Route Table Changes Alarm

More Info:
AWS Route Tables configuration changes should be monitored using CloudWatch alarms.

Risk Level: Medium
Address: Security
Compliance Standards: CISAWS, CBP, SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, NISTCSF
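To make the monitoring requirement above concrete, the following is an added example (not code from the original page or from any vendor tool) of what the alarm actually watches: the CloudWatch Logs metric filter pattern for route table changes from the CIS AWS Foundations Benchmark, the same match logic in Python run over constructed CloudTrail records, and the keyword arguments for the boto3 put_metric_filter and put_metric_alarm calls that wire the filter to an alarm. The log group name, SNS topic ARN, metric and alarm names are placeholders; no AWS call is made.

```python
import json

# EC2 API actions that change a route table, as recorded by CloudTrail. The EC2 API has no
# "ModifyRouteTable" action, so a filter on that name never matches a real event.
ROUTE_TABLE_CHANGE_EVENTS = frozenset({
    "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
    "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable",
})

# CloudWatch Logs metric filter pattern (CIS AWS Foundations Benchmark, route table changes),
# applied to the log group that receives the CloudTrail trail.
FILTER_PATTERN = (
    "{ ($.eventSource = ec2.amazonaws.com) && ("
    "($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || "
    "($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || "
    "($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || "
    "($.eventName = DisassociateRouteTable)) }"
)


def is_route_table_change(event: dict) -> bool:
    """Mirror FILTER_PATTERN in Python so the logic can be checked against sample records."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in ROUTE_TABLE_CHANGE_EVENTS)


def count_route_table_changes(log_lines) -> int:
    """Count the CloudTrail records (one JSON object per line) that would increment the metric."""
    hits = 0
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, as the metric filter would
        if is_route_table_change(record):
            hits += 1
    return hits


def metric_filter_params(log_group: str, metric_name: str = "RouteTableChanges",
                         namespace: str = "CloudTrailMetrics") -> dict:
    """Keyword arguments for boto3 logs.put_metric_filter(**params). Names are placeholders."""
    return {
        "logGroupName": log_group,
        "filterName": f"{metric_name}Filter",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [
            {"metricName": metric_name, "metricNamespace": namespace, "metricValue": "1"}
        ],
    }


def alarm_params(sns_topic_arn: str, metric_name: str = "RouteTableChanges",
                 namespace: str = "CloudTrailMetrics") -> dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(**params):
    alarm on one or more matching events within a 5-minute period."""
    return {
        "AlarmName": "RouteTableChanges",
        "Namespace": namespace,
        "MetricName": metric_name,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


# Constructed sample CloudTrail records (not real account data); IDs are placeholders.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute",
                "requestParameters": {"routeTableId": "rtb-0123456789abcdef0",
                                      "destinationCidrBlock": "0.0.0.0/0"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateRoute"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ModifyRouteTable"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable",
                "requestParameters": {"routeTableId": "rtb-0fedcba9876543210"}}),
]

if __name__ == "__main__":
    print("records that raise the alarm:", count_route_table_changes(SAMPLE_LOG_LINES))  # 2
```

Only the first and last sample records match: the read-only DescribeRouteTables call, the record from a different event source, and the non-existent ModifyRouteTable name are all ignored, which is the behaviour the CloudWatch filter has on the real log group.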
Triage and Remediation
Remediation
The “Route Table Changes” alarm in AWS is triggered when any change is made to the route tables in your VPC. To remediate this issue, you can follow the steps below:
- Log in to your AWS console and go to the CloudWatch dashboard.
- Click on “Alarms” in the left-hand navigation menu and select the “Route Table Changes” alarm.
- Click on the “Actions” dropdown and select “Disable Alarm” to temporarily disable the alarm.
- Next, go to the VPC dashboard and select the VPC that has the route table changes.
- Click on “Route Tables” in the left-hand navigation menu and select the route table that has been changed.
- Review the changes made to the route table and determine whether they were intentional or not.
- If the changes were intentional, update the alarm to reflect the new changes.
- If the changes were not intentional, revert the changes made to the route table.
- Once the changes have been made, re-enable the “Route Table Changes” alarm in the CloudWatch dashboard.
By following these steps, you can remediate the “Route Table Changes” alarm in AWS.
The “Route Table Changes Alarm” is an AWS CloudWatch alarm that is triggered when a change is made to a route table in your AWS account. To remediate this misconfiguration, you can follow the steps below using the AWS CLI:
- Log in to your AWS account and open the AWS CLI.
- Check the current status of the alarm by running the following command:
aws cloudwatch describe-alarms --alarm-names <alarm-name>
Replace <alarm-name> with the name of your Route Table Changes Alarm.
- If the alarm is in the “ALARM” state, it means that a change has been made to a route table. To remediate this, you need to identify the change that was made and revert it.
- To identify the change, you can check the CloudTrail logs for the time period when the alarm was triggered. Run the following command to get the CloudTrail events for the specified time period:
aws cloudtrail lookup-events --start-time <start-time> --end-time <end-time> --lookup-attributes AttributeKey=EventName,AttributeValue=CreateRouteTable
Replace <start-time> and <end-time> with the start and end time of the period when the alarm was triggered.
- Review the CloudTrail events to identify the change that was made to the route table. Once you have identified the change, you can revert it by running the appropriate AWS CLI command. For example, if a new route was added to the route table, you can remove it by running the following command:
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr-block>
Replace <route-table-id> with the ID of the affected route table and <destination-cidr-block> with the destination CIDR block of the route that was added.
- After you have reverted the change, check the status of the alarm again to ensure that it is no longer in the “ALARM” state:
aws cloudwatch describe-alarms --alarm-names <alarm-name>
If the alarm is still in the “ALARM” state, repeat the above steps to identify and remediate any remaining misconfigurations.
Here are the step-by-step instructions to remediate the “Route Table Changes Alarm” misconfiguration in AWS using Python:
- First, we need to identify the root cause of the alarm. Check the CloudWatch alarm to see which route table has been modified and by whom.
- Once you have identified the route table that has been modified, you can revert the changes by updating the route table to its previous state. To do this, you will need to fetch the previous state of the route table.
- To fetch the previous state of the route table, you can use the AWS CloudTrail service. CloudTrail logs all API calls made to your AWS account, including changes to route tables. You can use the boto3 library in Python to interact with the CloudTrail service.
- Use the boto3 library to create a CloudTrail client and fetch the events related to the modified route table. You can use the following code snippet to fetch the events:
import boto3

# Route table mutations as CloudTrail records them. The EC2 API has no ModifyRouteTable
# action, so filtering on that name would never return an event.
ROUTE_TABLE_CHANGE_EVENTS = {
    'CreateRoute', 'ReplaceRoute', 'DeleteRoute', 'CreateRouteTable', 'DeleteRouteTable',
    'ReplaceRouteTableAssociation', 'DisassociateRouteTable',
}

client = boto3.client('cloudtrail')
# lookup_events accepts a single LookupAttributes entry, so look the events up by
# resource name and narrow them to route table changes in code.
response = client.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'ResourceName',
            'AttributeValue': '<route_table_id>'
        }
    ]
)
events = [e for e in response['Events'] if e['EventName'] in ROUTE_TABLE_CHANGE_EVENTS]
Replace <route_table_id> with the ID of the modified route table.
- Once you have fetched the events, you can extract the previous state of the route table from the CloudTrail event. The previous state of the route table is stored in the previousState field of the resourceProperties object in the CloudTrail event.
- Use the boto3 library to update the route table with its previous state. You can use the following code snippet to update the route table:
import boto3

client = boto3.client('ec2')
# Point the existing subnet or gateway association (rtbassoc-...) back at the route table
# it used before the change; the association ID is kept, only its route table changes.
response = client.replace_route_table_association(
    AssociationId='<association_id>',
    RouteTableId='<route_table_id>'
)
print(response)
Replace <association_id> with the ID of the route table association, and <route_table_id> with the ID of the modified route table.
- Finally, you can confirm that the route table has been updated to its previous state by checking the AWS Management Console or by using the boto3 library to fetch the route table details.
That’s it! By following these steps, you can remediate the “Route Table Changes Alarm” misconfiguration in AWS using Python.
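The CLI steps above look up only CreateRouteTable events, and the Python steps fetch events for one route table; as an added example (not code from the original page), the block below covers the triage both sections describe for all seven route table mutation event names. It parses a cloudtrail.lookup_events() response offline, reads the affected table from each record's requestParameters and responseElements, and builds a newest-first revert plan: CreateRoute and CreateRouteTable can be undone from the record alone (delete_route, delete_route_table), while DeleteRoute, ReplaceRoute, DeleteRouteTable and the association changes are marked manual because the record does not carry the previous target or table, which has to be recovered from the earlier event that created it. The sample response, account ID, user and resource IDs are constructed placeholders.

```python
import json

# EC2 API actions that mutate a route table; CloudTrail records them under these names
# (there is no ModifyRouteTable action in the EC2 API).
ROUTE_TABLE_CHANGE_EVENTS = frozenset({
    "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
    "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable",
})


def route_table_events(lookup_response: dict) -> list:
    """Parse a cloudtrail.lookup_events() response into the route table mutations it contains.

    Each entry in 'Events' carries the full CloudTrail record as a JSON string in
    'CloudTrailEvent'; its requestParameters/responseElements identify the affected table.
    """
    records = []
    for event in lookup_response.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])
        if record.get("eventSource") != "ec2.amazonaws.com":
            continue
        if record.get("eventName") not in ROUTE_TABLE_CHANGE_EVENTS:
            continue
        records.append(record)
    return sorted(records, key=lambda r: r["eventTime"])  # oldest first


def plan_revert(record: dict) -> dict:
    """Map one CloudTrail record to the boto3 EC2 call that reverses it.

    Only changes whose undo needs nothing beyond the record itself are automated; the
    rest are marked 'manual' because the record holds the request and response of the
    call, not the state that existed before it.
    """
    name = record["eventName"]
    req = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")
    step = {"event": name, "actor": actor, "time": record.get("eventTime")}
    if name == "CreateRoute":
        # delete_route takes the same destination the route was created with
        # (IPv4 CIDR, IPv6 CIDR or prefix list).
        params = {"RouteTableId": req["routeTableId"]}
        for src, dst in (("destinationCidrBlock", "DestinationCidrBlock"),
                         ("destinationIpv6CidrBlock", "DestinationIpv6CidrBlock"),
                         ("destinationPrefixListId", "DestinationPrefixListId")):
            if src in req:
                params[dst] = req[src]
        step.update(action="delete_route", params=params)
    elif name == "CreateRouteTable":
        # the new table's ID is only in the response, not in the request
        step.update(action="delete_route_table",
                    params={"RouteTableId": resp["routeTable"]["routeTableId"]})
    else:
        # DeleteRoute/ReplaceRoute/DeleteRouteTable/(Dis)association changes: the previous
        # target, table or association is not in this record; recover it from the earlier
        # event that created it (or from a configuration baseline) before recreating it.
        step.update(action="manual", params=dict(req),
                    reason="previous state is not recorded in this event")
    return step


def build_revert_plan(lookup_response: dict) -> list:
    """Undo changes newest first, so a later change is reversed before the one it built on."""
    return [plan_revert(r) for r in reversed(route_table_events(lookup_response))]


def _record(name, when, req=None, resp=None):
    """Build a constructed CloudTrail record string in the shape lookup_events returns."""
    return json.dumps({
        "eventVersion": "1.08", "eventTime": when, "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-user"},
        "requestParameters": req, "responseElements": resp,
    })


# Constructed sample response (not real account data); all IDs are placeholders.
SAMPLE_LOOKUP_RESPONSE = {"Events": [
    {"EventName": "CreateRouteTable", "CloudTrailEvent": _record(
        "CreateRouteTable", "2024-05-01T10:10:00Z", {"vpcId": "vpc-0aaaabbbbccccdddd"},
        {"routeTable": {"routeTableId": "rtb-0fedcba9876543210"}})},
    {"EventName": "CreateRoute", "CloudTrailEvent": _record(
        "CreateRoute", "2024-05-01T10:15:00Z",
        {"routeTableId": "rtb-0123456789abcdef0", "destinationCidrBlock": "0.0.0.0/0",
         "gatewayId": "igw-0123456789abcdef0"}, {"_return": True})},
    {"EventName": "DeleteRoute", "CloudTrailEvent": _record(
        "DeleteRoute", "2024-05-01T10:20:00Z",
        {"routeTableId": "rtb-0123456789abcdef0", "destinationCidrBlock": "10.20.0.0/16"},
        {"_return": True})},
    {"EventName": "DescribeRouteTables", "CloudTrailEvent": _record(
        "DescribeRouteTables", "2024-05-01T10:21:00Z")},
]}

if __name__ == "__main__":
    # each delete_* step is meant to be passed to boto3.client("ec2").<action>(**params)
    for step in build_revert_plan(SAMPLE_LOOKUP_RESPONSE):
        print(step["time"], step["event"], "->", step["action"], step["params"])
```

On the sample, the plan lists the DeleteRoute as a manual step (the removed route's target is not in the record), then a delete_route for the 0.0.0.0/0 route, then a delete_route_table for the newly created table; the read-only DescribeRouteTables call is dropped. The actor ARN in each step is what answers the "by whom" question in the first Python step above.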