AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Network ACL Changes Alarm
More Info:
AWS Network ACLs configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF
Triage and Remediation
Remediation
The “Network ACL Changes Alarm” indicates that changes have been made to the Network Access Control List (NACL) in your AWS account. To remediate this issue, you can follow the steps below:
-
Open the AWS Management Console and navigate to the VPC service.
-
Select the VPC where the NACL changes were made.
-
Click on the “Network ACLs” option in the left-hand menu.
-
Identify the NACL that has been modified and click on its name.
-
Review the “Inbound Rules” and “Outbound Rules” tabs to identify any unauthorized changes.
-
If unauthorized changes are identified, click the “Edit” button for the relevant rule and modify it as necessary.
-
Click the “Save” button to apply the changes.
-
Once all unauthorized changes have been remediated, update the alarm configuration to ensure that you are alerted if any further unauthorized changes are made to the NACL.
-
To update the alarm configuration, navigate to the CloudWatch service, select the relevant alarm, and click the “Actions” button.
-
Select “Edit” and update the alarm configuration as necessary.
-
Click the “Save” button to apply the changes.
By following these steps, you can remediate the “Network ACL Changes Alarm” issue in your AWS account.
The Network ACL Changes Alarm is triggered when there is a change to the network access control list (ACL) in your AWS account. This could potentially allow unauthorized access to your network resources. To remediate this issue, you can follow these steps:
-
Login to your AWS account and open the AWS CLI.
-
Verify that the Network ACL Changes Alarm is triggered by running the following command:
aws cloudwatch describe-alarms --alarm-names Network_ACL_Changes_Alarm
- Identify the network ACL that has been modified by running the following command:
aws ec2 describe-network-acls --query "NetworkAcls[?Associations[?SubnetId=='<subnet_id>']]"
Replace <subnet_id> with the ID of the subnet associated with the modified network ACL.
- Review the changes made to the network ACL by running the following command:
aws ec2 describe-network-acls --network-acl-id <network_acl_id> --query "NetworkAcls[0].Entries"
Replace <network_acl_id> with the ID of the modified network ACL.
- If the changes made to the network ACL are unauthorized, you can revert the changes by running the following command:
aws ec2 replace-network-acl-entry --network-acl-id <network_acl_id> --rule-number <rule_number> --protocol <protocol> --rule-action <rule_action> --cidr-block <cidr_block> --egress --region <region>
Replace <network_acl_id> with the ID of the modified network ACL, <rule_number> with the number of the rule that was modified, <protocol> with the protocol type, <rule_action> with the action taken, <cidr_block> with the CIDR block affected, and <region> with the AWS region where the network ACL is located.
- Finally, verify that the changes have been reverted by running the following command:
aws ec2 describe-network-acls --network-acl-id <network_acl_id> --query "NetworkAcls[0].Entries"
Replace <network_acl_id> with the ID of the modified network ACL. The output should show the original rules before the unauthorized changes were made.
By following these steps, you can remediate the Network ACL Changes Alarm in AWS using the AWS CLI.
The Network ACL Changes Alarm is triggered when there are changes made to the Network Access Control Lists (NACLs) in your AWS environment. To remediate this issue using Python, you can follow these steps:
-
Identify the source of the change: You can use the AWS CloudTrail service to identify the source of the change. CloudTrail logs all API calls made to your AWS account, and you can use it to see who made the change and when it was made.
-
Review the change: Once you have identified the source of the change, you should review the change to ensure that it was made in accordance with your organization’s security policies and best practices.
-
Roll back the change: If the change was made in error or is not in compliance with your organization’s security policies, you should roll back the change. You can use the AWS CLI or the AWS Management Console to roll back the change.
-
Update NACLs: If the change was made in compliance with your organization’s security policies, you should update your NACLs to reflect the change. You can use the AWS CLI or the AWS Management Console to update your NACLs.
-
Monitor for future changes: To prevent future misconfigurations, you should monitor your NACLs for changes and set up alerts to notify you of any unauthorized changes.
Here is some sample Python code to get you started with monitoring NACL changes using AWS CloudWatch:
import boto3
client = boto3.client('cloudwatch')
response = client.put_metric_alarm(
AlarmName='Network ACL Changes',
AlarmDescription='Alarm triggered when there are changes made to the Network Access Control Lists (NACLs)',
MetricName='NetworkAclChanges',
Namespace='AWS/EC2',
Statistic='Sum',
Period=300,
EvaluationPeriods=1,
Threshold=1,
ComparisonOperator='GreaterThanOrEqualToThreshold',
Dimensions=[
{
'Name': 'InstanceId',
'Value': 'i-0123456789abcdef0'
},
],
AlarmActions=[
'arn:aws:sns:us-west-2:123456789012:MyTopic'
],
OKActions=[
'arn:aws:sns:us-west-2:123456789012:MyTopic'
],
InsufficientDataActions=[
'arn:aws:sns:us-west-2:123456789012:MyTopic'
],
Unit='Count'
)
This code sets up a CloudWatch alarm to monitor for changes to NACLs in your AWS environment. When a change is detected, the alarm will trigger an SNS notification to a specified topic. You can customize this code to meet your specific needs and requirements.