Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for any configuration changes to network gateways, such as Internet Gateways, NAT Gateways, and Virtual Private Gateways. A CloudWatch metric filter and alarm must be created to detect and alert when these gateways are created, modified, attached, detached, or deleted. Monitoring such events helps ensure that network routing and connectivity remain secure and aligned with organizational policies.


Rationale:

Network gateways play a crucial role in controlling how AWS resources connect to external networks and the internet. Unauthorized or accidental modifications to gateways can lead to service disruptions, unauthorized access, or data exposure. Establishing metric filters and alarms provides visibility into these configuration changes and allows security teams to quickly investigate and respond to suspicious activity.


Impact:

  • Positive Impact:
    • Provides early detection of unauthorized or accidental network gateway changes.
    • Enhances network visibility and helps maintain security boundaries.
    • Supports compliance with network security and change management requirements.
  • Negative Impact:
    • Slight increase in CloudWatch log ingestion and monitoring costs.


Default Value:

By default, AWS does not create a metric filter or alarm for network gateway changes. Manual setup is required.


Pre-Requisite:

  • CloudTrail must be enabled for all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (usually named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Enter the following filter pattern to detect changes to network gateways:

  6. Assign a metric name such as NetworkGatewayChangeEvents.

  7. Go to CloudWatch → Alarms → Create alarm.

  8. Create an alarm for the NetworkGatewayChangeEvents metric.

  9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

  10. Save the configuration.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.

  2. Open the CloudTrail log group.

  3. Choose Create metric filter and use the following pattern:

  4. Set Metric Name: NetworkGatewayChangeEvents.

  5. Create an Alarm:

    • Metric: NetworkGatewayChangeEvents

    • Namespace: CISBenchmark

    • Condition: ≥ 1 in 5 minutes

    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)

  6. Save all changes.
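Added example, not part of this benchmark text: a small Python check that renders a metric filter pattern of the kind step 3 refers to and evaluates it locally against constructed CloudTrail records, bucketing matches into the alarm's 5-minute periods so the ≥ 1 threshold can be reasoned about before deploying. The list of EC2 event names is this example's assumption (the page's own pattern is not shown), and the sample log lines are constructed.

```python
import json
from datetime import datetime, timezone

# Assumed EC2 API names for gateway changes (this example's assumption, not the page's own pattern).
GATEWAY_EVENTS = frozenset({
    "CreateInternetGateway", "DeleteInternetGateway",
    "AttachInternetGateway", "DetachInternetGateway",
    "CreateNatGateway", "DeleteNatGateway",
    "CreateVpnGateway", "DeleteVpnGateway", "AttachVpnGateway", "DetachVpnGateway",
    "CreateCustomerGateway", "DeleteCustomerGateway",
})

def filter_pattern(events=GATEWAY_EVENTS):
    """Render the event names as a CloudWatch Logs metric filter pattern."""
    clauses = " || ".join(f"($.eventName = {name})" for name in sorted(events))
    return "{ " + clauses + " }"

def matching_records(log_lines, events=GATEWAY_EVENTS):
    """Yield parsed CloudTrail records whose eventName the filter would match."""
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: the metric filter would not match it either
        if record.get("eventName") in events:
            yield record

def max_period_sum(log_lines, period_seconds=300, events=GATEWAY_EVENTS):
    """Sum matches per fixed period (the alarm's Sum statistic over 5 minutes)
    and return the largest bucket; the alarm fires once this reaches >= 1."""
    buckets = {}
    for rec in matching_records(log_lines, events):
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = int(ts.replace(tzinfo=timezone.utc).timestamp()) // period_seconds
        buckets[bucket] = buckets.get(bucket, 0) + 1
    return max(buckets.values(), default=0)

# Constructed sample log lines (not from a real account): two gateway changes in
# the same 5-minute window, one unrelated read-only call, and one corrupt line.
SAMPLE_LINES = [
    json.dumps({"eventTime": "2024-05-01T10:00:12Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "CreateInternetGateway"}),
    json.dumps({"eventTime": "2024-05-01T10:01:40Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "AttachInternetGateway"}),
    json.dumps({"eventTime": "2024-05-01T10:03:05Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances"}),
    "{not valid json",
]
```

Running `max_period_sum(SAMPLE_LINES)` returns 2, so an alarm with the page's ≥ 1 in 5 minutes condition would fire once for this window, while the DescribeInstances call and the corrupt line contribute nothing.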


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.

  2. Select the NetworkGatewayChangeEventsAlarm.

  3. Choose Actions → Delete.

  4. Go to Logs → Metric Filters.

  5. Delete the NetworkGatewayChangeEvents filter.


References: