Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail logs are monitored for any changes made to Security Groups. A CloudWatch metric filter and corresponding alarm must be created to detect and alert on events related to the creation, modification, or deletion of Security Groups. Monitoring these changes helps prevent unauthorized network access or misconfigurations that could expose resources to security threats.


Rationale:

Security Groups act as virtual firewalls controlling inbound and outbound traffic to AWS resources. Unauthorized or unintended modifications can compromise the security posture of an environment by allowing unrestricted or malicious access. Setting up alerts for Security Group changes helps identify and respond to suspicious activities, ensuring that only authorized modifications are made.


Impact:

  • Positive Impact:
    • Increases visibility into network-level access changes.
    • Helps detect unauthorized modifications promptly.
    • Supports compliance and audit requirements for network security monitoring.
  • Negative Impact:
    • Slight increase in CloudWatch costs for log processing and alerting.


Default Value:

By default, AWS does not provide metric filters or alarms for Security Group changes. Manual configuration is required to enable monitoring.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Enter the following filter pattern to detect Security Group changes:

  6. Assign a metric name such as SecurityGroupChangeEvents.

  7. Go to CloudWatch → Alarms → Create alarm.

  8. Create an alarm for the SecurityGroupChangeEvents metric.

  9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

  10. Save the configuration.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.

  2. Open the CloudTrail log group.

  3. Choose Create metric filter and use the following pattern:

  4. Set Metric Name: SecurityGroupChangeEvents.

  5. Create an Alarm:

    • Metric: SecurityGroupChangeEvents

    • Namespace: CISBenchmark

    • Condition: ≥ 1 in 5 minutes

    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)

  6. Save all configurations.
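The same metric filter and alarm expressed programmatically, as an added example that is not part of this control's text: it emulates the filter match on constructed CloudTrail records and builds the parameter dictionaries for boto3's `logs.put_metric_filter` and `cloudwatch.put_metric_alarm` without calling AWS. The page omits the filter pattern itself; the eventName list below is assumed to be the standard CIS one for this control, and the SNS topic ARN and log group name are placeholders.

```python
"""Security Group change monitoring: filter emulation plus boto3 parameter builders.
Added example; makes no AWS calls. Event list is an assumption (standard CIS set)."""

# CloudTrail eventNames that create, modify or delete Security Groups.
SG_CHANGE_EVENTS = (
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
)
# CloudWatch Logs filter-pattern syntax: { ($.eventName = X) || ($.eventName = Y) ... }
FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {e})" for e in SG_CHANGE_EVENTS) + " }"


def is_security_group_change(record: dict) -> bool:
    """Mirror what the metric filter matches: eventName is one of the SG mutations."""
    return record.get("eventName") in SG_CHANGE_EVENTS


def count_matches(records) -> int:
    """Number of records the filter would count toward the metric (value 1 each)."""
    return sum(1 for r in records if is_security_group_change(r))


def build_metric_filter_params(log_group: str, namespace: str = "CISBenchmark") -> dict:
    """Arguments for logs.put_metric_filter, matching steps 3 and 4 above."""
    return {
        "logGroupName": log_group,
        "filterName": "SecurityGroupChangeEvents",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{"metricName": "SecurityGroupChangeEvents",
                                   "metricNamespace": namespace,
                                   "metricValue": "1"}],
    }


def build_alarm_params(sns_topic_arn: str, namespace: str = "CISBenchmark") -> dict:
    """Arguments for cloudwatch.put_metric_alarm: >= 1 event in a 5-minute period (step 5)."""
    return {
        "AlarmName": "SecurityGroupChangeEventsAlarm",
        "Namespace": namespace,
        "MetricName": "SecurityGroupChangeEvents",
        "Statistic": "Sum",
        "Period": 300,                 # 5 minutes
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # no SG changes is the normal state
        "AlarmActions": [sns_topic_arn],
    }


# Constructed sample CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com"},  # read-only
    {"eventName": "DeleteSecurityGroup", "eventSource": "ec2.amazonaws.com"},
]
```

Pass the two dictionaries to `boto3.client("logs").put_metric_filter(**...)` and `boto3.client("cloudwatch").put_metric_alarm(**...)` to apply the control; `count_matches(SAMPLE_EVENTS)` returns 2 here because `DescribeSecurityGroups` is a read and is deliberately not alerted on.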



Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.

  2. Select the SecurityGroupChangeEventsAlarm.

  3. Choose Actions → Delete.

  4. Go to Logs → Metric Filters.

  5. Delete the SecurityGroupChangeEvents filter.


References: