Triage and Remediation
Remediation
Using Console
Remediation using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste into the Filter Pattern box a filter pattern that matches the following CloudTrail event names: CreateRoute, CreateRouteTable, ReplaceRoute, ReplaceRouteTableAssociation, DeleteRouteTable, DeleteRoute, or DisassociateRouteTable.
- Review the metric filter config details, then click Assign Metric.
- On the Create Metric Filter and Assign a Metric page, perform the following:
- In the Filter Name box, enter a unique name for the new filter, e.g. RouteTableConfigChanges.
- In the Metric Namespace box, type CloudTrailMetrics.
- In the Metric Name box, type RouteTableEventCount for the metric identifier.
- Click Show advanced metric settings to expand the advanced settings section.
- In the Metric Value box, enter 1.
- Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
- On the current page, click Create Alarm:
- In the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
- Under Whenever: Metric Name, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value to trigger the alarm every time a configuration change involving an AWS Route Table is made.
- In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu, and choose the AWS SNS topic created at Step 1.
- In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
- Review the CloudWatch alarm configuration details, then click Create Alarm.
Using CLI
Remediation using AWS CLI:
- Run the put-metric-filter command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:
- Run the put-metric-alarm command to create the AWS CloudWatch alarm:
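The following is an added example, not the page's or any tool's own code: it builds the put_metric_filter and put_metric_alarm arguments that the console and CLI steps above describe (filter name RouteTableConfigChanges, namespace CloudTrailMetrics, metric RouteTableEventCount, Sum over 5 minutes, threshold >= 1), assembles the filter pattern from the seven event names listed above in CloudWatch Logs JSON filter syntax, and checks that pattern's semantics locally against constructed CloudTrail records. The log group name, alarm name and SNS topic ARN are assumed inputs, and the apply_remediation wrapper is hypothetical.

```python
import json

# Added example (not the page's script): the metric filter and alarm from the steps above.
ROUTE_TABLE_EVENTS = ("CreateRoute", "CreateRouteTable", "ReplaceRoute",
                      "ReplaceRouteTableAssociation", "DeleteRouteTable",
                      "DeleteRoute", "DisassociateRouteTable")

def build_filter_pattern(event_names=ROUTE_TABLE_EVENTS):
    """CloudWatch Logs JSON filter: { ($.eventName = A) || ($.eventName = B) ... }."""
    return "{ " + " || ".join(f"($.eventName = {n})" for n in event_names) + " }"

def metric_filter_request(log_group_name):
    """Arguments for logs.put_metric_filter, using the names from the console steps."""
    return {"logGroupName": log_group_name,
            "filterName": "RouteTableConfigChanges",
            "filterPattern": build_filter_pattern(),
            "metricTransformations": [{"metricName": "RouteTableEventCount",
                                       "metricNamespace": "CloudTrailMetrics",
                                       "metricValue": "1"}]}

def alarm_request(alarm_name, sns_topic_arn):
    """Arguments for cloudwatch.put_metric_alarm: Sum over 5 minutes, fires at >= 1."""
    return {"AlarmName": alarm_name, "Namespace": "CloudTrailMetrics",
            "MetricName": "RouteTableEventCount", "Statistic": "Sum",
            "Period": 300, "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn]}

def count_matching(log_lines, event_names=ROUTE_TABLE_EVENTS):
    """Local stand-in for the filter: count JSON records whose eventName is in the set."""
    total = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines never match a JSON filter pattern
        if isinstance(record, dict) and record.get("eventName") in event_names:
            total += 1
    return total

def apply_remediation(log_group_name, alarm_name, sns_topic_arn):
    """Hypothetical wrapper: issues both API calls with boto3 (needs AWS credentials)."""
    import boto3
    boto3.client("logs").put_metric_filter(**metric_filter_request(log_group_name))
    boto3.client("cloudwatch").put_metric_alarm(**alarm_request(alarm_name, sns_topic_arn))

# Constructed CloudTrail records as they land in the log group, one JSON object per line.
SAMPLE_LOG_LINES = ['{"eventName": "ReplaceRoute", "eventSource": "ec2.amazonaws.com"}',
                    '{"eventName": "DescribeRouteTables", "eventSource": "ec2.amazonaws.com"}',
                    '{"eventName": "DeleteRouteTable", "eventSource": "ec2.amazonaws.com"}',
                    'not json']
```

Only two of the four constructed records match, which is the same count the CloudWatch metric would accumulate for that 5-minute period; DescribeRouteTables is read-only and deliberately outside the pattern.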
Using Python
Remediation using Python:
- First, check the CloudWatch alarm to identify the route table that has been modified.
- Once identified, use the boto3 library to fetch the events from CloudTrail related to route table changes, replacing <route_table_id> with the ID of the modified route table.
- Extract the previous state of the route table from the CloudTrail event. The previous state is stored in the previousState field of the resourceProperties object.
- Use the boto3 library to revert the route table to its previous state:
- Confirm that the route table has been updated to its previous state by checking the AWS Management Console or using the boto3 library to fetch the route table details.