AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Network ACL Changes Alarm
More Info:
AWS Network ACLs configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF, CISAWSF, PCI, APRA, MAS, NIST4
Triage and Remediation
Remediation
The “Network ACL Changes Alarm” indicates that changes have been made to the Network Access Control List (NACL) in your AWS account. To set up this alarm and monitor NACL changes, follow these steps:
-
Open the AWS Management Console and navigate to CloudWatch.
-
In the left navigation panel, select Logs.
-
Select the log group created for your CloudTrail trail event logs, and click Create Metric Filter.
-
On the Define Logs Metric Filter page, enter the following pattern in the Filter Pattern box:
{
($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) ||
($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)
}
This filter will capture relevant NACL creation, update, and deletion events.
-
Review the metric filter details and click Assign Metric.
-
On the Create Metric Filter and Assign a Metric page:
- In the Filter Name box, enter
NetworkACLConfigChanges. - In the Metric Namespace box, enter
CloudTrailMetrics. - In the Metric Name box, enter
NetworkAclEventCount. - Click Show advanced metric settings to expand the settings, and in the Metric Value box, enter
1.
- In the Filter Name box, enter
-
Review the details and click Create Filter to finalize the metric filter.
-
After creating the filter, click Create Alarm.
-
In the Create Alarm dialog box:
- In the Name field, enter a unique name, such as
NetworkACLConfigChangesAlarm. - Set the alarm to trigger when the metric value is >= 1.
- Under Actions, click + Notification, and choose State is ALARM. Select the SNS topic to notify when the alarm triggers.
- In the Name field, enter a unique name, such as
-
In the Alarm Preview section, set the evaluation period to 5 Minutes, and the statistic type to Sum.
-
Review the alarm configuration and click Create Alarm.
Following these steps will ensure that you are alerted whenever a change is made to a Network ACL in your AWS account.
To set up the Network ACL Changes Alarm using the AWS CLI, follow these steps:
- Run the following command to create a CloudWatch metric filter that monitors CloudTrail logs for Network ACL changes:
aws logs put-metric-filter \
--region <region> \
--log-group-name CloudTrail/CloudWatchLogGroup \
--filter-name NetworkACLConfigChanges \
--filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' \
--metric-transformations metricName=NetworkAclEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
Replace region with your AWS region.
- Create a CloudWatch alarm that will trigger whenever there is a change to a Network ACL:
aws cloudwatch put-metric-alarm \
--region <region> \
--alarm-name NetworkACLConfigChangesAlarm \
--alarm-description "Triggered by AWS Network ACL configuration changes." \
--metric-name NetworkAclEventCount \
--namespace CloudTrailMetrics \
--statistic Sum \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--period 300 \
--threshold 1 \
--actions-enabled \
--alarm-actions arn:aws:sns:<region>:<account_id>:CloudWatchAlarmSNSTopic
Replace region with your AWS region and account_id with your AWS account ID.
By following these CLI steps, you can automate the creation of the necessary CloudWatch metric filters and alarms to monitor changes to your Network ACLs.
The Network ACL Changes Alarm is triggered when changes are made to Network Access Control Lists (NACLs) in your AWS environment. To implement the remediation using Python, follow these steps:
-
Identify the source of change: Use the AWS CloudTrail service to track the source of any changes. CloudTrail logs all API calls made in your AWS account, which will help you identify who made the change and when it occurred.
-
Review the change: Once the source is identified, review the change to ensure it aligns with your organization’s security policies and best practices.
-
Roll back the change: If the change was made in error or violates your security policies, use the AWS CLI or AWS Management Console to roll back the change.
-
Update NACLs: If the change is legitimate, ensure that your NACLs are updated accordingly using the AWS CLI or AWS Management Console.
-
Monitor future changes: Set up monitoring to track future NACL changes and use alerts to notify you of unauthorized modifications.
Here is a Python code sample to help set up the CloudWatch Metric Filter and Alarm for monitoring NACL changes using AWS Boto3:
import boto3
# Initialize clients for CloudWatch Logs and CloudWatch
logs_client = boto3.client('logs', region_name='us-east-1')
cloudwatch_client = boto3.client('cloudwatch', region_name='us-east-1')
# Step 1: Create Metric Filter for Network ACL changes
logs_client.put_metric_filter(
logGroupName='CloudTrail/CloudWatchLogGroup',
filterName='NetworkACLConfigChanges',
filterPattern='{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }',
metricTransformations=[
{
'metricName': 'NetworkAclEventCount',
'metricNamespace': 'CloudTrailMetrics',
'metricValue': '1'
}
]
)
# Step 2: Create CloudWatch Alarm
cloudwatch_client.put_metric_alarm(
AlarmName='NetworkACLConfigChangesAlarm',
AlarmDescription='Alarm triggered by AWS Network ACL configuration changes.',
MetricName='NetworkAclEventCount',
Namespace='CloudTrailMetrics',
Statistic='Sum',
Period=300,
EvaluationPeriods=1,
Threshold=1,
ComparisonOperator='GreaterThanOrEqualToThreshold',
ActionsEnabled=True,
AlarmActions=[
'arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic'
]
)
This code sets up a CloudWatch metric filter to monitor for NACL changes (such as CreateNetworkAcl, DeleteNetworkAcl, etc.) by scanning CloudTrail logs. Creates a CloudWatch alarm that triggers when the metric detects a Network ACL change, sending a notification to the specified SNS topic.