Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail logs are continuously monitored for any changes to Network Access Control Lists (NACLs). By configuring a CloudWatch metric filter and corresponding alarm, organizations can detect and respond to unauthorized, accidental, or unexpected modifications to NACL configurations, which may affect the security of network traffic flow within a VPC.


Rationale:

NACLs act as virtual firewalls controlling inbound and outbound traffic at the subnet level. Any change to NACL configurations — such as adding, deleting, or modifying rules — can expose systems to potential network-based attacks or service disruptions. Monitoring NACL change events helps identify unauthorized or unplanned modifications in real time, enabling prompt investigation and mitigation.


Impact:

  • Positive Impact: Improves visibility into network boundary changes and strengthens overall security posture by ensuring timely alerts for any unauthorized NACL changes.
  • Negative Impact: Minor additional costs associated with CloudWatch metric storage, alarms, and SNS notifications.


Default Value:

By default, AWS does not create a CloudWatch metric filter or alarm for NACL changes. Manual configuration is required.


Pre-Requisites:

  • AWS CloudTrail must be enabled across all regions.

  • CloudTrail logs must be delivered to a CloudWatch Logs group.

  • Required IAM permissions:

    • logs:PutMetricFilter

    • cloudwatch:PutMetricAlarm

    • cloudwatch:DescribeAlarms


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudWatch → Logs → Log groups.
  3. Locate the CloudTrail log group (e.g., /aws/cloudtrail/...).
  4. Choose Create metric filter.
  5. Enter the following filter pattern to capture all NACL modification events:
  6. Assign a metric name, e.g., NACLChanges.
  7. Navigate to CloudWatch → Alarms → Create alarm.
  8. Select the metric NACLChanges under the namespace CISBenchmark.
  9. Configure the threshold condition (e.g., ≥ 1 occurrence within 5 minutes).
  10. Set Actions to notify the security team via SNS (e.g., aws-security-alerts).
  11. Save the configuration and simulate a NACL change to verify alert functionality.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.
  2. Select your CloudTrail log group.
  3. Click Create metric filter.
  4. Use the following filter pattern:
  5. Set Metric Name: NACLChanges
  6. Set Metric Namespace: CISBenchmark
  7. Go to CloudWatch → Alarms → Create alarm.
  8. Select the NACLChanges metric.
  9. Configure Condition: ≥ 1 event in 5 minutes.
  10. Under Actions, select Send notification to the SNS topic (e.g., aws-security-alerts).
  11. Review and create the alarm.
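The Test Plan and Implementation Plan above both rely on the metric filter matching the right CloudTrail event names and the alarm firing on ≥ 1 match per 5-minute period. The following added example (not CIS or AWS code) models that logic offline: the event-name set and equivalent filter pattern are the standard CIS recommendation for NACL changes, and the CloudTrail records are constructed samples, so a practitioner can see which records would raise the alarm before touching the console.

```python
"""Offline model of the NACL-change metric filter and alarm (added example).
Event names follow the CIS recommendation; sample records are constructed."""
import json
from collections import Counter
from datetime import datetime

# Event names the metric filter matches (the `$.eventName = ...` terms).
NACL_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAcl", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
# Equivalent CloudWatch Logs filter pattern, suitable for pasting into the console.
FILTER_PATTERN = "{ " + " || ".join(
    f"($.eventName = {e})" for e in sorted(NACL_EVENTS)) + " }"

PERIOD_SECONDS = 300   # alarm period: 5 minutes
THRESHOLD = 1          # alarm fires when the metric sum is >= 1 in a period


def matches_filter(record: dict) -> bool:
    """Mirror the metric filter: match on eventName only (read-only calls ignored)."""
    return record.get("eventName") in NACL_EVENTS


def alarm_windows(records: list[dict]) -> dict[int, int]:
    """Count matching records per 5-minute window and return only the windows
    that would put the alarm into ALARM state (count >= THRESHOLD)."""
    counts: Counter[int] = Counter()
    for r in records:
        if not matches_filter(r):
            continue
        ts = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
        counts[int(ts.timestamp()) // PERIOD_SECONDS] += 1
    return {w: n for w, n in counts.items() if n >= THRESHOLD}


# Constructed CloudTrail records, trimmed to the fields this model uses.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:12Z", "eventName": "ReplaceNetworkAclEntry"},
    {"eventTime": "2024-05-01T10:01:30Z", "eventName": "DescribeNetworkAcls"},  # read-only
    {"eventTime": "2024-05-01T10:02:05Z", "eventName": "DeleteNetworkAclEntry"},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "CreateNetworkAcl"},
]})


def demo() -> dict[int, int]:
    """Run the constructed log through the model; two windows should alarm."""
    return alarm_windows(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    print(FILTER_PATTERN)
    print(demo())
```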


Backout Plan

Using AWS Console:

  1. Navigate to CloudWatch → Alarms.

  2. Locate and select the NACLChangesAlarm.

  3. Choose Actions → Delete.

  4. Navigate to CloudWatch → Logs → Metric Filters.

  5. Delete the NACL changes metric filter.


References: