iCompaas Support

Profile Applicability:

• Level 1

Description:

This control ensures that AWS CloudTrail log data is monitored for any configuration changes made to Virtual Private Clouds (VPCs). A CloudWatch metric filter and alarm should be created to detect and alert on events that modify VPCs, subnets, route tables, internet gateways, or peering connections. Monitoring these activities helps detect unauthorized or unintentional network configuration changes that could compromise security or disrupt connectivity.

Rationale:

The VPC forms the foundational network layer for AWS resources. Any unauthorized or accidental modification to VPC components can expose services to external threats or disrupt business operations. By setting up a log metric filter and alarm, organizations can promptly identify and respond to suspicious VPC configuration changes, preserving the security and integrity of the network infrastructure.

Impact:

• Positive Impact:Increases visibility into critical network configuration changes.Enables early detection of misconfigurations or unauthorized modifications.Helps ensure compliance with network security and change management policies.
• Negative Impact:Slight increase in CloudWatch monitoring and alerting costs.

Default Value:

By default, AWS does not create a metric filter or alarm for VPC configuration changes. Manual setup is required.

Pre-Requisite:

• CloudTrail must be enabled for all regions.
• CloudTrail logs must be delivered to a CloudWatch Logs group.
• IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.

Remediation

Test Plan

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to CloudWatch → Logs → Log groups.

3. Locate the CloudTrail log group (usually named /aws/cloudtrail/...).

4. Select Create metric filter.

5. Enter the following filter pattern to detect VPC configuration changes:

6. Assign a metric name such as VPCChangeEvents.

7. Go to CloudWatch → Alarms → Create alarm.

8. Create an alarm for the VPCChangeEvents metric.

9. Set a threshold (e.g., ≥ 1 occurrence in 5 minutes) and configure SNS notifications to alert the security team.

10. Save the configuration.

Implementation Plan

Using AWS Console:

1. Go to CloudWatch → Logs → Log groups.
2. Open the CloudTrail log group.
3. Choose Create metric filter and use the following pattern:
4. Set Metric Name: VPCChangeEvents.
5. Create an Alarm:
   • Metric: VPCChangeEvents
   • Namespace: CISBenchmark
   • Condition: ≥ 1 in 5 minutes
   • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
6. Save all changes.

Backout Plan

Using AWS Console:

1. Go to CloudWatch → Alarms.

2. Select the VPCChangeEventsAlarm.

3. Choose Actions → Delete.

4. Go to Logs → Metric Filters.

5. Delete the VPCChangeEvents filter.

References:

• AWS CloudTrail Documentation
• AWS CloudWatch Documentation
• Amazon VPC Documentation