Profile Applicability
- Level 1
Description:
Route tables in AWS VPC control the routing of traffic between subnets, peered VPCs, and the internet. Changes to route tables, such as adding, removing, or modifying routes, can significantly impact the network's accessibility and security posture. Therefore, monitoring these changes is crucial for detecting any unauthorized or unintentional modifications.
Enabling monitoring for route table changes allows organizations to track who made the changes, when they were made, and what modifications were applied. This visibility helps maintain the integrity of network configurations and ensures that unauthorized or accidental changes are detected and remediated.
Rationale:
Monitoring route table changes provides the following benefits:
- Security: Helps detect unauthorized modifications to the network routing that could expose resources to the internet or allow unauthorized access.
- Compliance: Meets security best practices and regulatory requirements that mandate tracking of network configurations.
- Auditability: Provides a clear audit trail for route table changes, enabling accountability for network modifications.
- Proactive management: Enables proactive detection and remediation of network configuration issues before they can be exploited.
Without monitoring route table changes, unauthorized or accidental changes may go undetected, potentially leading to network misconfigurations or security vulnerabilities.
Impact:
Failure to monitor route table changes can result in:
- Unauthorized access: Misconfigured routes may expose resources to unauthorized access or external networks.
- Network misconfigurations: Changes to route tables could cause network outages or disrupt communications between instances and services.
- Non-compliance: Violates compliance standards that require tracking and monitoring of network-related changes.
- Increased risk of attacks: Unauthorized or undetected changes may be exploited by attackers to gain access to sensitive resources.
By enabling monitoring, organizations can ensure that all route table changes are tracked and reviewed for security and compliance.
Default Value:
AWS does not automatically monitor or log changes to route tables unless CloudTrail is configured to do so. It is necessary to configure CloudTrail to capture route table modifications for monitoring and auditing.
Pre-Requisites:
- AWS CLI installed and configured
- IAM permissions:
  - cloudtrail:CreateTrail
  - cloudtrail:DescribeTrails
  - cloudtrail:PutEventSelectors
  - cloudtrail:StartLogging
- CloudTrail must be set up to log route table changes
Remediation:
Test Plan:
Using AWS Console:
1. Go to the AWS CloudTrail Console.
2. Ensure that CloudTrail is enabled and configured to log changes to route tables.
3. Verify that the changes are being captured in CloudTrail by reviewing the Event history for actions related to route tables, such as CreateRoute, DeleteRoute, and ModifyRouteTable.
Using AWS CLI:
1. Confirm that the trail exists:
aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>']" --output table
2. Verify that route table events are being captured:
aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
Implementation Plan:
Using AWS Console:
1. Enable CloudTrail to log route table changes:
   - Go to the CloudTrail Console.
   - Create a new trail or modify an existing trail to ensure that Management Events are enabled, specifically logging Write-only or All events.
   - Ensure that Global service events are enabled to capture route table modifications across all regions.
   - Verify that the trail is capturing all VPC-related actions, including route table changes.
2. Verify CloudTrail is logging route table changes:
   - Check the Event history in CloudTrail for entries related to route table modifications, such as CreateRoute, DeleteRoute, or ModifyRouteTable.
Using AWS CLI:
1. Enable CloudTrail to log route table changes:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --include-global-service-events
2. Verify the event selectors for route table changes:
aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
3. Check for route table events in CloudTrail:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com --query "Events[?EventName=='CreateRoute' || EventName=='DeleteRoute' || EventName=='ModifyRouteTable']" --output table
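The lookup-events output above still has to be reviewed for who made each change, when, and what it did. The following added example (not part of this benchmark page, and not AWS tooling) post-processes records in the shape that `aws cloudtrail lookup-events` returns, keeps only route table actions, and flags a default route to an internet gateway as the internet-exposure case described under Rationale. The sample records are constructed, and the watched event set extends the page's three names with the other route-table actions of the EC2 API (an assumption you may narrow to the page's list).

```python
import json
from typing import Any

# Event names to watch: the three the page lists, plus the remaining EC2
# route-table actions (assumed extension of the page's list).
ROUTE_TABLE_EVENTS = {
    "CreateRoute", "DeleteRoute", "ModifyRouteTable",
    "ReplaceRoute", "CreateRouteTable", "DeleteRouteTable",
    "AssociateRouteTable", "DisassociateRouteTable", "ReplaceRouteTableAssociation",
}

def summarize_route_table_changes(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Reduce lookup-events records to route table changes: who, when, what,
    and whether the change opens a default route to an internet gateway."""
    findings = []
    for ev in events:
        if ev.get("EventSource") != "ec2.amazonaws.com" or ev["EventName"] not in ROUTE_TABLE_EVENTS:
            continue
        detail = json.loads(ev["CloudTrailEvent"])  # full record is embedded as a JSON string
        params = detail.get("requestParameters") or {}
        dest = params.get("destinationCidrBlock")
        gateway = params.get("gatewayId", "")
        findings.append({
            "when": detail["eventTime"],
            "who": detail.get("userIdentity", {}).get("arn", ev.get("Username")),
            "source_ip": detail.get("sourceIPAddress"),
            "what": ev["EventName"],
            "route_table": params.get("routeTableId"),
            "destination": dest,
            "target": gateway or params.get("natGatewayId"),
            "internet_exposure": dest == "0.0.0.0/0" and gateway.startswith("igw-"),
        })
    return findings

# Constructed sample records (not real data), in the lookup-events output shape.
SAMPLE_EVENTS = [
    {"EventName": "CreateRoute", "EventSource": "ec2.amazonaws.com", "Username": "alice",
     "CloudTrailEvent": json.dumps({"eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
         "requestParameters": {"routeTableId": "rtb-0123456789abcdef0",
                               "destinationCidrBlock": "0.0.0.0/0", "gatewayId": "igw-0abc"}})},
    {"EventName": "DescribeRouteTables", "EventSource": "ec2.amazonaws.com", "Username": "bob",
     "CloudTrailEvent": json.dumps({"eventTime": "2024-05-01T10:05:00Z", "requestParameters": {}})},
    {"EventName": "DeleteRoute", "EventSource": "ec2.amazonaws.com", "Username": "carol",
     "CloudTrailEvent": json.dumps({"eventTime": "2024-05-01T11:00:00Z", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/NetOps/carol"},
         "requestParameters": {"routeTableId": "rtb-0123456789abcdef0", "destinationCidrBlock": "10.1.0.0/16"}})},
]

if __name__ == "__main__":
    for finding in summarize_route_table_changes(SAMPLE_EVENTS):
        print(finding)
```

Feed it the JSON from `aws cloudtrail lookup-events --output json` (the `Events` array) instead of the constructed sample to review a real account.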
Backout Plan:
Using AWS Console:
If enabling CloudTrail causes performance or logging issues:
1. Go to the CloudTrail Console.
2. Disable or modify the trail to reduce the volume of logged events if necessary.
3. Reconfigure the CloudTrail trail to focus on only essential event logging if there are performance or data concerns.
Using AWS CLI:
1. Stop CloudTrail logging temporarily:
aws cloudtrail stop-logging --name <trail-name>
2. Re-enable CloudTrail logging once issues are resolved:
aws cloudtrail start-logging --name <trail-name>