Route Table Changes Alarm

More Info:
AWS route table configuration changes should be monitored using CloudWatch alarms. This alarm is triggered when changes to route tables in your VPC occur, such as creating, replacing, or deleting routes or route table associations.

Risk Level: Medium
Address: Security
Compliance Standards: CISAWS, CBP, SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, NISTCSF
Triage and Remediation
Remediation
Remediation using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:

  {
  ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) ||
  ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) ||
  ($.eventName = DisassociateRouteTable)
  }

  This pattern scans the AWS CloudTrail logs for the event names “CreateRoute”, “CreateRouteTable”, “ReplaceRoute”, “ReplaceRouteTableAssociation”, “DeleteRouteTable”, “DeleteRoute”, and “DisassociateRouteTable”.
- Review the metric filter config details, then click Assign Metric.
- On the Create Metric Filter and Assign a Metric page, perform the following:
  - In the Filter Name box, enter a unique name for the new filter, e.g. RouteTableConfigChanges.
  - In the Metric Namespace box, type CloudTrailMetrics.
  - In the Metric Name box, type RouteTableEventCount for the metric identifier.
  - Click Show advanced metric settings to expand the advanced settings section.
  - In the Metric Value box, enter 1.
- Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
- On the current page, click Create Alarm:
  - In the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
  - Under Whenever: Metric Name, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value, so the alarm fires every time a configuration change involving an AWS route table is made.
  - In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu, and choose the AWS SNS topic created at Step 1.
  - In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
- Review the CloudWatch alarm configuration details, then click Create Alarm.
By following these steps, you can remediate the “Route Table Changes” alarm using the AWS Console.
Remediation using AWS CLI:
- Run the put-metric-filter command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:
aws logs put-metric-filter \
--region us-east-1 \
--log-group-name CloudTrail/CloudWatchLogGroup \
--filter-name RouteTableConfigChanges \
--filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' \
--metric-transformations metricName=RouteTableEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
- Run the put-metric-alarm command to create the AWS CloudWatch alarm:
aws cloudwatch put-metric-alarm \
--region us-east-1 \
--alarm-name RouteTableConfigChangesAlarm \
--alarm-description "Triggered by AWS Route Table config changes." \
--metric-name RouteTableEventCount \
--namespace CloudTrailMetrics \
--statistic Sum \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--period 300 \
--threshold 1 \
--actions-enabled \
--alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
By following these steps, you can remediate the “Route Table Changes” alarm using the AWS CLI.
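The metric filter and alarm above only fire in a live account, so it is hard to check the detection logic before deploying it. The following is an added example (not code from the original page or from AWS) that emulates what the filter pattern and the alarm settings do: it matches constructed CloudTrail records on the seven event names in the pattern, applies a metric value of 1 per match, sums per 300-second period, and reports the periods that meet the >= 1 threshold. The sample records are constructed for this example and contain only the fields the logic reads.

```python
"""
Added example (not part of the original page): emulate the CloudWatch Logs
metric filter and the alarm evaluation described above against constructed
CloudTrail records, so the detection logic can be checked offline.
"""
import json
from datetime import datetime, timezone

# Event names taken from the page's filter pattern.
ROUTE_TABLE_EVENT_NAMES = frozenset({
    "CreateRoute", "CreateRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute",
    "DisassociateRouteTable",
})

# Alarm parameters from the page: Sum over a 300-second period, threshold >= 1.
PERIOD_SECONDS = 300
THRESHOLD = 1


def matches_filter(record: dict) -> bool:
    """True when the record would match the metric filter pattern
    (its $.eventName is one of the listed values)."""
    return record.get("eventName") in ROUTE_TABLE_EVENT_NAMES


def parse_records(log_lines):
    """Each CloudWatch Logs event for a CloudTrail trail is one JSON record per line."""
    return [json.loads(line) for line in log_lines]


def metric_datapoints(records):
    """Apply metricValue=1 per matching record and aggregate with Sum per
    300-second period; keys are period start times as Unix timestamps."""
    sums = {}
    for rec in records:
        if not matches_filter(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        period_start = int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
        sums[period_start] = sums.get(period_start, 0) + 1
    return sums


def periods_in_alarm(records):
    """Periods whose Sum satisfies GreaterThanOrEqualToThreshold
    (one evaluation period, as in the put-metric-alarm call above)."""
    return sorted(p for p, total in metric_datapoints(records).items()
                  if total >= THRESHOLD)


def evaluate(log_lines):
    """Parse raw log lines and return the period starts that would be in ALARM."""
    return periods_in_alarm(parse_records(log_lines))


# Constructed sample CloudTrail records (not real log data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-01T10:00:12Z", "eventName": "DescribeRouteTables",
                "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventTime": "2024-01-01T10:01:30Z", "eventName": "CreateRoute",
                "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventTime": "2024-01-01T10:02:05Z", "eventName": "ReplaceRouteTableAssociation",
                "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventTime": "2024-01-01T10:40:00Z", "eventName": "DeleteRoute",
                "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventTime": "2024-01-01T10:41:00Z", "eventName": "AssociateRouteTable",
                "eventSource": "ec2.amazonaws.com"}),
]


if __name__ == "__main__":
    for start in evaluate(SAMPLE_LOG_LINES):
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(f"{when}  ALARM (RouteTableEventCount >= {THRESHOLD})")
```

Running it reports two periods in ALARM (10:00 and 10:40 UTC). Note that the fifth sample record, an AssociateRouteTable call, is ignored: that event name is not in the page's pattern, so a first-time association of a subnet with a route table would not raise this alarm unless the pattern is extended.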
Remediation using Python:
- First, check the CloudWatch alarm to identify the route table that has been modified.
- Once identified, use the boto3 library to fetch the events from CloudTrail related to route table changes:
import boto3

client = boto3.client('cloudtrail')

# Event names that change route tables (the same names used in the metric filter pattern).
ROUTE_TABLE_EVENT_NAMES = {
    'CreateRoute', 'CreateRouteTable', 'ReplaceRoute',
    'ReplaceRouteTableAssociation', 'DeleteRouteTable', 'DeleteRoute',
    'DisassociateRouteTable',
}

# LookupEvents accepts only one lookup attribute per call, so look the route
# table up by resource name and filter on the event name client-side.
response = client.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'ResourceName',
            'AttributeValue': '<route_table_id>'
        }
    ]
)
events = [e for e in response['Events'] if e['EventName'] in ROUTE_TABLE_EVENT_NAMES]
Replace <route_table_id> with the ID of the modified route table.
- Extract the previous state of the route table from the CloudTrail event. The previous state is stored in the previousState field of the resourceProperties object.
- Use the boto3 library to revert the route table to its previous state:
import boto3

client = boto3.client('ec2')

# Point the existing subnet/gateway association back at the route table it used before the change.
response = client.replace_route_table_association(
    AssociationId='<association_id>',
    RouteTableId='<route_table_id>'
)
print(response)
Replace association_id with the ID of the route table association, and route_table_id with the ID of the modified route table.
- Confirm that the route table has been updated to its previous state by checking the AWS Management Console or using the boto3 library to fetch the route table details.
By following these steps, you can remediate the “Route Table Changes” alarm using Python.
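The lookup step above returns each CloudTrail record as a JSON string in the CloudTrailEvent field of every item in response['Events'], so the actor, source IP and request parameters have to be parsed out before they can be used for triage or for the revert call. The following is an added example (not code from the original page or from AWS) that does that parsing over a constructed LookupEvents response. It assumes the requestParameters keys routeTableId and associationId, mirroring the EC2 API parameter names; the ARNs, IDs and IP address are placeholders.

```python
"""
Added example (not part of the original page): extract triage facts from a
CloudTrail LookupEvents response. Each item in response['Events'] carries the
full record as a JSON string under 'CloudTrailEvent'; it must be parsed before
userIdentity or requestParameters can be read.
"""
import json

# Event names taken from the page's metric filter pattern.
ROUTE_TABLE_EVENT_NAMES = frozenset({
    "CreateRoute", "CreateRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute",
    "DisassociateRouteTable",
})


def summarise_event(event: dict) -> dict:
    """Flatten one LookupEvents item into the fields a responder needs.
    The requestParameters keys (routeTableId, associationId) are assumed to
    mirror the EC2 API parameter names; verify against your own trail."""
    raw = json.loads(event["CloudTrailEvent"])
    params = raw.get("requestParameters") or {}
    identity = raw.get("userIdentity") or {}
    return {
        "eventName": event["EventName"],
        "eventTime": raw.get("eventTime"),
        "actor": identity.get("arn"),
        "sourceIp": raw.get("sourceIPAddress"),
        "routeTableId": params.get("routeTableId"),
        "associationId": params.get("associationId"),
    }


def route_table_changes(lookup_response: dict) -> list:
    """Keep only the events that modify route tables; read-only calls are dropped."""
    return [
        summarise_event(e)
        for e in lookup_response.get("Events", [])
        if e.get("EventName") in ROUTE_TABLE_EVENT_NAMES
    ]


def _record(event_name, event_time, actor_arn, params):
    # Build a constructed CloudTrail record; every value is a placeholder.
    return {
        "EventName": event_name,
        "CloudTrailEvent": json.dumps({
            "eventVersion": "1.08",
            "eventTime": event_time,
            "eventSource": "ec2.amazonaws.com",
            "eventName": event_name,
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": actor_arn},
            "requestParameters": params,
        }),
    }


# Constructed LookupEvents response (sample data, not from a real account).
SAMPLE_RESPONSE = {
    "Events": [
        _record("DescribeRouteTables", "2024-01-01T10:05:00Z",
                "arn:aws:iam::123456789012:user/auditor", {}),
        _record("ReplaceRouteTableAssociation", "2024-01-01T10:02:05Z",
                "arn:aws:iam::123456789012:user/netops",
                {"associationId": "rtbassoc-0123456789abcdef0",
                 "routeTableId": "rtb-0fedcba9876543210"}),
    ]
}


if __name__ == "__main__":
    for change in route_table_changes(SAMPLE_RESPONSE):
        print(change)
```

The associationId and routeTableId values recovered this way are the ones to pass to replace_route_table_association in the revert step, and the actor and source IP tell you whether the change came from an expected pipeline or principal before you undo it.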