
Create CloudWatch Alarm for VPC Flow Logs Metric Filter

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CWL-019

Ensure that an AWS CloudWatch alarm is created and configured for the metric filter attached to the VPC Flow Logs CloudWatch log group in order to receive notifications when IP packets are rejected inside the specified VPC. The CloudWatch alarm needs to be configured to watch the VPC Flow Logs metric filter over a specified period of time and perform an action based on the value of the metric relative to a given threshold over a number of time periods. The action taken when the alarm changes its state must be a notification sent to an AWS SNS topic that you created. Prior to running this rule by the Cloud Conformity engine, the name of the VPC Flow Logs CloudWatch log group, e.g. <vpc_flow_log_group_name>, must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an Amazon CloudWatch alarm is configured for the VPC Flow Logs metric filter, you should be able to receive notifications when IP packets are rejected inside your VPC. In this way you can have an accurate image of the rejected IP traffic available within your Virtual Private Cloud.

Note 1: This conformity rule assumes that the VPC Flow Logs CloudWatch log group and the required metric filter are already configured within your AWS account, otherwise implement the steps outlined in this rule to create and configure the necessary resources.
Note 2: Make sure that you replace all <vpc_flow_log_group_name> placeholders found in the conformity rule content with the name of your own log group assigned to the VPC Flow Logs.


Audit

To determine if a CloudWatch alarm is created for the VPC Flow Logs metric filter and the alarm action is configured to send notifications to an SNS topic, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create CloudWatch Alarm for VPC Flow Logs Metric Filter conformity rule settings and copy the name configured for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Log groups to access the log groups available in the current AWS region.

05 Paste the name of your flow log group, copied at step no. 1, into the Filter log groups search box and press Enter.

06 Select the log group returned at the previous step and click on the <number> filter link, available in the Metric Filters column, to access the metric filters created for the selected log group.

07 On Filters for <vpc_flow_log_group_name> page, search for the metric filter box with the Filter Pattern configuration attribute value set to { $.errorCode = "AccessDenied" }. Once the metric filter is found, verify the Alarms attribute. If the Alarms attribute for the selected metric filter is not listed, there is no AWS CloudWatch alarm configured for the VPC Flow Logs metric filter, therefore you may not be able to receive notifications when IP packets are rejected inside your VPC.

08 Change the AWS region from the navigation bar and repeat steps no. 5 – 7 to check for AWS CloudWatch alarms configured for VPC Flow Logs metric filters available in other regions (if any).

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create CloudWatch Alarm for VPC Flow Logs Metric Filter conformity rule settings and copy the name defined for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Run describe-metric-filters command (OSX/Linux/UNIX) using the name of the flow log group copied at the previous step as identifier and custom query filters to get the name of the metric filter attached to the selected CloudWatch log group. Replace <vpc_flow_log_group_name> with the name of your own flow log group:

aws logs describe-metric-filters \
	--region us-east-1 \
	--log-group-name <vpc_flow_log_group_name> \
	--query "metricFilters[*].metricTransformations[*].metricName[]"

03 The command request should return the name of the requested metric filter:

[
    "cc-vpc-flow-log-metric"
]

04 Run describe-alarms command (OSX/Linux/UNIX) using the name of the metric filter returned at the previous step as query parameter to describe the name and the action(s) configured for the AWS CloudWatch alarm created for the selected metric filter:

aws cloudwatch describe-alarms \
	--region us-east-1 \
	--query "MetricAlarms[?MetricName == 'cc-vpc-flow-log-metric'].{AlarmName:AlarmName,AlarmActions:AlarmActions}"

05 The command output should return the requested configuration information:

[]

If the describe-alarms command output returns an empty array (i.e. []), as shown in the example above, there is no Amazon CloudWatch alarm configured for the VPC Flow Logs metric filter, therefore you may not be able to receive notifications when IP packets are rejected within your Virtual Private Cloud.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 to check for AWS CloudWatch alarms configured for VPC Flow Logs metric filters available in other regions (if applicable).

Remediation / Resolution

To create and configure the required Amazon CloudWatch alarm for the VPC Flow Logs metric filter, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create topic button.

04 In the Create topic dialog box, enter a name and a display name for your new SNS topic then click Create topic.

05 The console redirects to the configuration page of the newly created SNS topic; if it does not, open the page by clicking the topic's Amazon Resource Name (ARN) link in the Topics list.

06 Under Subscriptions section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the AWS CloudWatch alarm notifications then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click on Confirm subscription link to confirm your new email subscription.

10 Now navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

11 In the left navigation panel, click Logs.

12 Select your VPC Flow Logs CloudWatch log group and click on the <number> filter link, available in the Metric Filters column, to access the metric filters page for the selected group.

13 On Filters for <vpc_flow_log_group_name> page, choose the metric filter that you want to configure (see Audit section part I to identify the right metric filter), then click Create alarm link available in the Metric filters section to initiate the CloudWatch alarm setup process.

14 Within Create Alarm page, provide the following information:

  1. In the Specify metric and conditions section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
  2. In the Specify metric and conditions section, under Whenever: <Metric Name>, select >= (greater than or equal to) and enter 1 as the threshold value in the box, so that the alarm is triggered every time IP packets are rejected inside your VPC.
  3. In the Configure actions section, under Notification, select In alarm in the Alarm state trigger section and choose the AWS SNS topic name created earlier from Send notification to dropdown list.
  4. Inside the Add name and description section, in the Alarm name and Alarm description boxes, provide a unique name and a short description for your new CloudWatch alarm.
  5. In the Preview and create section, review the alarm configuration details then click Create Alarm. Once created, the new CloudWatch alarm will be listed on the Alarms page. After the monitoring data is loaded, the State (status) of the new CloudWatch alarm will change from Insufficient data to OK.

Using AWS CLI

01 First, run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications whenever the required AWS CloudWatch alarm is triggered:

aws sns create-topic \
	--region us-east-1 \
	--name cc-vpc-flow-log-notifications

02 The command output should return the ARN for the newly created AWS SNS topic:

{
   "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (the email address provided as endpoint):

aws sns subscribe \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications \
	--protocol email \
	--notification-endpoint admin@cloudconformity.com

04 The command output should return the following metadata:

{
	"SubscriptionArn": "pending confirmation"
}

05 Use your preferred email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new email subscription.

06 Run put-metric-alarm command (OSX/Linux/UNIX) to create the AWS CloudWatch alarm that will fire every time the threshold for the "REJECT" packets is reached. The following command example creates a CloudWatch alarm named "<vpc_flow_log_alarm_name>", within the US East (N. Virginia) region, for a metric filter called "<vpc_flow_log_metric_name>". The alarm sends notifications to the SNS topic called "cc-vpc-flow-log-notifications" whenever IP packets are rejected inside your VPC. Replace <vpc_flow_log_alarm_name> and <vpc_flow_log_metric_name> with your own resource names (if successful, the command does not return an output):

aws cloudwatch put-metric-alarm \
	--region us-east-1 \
	--alarm-name <vpc_flow_log_alarm_name> \
	--alarm-description "Triggered by 'REJECT' packets." \
	--metric-name <vpc_flow_log_metric_name> \
	--namespace LogMetrics \
	--statistic Sum \
	--comparison-operator GreaterThanOrEqualToThreshold \
	--evaluation-periods 1 \
	--period 300 \
	--threshold 1 \
	--actions-enabled \
	--alarm-actions arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications
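To turn the Audit CLI steps (describe-metric-filters followed by describe-alarms, repeated per region) and the alarm settings used by the Remediation put-metric-alarm command into one repeatable check, here is an added Python example; it is not code from this Conformity rule page or from Trend Micro. It evaluates JSON shaped like the two CLI outputs, embedded here as constructed sample data for three hypothetical regions so that it runs offline; feed it the real `aws ... --output json` results to audit an actual account. The metric name cc-vpc-flow-log-metric, the SNS topic name and the LogMetrics namespace come from the page; the alarm name, the eu-west-1 data and the placeholder account ID are assumptions.

```python
"""Offline audit of CloudWatch alarms for a VPC Flow Logs metric filter.

Added example, not code from the Conformity rule page. It evaluates JSON
shaped like the output of `aws logs describe-metric-filters` and
`aws cloudwatch describe-alarms`, which the Audit section runs per region.
"""

# Constructed sample data (assumption): the same metric filter on the flow log
# group in three hypothetical regions, mirroring Audit step 03's output.
_FLOW_LOG_FILTER = {"metricFilters": [{
    "filterName": "cc-vpc-flow-log-filter",  # assumed filter name
    "logGroupName": "<vpc_flow_log_group_name>",
    "metricTransformations": [{"metricName": "cc-vpc-flow-log-metric",
                               "metricNamespace": "LogMetrics", "metricValue": "1"}]}]}
SAMPLE_METRIC_FILTERS = {r: _FLOW_LOG_FILTER for r in ("us-east-1", "us-west-2", "eu-west-1")}

SAMPLE_ALARMS = {
    # Matches the Remediation put-metric-alarm settings: PASS expected.
    "us-east-1": {"MetricAlarms": [{
        "AlarmName": "vpc-flow-log-reject-alarm",  # assumed alarm name
        "MetricName": "cc-vpc-flow-log-metric", "Namespace": "LogMetrics",
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1.0,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold", "ActionsEnabled": True,
        "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications"]}]},
    # Empty array: the failing case shown in Audit step 05.
    "us-west-2": {"MetricAlarms": []},
    # Alarm exists, but actions are disabled, no SNS topic is attached and the
    # statistic is wrong, so packets could be rejected without a notification.
    "eu-west-1": {"MetricAlarms": [{
        "AlarmName": "vpc-flow-log-reject-alarm",
        "MetricName": "cc-vpc-flow-log-metric", "Namespace": "LogMetrics",
        "Statistic": "Average", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1.0,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold", "ActionsEnabled": False,
        "AlarmActions": []}]},
}


def metric_names(describe_metric_filters_output):
    """Same selection as --query "metricFilters[*].metricTransformations[*].metricName[]"."""
    return [t["metricName"]
            for f in describe_metric_filters_output.get("metricFilters", [])
            for t in f.get("metricTransformations", [])]


def alarms_for_metric(describe_alarms_output, metric_name):
    """Same selection as --query "MetricAlarms[?MetricName == '<name>']"."""
    return [a for a in describe_alarms_output.get("MetricAlarms", [])
            if a.get("MetricName") == metric_name]


def check_alarm(alarm):
    """List every way an alarm deviates from the Remediation section's settings."""
    issues = []
    if not alarm.get("ActionsEnabled", False):
        issues.append("actions disabled")
    if not any(a.startswith("arn:aws:sns:") for a in alarm.get("AlarmActions", [])):
        issues.append("no SNS topic in AlarmActions")
    if alarm.get("Statistic") != "Sum":
        issues.append("statistic is not Sum")
    if alarm.get("ComparisonOperator") != "GreaterThanOrEqualToThreshold":
        issues.append("comparison operator is not GreaterThanOrEqualToThreshold")
    if alarm.get("Threshold", 0) < 1:
        issues.append("threshold below 1")
    return issues


def audit_region(region, filters_out, alarms_out):
    """Apply Audit steps 02-05 to one region's CLI outputs and return findings."""
    findings = []
    names = metric_names(filters_out)
    if not names:
        findings.append({"region": region, "metric": None, "status": "FAIL",
                         "reason": "no metric filter on the flow log group"})
    for name in names:
        alarms = alarms_for_metric(alarms_out, name)
        if not alarms:
            findings.append({"region": region, "metric": name, "status": "FAIL",
                             "reason": "no CloudWatch alarm for metric filter"})
            continue
        for alarm in alarms:
            issues = check_alarm(alarm)
            findings.append({"region": region, "metric": name,
                             "alarm": alarm.get("AlarmName"),
                             "status": "FAIL" if issues else "PASS",
                             "reason": "; ".join(issues) or "alarm notifies an SNS topic"})
    return findings


def audit(filters_by_region, alarms_by_region):
    """Loop over regions, as Audit step 06 asks you to do by hand."""
    return [f for region, filters_out in filters_by_region.items()
            for f in audit_region(region, filters_out, alarms_by_region.get(region, {}))]


if __name__ == "__main__":
    for finding in audit(SAMPLE_METRIC_FILTERS, SAMPLE_ALARMS):
        print(f"{finding['status']:4} {finding['region']:10} {finding['reason']}")
```

The check goes one step beyond the page's empty-array test: an alarm that exists but has actions disabled or no SNS topic in its actions is reported as a failure too, because either state leaves rejected packets unreported just as a missing alarm would.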

Publication date Aug 18, 2016