Profile Applicability:
Level 1
Description:
Changes to route tables in a VPC are significant for network communication, and it is essential to monitor these changes to prevent unauthorized access or misconfigurations. This check ensures that route table changes, such as adding, modifying, or deleting routes, are logged and reviewed to maintain network integrity.
Rationale:
Route table modifications can significantly impact network traffic flow within your AWS environment. Unauthorized or accidental changes to route tables can cause disruptions or security risks. By monitoring these changes, you ensure that only authorized modifications are made and that any unintended changes are quickly detected.
Impact:
Positive Impact: Helps prevent disruptions in network communication and unauthorized access by monitoring route table changes.
Negative Impact: May introduce additional monitoring overhead, especially if frequent changes are made to the route tables.
Default Value:
By default, AWS does not log route table changes unless CloudTrail is enabled. This check ensures that CloudTrail is set up to capture these changes for auditing purposes.
Pre-Requisite:
Permissions Required: IAM permissions to view and configure CloudTrail and CloudWatch settings.
AWS Services: CloudTrail for logging route table changes, CloudWatch for monitoring and creating alerts.
Tools Required: AWS CloudTrail, CloudWatch Alarms, and optionally AWS Lambda for automation.
Remediation:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CloudTrail and ensure a multi-region trail is enabled.
In CloudTrail, enable logging for management events if not already done, and confirm the trail delivers its logs to a CloudWatch Logs log group, since the metric filter in the next step is applied to that log group.
In CloudWatch, create an alarm for changes related to route tables:
Create a metric filter for route table changes such as CreateRoute, DeleteRoute, or ReplaceRoute.
Set the alarm to notify administrators if these changes are detected.
Enable SNS notifications to alert the designated personnel when route table changes occur.
Using AWS CLI:
Enable CloudTrail to log management events:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
Enable management event logging (a trail created with create-trail does not record anything until logging is started):
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'
aws cloudtrail start-logging --name <trail-name>
Search for route table changes:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateRoute
Set up a metric filter on the log group that receives the trail's logs, then an alarm on the resulting metric:
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name RouteTableChanges --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }' --metric-transformations metricName=RouteTableChanges,metricNamespace=<metric-namespace>,metricValue=1
aws cloudwatch put-metric-alarm --alarm-name "RouteTableChangeAlarm" --metric-name "RouteTableChanges" --namespace "<metric-namespace>" --statistic "Sum" --period 300 --evaluation-periods 1 --threshold 1 --comparison-operator "GreaterThanOrEqualToThreshold" --alarm-actions <SNS-topic-arn>
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to CloudTrail and create a new trail or ensure an existing trail is capturing management events and delivering them to a CloudWatch Logs log group.
Set up CloudWatch Alarms for specific route table changes (e.g., CreateRoute, DeleteRoute).
Create SNS notifications to notify the appropriate team if route table changes occur.
Test the alarm by making changes to a route table and ensuring the alarm triggers.
Using AWS CLI:
Create a CloudTrail trail for multi-region logging:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
Enable management event logging and start the trail (a newly created trail does not record anything until logging is started):
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'
aws cloudtrail start-logging --name <trail-name>
Search for route table changes:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateRoute
Create a metric filter on the log group that receives the trail's logs, then a CloudWatch alarm on the resulting metric:
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name RouteTableChanges --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute) }' --metric-transformations metricName=RouteTableChanges,metricNamespace=<metric-namespace>,metricValue=1
aws cloudwatch put-metric-alarm --alarm-name "RouteTableChangeAlarm" --metric-name "RouteTableChanges" --namespace "<metric-namespace>" --statistic "Sum" --period 300 --evaluation-periods 1 --threshold 1 --comparison-operator "GreaterThanOrEqualToThreshold" --alarm-actions <SNS-topic-arn>
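As an added example (not part of this benchmark page or of any AWS tooling), the following Python builds the CloudWatch Logs filter pattern that put-metric-filter expects and runs the same matching logic over a constructed CloudTrail log file, so the Remediation and Implementation Steps above can be sanity-checked offline before the alarm is wired up. It goes beyond the three event names the page lists by covering the other EC2 route-table mutations; the account id, ARNs, route table id and timestamps in the sample are constructed.

```python
import json

# EC2 API actions that alter VPC routing. The page names the first three;
# the other five are the remaining route-table mutations in the EC2 API.
ROUTE_TABLE_EVENTS = frozenset({
    "CreateRoute", "ReplaceRoute", "DeleteRoute", "CreateRouteTable",
    "DeleteRouteTable", "AssociateRouteTable", "DisassociateRouteTable",
    "ReplaceRouteTableAssociation",
})

def metric_filter_pattern(events=ROUTE_TABLE_EVENTS):
    """Build the CloudWatch Logs filter pattern for put-metric-filter."""
    terms = " || ".join(f"($.eventName = {name})" for name in sorted(events))
    return "{ " + terms + " }"

def find_route_table_changes(cloudtrail_file_json):
    """Summarise each route-table change in a CloudTrail log file (the
    {"Records": [...]} layout written to S3). Read-only calls are skipped;
    denied attempts are kept, since the metric filter counts them too."""
    hits = []
    for rec in json.loads(cloudtrail_file_json).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in ROUTE_TABLE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        hits.append({
            "eventName": rec["eventName"],
            "eventTime": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "routeTableId": params.get("routeTableId"),
            "denied": rec.get("errorCode") is not None,
        })
    return hits

# Constructed sample log file: an applied CreateRoute, a read-only
# DescribeRouteTables, and a DeleteRoute that IAM refused.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute",
     "eventTime": "2024-01-01T10:00:00Z",
     "requestParameters": {"routeTableId": "rtb-0123456789abcdef0", "destinationCidrBlock": "0.0.0.0/0"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables",
     "eventTime": "2024-01-01T10:01:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRoute",
     "eventTime": "2024-01-01T10:02:00Z", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"routeTableId": "rtb-0123456789abcdef0"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]})
```

Running find_route_table_changes(SAMPLE_LOG_FILE) returns two entries (the CreateRoute and the denied DeleteRoute) and skips the DescribeRouteTables record; the same two records are what the metric filter above would count toward the alarm.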
Backout Plan:
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudWatch > Logs > Log Groups.
Locate the Log Group that monitors Route Table changes and remove the associated Metric Filter:
Select Metric Filters and delete the filter connected to the Route Table monitoring.
Navigate to CloudWatch Alarms and locate the alarm linked to the Route Table changes.
Delete the alarm:
Select the alarm, go to Actions > Delete, and confirm the deletion.
Using AWS CLI:
List all metric filters to identify the one monitoring Route Table changes:
aws logs describe-metric-filters --log-group-name <log-group-name>
Delete the specific metric filter:
aws logs delete-metric-filter --log-group-name <log-group-name> --filter-name <filter-name>
List all CloudWatch alarms:
aws cloudwatch describe-alarms
Delete the alarm linked to Route Table monitoring:
aws cloudwatch delete-alarms --alarm-names <alarm-name>