Create CloudWatch Alarm for VPC Flow Logs Metric Filter

01 Sign in to your Cloud Conformity console, access Create CloudWatch Alarm for VPC Flow Logs Metric Filter conformity rule settings and copy the name configured for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Log groups to access the log groups available in the current AWS region.

05 Paste the name of your flow log group, copied at step no. 1, into the Filter log groups search box and press Enter.

06 Select the log group returned at the previous step and click on the <number> filter link , available in the Metric Filters column, to access the metric filters created for the selected log group.

07 On Filters for <vpc_flow_log_group_name> page, search for the metric filter box with the Filter Pattern configuration attribute value set to { $.errorCode = "AccessDenied" }. Once the metric filter is found, verify the Alarms attribute. If the Alarms attribute for the selected metric filter is not listed, there is no AWS CloudWatch alarm configured for the VPC Flow Logs metric filter, therefore you may not be able to receive notifications when IP packets are rejected inside your VPC.

08 Change the AWS region from the navigation bar and repeat steps no. 5 – 7 to check for AWS CloudWatch alarms configured for VPC Flow Logs metric filters available in other regions (if any).

01 Sign in to your Cloud Conformity console, access Create CloudWatch Alarm for VPC Flow Logs Metric Filter conformity rule settings and copy the name defined for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Run describe-metric-filters command (OSX/Linux/UNIX) using the name of the flow log group copied at the previous step as identifier and custom query filters to get the name of the metric filter attached to the selected CloudWatch log group. Replace <vpc_flow_log_group_name> with the name of your own flow log group:

aws logs describe-metric-filters
	--region us-east-1
	--log-group-name <vpc_flow_log_group_name>
	--query "metricFilters[*].metricTransformations[*].metricName[]"

03 The command request should return the name of the requested metric filter:

[
    "cc-vpc-flow-log-metric"
]

04 Run describe-alarms command (OSX/Linux/UNIX) using the name of the metric filter returned at the previous step as query parameter to describe the name and the action(s) configured for the AWS CloudWatch alarm created for the selected metric filter:

aws cloudwatch describe-alarms
	--region us-east-1
	--query "MetricAlarms[?MetricName == 'cc-vpc-flow-log-metric'].{AlarmName:AlarmName,AlarmActions:AlarmActions}"

05 The command output should return the requested configuration information:

[]

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 to check for AWS CloudWatch alarms configured for VPC Flow Logs metric filters available in other regions (if applicable).

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create topic button.

04 In the Create topic dialog box, enter a name and a display name for your new SNS topic then click Create topic.

05 The page will redirect to newly created SNS topic configuration page or open by clicking on its Amazon Resource Name (ARN) link in SNS Topics.

06 Under Subscriptions section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the AWS CloudWatch alarm notifications then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click on Confirm subscription link to confirm your new email subscription.

10 Now navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

11 In the left navigation panel, click Logs.

12 Select your VPC Flow Logs CloudWatch log group and click on the <number> filter link, available in the Metric Filters column, to access the metric filters page for the selected group.

13 On Filters for <vpc_flow_log_group_name> page, choose the metric filter that you want to configure (see Audit section part I to identify the right metric filter), then click Create alarm link available in the Metric filters section to initiate the CloudWatch alarm setup process.

14 Within Create Alarm page, provide the following information:

1. In the Specify metric and conditions section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
2. In the Specify metric and conditions section, under Whenever: <Metric Name>select >= (greater than or equal to) and enter 1 as the threshold value in the box to trigger the alarm every time IP packets are rejected inside your VPC.
3. In the Configure actions section, under Notification, select In alarm in the Alarm state trigger section and choose the AWS SNS topic name created earlier from Send notification to dropdown list.
4. Inside the Add name and description section, in the Alarm name and Alarm description boxes, provide a unique name and a short description for your new CloudWatch alarm.
5. In the Preview and create section, review the alarm configuration details then click Create Alarm. Once created, the new CloudWatch alarm will be listed on the Alarms page. After the monitoring data is loaded, the State (status) of the new CloudWatch alarm will change from Insufficient data to OK.

01 First, run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications whenever the required AWS CloudWatch alarm is triggered:

aws sns create-topic
	--region us-east-1
	--name cc-vpc-flow-log-notifications

02 The command output should return the ARN for the newly created AWS SNS topic:

{
   "TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-vpc-flow-log-notifications"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (the email address provided as endpoint):

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications
	--protocol email
	--notification-endpoint admin@cloudconformity.com

04 The command output should return the following metadata:

{
	"SubscriptionArn": "pending confirmation"
}

05 Use your preferred email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new email subscription.

06 Run put-metric-alarm command (OSX/Linux/UNIX) to create the AWS CloudWatch alarm that will fire every time the threshold for the "REJECT" packets is reached. The following command example creates a CloudWatch alarm named "<vpc_flow_log_alarm_name>", within the US East (N. Virginia) region, for a metric filter called "<vpc_flow_log_metric_name>", alarm that sends notifications to an SNS topic called "cc-vpc-flow-log-notifications" when IP packets are rejected inside your VPC. Replace <vpc_flow_log_alarm_name> and <vpc_flow_log_metric_name> with your own resource names (if successful, the command does not return an output):

aws cloudwatch put-metric-alarm
	--region us-east-1
	--alarm-name <vpc_flow_log_alarm_name>
	--alarm-description "Triggered by 'REJECT' packets."
	--metric-name <vpc_flow_log_metric_name>
	--namespace LogMetrics
	--statistic Sum
	--comparison-operator GreaterThanOrEqualToThreshold
	--evaluation-periods 1
	--period 300
	--threshold 1
	--actions-enabled
	--alarm-actions arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications