Ensure that an AWS CloudWatch alarm is created and configured for the metric filter attached to the VPC Flow Logs CloudWatch log group, so that you receive notifications when IP packets are rejected inside the specified VPC. The CloudWatch alarm needs to watch the metric published by the VPC Flow Logs metric filter over a specified period and perform an action based on the value of that metric relative to a given threshold across a number of evaluation periods. The action taken when the alarm changes state must be a notification sent to an AWS SNS topic that you created. Before the Cloud Conformity engine runs this rule, the name of the VPC Flow Logs CloudWatch log group, e.g. <vpc_flow_log_group_name>, must be configured in the rule settings on your Cloud Conformity account dashboard.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an Amazon CloudWatch alarm is configured for the VPC Flow Logs metric filter, you receive notifications whenever IP packets are rejected inside your VPC. This gives you an accurate picture of the rejected IP traffic within your Virtual Private Cloud.
Note 1: This conformity rule assumes that the VPC Flow Logs CloudWatch log group and the required metric filter are already configured within your AWS account; otherwise, implement the steps outlined in this rule to create and configure the necessary resources.
Note 2: Make sure that you replace all <vpc_flow_log_group_name> placeholders found in the conformity rule content with the name of your own log group assigned to the VPC Flow Logs.
Audit
To determine if a CloudWatch alarm is created for the VPC Flow Logs metric filter and the alarm action is configured to send notifications to an SNS topic, perform the following actions:
Remediation / Resolution
To create and configure the required Amazon CloudWatch alarm for the VPC Flow Logs metric filter, perform the following actions:
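The following script is an added example, not part of the Conformity rule or its engine. It implements the audit logic the rule describes, and builds the parameter set for the remediation step, against the JSON the AWS CLI returns for `aws logs describe-metric-filters --log-group-name <vpc_flow_log_group_name>` and `aws cloudwatch describe-alarms`. The sample responses, the metric filter name and pattern, the account id, the region and the SNS topic name are all constructed placeholders; in practice you would feed the script the real CLI output. It checks that at least one alarm watches the metric published by the log group's metric filter, that the alarm's actions are enabled, and that at least one alarm action is an SNS topic ARN.

```python
"""Audit and remediation helper for the VPC Flow Logs rejected-packets alarm check.

Added example (not Conformity's own code). Inputs are the JSON documents produced by
`aws logs describe-metric-filters --log-group-name <log group>` and
`aws cloudwatch describe-alarms`; the samples below are constructed for this example.
"""
import json
import re

# Constructed sample: what `aws logs describe-metric-filters --log-group-name vpc-flow-logs`
# might return when a metric filter matching REJECT records is attached to the log group.
METRIC_FILTERS_JSON = json.dumps({
    "metricFilters": [
        {
            "filterName": "VPCFlowLogsRejectedPackets",  # placeholder filter name
            "filterPattern": "[version, account, eni, source, destination, srcport, "
                             "destport, protocol, packets, bytes, windowstart, windowend, "
                             "action=REJECT, flowlogstatus]",
            "logGroupName": "vpc-flow-logs",  # placeholder for <vpc_flow_log_group_name>
            "metricTransformations": [
                {"metricName": "RejectedPackets", "metricNamespace": "VPCFlowLogs", "metricValue": "1"}
            ],
        }
    ]
})

# Constructed sample: what `aws cloudwatch describe-alarms` might return. The second alarm is
# unrelated to VPC Flow Logs and must not satisfy the check.
ALARMS_JSON = json.dumps({
    "MetricAlarms": [
        {
            "AlarmName": "VPCFlowLogsRejectedPacketsAlarm",
            "Namespace": "VPCFlowLogs",
            "MetricName": "RejectedPackets",
            "Statistic": "Sum",
            "Period": 300,
            "EvaluationPeriods": 1,
            "Threshold": 1.0,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "ActionsEnabled": True,
            # placeholder account id and topic name
            "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:conformity-alerts"],
        },
        {
            "AlarmName": "CPUHigh",
            "Namespace": "AWS/EC2",
            "MetricName": "CPUUtilization",
            "ActionsEnabled": True,
            "AlarmActions": [],
        },
    ]
})

# SNS topic ARNs in any AWS partition (aws, aws-cn, aws-us-gov).
SNS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:sns:")


def metric_filter_metrics(describe_metric_filters_json, log_group_name):
    """Return the set of (namespace, metricName) pairs published by filters on log_group_name."""
    data = json.loads(describe_metric_filters_json)
    metrics = set()
    for mf in data.get("metricFilters", []):
        if mf.get("logGroupName") != log_group_name:
            continue
        for t in mf.get("metricTransformations", []):
            metrics.add((t["metricNamespace"], t["metricName"]))
    return metrics


def notifying_alarms(describe_alarms_json, namespace, metric_name):
    """Return the names of enabled alarms on namespace/metric_name that notify an SNS topic."""
    data = json.loads(describe_alarms_json)
    names = []
    for alarm in data.get("MetricAlarms", []):
        if (alarm.get("Namespace"), alarm.get("MetricName")) != (namespace, metric_name):
            continue
        if not alarm.get("ActionsEnabled", True):
            continue  # an alarm whose actions are disabled never sends the notification
        if any(SNS_ARN_RE.match(a) for a in alarm.get("AlarmActions", [])):
            names.append(alarm["AlarmName"])
    return names


def audit(describe_metric_filters_json, describe_alarms_json, log_group_name):
    """Evaluate the rule. Returns (compliant, findings) where findings is a list of strings."""
    metrics = metric_filter_metrics(describe_metric_filters_json, log_group_name)
    if not metrics:
        return False, [f"NON-COMPLIANT: no metric filter is attached to log group {log_group_name}"]
    compliant, findings = True, []
    for namespace, name in sorted(metrics):
        alarms = notifying_alarms(describe_alarms_json, namespace, name)
        if alarms:
            findings.append(f"OK: alarm(s) {', '.join(alarms)} notify SNS for {namespace}/{name}")
        else:
            compliant = False
            findings.append(f"NON-COMPLIANT: no enabled alarm with an SNS action watches {namespace}/{name}")
    return compliant, findings


def put_metric_alarm_params(namespace, metric_name, topic_arn, alarm_name):
    """Build the parameters for `aws cloudwatch put-metric-alarm --cli-input-json` (or boto3's
    put_metric_alarm) that remediate the finding: alarm on >= 1 rejected packet per 5 minutes."""
    return {
        "AlarmName": alarm_name,
        "Namespace": namespace,
        "MetricName": metric_name,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1.0,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "ActionsEnabled": True,
        "AlarmActions": [topic_arn],
    }


if __name__ == "__main__":
    ok, notes = audit(METRIC_FILTERS_JSON, ALARMS_JSON, "vpc-flow-logs")
    print("compliant" if ok else "non-compliant")
    for note in notes:
        print(" ", note)
```

The audit deliberately treats an alarm with `ActionsEnabled` set to false as non-compliant, since a paused alarm produces no SNS notification even when the threshold is crossed; the remediation parameters mirror the fields the rule text names (period, evaluation periods, threshold and an SNS alarm action).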
References
- AWS Documentation
  - Subscribe to a Topic
  - Amazon CloudWatch Logs Concepts
  - Searching and Filtering Log Data
  - VPC Flow Logs
  - Creating Amazon CloudWatch Alarms
  - Create a Topic
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - logs
    - describe-metric-filters
    - describe-log-groups
  - cloudwatch
    - describe-alarms
    - put-metric-alarm
  - sns
    - create-topic
    - subscribe
    - confirm-subscription