AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
VPC Changes Alarm
More Info:
AWS VPCs configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWS, CBP, SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, NISTCSF, CISAWSF, PCI, APRA, MAS, NIST4
Triage and Remediation
Remediation
The VPC Changes Alarm is triggered when changes are made to the VPC configuration. To remediate this issue and set up the alarm, follow the steps below:
-
Sign in to the AWS Management Console.
-
Navigate to the CloudWatch dashboard at CloudWatch Console.
-
In the left navigation panel, select Logs.
-
Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
-
On the Define Logs Metric Filter page, paste the following filter pattern inside the Filter Pattern box:
{
($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) ||
($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) ||
($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) ||
($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) ||
($.eventName = EnableVpcClassicLink)
}
-
Review the metric filter configuration and click Assign Metric.
-
On the Create Metric Filter and Assign a Metric page, perform the following:
- In the Filter Name box, enter a unique name for the new filter, e.g.,
VPCNetworkConfigChanges. - In the Metric Namespace box, type
CloudTrailMetrics. - In the Metric Name box, type
VpcEventCount. - In the Metric Value box, enter
1.
- In the Filter Name box, enter a unique name for the new filter, e.g.,
-
Review the details and click Create Filter.
-
On the current page, click Create Alarm.
-
In the Create Alarm dialog box, provide the following:
- Name and Description: Enter a unique name and a short description for the CloudWatch alarm.
- Alarm Threshold: Set the threshold to trigger the alarm every time a configuration change involving an AWS VPC is made.
- Actions: Add notifications using an existing SNS topic.
- Alarm Preview: Set the period to
5 minutesand chooseSumfor the statistic.
- Review the details and click Create Alarm. Once created, the new alarm will be listed on the Alarms page.
The “VPC Changes Alarm” is an AWS CloudWatch alarm that is triggered when there are changes made to the Virtual Private Cloud (VPC) configuration. To remediate this issue, you can follow these steps:
- Run the following command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:
aws logs put-metric-filter \
--region us-east-1 \
--log-group-name CloudTrail/CloudWatchLogGroup \
--filter-name VPCNetworkConfigChanges \
--filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' \
--metric-transformations metricName=VpcEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
- Run the following command to create the AWS CloudWatch alarm:
aws cloudwatch put-metric-alarm \
--region us-east-1 \
--alarm-name VPCNetworkConfigChangesAlarm \
--alarm-description "Triggered by AWS VPC(s) environment config changes." \
--metric-name VpcEventCount \
--namespace CloudTrailMetrics \
--statistic Sum \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--period 300 \
--threshold 1 \
--actions-enabled \
--alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
To create a CloudWatch alarm using Python, follow these steps:
- Import the necessary AWS SDK libraries in Python:
import boto3
from botocore.exceptions import ClientError
- Create a CloudWatch alarm:
def create_cloudwatch_alarm():
cloudwatch = boto3.client('cloudwatch')
sns = boto3.client('sns')
alarm_name = 'VPCNetworkConfigChangesAlarm'
alarm_description = 'Alarm triggered by AWS VPC environment config changes.'
alarm_actions = ['arn:aws:sns:us-west-2:123456789012:my-email-topic']
metric_name = 'VpcEventCount'
namespace = 'CloudTrailMetrics'
statistic = 'Sum'
period = 300
evaluation_periods = 1
threshold = 1
comparison_operator = 'GreaterThanOrEqualToThreshold'
try:
cloudwatch.put_metric_alarm(
AlarmName=alarm_name,
AlarmDescription=alarm_description,
ActionsEnabled=True,
AlarmActions=alarm_actions,
MetricName=metric_name,
Namespace=namespace,
Statistic=statistic,
Period=period,
EvaluationPeriods=evaluation_periods,
Threshold=threshold,
ComparisonOperator=comparison_operator
)
print('CloudWatch alarm created successfully')
except ClientError as e:
print('Error creating CloudWatch alarm:', e)
return False
return True
-
Replace the email topic ARN with your own.
-
Call the
create_cloudwatch_alarm()function:
if __name__ == '__main__':
create_cloudwatch_alarm()
These steps will create a CloudWatch alarm using Python that monitors VPC configuration changes.