging management events:
Click on the trail and check Event Selectors.
Ensure management events are set to "All".
Check that CloudTrail logs are being sent to CloudWatch.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter is created for security group changes.
Check CloudWatch Alarms for alerts on security group modifications.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for Security Group Changes
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name security-group-changes-metric \
--metric-transformations metricName=security-group-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
--filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name security-group-changes-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>
Step 4: Create a CloudWatch Alarm for Security Group Changes
aws cloudwatch put-metric-alarm --alarm-name security-group-changes-alarm \ --metric-name security-group-changes-metric --statistic Sum --period 300 \ --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \ --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names security-group-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name security-group-changes-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>