Profile Applicability
- Level 1
Description
AWS VPC (Virtual Private Cloud) allows users to define and control the network environment in which their AWS resources reside. Monitoring VPC changes is critical to maintain the security, integrity, and compliance of the AWS environment. Changes to a VPC, such as the creation of subnets, route tables, or internet gateways, can significantly affect network security and access controls.
To ensure visibility and accountability, it is important to monitor any changes to VPC configurations. This can be achieved through AWS CloudTrail, which records the API calls made in the account. VPC operations are EC2 API calls, so they appear in CloudTrail as management events with the event source ec2.amazonaws.com (there is no separate "vpc" event source). A trail that records management write events in every region ensures that all changes to VPC configurations are tracked, reviewed, and audited.
Rationale:
Monitoring VPC changes provides the following benefits:
Security: Identifies unauthorized or unintended changes that may expose the VPC or other AWS resources to risk.
Compliance: Helps meet regulatory and security standards that require continuous monitoring and auditing of VPC changes.
Auditability: Provides a full audit trail of all VPC-related changes, which is critical for forensic investigations and troubleshooting.
Change management: Ensures that all modifications to VPC configurations are intentional and documented, helping to avoid configuration drift or misconfigurations.
Without monitoring, unauthorized changes to VPC configurations could go undetected, potentially introducing security risks or compliance violations.
Impact:
Failure to monitor VPC changes can result in:
Unauthorized changes: Configuration changes made by unauthorized users may not be detected, leading to security vulnerabilities.
Non-compliance: Without monitoring, you may violate compliance standards that mandate continuous tracking and auditing of infrastructure changes.
Network misconfigurations: Changes that are not tracked may lead to misconfigurations, causing network outages or security weaknesses.
Enabling monitoring of VPC changes ensures that all modifications are intentional, secure, and auditable.
Default Value:
By default, CloudTrail keeps the last 90 days of management events in the console Event history of each region, and VPC API calls are included in that history. Nothing is delivered to S3 or CloudWatch Logs, and nothing is retained beyond 90 days, unless a trail exists. A multi-region trail that logs management write events must be created and started for VPC changes to be monitored in a durable, reviewable way.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
cloudtrail:CreateTrail
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:PutEventSelectors
cloudtrail:StartLogging
cloudtrail:StopLogging
cloudtrail:LookupEvents
An S3 bucket whose bucket policy allows the CloudTrail service (cloudtrail.amazonaws.com) to write log files to it; without that policy, create-trail fails with InsufficientS3BucketPolicyException
Remediation:
Test Plan:
Using AWS Console:
Go to the AWS CloudTrail Console.
Check that at least one trail exists and that its status shows logging is on.
Open the trail and confirm that management events are logged with Write (or Read and Write) API activity. VPC operations such as CreateVpc, CreateSubnet, CreateRouteTable and AttachInternetGateway are EC2 management write events, so they are captured as long as management write events are not excluded.
Confirm the trail is a multi-region trail (the "Apply trail to all regions" setting). VPCs are regional resources, so a single-region trail records only changes made in its home region.
Using AWS CLI:
aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>']" --output table
To verify that the trail's event selectors capture VPC changes (EC2 management write events), check for a basic selector with IncludeManagementEvents true and ReadWriteType All or WriteOnly, or an advanced selector whose eventCategory is Management and which is not limited to readOnly calls:
aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
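The two commands above return JSON that still has to be read by eye. The script below is an added example, not part of the original page: it takes the parsed output of describe-trails, get-event-selectors and get-trail-status for one trail and returns the findings a reviewer would otherwise check by hand (multi-region, logging active, management write events recorded). The sample trail documents inside it are constructed to show one adequate and one inadequate trail; the field names are those of the real CloudTrail API responses.

```python
"""Check whether a CloudTrail trail is adequate for monitoring VPC changes.

Added example, not part of the original page. Feed it the parsed JSON of
  aws cloudtrail describe-trails
  aws cloudtrail get-event-selectors --trail-name <trail-name>
  aws cloudtrail get-trail-status --name <trail-name>
VPC changes are EC2 API write calls, so the trail must be multi-region,
actively logging, and must record management write events.
"""
import json
import sys

VPC_EVENT_SOURCE = "ec2.amazonaws.com"


def captures_vpc_writes(selectors: dict) -> bool:
    """True if any event selector records EC2 management write events."""
    # Basic selectors: management events on and ReadWriteType not ReadOnly.
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents", False) and \
                sel.get("ReadWriteType", "All") in ("All", "WriteOnly"):
            return True
    # Advanced selectors: eventCategory Management, not restricted to
    # read-only calls, and eventSource not excluding ec2.amazonaws.com.
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if fields.get("readOnly", {}).get("Equals", []) == ["true"]:
            continue
        if VPC_EVENT_SOURCE in fields.get("eventSource", {}).get("NotEquals", []):
            continue
        return True
    return False


def audit_trail(trail: dict, selectors: dict, status: dict) -> list:
    """Return findings for one trail; an empty list means it is adequate."""
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("single-region trail: VPC changes in other regions are not recorded")
    if not status.get("IsLogging", False):
        findings.append("trail exists but logging is stopped")
    if not captures_vpc_writes(selectors):
        findings.append("no event selector records management write events, so ec2.amazonaws.com calls are dropped")
    return findings


# Constructed sample documents (not output from a real account).
GOOD_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"}
GOOD_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                      "DataResources": [], "ExcludeManagementEventSources": []}]}
GOOD_STATUS = {"IsLogging": True}

BAD_TRAIL = {"Name": "regional-trail", "IsMultiRegionTrail": False, "HomeRegion": "eu-west-1"}
BAD_SELECTORS = {"AdvancedEventSelectors": [{"Name": "reads-only", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]},
    {"Field": "readOnly", "Equals": ["true"]}]}]}
BAD_STATUS = {"IsLogging": False}

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Usage: check_trail.py trails.json selectors.json status.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2, open(sys.argv[3]) as f3:
            trails, selectors, status = json.load(f1), json.load(f2), json.load(f3)
        if isinstance(trails, dict):          # full describe-trails output
            trails = trails.get("trailList", [trails])
        cases = [(trails[0], selectors, status)]
    else:
        cases = [(GOOD_TRAIL, GOOD_SELECTORS, GOOD_STATUS),
                 (BAD_TRAIL, BAD_SELECTORS, BAD_STATUS)]
    for trail, selectors, status in cases:
        findings = audit_trail(trail, selectors, status)
        print(f"{trail.get('Name')}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Run it with no arguments to see the two constructed cases, or save the three CLI outputs to files and pass their paths. A trail with an empty findings list satisfies the test plan above; any finding is a gap in VPC change coverage.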
Implementation Plan:
Using AWS Console:
Enable CloudTrail for VPC change monitoring:
Go to the CloudTrail Console.
Create a new trail or modify an existing trail to ensure that management events are captured.
Under Event selectors (Management events in the newer console), ensure that Write API activity is enabled; VPC changes are write calls. Enabling Read as well records Describe* calls, which helps forensics but increases log volume.
Enable "Apply trail to all regions" (a multi-region trail) so that VPC changes in every region are logged. The separate "global service events" option covers IAM, STS and other global services and does not affect VPC logging, since VPCs are regional.
Verify CloudTrail logging for VPC changes:
After enabling the trail, check the Event history in CloudTrail for logged VPC-related events, such as CreateVpc, CreateSubnet, and ModifyVpcAttribute.
Using AWS CLI:
Create a multi-region trail. VPC changes are regional EC2 events, so a single-region trail misses every other region; --include-global-service-events adds IAM and STS activity for completeness:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events
create-trail only defines the trail; no events are delivered until the start-logging command listed in the Backout Plan is run for the new trail.
Verify the event selectors for CloudTrail:
aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
Check for VPC-related events in CloudTrail. VPC API calls are recorded under the EC2 event source, not a "vpc" one. lookup-events searches only the 90-day Event history of the region the CLI is configured for, so run it per region, or narrow it to a single API call with AttributeKey=EventName (for example AttributeValue=CreateVpc):
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com --output table
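Once the trail delivers log files, the remaining work is picking VPC changes out of them. The script below is an added example, not from the original page: it applies the predicate a monitor would use (EC2 API calls that create, delete or modify VPCs, subnets, route tables, gateways, network ACLs, peerings and endpoints) to CloudTrail records and summarises who did what, in which region, and whether the call succeeded. The log records embedded in it are constructed; the event names are real EC2 API names, the core list matches the VPC-change names used in the CIS AWS Foundations Benchmark metric filter, and the broader regular expression is my own heuristic for the subnet, route table and gateway changes the Description mentions.

```python
"""Pick VPC configuration changes out of CloudTrail log records.

Added example, not part of the original page. CloudTrail delivers files of
the form {"Records": [...]}; each record carries eventSource, eventName,
readOnly, awsRegion, userIdentity and, on failure, errorCode. VPC changes
show up as write calls to ec2.amazonaws.com, never to a "vpc" service.
"""
import gzip
import json
import re

VPC_EVENT_SOURCE = "ec2.amazonaws.com"

# VPC-level write calls named in the CIS AWS Foundations Benchmark
# "VPC changes" metric filter.
CIS_VPC_EVENTS = frozenset({
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    "AttachClassicLinkVpc", "DetachClassicLinkVpc",
    "DisableVpcClassicLink", "EnableVpcClassicLink",
})

# Broader heuristic (assumption, not from the page): any mutating verb
# applied to the VPC building blocks listed in the Description.
BROAD_VPC_PATTERN = re.compile(
    r"^(Create|Delete|Modify|Replace|Attach|Detach|Associate|Disassociate|"
    r"Accept|Reject|Enable|Disable)\w*"
    r"(Vpc|Subnet|Route|InternetGateway|NatGateway|NetworkAcl|Endpoint)"
)


def is_vpc_change(record: dict, broad: bool = True) -> bool:
    """True if the record is a successful or attempted VPC change."""
    if record.get("eventSource") != VPC_EVENT_SOURCE:
        return False
    if record.get("readOnly") is True:       # Describe*/Get* calls
        return False
    name = record.get("eventName", "")
    if name in CIS_VPC_EVENTS:
        return True
    return broad and BROAD_VPC_PATTERN.match(name) is not None


def summarise(record: dict) -> dict:
    """Reduce a record to the fields an analyst triages first."""
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "region": record.get("awsRegion"),
        "event": record.get("eventName"),
        "actor": ident.get("arn") or ident.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),    # None when the call succeeded
    }


def vpc_changes(records: list, broad: bool = True) -> list:
    """Summaries of every VPC change in a list of CloudTrail records."""
    return [summarise(r) for r in records if is_vpc_change(r, broad)]


def load_records(path: str) -> list:
    """Load a delivered CloudTrail file (gzipped as delivered, or plain JSON)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh).get("Records", [])


# Constructed sample records (not from a real account).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpc", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVpcs", "awsRegion": "us-east-1", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpc", "awsRegion": "us-east-1", "readOnly": False,
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/intern"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    import sys
    records = load_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for hit in vpc_changes(records):
        print(json.dumps(hit))
```

Failed calls are kept on purpose: a denied DeleteVpc from an unexpected principal or source address is often more interesting than a successful one. The same predicate, expressed as a CloudWatch Logs metric filter or an EventBridge rule on the trail, is what turns this review into an alert.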
Backout Plan:
Using AWS Console:
CloudTrail logging does not affect the performance of the resources it records; the usual reason to back out is log volume and cost. If that happens:
Go to the CloudTrail Console.
Narrow the trail (for example, log Write management events only, or drop data events that were added alongside) rather than stopping it, so that VPC changes continue to be recorded.
Treat stopping a trail as a last resort: while logging is stopped there is no record of VPC changes, and stopping or deleting a trail is itself a security-relevant action that should be reviewed.
Using AWS CLI:
Stop CloudTrail logging temporarily (no VPC changes are recorded until it is restarted):
aws cloudtrail stop-logging --name <trail-name>
Re-enable CloudTrail logging:
aws cloudtrail start-logging --name <trail-name>