Ensure CloudWatch has an Alarm for VPC Changes

Amazon CloudWatch is a monitoring and observability service that can give real time insight into all actions and metrics going on with-in your infrastructure. CloudWatch allows for the creation of alarms that can allow for actionable responses to events. Understanding when a VPC changes alert you to a potential security incident and is why this is considered a security best practice. This can help with ensuring you are compliant with the CIS benchmark. If you need to create additional alarms for other services, you can leverage our CloudTrail Event Generator tool to help you create the event pattern.

Audit & Remediation

  • Login into your AWS account
  • Navigate to the CloudWatch service at: https://console.aws.amazon.com/cloudwatch
  • Navigate to Logs --> Log groups in the left hand panel. Then in the main panel, in the filter look for your CloudTrail log group.

 

 

  • Select the tab Metric filters and in the text boxFind metric filters look for:
    { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }
  • If nothing is returned, select the button Create metric filter

 

 

  • In the Filter pattern and the following filter:
    { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }
  • select the Next button.

 

 

  • Fill in the following information into this form:
    • Filter name: VPC Changes
    • Metric namespace: CloudTrail
    • Metric name: VPC Changes.
    • Metric value: 1.
  • Select next to save the alarm.
  • Continue this for each AWS account you have to ensure compliancy.
See all of your AWS assets in a single place!

Do you want to see all of your AWS assets in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.
demo.intelligentdiscovery.io

 

Other Key Features

Inventory

Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.

learn more +