Profile Applicability

  • Level 1

Description:

Network gateways in AWS, such as Internet Gateways (IGWs) and Virtual Private Gateways (VGWs), play a critical role in managing the flow of network traffic between AWS VPCs and external networks. Changes to network gateway configurations—such as creating, deleting, or modifying gateways—can significantly impact the availability, security, and connectivity of your resources.

To ensure that any changes to network gateway configurations are tracked, it is important to enable monitoring for these changes. AWS CloudTrail can be used to log actions related to network gateways, enabling visibility into changes such as the attachment or detachment of IGWs and VGWs from VPCs.

Rationale:

Monitoring changes to network gateways provides several benefits:

  • Security: Detects unauthorized or unintended changes to network configurations that could compromise security or connectivity.

  • Compliance: Ensures that all modifications to networking infrastructure are tracked for auditing and compliance purposes.

  • Visibility: Improves visibility into network changes, helping teams quickly identify and address issues that could impact service availability.

  • Incident detection: Enables faster detection of misconfigurations or malicious changes to network access that could expose resources to unauthorized access.

Without monitoring, changes to network gateways may go undetected, leading to potential network disruptions, security vulnerabilities, or compliance violations.

Impact:

Failure to monitor network gateway changes can result in:

  • Unauthorized changes: Security breaches could occur if network gateways are modified or detached without proper oversight.

  • Network misconfigurations: Incorrect modifications to network gateways can lead to network outages or loss of connectivity.

  • Non-compliance: Violates best practices and regulatory requirements that mandate continuous monitoring and auditing of network-related changes.

  • Increased risk of attacks: Malicious actors could take advantage of undetected changes to network configurations to exploit vulnerabilities.

Enabling monitoring for network gateway changes ensures that all modifications are intentional, secure, and auditable.

Default Value:

By default, AWS does not automatically log changes to network gateways unless CloudTrail is explicitly configured to do so. You must enable CloudTrail and configure it to capture network gateway events for monitoring.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • cloudtrail:CreateTrail

    • cloudtrail:DescribeTrails

    • cloudtrail:PutEventSelectors

    • cloudtrail:StartLogging

  • CloudTrail must be configured to log network gateway events

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the AWS CloudTrail Console.

  2. Verify that CloudTrail is configured to monitor network gateway changes. CloudTrail should log events such as AttachInternetGateway, DetachInternetGateway, and CreateVPNConnection.

  3. Review the Event History in CloudTrail for any changes to network gateways and ensure that they are being tracked.

Using AWS CLI:

To check if CloudTrail is capturing network gateway events:

aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>']" --output table

To verify if network gateway events are being captured:

aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
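
The two commands above return JSON that still has to be read by hand. The following Python is an added check, not part of the benchmark text: it takes responses shaped like those of describe-trails and get-event-selectors (plus the IsLogging flag from get-trail-status, a call the page does not list) and reports why a trail would fail to capture gateway changes. The sample records are constructed, not taken from a real account. One caveat worth knowing: IGW and VGW API calls are regional EC2 management events, so a trail needs IsMultiRegionTrail to see them in every region; IncludeGlobalServiceEvents covers global services such as IAM and STS.

```python
from typing import List


def management_writes_logged(selectors: dict) -> bool:
    """True if at least one selector records management write events.

    Handles both the classic EventSelectors shape and AdvancedEventSelectors,
    as returned by `aws cloudtrail get-event-selectors`.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") in ("All", "WriteOnly"):
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        # readOnly Equals ["true"] restricts the selector to read-only calls,
        # which would drop every Attach/Detach/Create/Delete gateway event.
        if fields.get("readOnly", {}).get("Equals") == ["true"]:
            continue
        return True
    return False


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> List[str]:
    """Return findings for one trail; an empty list means gateway changes are captured."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging (run `aws cloudtrail start-logging`)")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: gateway changes in other regions are not captured")
    if not management_writes_logged(selectors):
        findings.append("no event selector records management write events")
    return findings


# Constructed sample responses (not real account data).
COMPLIANT = (
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True},
    {"IsLogging": True},
    {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
)

WEAK = (
    {"Name": "dev-trail", "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
    {"IsLogging": False},
    {"AdvancedEventSelectors": [{"Name": "reads-only", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "readOnly", "Equals": ["true"]},
    ]}]},
)

if __name__ == "__main__":
    for args in (COMPLIANT, WEAK):
        print(args[0]["Name"], evaluate_trail(*args) or ["ok"])
```

To run it against a live account, feed it the parsed output of the three CLI calls (or boto3's describe_trails, get_trail_status and get_event_selectors) for each trail returned by describe-trails.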

Implementation Plan:

Using AWS Console:

  1. Enable CloudTrail to log network gateway changes:

    • Go to the CloudTrail Console.

    • Create a new trail or modify an existing trail to ensure that Management Events are included, specifically logging Write-only or All events.

    • Ensure that Global service events are enabled to capture network gateway changes across all regions.

  2. Verify CloudTrail is logging network gateway changes:

    • After enabling or modifying the trail, check the Event history for entries related to network gateways, such as AttachInternetGateway, DetachInternetGateway, or CreateVPNConnection.

Using AWS CLI:

  1. Enable CloudTrail to monitor network gateway changes:

aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --include-global-service-events

  2. Verify the event selectors for network gateway changes:

aws cloudtrail get-event-selectors --trail-name <trail-name> --output table

  3. Check for network gateway events in CloudTrail:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com --query "Events[?EventName=='AttachInternetGateway' || EventName=='DetachInternetGateway' || EventName=='CreateVPNConnection']" --output table
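
The lookup-events query above does the matching inside the CLI. The Python below is an added detection example, not part of the benchmark text: it parses CloudTrail log-file content (a JSON object with a Records array, the format delivered to S3) and raises an alert for each gateway change, including who made it and which resources it touched. The event name list extends the three names on the page with the other gateway write actions from the EC2 API (my assumption, not the page's list), and matching is case-insensitive because the EC2 API spells the action CreateVpnConnection. The log records are constructed samples. Two practical notes: create-trail alone does not begin recording, so follow it with start-logging (the same command used in the Backout Plan), and denied attempts (errorCode set) are kept in the alerts because a refused gateway change is often the most interesting one.

```python
import json
from typing import List

# Lower-cased EC2 event names that create, delete, attach or detach gateways
# or VPN connections. Assumption: the set beyond the page's three names is mine.
GATEWAY_CHANGE_EVENTS = {
    "attachinternetgateway", "detachinternetgateway",
    "createinternetgateway", "deleteinternetgateway",
    "attachvpngateway", "detachvpngateway",
    "createvpngateway", "deletevpngateway",
    "createvpnconnection", "deletevpnconnection",
    "createcustomergateway", "deletecustomergateway",
}


def parse_records(raw: str) -> List[dict]:
    """CloudTrail log files are a JSON object whose 'Records' key holds the events."""
    return json.loads(raw)["Records"]


def gateway_alerts(records: List[dict]) -> List[dict]:
    """Return one alert per EC2 gateway-changing event, in log order."""
    alerts = []
    for rec in records:
        name = rec.get("eventName", "")
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if name.lower() not in GATEWAY_CHANGE_EVENTS or rec.get("readOnly"):
            continue
        params = rec.get("requestParameters") or {}
        # Resource identifiers (igw-, vgw-, vpc-, cgw-) arrive as *Id keys.
        resources = sorted(v for k, v in params.items()
                           if isinstance(v, str) and k.lower().endswith("id"))
        alerts.append({
            "time": rec.get("eventTime"),
            "event": name,
            "region": rec.get("awsRegion"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "resources": resources,
            "error": rec.get("errorCode"),
        })
    return alerts


# Constructed sample log content; account id and addresses are documentation values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AttachInternetGateway", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"internetGatewayId": "igw-0123456789abcdef0",
                           "vpcId": "vpc-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInternetGateways", "awsRegion": "us-east-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "sourceIPAddress": "198.51.100.10", "requestParameters": None},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpnConnection", "awsRegion": "eu-west-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-deploy"},
     "sourceIPAddress": "203.0.113.7", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"type": "ipsec.1", "customerGatewayId": "cgw-0123456789abcdef0",
                           "vpnGatewayId": "vgw-0123456789abcdef0"}},
]})

if __name__ == "__main__":
    for alert in gateway_alerts(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The same function works on the Events list returned by lookup-events once each entry's CloudTrailEvent string is json.loads-ed, since that string is the full record.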

Backout Plan:

Using AWS Console:

  1. If enabling CloudTrail causes performance or logging issues:

    • Go to the CloudTrail Console.

    • Modify the trail configuration to reduce the number of events being captured or disable logging temporarily while troubleshooting.

  2. Reconfigure CloudTrail settings if logging causes unnecessary overhead or issues with performance.

Using AWS CLI:

  1. Stop CloudTrail logging temporarily if issues occur:

aws cloudtrail stop-logging --name <trail-name>

  2. Re-enable CloudTrail logging once issues are resolved:

aws cloudtrail start-logging --name <trail-name>

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------+------------+--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services