Internet Gateway Changes Alarm
More Info:
AWS VPC Customer/Internet Gateway configuration changes should be monitored using CloudWatch alarms.Risk Level
MediumAddress
SecurityCompliance Standards
SOC2, HIPAA, ISO27001, NIST4, CISAWSF, PCI, APRA, MASTriage and Remediation
Remediation
Using Console
Using Console
To remediate the “Internet Gateway Changes Alarm” misconfiguration in AWS using the AWS console, follow these steps:This pattern will be used for scanning the AWS CloudTrail logs for event names like
- Sign in to the AWS Management Console.
- Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:
“CreateInternetGateway”, “AttachInternetGateway” or “DeleteInternetGateway”.- Review the metric filter configuration details, then click Assign Metric.
- On the Create Metric Filter and Assign a Metric page, perform the following:
- In the Filter Name box, enter a unique name for the new filter, e.g.,
VPCGatewayConfigChanges. - In the Metric Namespace box, type
CloudTrailMetrics. - In the Metric Name box, type
GatewayEventCountfor the metric identifier. - Click Show advanced metric settings to slide down the advanced settings section.
- In the Metric Value box, enter
1.
- In the Filter Name box, enter a unique name for the new filter, e.g.,
- Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
- On the current page, click Create Alarm.
- In the Create Alarm dialog box, provide the following information: - Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm. - Under Whenever: Metric Name, select
>= (greater than or equal to)from the dropdown list and enter1as the threshold value to trigger the alarm every time a configuration change involving a VPC Network Customer/Internet Gateway is made. - In the Actions section, click the + Notification button, selectState is ALARMfrom the Whenever this alarm dropdown menu, and choose the AWS SNS topic name created at Step 1 from Send notification to. - In the Alarm Preview section, select5 Minutesfrom the Period dropdown list andSumfrom the Statistic list. - Review the CloudWatch alarm configuration details, then click Create Alarm. Once created, the new alarm will be listed on the Alarms page.
Using CLI
Using CLI
To remediate the “Internet Gateway Changes Alarm” misconfiguration using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine.
- Run the following command to create the necessary CloudWatch metric filter and associate it with your Amazon CloudTrail log group (the command does not return an output):
- Run the following command to create the AWS CloudWatch alarm that will fire whenever a configuration change involving an AWS VPC Customer/Internet Gateway will be made (the command does not return an output):
Using Python
Using Python
The misconfiguration “Internet Gateway Changes Alarm” in AWS can occur when there is a change in the Internet Gateway associated with the VPC. To remediate this, you can follow these steps using Python:
- Import the necessary modules and define the AWS client:
- Define the log group name, metric filter name, and alarm name:
- Create the metric filter using the
put_metric_filtermethod:
- Create the CloudWatch alarm using the put_metric_alarm method:
- Verify the alarm has been created: