Internet Gateway Changes Alarm
More Info:
AWS VPC Customer/Internet Gateway configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, HIPAA, ISO27001, NIST4, CISAWSF, PCI, APRA, MAS
Triage and Remediation
Remediation
To remediate the “Internet Gateway Changes Alarm” misconfiguration in AWS using the AWS console, follow these steps:
- Sign in to the AWS Management Console.
- Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group that receives your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:
{
($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) ||
($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway)
}
This pattern scans the CloudTrail events delivered to the log group for the six event names that create, delete, attach, or detach a Customer Gateway or an Internet Gateway (“CreateInternetGateway”, “AttachInternetGateway”, “DeleteInternetGateway”, and so on). It tests eventName only, so a denied attempt (an event carrying an errorCode) is counted as well, which is what you want from a tamper-detection alarm.
- Review the metric filter configuration details, then click Assign Metric.
- On the Create Metric Filter and Assign a Metric page, perform the following:
  - In the Filter Name box, enter a unique name for the new filter, e.g., VPCGatewayConfigChanges.
  - In the Metric Namespace box, type CloudTrailMetrics.
  - In the Metric Name box, type GatewayEventCount for the metric identifier.
  - Click Show advanced metric settings to expand the advanced settings section.
  - In the Metric Value box, enter 1.
- Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
- On the current page, click Create Alarm.
- In the Create Alarm dialog box, provide the following information:
  - Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
  - Under Whenever: Metric Name, select >= (greater than or equal to) from the dropdown list and enter 1 as the threshold value, so that the alarm triggers every time a configuration change involving a VPC Customer/Internet Gateway is made.
  - In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu, and choose the SNS topic that should receive the notification from Send notification to. The topic must already exist and have at least one confirmed subscription; otherwise the alarm changes state but nobody is told.
  - In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
- Review the CloudWatch alarm configuration details, then click Create Alarm. Once created, the new alarm will be listed on the Alarms page.
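To see what the metric filter and the alarm configured above actually do with CloudTrail data, here is an added example (not part of the original page, and not code from AWS or from the audit tool) that replays the filter pattern and the alarm's evaluation rule in plain Python over a handful of constructed CloudTrail records. The six event names, the 5-minute period, the Sum statistic and the >= 1 threshold are the values from the steps above; the missing-data handling is a simplified model of CloudWatch's documented behaviour, and the account ID, user names and timestamps are made up.

```python
import json
from datetime import datetime, timezone

# The six event names from the page's metric filter pattern.
GATEWAY_EVENTS = {
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "AttachInternetGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "DetachInternetGateway",
}
PERIOD_SECONDS = 300  # alarm period: 5 minutes
THRESHOLD = 1         # Sum >= 1 over one evaluation period

# Constructed CloudTrail records in the shape CloudTrail delivers to CloudWatch Logs
# (one JSON object per log event, trimmed to the fields used here). The account ID,
# principals and timestamps are placeholders.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-05-01T12:03:11Z","eventSource":"ec2.amazonaws.com","eventName":"CreateInternetGateway","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventTime":"2024-05-01T12:04:02Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInternetGateways","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventTime":"2024-05-01T12:04:30Z","eventSource":"ec2.amazonaws.com","eventName":"AttachInternetGateway","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventTime":"2024-05-01T12:20:45Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:role/deployer"}}',
    '{"eventTime":"2024-05-01T12:31:05Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteCustomerGateway","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::123456789012:user/mallory"}}',
]


def _to_epoch(event_time):
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def _to_iso(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def matches_filter(record):
    """The filter pattern tests eventName only: a denied attempt (errorCode set) still
    matches, a read-only Describe* call never does."""
    return record.get("eventName") in GATEWAY_EVENTS


def metric_sums(log_lines, period=PERIOD_SECONDS):
    """Sum statistic per period: each matching record contributes metricValue=1.
    A period with no matching record yields no datapoint at all (its key is absent)."""
    sums = {}
    for line in log_lines:
        record = json.loads(line)
        if matches_filter(record):
            bucket = _to_epoch(record["eventTime"]) // period * period
            sums[bucket] = sums.get(bucket, 0) + 1
    return sums


def alarm_timeline(log_lines, treat_missing_data="missing", period=PERIOD_SECONDS, threshold=THRESHOLD):
    """Walk every period from the first to the last datapoint and return
    [(period_start_iso, sum_or_None, state)]. Missing-data rule (simplified model):
    'missing' keeps the previous state, 'notBreaching' treats an empty period as OK."""
    sums = metric_sums(log_lines, period)
    if not sums:
        return []
    timeline, state = [], "INSUFFICIENT_DATA"
    for bucket in range(min(sums), max(sums) + period, period):
        total = sums.get(bucket)
        if total is None:
            if treat_missing_data == "notBreaching":
                state = "OK"
        else:
            state = "ALARM" if total >= threshold else "OK"
        timeline.append((_to_iso(bucket), total, state))
    return timeline


def alarm_notifications(log_lines, treat_missing_data="missing"):
    """Period starts at which the alarm enters ALARM, i.e. when the SNS action runs.
    Notifications are sent on state transitions, not on every breaching datapoint."""
    fired, previous = [], "INSUFFICIENT_DATA"
    for start, _, state in alarm_timeline(log_lines, treat_missing_data):
        if state == "ALARM" and previous != "ALARM":
            fired.append(start)
        previous = state
    return fired


if __name__ == "__main__":
    for mode in ("missing", "notBreaching"):
        print(mode, alarm_notifications(SAMPLE_LOG_LINES, mode))
```

Running it shows that with the default missing-data setting only the 12:00 period produces a notification, while with notBreaching the 12:30 change is reported as well. The reason is that a metric filter emits no datapoint for a period in which nothing matched, and an alarm on the default setting keeps its previous state when data is missing, so after the first gateway change it stays in ALARM and later changes never cause another state transition. Set --treat-missing-data notBreaching on put-metric-alarm (TreatMissingData='notBreaching' in boto3) so the alarm returns to OK between changes and every new change notifies. Note also that the denied DeleteCustomerGateway at 12:31 counts, because the pattern looks at eventName only.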
To remediate the “Internet Gateway Changes Alarm” misconfiguration using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine, configured with credentials for the account and the region in which your CloudTrail trail delivers to CloudWatch Logs (us-east-1 in the commands below).
- Run the following command to create the necessary CloudWatch metric filter and associate it with your Amazon CloudTrail log group (the command does not return an output):
aws logs put-metric-filter \
--region us-east-1 \
--log-group-name CloudTrail/CloudWatchLogGroup \
--filter-name VPCGatewayConfigChanges \
--filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' \
--metric-transformations metricName=GatewayEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
- Run the following command to create the CloudWatch alarm that fires whenever a configuration change involving a VPC Customer/Internet Gateway is made (the command does not return an output). Replace the --alarm-actions value with the ARN of your own SNS topic; the ARN shown is a placeholder, and the topic needs a confirmed subscription for the notification to reach anyone:
aws cloudwatch put-metric-alarm \
--region us-east-1 \
--alarm-name VPCGatewayConfigChangesAlarm \
--alarm-description "Triggered by VPC Customer/Internet Gateway changes." \
--metric-name GatewayEventCount \
--namespace CloudTrailMetrics \
--statistic Sum \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--period 300 \
--threshold 1 \
--actions-enabled \
--alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
The “Internet Gateway Changes Alarm” misconfiguration is present when no CloudWatch alarm watches for changes to the Customer Gateways and Internet Gateways of your VPCs. To remediate it with Python and boto3, follow these steps:
- Import boto3 and create the clients. Use the region in which your CloudTrail trail delivers to CloudWatch Logs (the log group, the alarm and the SNS topic all live there); boto3 raises NoRegionError if neither the client nor your AWS config names one:
import boto3
region = 'us-east-1'
client = boto3.client('logs', region_name=region)          # CloudWatch Logs: metric filters
cloudwatch = boto3.client('cloudwatch', region_name=region)  # CloudWatch: alarms
- Define the log group name, metric filter name, and alarm name:
log_group_name = 'CloudTrail/CloudWatchLogGroup'
filter_name = 'VPCGatewayConfigChanges'
alarm_name = 'VPCGatewayConfigChangesAlarm'
- Create the metric filter using the put_metric_filter method:
response = client.put_metric_filter(
logGroupName=log_group_name,
filterName=filter_name,
filterPattern='{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }',
metricTransformations=[
{
'metricName': 'GatewayEventCount',
'metricNamespace': 'CloudTrailMetrics',
'metricValue': '1'
}
]
)
- Create the CloudWatch alarm using the put_metric_alarm method:
cloudwatch.put_metric_alarm(
AlarmName=alarm_name,
AlarmDescription="Triggered by VPC Customer/Internet Gateway changes.",
MetricName='GatewayEventCount',
Namespace='CloudTrailMetrics',
Statistic='Sum',
Period=300,
EvaluationPeriods=1,
Threshold=1,
ComparisonOperator='GreaterThanOrEqualToThreshold',
ActionsEnabled=True,
AlarmActions=['arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic']  # placeholder: use your own SNS topic ARN
)
- Verify the alarm has been created:
response = cloudwatch.describe_alarms(
    AlarmNames=[alarm_name]
)
if len(response['MetricAlarms']) > 0:
    print(f"The alarm '{alarm_name}' has been created successfully.")
else:
    print(f"Failed to create the alarm '{alarm_name}'.")
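The audit side of this control, as an added example that is not part of the original page and not the audit tool's own code: a Python function that walks the whole chain a reviewer checks for this alarm (a logging multi-region trail delivering to a CloudWatch Logs group, a metric filter on that group covering all six gateway events, an alarm on the filter's metric with an enabled action, and an SNS topic with a confirmed subscriber) and reports what is missing. It runs offline over constructed dictionaries shaped like the relevant API responses (describe_trails merged with the IsLogging flag from get_trail_status, describe_metric_filters, describe_alarms, list_subscriptions_by_topic); account IDs, ARNs and names are placeholders, and the weak pattern is constructed to show a partial filter being caught.

```python
import re

# The six event names the page's metric filter must cover.
REQUIRED_EVENTS = {
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "AttachInternetGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "DetachInternetGateway",
}

PAGE_PATTERN = ("{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || "
                "($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || "
                "($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }")
# Constructed weaker pattern that silently skips two of the six events.
WEAK_PATTERN = ("{ ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || "
                "($.eventName = AttachInternetGateway) || ($.eventName = CreateCustomerGateway) }")

TOPIC = "arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic"  # placeholder ARN

# Constructed API responses, trimmed to the fields the audit reads.
TRAILS = [{"Name": "management-events", "IsMultiRegionTrail": True, "IsLogging": True,
           "CloudWatchLogsLogGroupArn":
           "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/CloudWatchLogGroup:*"}]
FILTERS = {"CloudTrail/CloudWatchLogGroup": [
    {"filterName": "VPCGatewayConfigChanges", "filterPattern": PAGE_PATTERN,
     "metricTransformations": [{"metricName": "GatewayEventCount", "metricNamespace": "CloudTrailMetrics"}]}]}
WEAK_FILTERS = {"CloudTrail/CloudWatchLogGroup": [
    {"filterName": "VPCGatewayConfigChanges", "filterPattern": WEAK_PATTERN,
     "metricTransformations": [{"metricName": "GatewayEventCount", "metricNamespace": "CloudTrailMetrics"}]}]}
ALARMS = [{"AlarmName": "VPCGatewayConfigChangesAlarm", "MetricName": "GatewayEventCount",
           "Namespace": "CloudTrailMetrics", "ActionsEnabled": True, "AlarmActions": [TOPIC]}]
SUBS_CONFIRMED = {TOPIC: [{"Protocol": "email", "SubscriptionArn": TOPIC + ":6f1c0a0e-example"}]}
SUBS_PENDING = {TOPIC: [{"Protocol": "email", "SubscriptionArn": "PendingConfirmation"}]}


def log_group_from_arn(arn):
    """'arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*' -> 'NAME'."""
    name = arn.split(":log-group:", 1)[1]
    return name[:-2] if name.endswith(":*") else name


def missing_events(filter_pattern):
    """Required event names that the pattern's '$.eventName = X' terms do not mention."""
    found = set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', filter_pattern))
    return REQUIRED_EVENTS - found


def audit_gateway_change_alarm(trails, metric_filters, alarms, subscriptions):
    """Return a list of findings; an empty list means at least one complete chain exists:
    logging multi-region trail -> log group -> filter covering all six events ->
    alarm on that metric with actions enabled -> SNS topic with a confirmed subscriber."""
    findings = []
    trails = [t for t in trails if t.get("IsMultiRegionTrail") and t.get("IsLogging")
              and t.get("CloudWatchLogsLogGroupArn")]
    if not trails:
        return ["no logging multi-region CloudTrail trail delivers to CloudWatch Logs"]
    for trail in trails:
        group = log_group_from_arn(trail["CloudWatchLogsLogGroupArn"])
        for mf in metric_filters.get(group, []):
            missing = missing_events(mf["filterPattern"])
            if missing:
                findings.append(f"{group}/{mf['filterName']}: pattern does not cover {sorted(missing)}")
                continue
            for mt in mf["metricTransformations"]:
                alarm = next((a for a in alarms if a["MetricName"] == mt["metricName"]
                              and a["Namespace"] == mt["metricNamespace"]), None)
                if alarm is None:
                    findings.append(f"{group}/{mf['filterName']}: no alarm on "
                                    f"{mt['metricNamespace']}/{mt['metricName']}")
                    continue
                if not alarm.get("ActionsEnabled", True) or not alarm.get("AlarmActions"):
                    findings.append(f"{alarm['AlarmName']}: no enabled alarm action")
                    continue
                for topic in alarm["AlarmActions"]:
                    confirmed = [s for s in subscriptions.get(topic, [])
                                 if s.get("SubscriptionArn") != "PendingConfirmation"]
                    if confirmed:
                        return []  # one working chain satisfies the control
                    findings.append(f"{alarm['AlarmName']}: {topic} has no confirmed subscription")
    return findings or ["no metric filter for gateway changes on any CloudTrail log group"]


if __name__ == "__main__":
    print(audit_gateway_change_alarm(TRAILS, FILTERS, ALARMS, SUBS_CONFIRMED))       # []
    print(audit_gateway_change_alarm(TRAILS, WEAK_FILTERS, ALARMS, SUBS_CONFIRMED))  # pattern gap
    print(audit_gateway_change_alarm(TRAILS, FILTERS, ALARMS, SUBS_PENDING))         # unconfirmed topic
```

Two points this check makes that the remediation steps alone do not: a filter that names only some of the six events passes a casual "is there a filter?" look but leaves DetachInternetGateway or DeleteCustomerGateway unmonitored, and an alarm wired to a topic whose only subscription is still PendingConfirmation is functionally silent. To run it against a live account, replace the constructed dictionaries with the results of the corresponding boto3 calls made for the trail's home region.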