AWS Config Changes Alarm
More Info: AWS Config configuration changes should be monitored using CloudWatch alarms.
Risk Level: Medium
Address: Security
Compliance Standards: SOC2, AWSWAF, HITRUST, CISAWSF, PCI, GDPR, APRA, MAS, NISTCSF, CBP, NIST4
Triage and Remediation
Remediation
AWS Config Changes Alarm is triggered when certain critical changes are made to the AWS Config settings. To ensure compliance, follow these steps to create a CloudWatch alarm to monitor AWS Config changes:
- Sign in to the AWS Management Console.
- Navigate to the CloudWatch dashboard at: https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, enter the following pattern in the Filter Pattern box:

```
{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }
```

- Review the metric filter configuration and click Assign Metric.
- On the Create Metric Filter and Assign a Metric page:
  - In the Filter Name box, enter a unique name like AWSConfigChanges.
  - In the Metric Namespace box, type CloudTrailMetrics.
  - In the Metric Name box, type ConfigEventCount.
  - Click Show advanced metric settings, then enter 1 in the Metric Value box.
- Review the details and click Create Filter to generate the metric filter.
- On the next page, click Create Alarm.
- In the Create Alarm dialog box:
  - Provide a unique name and short description for the alarm.
  - Under Whenever: Metric Name, select >= from the dropdown and enter 1 as the threshold value.
  - Under Actions, click the + Notification button and choose the SNS topic for alarm notifications.
  - Set the Period to 5 Minutes and Statistic to Sum.
- Review the configuration and click Create Alarm. Once created, the alarm will be listed on the Alarms page.
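The filter pattern above is the detection logic: every CloudTrail record whose eventSource is config.amazonaws.com and whose eventName is one of the four Config-changing calls adds 1 to ConfigEventCount, and the alarm fires when the 5-minute Sum reaches 1. The following is an added example, not code from the original page or from AWS: it re-implements that pattern in plain Python so the matching and the threshold can be exercised offline against constructed CloudTrail records (the sample log lines, the account id and the user ARN in them are constructed, not real data).

```python
"""Re-implementation of the AWS Config changes metric filter, for offline testing.

Added example, not code from the original page or from AWS. It mirrors the
CloudWatch Logs filter pattern (eventSource == config.amazonaws.com and one of
the four Config-changing event names) so the detection can be checked without
an AWS account. All log lines below are constructed samples.
"""
import json

# The four CloudTrail event names the filter pattern treats as AWS Config changes.
CONFIG_CHANGE_EVENTS = frozenset({
    "StopConfigurationRecorder",
    "DeleteDeliveryChannel",
    "PutDeliveryChannel",
    "PutConfigurationRecorder",
})

# Constructed sample records in the shape CloudTrail delivers to CloudWatch Logs
# (one JSON object per log event). Only the fields the filter inspects are shown.
SAMPLE_LOG_LINES = [
    '{"eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-user"}}',
    '{"eventSource": "config.amazonaws.com", "eventName": "DescribeConfigurationRecorders"}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}',
    '{"eventSource": "config.amazonaws.com", "eventName": "DeleteDeliveryChannel"}',
    'not a json line',
]


def matches_config_change_filter(record):
    """Return True when a record satisfies the page's filter pattern."""
    return (record.get("eventSource") == "config.amazonaws.com"
            and record.get("eventName") in CONFIG_CHANGE_EVENTS)


def parse_log_lines(lines):
    """Parse JSON log events, skipping lines that are not JSON objects
    (a JSON metric filter likewise never matches events it cannot parse)."""
    records = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            records.append(obj)
    return records


def config_event_count(records):
    """Mimic the metric transformation: every matching event adds metricValue=1,
    and the alarm applies the Sum statistic over its period."""
    return sum(1 for r in records if matches_config_change_filter(r))


def alarm_would_fire(records, threshold=1):
    """Apply the alarm condition from the page: Sum >= 1 over one 5-minute period."""
    return config_event_count(records) >= threshold


def matching_events(records):
    """Return (eventName, actor ARN) pairs for triage: what changed and by whom."""
    return [(r["eventName"], r.get("userIdentity", {}).get("arn", "unknown"))
            for r in records if matches_config_change_filter(r)]


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print("ConfigEventCount =", config_event_count(recs))
    print("alarm fires:", alarm_would_fire(recs))
    for name, actor in matching_events(recs):
        print(f"  {name} by {actor}")
```

Note that the read-only DescribeConfigurationRecorders call and the S3 event do not count, which is the intended scope of the pattern: it alarms on calls that stop or redirect Config recording, not on every Config API call.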
The AWS Config Changes Alarm checks for specific configuration changes within your AWS account and triggers alerts. You can use the following AWS CLI commands to create the necessary metric filter and alarm:
- Run the following command to create a CloudWatch metric filter and associate it with the appropriate CloudTrail log group:

```shell
aws logs put-metric-filter \
  --region us-east-1 \
  --log-group-name CloudTrail/CloudWatchLogGroup \
  --filter-name AWSConfigChanges \
  --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }' \
  --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
```

- Run the following command to create the CloudWatch alarm (the --alarm-actions value must be a complete SNS topic ARN, including the topic name):

```shell
aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name AWSConfigChangesAlarm \
  --alarm-description "Triggered by AWS Config changes." \
  --metric-name ConfigEventCount \
  --namespace CloudTrailMetrics \
  --statistic Sum \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --period 300 \
  --threshold 1 \
  --actions-enabled \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
```

- If the rule is non-compliant, create an alarm for AWS Config changes using the AWS CLI:

```shell
aws cloudwatch put-metric-alarm \
  --alarm-name AWS-Config-Changes-Alarm \
  --alarm-description "Alarm for AWS Config Changes" \
  --metric-name ConfigurationChanges \
  --namespace AWS/Config \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <your-SNS-topic-ARN>
```

Note: Replace <your-SNS-topic-ARN> with the ARN of the SNS topic you want to receive the alarm notifications.
- Once completed, verify the alarm setup by listing the alarms:

```shell
aws cloudwatch describe-alarms --alarm-names AWSConfigChangesAlarm
```

- Finally, check whether the AWS Config Changes Alarm is triggered and working as expected:

```shell
aws configservice get-compliance-details-by-config-rule --config-rule-name AWS-Config-Changes-Alarm
```
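Listing the alarm with describe-alarms only proves it exists; the settings prescribed above (ConfigEventCount in CloudTrailMetrics, Sum over 300 seconds, threshold 1 with >=, actions enabled and an SNS topic attached) also have to be present, and they drift easily when someone edits the alarm in the console. The following is an added example, not code from the original page or from AWS: it evaluates a describe-alarms response against those settings. The embedded response is a constructed sample (one compliant alarm, one drifted alarm); the fetch_alarms helper that pulls live data with boto3 is an assumed wiring and is not needed to run the check.

```python
"""Check that the AWS Config changes alarm exists and is configured as required.

Added example, not code from the original page or from AWS. It scores a
`describe-alarms` style response against the settings prescribed for
AWSConfigChangesAlarm. SAMPLE_DESCRIBE_ALARMS below is a constructed sample.
"""

ALARM_NAME = "AWSConfigChangesAlarm"

# Settings prescribed for the alarm (the CLI flags / console values above).
REQUIRED_SETTINGS = {
    "MetricName": "ConfigEventCount",
    "Namespace": "CloudTrailMetrics",
    "Statistic": "Sum",
    "Period": 300,
    "Threshold": 1.0,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "EvaluationPeriods": 1,
}

# Constructed sample in the shape of `aws cloudwatch describe-alarms` output:
# one compliant alarm and one that drifted (higher threshold, notifications off).
SAMPLE_DESCRIBE_ALARMS = {
    "MetricAlarms": [
        {
            "AlarmName": "AWSConfigChangesAlarm",
            "MetricName": "ConfigEventCount",
            "Namespace": "CloudTrailMetrics",
            "Statistic": "Sum",
            "Period": 300,
            "Threshold": 1.0,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "EvaluationPeriods": 1,
            "ActionsEnabled": True,
            "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic"],
            "StateValue": "OK",
        },
        {
            "AlarmName": "AWSConfigChangesAlarm-drifted",
            "MetricName": "ConfigEventCount",
            "Namespace": "CloudTrailMetrics",
            "Statistic": "Sum",
            "Period": 300,
            "Threshold": 5.0,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "EvaluationPeriods": 1,
            "ActionsEnabled": False,
            "AlarmActions": [],
            "StateValue": "INSUFFICIENT_DATA",
        },
    ]
}


def alarm_findings(alarm):
    """Return human-readable deviations from the required settings; empty means compliant."""
    findings = []
    for key, expected in REQUIRED_SETTINGS.items():
        actual = alarm.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    if not alarm.get("ActionsEnabled", False):
        findings.append("ActionsEnabled: alarm actions are disabled, nobody is notified")
    if not any(a.startswith("arn:aws:sns:") for a in alarm.get("AlarmActions", [])):
        findings.append("AlarmActions: no SNS topic attached")
    return findings


def evaluate(describe_alarms_response, alarm_name=ALARM_NAME):
    """Locate the alarm by name and return (compliant, findings)."""
    for alarm in describe_alarms_response.get("MetricAlarms", []):
        if alarm.get("AlarmName") == alarm_name:
            findings = alarm_findings(alarm)
            return (not findings, findings)
    return (False, [f"no alarm named {alarm_name!r} exists"])


def fetch_alarms(alarm_name=ALARM_NAME, region="us-east-1"):
    """Assumed live wiring: needs boto3 and the cloudwatch:DescribeAlarms permission."""
    import boto3  # imported here so the offline check runs without boto3 installed
    client = boto3.client("cloudwatch", region_name=region)
    return client.describe_alarms(AlarmNames=[alarm_name])


if __name__ == "__main__":
    import sys
    response = fetch_alarms() if "--live" in sys.argv else SAMPLE_DESCRIBE_ALARMS
    names = {ALARM_NAME} | {a["AlarmName"] for a in response.get("MetricAlarms", [])}
    for name in sorted(names):
        ok, findings = evaluate(response, name)
        print(f"{name}: {'compliant' if ok else 'NON-COMPLIANT'}")
        for finding in findings:
            print("  -", finding)
```

Run it with no arguments to see the sample evaluation, or with --live (and AWS credentials) to check the real alarm in us-east-1; a non-empty findings list is the remediation to-do list.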
You can also automate the monitoring of AWS Config changes by setting up a Python-based Lambda function that triggers based on a CloudWatch alarm. Here's an example:
- Create an AWS Lambda function and use Python 3.x as the runtime.
- Assign the necessary AWS Config trigger permissions to the Lambda function.
- Use the following Python code to monitor and act on configuration changes:
```python
import boto3


def lambda_handler(event, context):
    """Invoked with an EventBridge event whose 'detail' carries the CloudTrail record."""
    cloudwatch = boto3.client('cloudwatch')
    # Logic to handle AWS Config changes
    if 'detail' in event and 'eventName' in event['detail']:
        event_name = event['detail']['eventName']
        if event_name in ['StopConfigurationRecorder', 'DeleteDeliveryChannel',
                          'PutDeliveryChannel', 'PutConfigurationRecorder']:
            # (Re)create the alarm on the ConfigEventCount metric so it is always
            # present with the required settings and notifies the SNS topic
            response = cloudwatch.put_metric_alarm(
                AlarmName='AWSConfigChangesAlarm',
                ComparisonOperator='GreaterThanOrEqualToThreshold',
                EvaluationPeriods=1,
                MetricName='ConfigEventCount',
                Namespace='CloudTrailMetrics',
                Period=300,
                Statistic='Sum',
                Threshold=1,
                ActionsEnabled=True,
                AlarmActions=['arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic'],
                AlarmDescription='Triggered by AWS Config changes.'
            )
            return response
        else:
            print("Event is not related to AWS Config changes.")
    else:
        print("No event details found.")
```
- Test and deploy the Lambda function. Ensure that the necessary permissions and triggers are configured correctly.
By following these steps, you can automate the monitoring of AWS Config changes using Python and CloudWatch.