Ensure there is a CloudWatch alarm set up in your AWS account that is triggered each time a security group configuration change is made. This CloudWatch alarm must fire every time an AWS API call is performed to create, update or delete a security group.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using CloudWatch alarms to detect any configuration changes involving AWS security groups will help you prevent unexpected inbound and/or outbound rule modifications that may lead to unrestricted or unauthorized access.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You have also the option to implement this conformity rule with AWS CloudFormation. Download the required CloudFormation template from this URL and follow the AWS instructions available here.
Audit
To determine if there are any CloudWatch alarms set up to monitor AWS security groups configuration changes within your AWS account, perform the following:
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notifications whenever an AWS CloudWatch alarm is triggered by a security group configuration change.
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an AWS security group configuration will change.
References
- AWS Documentation
- Amazon CloudWatch Concepts
- Creating CloudWatch Alarms for CloudTrail Events
- Create a Topic
- Subscribe to a Topic
- Using an AWS CloudFormation Template to Create CloudWatch Alarms
- AWS Command Line Interface (CLI) Documentation
- cloudwatch
- describe-alarms-for-metric
- put-metric-alarm
- put-metric-filter
- sns
- create-topic
- subscribe
- confirm-subscription
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Security Group Changes Alarm
Risk Level: Medium