AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Internet Gateway Changes Alarm
More Info:
AWS VPC Customer/Internet Gateway configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, HIPAA, ISO27001, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the “Internet Gateway Changes Alarm” misconfiguration in AWS using the AWS console:
- Log in to the AWS Management Console.
- Navigate to the CloudWatch service.
- In the left-hand menu, click on “Alarms”.
- Locate the “Internet Gateway Changes Alarm” from the list of alarms and select it.
- Click on the “Actions” dropdown menu and select “Disable Alarm”.
- Confirm that you want to disable the alarm by clicking “Yes, Disable”.
- If you want to permanently remove the alarm, select the alarm again and click on the “Actions” dropdown menu and select “Delete Alarm”.
- Confirm that you want to delete the alarm by clicking “Yes, Delete”.
Once you have completed these steps, the “Internet Gateway Changes Alarm” will be remediated in AWS. It is important to note that disabling or deleting an alarm will prevent you from receiving notifications if the alarm is triggered in the future. Therefore, it is recommended to review the alarm settings and adjust them accordingly to avoid future misconfigurations.
The “Internet Gateway Changes Alarm” indicates that changes have been made to the internet gateway in your AWS environment. To remediate this issue using AWS CLI, follow these steps:
-
Open the AWS CLI on your local machine.
-
Run the following command to describe the internet gateways in your AWS environment:
aws ec2 describe-internet-gateways
-
Identify the internet gateway that has been changed by comparing the output of the above command with the previous state of your environment.
-
Run the following command to delete the internet gateway:
aws ec2 delete-internet-gateway --internet-gateway-id `<internet_gateway_id>`
Note: Replace <internet_gateway_id> with the ID of the internet gateway that has been changed.
- If the internet gateway was deleted by mistake, run the following command to create a new internet gateway:
aws ec2 create-internet-gateway
- Attach the new internet gateway to your VPC using the following command:
aws ec2 attach-internet-gateway --internet-gateway-id <new_internet_gateway_id> --vpc-id <vpc_id>
Note: Replace <new_internet_gateway_id> with the ID of the new internet gateway that was created and <vpc_id> with the ID of your VPC.
- Verify that the internet gateway has been remediated by running the describe-internet-gateways command again and checking that the internet gateway is attached to your VPC.
The misconfiguration “Internet Gateway Changes Alarm” in AWS can occur when there is a change in the Internet Gateway associated with the VPC. To remediate this, you can follow these steps using Python:
- Import the necessary modules and define the AWS client:
import boto3
client = boto3.client('cloudwatch')
- Define the name of the alarm that needs to be remediated:
alarm_name = 'InternetGatewayChangesAlarm'
- Get the alarm details using the
describe_alarms()method:
response = client.describe_alarms(
AlarmNames=[alarm_name]
)
- Check if the alarm exists and has the correct action:
if len(response['MetricAlarms']) == 0:
print(f"The alarm {alarm_name} does not exist.")
elif response['MetricAlarms'][0]['AlarmActions'] == []:
print(f"The alarm {alarm_name} has no actions.")
else:
print(f"The alarm {alarm_name} has actions.")
- If the alarm exists and has no actions, add the necessary action using the
put_metric_alarm()method:
response = client.put_metric_alarm(
AlarmName=alarm_name,
AlarmActions=['arn:aws:sns:us-east-1:123456789012:MyTopic'],
MetricName='InternetGatewayAttached',
Namespace='AWS/EC2',
Statistic='Sum',
Dimensions=[
{
'Name': 'VpcId',
'Value': 'vpc-12345678'
},
],
Period=300,
EvaluationPeriods=1,
Threshold=1,
ComparisonOperator='GreaterThanOrEqualToThreshold',
TreatMissingData='notBreaching'
)
Note: Replace the AlarmActions value with the ARN of the SNS topic that needs to be notified.
- Verify that the action has been added:
response = client.describe_alarms(
AlarmNames=[alarm_name]
)
if response['MetricAlarms'][0]['AlarmActions'] == []:
print(f"The alarm {alarm_name} still has no actions.")
else:
print(f"The alarm {alarm_name} now has actions.")
- If the action was successfully added, print a success message:
print(f"The alarm {alarm_name} has been remediated.")
This Python script will add an SNS topic as the action for the “Internet Gateway Changes Alarm” in AWS.