More Info:

AWS security groups configuration changes should be monitored using CloudWatch alarms. Ensure there is a CloudWatch alarm set up in your AWS account that is triggered each time a security group configuration change is made.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF, CISAWSF, PCI, APRA, MAS, NIST4

Triage and Remediation

Remediation

Using Console

Sure, here are the step by step instructions to remediate the Security Group Changes Alarm misconfiguration in AWS using AWS console:Here are the step-by-step instructions to remediate the Security Group Changes Alarm misconfiguration in AWS using the AWS console:
  1. Sign in to your AWS Management Console.
  2. Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
  3. In the left navigation panel, select Logs.
  4. Select the log group created for your CloudTrail trail event logs and click the Create Metric Filter button.
  5. On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box: 
{
    ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) ||
    ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) ||
    ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)
}
This pattern will be used for scanning the AWS CloudTrail logs for event names like “CreateSecurityGroup”, “AuthorizeSecurityGroupIngress”, or “DeleteSecurityGroup”.
  1. Review the metric filter configuration details, then click Assign Metric.
  2. On the Create Metric Filter and Assign a Metric page, perform the following:
    • In the Filter Name box, enter a unique name for the new filter (e.g., SecurityGroupConfigChanges).
    • In the Metric Namespace box, type CloudTrailMetrics.
    • In the Metric Name box, type SecurityGroupEventCount for the metric identifier.
    • Click Show advanced metric settings to slide down the advanced settings section.
    • In the Metric Value box, enter 1.
  3. Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
  4. On the current page, click Create Alarm.
  5. In the Create Alarm dialog box, provide the following information:
    • Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
    • Under Whenever: Metric Name, select >= (greater than or equal to) from the dropdown list and enter 1 as the threshold value in the box next to the dropdown list to trigger the alarm every time a configuration change involving an AWS security group is made.
    • In the Actions section, click the + Notification button, select State is ALARM from the dropdown menu, and choose the AWS SNS topic name created previously from the Send notification to section.
    • In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
    • Review the CloudWatch alarm configuration details, then click Create Alarm. Once created, the new alarm will be listed on the Alarms page.
It is important to note that setting up the alarm does not fix the underlying issue. You need to identify and remediate the root cause of the misconfiguration to ensure that your infrastructure remains secure.

To remediate the Security Group Changes Alarm using the AWS CLI, follow these steps:
  1. Run the following command to create the necessary CloudWatch metric filter and associate it with the appropriate CloudTrail log group:
aws logs put-metric-filter \
    --region us-east-1 \
    --log-group-name CloudTrail/CloudWatchLogGroup \
    --filter-name SecurityGroupConfigChanges \
    --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' \
    --metric-transformations metricName=SecurityGroupEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
  1. Run the following command to create the AWS CloudWatch alarm that will fire whenever a configuration change involving an AWS security group within your account is made:
aws cloudwatch put-metric-alarm \
    --region us-east-1 \
    --alarm-name SecurityGroupConfigChangesAlarm \
    --alarm-description "Triggered by AWS security group(s) config changes." \
    --metric-name SecurityGroupEventCount \
    --namespace CloudTrailMetrics \
    --statistic Sum \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --period 300 \
    --threshold 1 \
    --actions-enabled \
    --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
After creating the alarm, ensure to investigate the cause of the security group changes and take any necessary steps to prevent similar misconfigurations in the future.
  1. To remediate the “Security Group Changes Alarm” misconfiguration in AWS using Python, you can follow the steps below:
  2. Import the necessary libraries and initialize the Boto3 client for CloudWatch logs and CloudWatch alarms.
  3. Create the metric filter to monitor changes to security groups.
  4. Create the CloudWatch alarm to trigger notifications for any changes. 
import boto3

# Initialize Boto3 clients
logs_client = boto3.client('logs')
cloudwatch_client = boto3.client('cloudwatch')

# Define parameters
log_group_name = 'CloudTrail/CloudWatchLogGroup'
filter_name = 'SecurityGroupConfigChanges'
metric_name = 'SecurityGroupEventCount'
namespace = 'CloudTrailMetrics'
alarm_name = 'SecurityGroupConfigChangesAlarm'
sns_topic_arn = 'ARN_OF_SNS_TOPIC'

# Create Metric Filter
logs_client.put_metric_filter(
    logGroupName=log_group_name,
    filterName=filter_name,
    filterPattern='{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }',
    metricTransformations=[{
        'metricName': metric_name,
        'metricNamespace': namespace,
        'metricValue': '1'
    }]
)

# Create CloudWatch Alarm
cloudwatch_client.put_metric_alarm(
    AlarmName=alarm_name,
    AlarmDescription='Triggered by AWS security group(s) config changes.',
    MetricName=metric_name,
    Namespace=namespace,
    Statistic='Sum',
    Period=300,
    EvaluationPeriods=1,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    ActionsEnabled=True,
    AlarmActions=[sns_topic_arn]
)

print("Metric filter and alarm created successfully.")
Note: Replace ARN_OF_SNS_TOPIC` with the appropriate ARN of your specific topic.

Additional Reading: