More Info:

AWS VPCs configuration changes should be monitored using CloudWatch alarms.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS, CBP, SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, NISTCSF, CISAWSF, PCI, APRA, MAS, NIST4

Triage and Remediation

Remediation

Using Console

The VPC Changes Alarm is triggered when changes are made to the VPC configuration. To remediate this issue and set up the alarm, follow the steps below:
  1. Sign in to the AWS Management Console.
  2. Navigate to the CloudWatch dashboard at CloudWatch Console.
  3. In the left navigation panel, select Logs.
  4. Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
  5. On the Define Logs Metric Filter page, paste the following filter pattern inside the Filter Pattern box: 
{
    ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) ||
    ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) ||
    ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) ||
    ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) ||
    ($.eventName = EnableVpcClassicLink)
}
  1. Review the metric filter configuration and click Assign Metric.
  2. On the Create Metric Filter and Assign a Metric page, perform the following:
    • In the Filter Name box, enter a unique name for the new filter, e.g., VPCNetworkConfigChanges.
    • In the Metric Namespace box, type CloudTrailMetrics.
    • In the Metric Name box, type VpcEventCount.
    • In the Metric Value box, enter 1.
  3. Review the details and click Create Filter.
  4. On the current page, click Create Alarm.
  5. In the Create Alarm dialog box, provide the following:
  • Name and Description: Enter a unique name and a short description for the CloudWatch alarm.
  • Alarm Threshold: Set the threshold to trigger the alarm every time a configuration change involving an AWS VPC is made.
  • Actions: Add notifications using an existing SNS topic.
  • Alarm Preview: Set the period to 5 minutes and choose Sum for the statistic.
  1. Review the details and click Create Alarm. Once created, the new alarm will be listed on the Alarms page.

The “VPC Changes Alarm” is an AWS CloudWatch alarm that is triggered when there are changes made to the Virtual Private Cloud (VPC) configuration. To remediate this issue, you can follow these steps:
  1. Run the following command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:
aws logs put-metric-filter \
    --region us-east-1 \
    --log-group-name CloudTrail/CloudWatchLogGroup \
    --filter-name VPCNetworkConfigChanges \
    --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' \
    --metric-transformations metricName=VpcEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
  1. Run the following command to create the AWS CloudWatch alarm:
aws cloudwatch put-metric-alarm \
    --region us-east-1 \
    --alarm-name VPCNetworkConfigChangesAlarm \
    --alarm-description "Triggered by AWS VPC(s) environment config changes." \
    --metric-name VpcEventCount \
    --namespace CloudTrailMetrics \
    --statistic Sum \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --period 300 \
    --threshold 1 \
    --actions-enabled \
    --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
To create a CloudWatch alarm using Python, follow these steps:
  1. Import the necessary AWS SDK libraries in Python:
import boto3
from botocore.exceptions import ClientError
  1. Create a CloudWatch alarm:
def create_cloudwatch_alarm():
    cloudwatch = boto3.client('cloudwatch')
    sns = boto3.client('sns')
    alarm_name = 'VPCNetworkConfigChangesAlarm'
    alarm_description = 'Alarm triggered by AWS VPC environment config changes.'
    alarm_actions = ['arn:aws:sns:us-west-2:123456789012:my-email-topic']
    metric_name = 'VpcEventCount'
    namespace = 'CloudTrailMetrics'
    statistic = 'Sum'
    period = 300
    evaluation_periods = 1
    threshold = 1
    comparison_operator = 'GreaterThanOrEqualToThreshold'
    try:
        cloudwatch.put_metric_alarm(
            AlarmName=alarm_name,
            AlarmDescription=alarm_description,
            ActionsEnabled=True,
            AlarmActions=alarm_actions,
            MetricName=metric_name,
            Namespace=namespace,
            Statistic=statistic,
            Period=period,
            EvaluationPeriods=evaluation_periods,
            Threshold=threshold,
            ComparisonOperator=comparison_operator
        )
        print('CloudWatch alarm created successfully')
    except ClientError as e:
        print('Error creating CloudWatch alarm:', e)
        return False
    return True
  1. Replace the email topic ARN with your own.
  2. Call the create_cloudwatch_alarm() function: 
if __name__ == '__main__':
    create_cloudwatch_alarm()
These steps will create a CloudWatch alarm using Python that monitors VPC configuration changes.

Additional Reading: