Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for configuration changes made to AWS Config. A CloudWatch metric filter and corresponding alarm must be created to detect and alert whenever AWS Config settings are modified. Monitoring AWS Config changes ensures that unauthorized modifications to compliance or monitoring configurations are promptly detected and remediated.


Rationale:

AWS Config continuously evaluates and records configuration changes to AWS resources to ensure compliance and governance. Unauthorized modifications to AWS Config (such as disabling the recorder, deleting delivery channels, or changing rule settings) can disrupt compliance tracking and conceal security drifts. By monitoring these changes, organizations maintain the integrity of their compliance monitoring and ensure that AWS Config remains enabled and correctly configured.


Impact:

  • Positive Impact: Maintains integrity and reliability of compliance monitoring. Enables quick response to unauthorized AWS Config changes. Supports continuous compliance with internal and external standards.
  • Negative Impact: Minor increase in CloudWatch costs for log ingestion and metric storage.


Default Value:

By default, AWS does not provide a metric filter or alarm for AWS Config configuration changes. Manual configuration is required.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.

  • CloudTrail logs must be delivered to a CloudWatch Logs group.

  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Enter the following filter pattern to detect AWS Config configuration changes:

  6. Assign a metric name such as AWSConfigChanges.

  7. Go to CloudWatch → Alarms → Create alarm.

  8. Create an alarm for the AWSConfigChanges metric.

  9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

  10. Save the configuration.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.

  2. Open the CloudTrail log group.

  3. Choose Create metric filter and use the following pattern:

  4. Set Metric Name: AWSConfigChanges.

  5. Create an Alarm:

    • Metric: AWSConfigChanges

    • Namespace: CISBenchmark

    • Condition: ≥ 1 in 5 minutes

    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)

  6. Save all changes.


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.
  2. Select the AWSConfigChangesAlarm.
  3. Choose Actions → Delete.
  4. Go to Logs → Metric Filters.
  5. Delete the AWSConfigChanges filter.


References: