More Info:

AWS Route Tables configuration changes should be monitored using CloudWatch alarms. This alarm is triggered when changes to route tables in your VPC occur, such as creating, replacing, or deleting routes.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS, CBP, SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, NISTCSF

Triage and Remediation

Remediation

Using Console

Remediation using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
  3. In the left navigation panel, select Logs.
  4. Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
  5. On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box: 
{
    ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) ||
    ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) ||
    ($.eventName = DisassociateRouteTable)
}
This pattern will be used for scanning the AWS CloudTrail logs for event names like “CreateRoute”, “CreateRouteTable”, “ReplaceRoute”, “ReplaceRouteTableAssociation”, “DeleteRouteTable”, “DeleteRoute”, or “DisassociateRouteTable”.
  1. Review the metric filter config details, then click Assign Metric.
  2. On the Create Metric Filter and Assign a Metric page, perform the following:
    • In the Filter Name box, enter a unique name for the new filter, e.g. RouteTableConfigChanges.
    • In the Metric Namespace box, type CloudTrailMetrics.
    • In the Metric Name box, type RouteTableEventCount for the metric identifier.
    • Click Show advanced metric settings to expand the advanced settings section.
    • In the Metric Value box, enter 1.
  3. Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
  4. On the current page, click Create Alarm:
    • In the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
    • Under Whenever: Metric Name, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value to trigger the alarm every time a configuration change involving an AWS Route Table is made.
    • In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu, and choose the AWS SNS topic created at Step 1.
    • In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
  5. Review the CloudWatch alarm configuration details, then click Create Alarm.
By following these steps, you can remediate the “Route Table Changes” alarm using the AWS Console.

Remediation using AWS CLI:

  1. Run the put-metric-filter command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:
aws logs put-metric-filter \
    --region us-east-1 \
    --log-group-name CloudTrail/CloudWatchLogGroup \
    --filter-name RouteTableConfigChanges \
    --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' \
    --metric-transformations metricName=RouteTableEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
  1. Run the put-metric-alarm command to create the AWS CloudWatch alarm:
aws cloudwatch put-metric-alarm \
    --region us-east-1 \
    --alarm-name RouteTableConfigChangesAlarm \
    --alarm-description "Triggered by AWS Route Table config changes." \
    --metric-name RouteTableEventCount \
    --namespace CloudTrailMetrics \
    --statistic Sum \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --period 300 \
    --threshold 1 \
    --actions-enabled \
    --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
By following these steps, you can remediate the “Route Table Changes” alarm using the AWS CLI.

Remediation using Python:

  1. First, check the CloudWatch alarm to identify the route table that has been modified.
  2. Once identified, use the boto3 library to fetch the events from CloudTrail related to route table changes: 
import boto3

client = boto3.client('cloudtrail')

response = client.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'ResourceName',
            'AttributeValue': '<route_table_id>'
        },
        {
            'AttributeKey': 'EventName',
            'AttributeValue': 'ModifyRouteTable'
        }
    ]
)

events = response['Events']
Replace <route_table_id> with the ID of the modified route table.
  1. Extract the previous state of the route table from the CloudTrail event. The previous state is stored in the previousState field of the resourceProperties object.
  2. Use the boto3 library to revert the route table to its previous state: 
import boto3

client = boto3.client('ec2')

response = client.replace_route_table_association(
    AssociationId='<association_id>',
    RouteTableId='<route_table_id>'
)

print(response)
Replace association_id with the ID of the route table association, and route_table_id with the ID of the modified route table.
  1. Confirm that the route table has been updated to its previous state by checking the AWS Management Console or using the boto3 library to fetch the route table details.
By following these steps, you can remediate the “Route Table Changes” alarm using Python.

Additional Reading: