Ensure a log metric filter and alarm exist for changes to network gateways

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Network gateways are required to send and receive traffic to a destination outside a VPC.

CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.

Resolution

Create an alarm to alert on CloudTrail configuration changes

Ensure a log metric filter and alarm exist for IAM policy changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact.

Resolution

Create an alarm to alert on IAM Policy changes

Ensure a log metric filter and alarm exist for organisation changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.

Resolution

Create an alarm to alert on organisation changes

Ensure a log metric filter and alarm exist for route table changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Routing tables route network traffic between subnets and to network gateways.

CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.

Ensure a log metric filter and alarm exist for S3 bucket policy changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.

Resolution

Create an alarm to alert on S3 Bucket policy changes

Ensure a log metric filter and alarm exist for security group changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.

CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren’t unintentionally exposed.

Ensure a log metric filter and alarm exist for unauthorized API calls

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity.

Ensure a log metric filter and alarm exist for usage of root user

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for root user login attempts. Monitoring for root user logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

Ensure a log metric filter and alarm exist for VPC changes

Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.

CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
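Every check on this page (network gateways, CloudTrail configuration, IAM policies, Organizations, route tables, S3 bucket policies, security groups, unauthorized API calls, root user usage and VPC changes) rests on the same pipeline: a trail delivering to a CloudWatch Logs group, a metric filter per control, and an alarm on the resulting metric. The Terraform below is an added example, not code from the original page or its policy vendor. It wires one trail into a log group and then creates a filter and alarm for each control from a single map, using the CIS AWS Foundations Benchmark filter patterns. Assumed and not taken from the page: the `trail_bucket` variable, the SNS topic and log group names, and the metric namespace `CISBenchmark`.

```hcl
# Added example (not from the original page): one CloudTrail -> CloudWatch Logs
# -> metric filter -> alarm pipeline covering all ten CIS controls above.
# Assumed: an existing S3 bucket (var.trail_bucket), the names below, and the
# custom namespace "CISBenchmark".

variable "trail_bucket" {
  type = string # existing bucket the trail may write to (assumed)
}

resource "aws_sns_topic" "alerts" {
  name = "cis-cloudwatch-alerts" # subscribe a pager or mailbox; an alarm nobody receives is silent
}

resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "/aws/cloudtrail/management-events"
  retention_in_days = 365
}

# Without this role and the log-group wiring on the trail, every filter below matches nothing.
data "aws_iam_policy_document" "cloudtrail_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "cloudtrail_to_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.cloudtrail.arn}:*"]
  }
}

resource "aws_iam_role" "cloudtrail_to_logs" {
  name               = "cloudtrail-to-cloudwatch-logs"
  assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
}

resource "aws_iam_role_policy" "cloudtrail_to_logs" {
  role   = aws_iam_role.cloudtrail_to_logs.id
  policy = data.aws_iam_policy_document.cloudtrail_to_logs.json
}

resource "aws_cloudtrail" "main" {
  name                       = "management-events"
  s3_bucket_name             = var.trail_bucket
  is_multi_region_trail      = true
  enable_log_file_validation = true
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*" # the ":*" suffix is required
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_to_logs.arn
}

locals {
  # CIS AWS Foundations Benchmark filter patterns, one entry per control on this page.
  cis_filters = {
    UnauthorizedAPICalls  = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
    RootUsage             = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
    IAMPolicyChanges      = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }"
    CloudTrailChanges     = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
    S3BucketPolicyChanges = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
    SecurityGroupChanges  = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
    NetworkGatewayChanges = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
    RouteTableChanges     = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
    VPCChanges            = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
    OrganizationsChanges  = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUnit)) }"
  }
}

# One metric filter per control; each matching CloudTrail event adds 1 to its metric.
resource "aws_cloudwatch_log_metric_filter" "cis" {
  for_each       = local.cis_filters
  name           = each.key
  pattern        = each.value
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  metric_transformation {
    name      = each.key
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# One alarm per filter: a single matching event within a 5-minute period triggers it.
resource "aws_cloudwatch_metric_alarm" "cis" {
  for_each            = local.cis_filters
  alarm_name          = each.key
  namespace           = "CISBenchmark"
  metric_name         = aws_cloudwatch_log_metric_filter.cis[each.key].metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # a quiet period is normal, not an incident
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
```

Two checks are worth making after `terraform apply`, because a filter and alarm can exist and still detect nothing: the trail must really deliver to the log group (`cloud_watch_logs_group_arn` set with the `:*` suffix and a role that cloudtrail.amazonaws.com can assume), and the SNS topic needs at least one confirmed subscription. `aws logs test-metric-filter --filter-pattern ... --log-event-messages ...` with a sample CloudTrail event confirms that a pattern matches before you rely on it; the `RootUsage` pattern in particular is deliberately narrowed so that service-initiated root events (`AwsServiceEvent`, or an `invokedBy` field) do not page anyone.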