Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.
Rationale:
Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.
Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
aws logs put-metric-filter --log-group-name "" --filter-name "" --metric-transformations metricName= "" ,metricNamespace="CISBenchmark",metricValue=1 --filter-pattern "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
aws sns create-topic --name ""
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
aws sns subscribe --topic-arn "" --protocol --notification-endpoint ""
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
aws cloudwatch put-metric-alarm --alarm-name "" --metric-name "" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions ""