Triage and Remediation
Remediation
Using Console
Here are the step-by-step instructions to remediate the Security Group Changes Alarm misconfiguration in AWS using the AWS console:
- Sign in to your AWS Management Console.
- Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click the Create Metric Filter button.
- On the Define Logs Metric Filter page, paste your filter pattern inside the Filter Pattern box. This pattern will be used for scanning the AWS CloudTrail logs for event names like “CreateSecurityGroup”, “AuthorizeSecurityGroupIngress”, or “DeleteSecurityGroup”.
- Review the metric filter configuration details, then click Assign Metric.
- On the Create Metric Filter and Assign a Metric page, perform the following:
  - In the Filter Name box, enter a unique name for the new filter (e.g., SecurityGroupConfigChanges).
  - In the Metric Namespace box, type CloudTrailMetrics.
  - In the Metric Name box, type SecurityGroupEventCount for the metric identifier.
  - Click Show advanced metric settings to slide down the advanced settings section.
  - In the Metric Value box, enter 1.
- Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
- On the current page, click Create Alarm.
- In the Create Alarm dialog box, provide the following information:
  - Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
  - Under Whenever: Metric Name, select >= (greater than or equal to) from the dropdown list and enter 1 as the threshold value in the box next to the dropdown list, so that the alarm triggers every time a configuration change involving an AWS security group is made.
  - In the Actions section, click the + Notification button, select State is ALARM from the dropdown menu, and choose the AWS SNS topic name created previously from the Send notification to section.
  - In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
  - Review the CloudWatch alarm configuration details, then click Create Alarm. Once created, the new alarm will be listed on the Alarms page.
Using CLI
To remediate the Security Group Changes Alarm using the AWS CLI, follow these steps:
- Run the following command to create the necessary CloudWatch metric filter and associate it with the appropriate CloudTrail log group:
- Run the following command to create the AWS CloudWatch alarm that will fire whenever a configuration change involving an AWS security group within your account is made:
After creating the alarm, investigate the cause of the security group changes and take any steps needed to prevent similar misconfigurations in the future.
Using Python
To remediate the “Security Group Changes Alarm” misconfiguration in AWS using Python, you can follow the steps below:
- Import the necessary libraries and initialize the Boto3 clients for CloudWatch Logs and CloudWatch alarms.
- Create the metric filter to monitor changes to security groups.
- Create the CloudWatch alarm to trigger notifications for any changes.
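The three steps above as an added Python example (not code from the original page): it builds the metric filter and alarm with the same filter name, namespace, metric name, 5-minute Sum period and >= 1 threshold as the console steps, and applies them through boto3. The log group name, SNS topic ARN and alarm name are placeholders, and the six-event filter list is an assumption taken from the CIS AWS Foundations Benchmark control for security group changes (the page names three of those events).

```python
# Event names follow the CIS AWS Foundations Benchmark control (assumption); the page names three of them.
SG_EVENT_NAMES = [
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
]

def build_filter_pattern(event_names=SG_EVENT_NAMES):
    """CloudWatch Logs filter pattern that matches any of the CloudTrail event names."""
    return "{ " + " || ".join(f"($.eventName = {n})" for n in event_names) + " }"

def metric_filter_params(log_group, filter_name="SecurityGroupConfigChanges",
                         namespace="CloudTrailMetrics", metric_name="SecurityGroupEventCount"):
    """Keyword arguments for logs.put_metric_filter: emit metric value 1 per matching event."""
    return {
        "logGroupName": log_group,
        "filterName": filter_name,
        "filterPattern": build_filter_pattern(),
        "metricTransformations": [{"metricName": metric_name, "metricNamespace": namespace,
                                   "metricValue": "1"}],
    }

def alarm_params(sns_topic_arn, alarm_name="SecurityGroupChangesAlarm",
                 namespace="CloudTrailMetrics", metric_name="SecurityGroupEventCount"):
    """Keyword arguments for cloudwatch.put_metric_alarm: Sum over 5 minutes >= 1."""
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": "Fires on any security group configuration change",
        "Namespace": namespace, "MetricName": metric_name,
        "Statistic": "Sum",
        "Period": 300,                       # 5 minutes, as in the console steps
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "AlarmActions": [sns_topic_arn],     # notify the SNS topic when State is ALARM
        "TreatMissingData": "notBreaching",  # a period with no events must not alarm
    }

def remediate(logs, cloudwatch, log_group, sns_topic_arn):
    """Create the filter, then the alarm, through boto3 clients (or test doubles)."""
    mf, al = metric_filter_params(log_group), alarm_params(sns_topic_arn)
    logs.put_metric_filter(**mf)
    cloudwatch.put_metric_alarm(**al)
    return mf, al  # the kwargs actually sent, useful for tests and change records

if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay importable offline
    remediate(boto3.client("logs"), boto3.client("cloudwatch"),
              "CloudTrail/DefaultLogGroup", "arn:aws:sns:us-east-1:123456789012:sg-alerts")  # placeholders
```

Because remediate() takes the clients as arguments, the same code can be exercised against recording stubs before it is run with real credentials.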