Profile Applicability:

Level 2

Description:

AWS CloudTrail enables real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. Monitoring AWS Config changes ensures that AWS Config remains active and properly configured. AWS Config is a service that enables continuous monitoring of AWS resource configurations. Any unauthorized or accidental modifications to AWS Config can result in:

  • Loss of configuration history for compliance and security auditing.

  • Disruption in change tracking across AWS resources.

  • Security risks due to disabled configuration monitoring.

This control ensures that AWS Config configuration modifications (e.g., stopping, deleting, or modifying configuration recorders or delivery channels) are logged, monitored, and alerted on using CloudWatch Alarms and Amazon SNS notifications.

Rationale:

Monitoring AWS Config changes helps detect:

  • Unauthorized modifications that disable AWS Config tracking.

  • Accidental misconfigurations that disrupt AWS resource compliance monitoring.

  • Security incidents involving unexpected configuration setting changes.

Impact:

  • Failure to monitor AWS Config changes can result in:

    • Lack of visibility into AWS resource configurations.

    • Failure to comply with security and compliance policies.

    • Inability to track changes for troubleshooting security incidents.

  • Enabling monitoring does not impact performance, but it incurs AWS CloudTrail and CloudWatch costs.

Default Value:

  • AWS CloudTrail does not log AWS Config changes by default.

  • CloudWatch Alarms and SNS notifications must be manually configured to monitor AWS Config modifications.

Pre-Requisites:

  1. AWS CloudTrail enabled with multi-region logging.

  2. AWS CloudWatch Logs enabled and linked to CloudTrail.

  3. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetEventSelectors

    • logs:DescribeMetricFilters

    • cloudwatch:DescribeAlarms

    • sns:ListSubscriptionsByTopic

    • logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic

Remediation:

Test Plan:

Using AWS Console

  1. Login to the AWS Management Console.

  2. Navigate to CloudTrail: AWS CloudTrail Console.

  3. Verify there is at least one multi-region CloudTrail trail enabled.

  4. Ensure CloudTrail is logging management events:

    • Click on the trail and check Event Selectors.

    • Ensure management events are set to "All".

  5. Check that CloudTrail logs are being sent to CloudWatch.

  6. Navigate to CloudWatch Logs: AWS CloudWatch Console.

  7. Ensure that a metric filter is created for AWS Config changes.

  8. Check CloudWatch Alarms for alerts on AWS Config modifications.

Implementation Steps:

Using AWS CLI

Step 1: Create a Metric Filter for AWS Config Changes

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name aws-config-changes-metric \
--metric-transformations metricName=aws-config-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
--filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder)) }'

Step 2: Create an SNS Topic for Notifications

aws sns create-topic --name aws-config-changes-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>

Step 4: Create a CloudWatch Alarm for AWS Config Changes

aws cloudwatch put-metric-alarm --alarm-name aws-config-changes-alarm \
--metric-name aws-config-changes-metric --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
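The script below is an added example, not part of this benchmark text or of any AWS tooling. It wires Steps 1 through 4 together so the SNS topic ARN returned by Step 2 is passed straight into Steps 3 and 4 instead of being copied by hand, and it implements the check behind Test Plan step 7 as an offline string test: does a metric filter's pattern name the config.amazonaws.com event source and every one of the four event names the benchmark expects? LOG_GROUP and ALERT_EMAIL are placeholders, and the two describe-metric-filters JSON samples are constructed to exercise the check without an AWS account.

```shell
#!/bin/sh
# Added example (not part of the benchmark text). LOG_GROUP and ALERT_EMAIL are
# placeholders; SAMPLE_DESCRIBE and SAMPLE_INCOMPLETE are constructed samples
# shaped like pretty-printed `aws logs describe-metric-filters` output.

LOG_GROUP="${LOG_GROUP:-<trail-log-group-name>}"
ALERT_EMAIL="${ALERT_EMAIL:-<your-email@example.com>}"
FILTER_NAME="aws-config-changes-metric"
NAMESPACE="CISBenchmark"
ALARM_NAME="aws-config-changes-alarm"

# Step 1 pattern: config.amazonaws.com calls that stop or reshape recording.
PATTERN='{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder)) }'

# Event names the benchmark requires the filter to cover.
REQUIRED_EVENTS="StopConfigurationRecorder DeleteDeliveryChannel PutDeliveryChannel PutConfigurationRecorder"

# pattern_covers_required PATTERN -> 0 when PATTERN names config.amazonaws.com
# and every required eventName (quoted or bare), 1 otherwise. Needs only grep.
pattern_covers_required() {
    pattern="$1"
    printf '%s' "$pattern" | grep -q 'config\.amazonaws\.com' || return 1
    for ev in $REQUIRED_EVENTS; do
        printf '%s' "$pattern" | grep -q "eventName *= *\"\{0,1\}$ev" || return 1
    done
    return 0
}

# audit_describe_output JSON -> 0 when at least one "filterPattern" line in the
# pretty-printed describe-metric-filters output passes pattern_covers_required.
audit_describe_output() {
    printf '%s\n' "$1" | grep '"filterPattern"' | while IFS= read -r line; do
        if pattern_covers_required "$line"; then echo covered; fi
    done | grep -q covered
}

# Constructed sample: one unrelated filter plus a complete AWS Config filter.
SAMPLE_DESCRIBE='{
    "metricFilters": [
        {
            "filterName": "unauthorized-api-calls",
            "filterPattern": "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }",
            "logGroupName": "CloudTrail/DefaultLogGroup"
        },
        {
            "filterName": "aws-config-changes-metric",
            "filterPattern": "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder)) }",
            "logGroupName": "CloudTrail/DefaultLogGroup"
        }
    ]
}'

# Constructed sample: a filter that only watches the recorder being stopped,
# so delivery-channel changes would go unalerted. Must fail the audit.
SAMPLE_INCOMPLETE='{
    "metricFilters": [
        {
            "filterName": "config-stop-only",
            "filterPattern": "{ ($.eventSource = config.amazonaws.com) && ($.eventName = StopConfigurationRecorder) }",
            "logGroupName": "CloudTrail/DefaultLogGroup"
        }
    ]
}'

# remediate: Steps 1-4 in order. The topic ARN from create-topic is captured
# with --query/--output text and reused, so no placeholder is edited by hand.
remediate() {
    aws logs put-metric-filter --log-group-name "$LOG_GROUP" \
        --filter-name "$FILTER_NAME" \
        --metric-transformations "metricName=$FILTER_NAME,metricNamespace=$NAMESPACE,metricValue=1" \
        --filter-pattern "$PATTERN"
    topic_arn=$(aws sns create-topic --name aws-config-changes-alerts --query TopicArn --output text)
    aws sns subscribe --topic-arn "$topic_arn" --protocol email --notification-endpoint "$ALERT_EMAIL"
    aws cloudwatch put-metric-alarm --alarm-name "$ALARM_NAME" \
        --metric-name "$FILTER_NAME" --namespace "$NAMESPACE" --statistic Sum --period 300 \
        --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
        --evaluation-periods 1 --alarm-actions "$topic_arn"
}

# verify_live: Test Plan step 7 against the real account's trail log group.
verify_live() {
    audit_describe_output "$(aws logs describe-metric-filters --log-group-name "$LOG_GROUP" --output json)"
}

case "${1:-}" in
    apply)  remediate ;;
    verify) verify_live && echo "AWS Config change metric filter present" ;;
    *)      ;;   # no argument: define functions only, so the file can be sourced
esac
```

Run with `apply` to perform the remediation and `verify` to re-run the step 7 check later; both need AWS credentials, while the pattern check itself runs anywhere. The check is deliberately a string test on the pattern rather than a re-implementation of CloudWatch filter semantics: it catches the common drift case of a filter that was created but covers fewer event names than the benchmark requires.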

Backout Plan:

  1. Delete CloudWatch Alarm:

    aws cloudwatch delete-alarms --alarm-names aws-config-changes-alarm

  2. Remove the metric filter:

    aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name aws-config-changes-metric

  3. Delete SNS topic:

    aws sns delete-topic --topic-arn <sns-topic-arn>

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|--------------------------------------------------------
CIS v8              | 8.5        | Collect detailed audit logs for security monitoring.
CIS v8              | 8.11       | Conduct audit log reviews to detect anomalies.
CIS v7              | 6.3        | Enable detailed logging for security monitoring.
CIS v7              | 1.4        | Maintain a detailed asset inventory of AWS resources.
CIS v7              | 11.2       | Document traffic configuration rules.