Route Table Changes Alarm
More Info:
AWS Route Tables configuration changes should be monitored using CloudWatch alarms. This alarm is triggered when changes to route tables in your VPC occur, such as creating, replacing, or deleting routes.Risk Level
MediumAddress
SecurityCompliance Standards
CISAWS, CBP, SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, NISTCSFTriage and Remediation
Remediation
Using Console
Using Console
Remediation using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:
“CreateRoute”, “CreateRouteTable”, “ReplaceRoute”, “ReplaceRouteTableAssociation”, “DeleteRouteTable”, “DeleteRoute”, or “DisassociateRouteTable”.- Review the metric filter config details, then click Assign Metric.
-
On the Create Metric Filter and Assign a Metric page, perform the following:
- In the Filter Name box, enter a unique name for the new filter, e.g. RouteTableConfigChanges.
- In the Metric Namespace box, type CloudTrailMetrics.
- In the Metric Name box, type RouteTableEventCount for the metric identifier.
- Click Show advanced metric settings to expand the advanced settings section.
- In the Metric Value box, enter 1.
- Review the details, then click Create Filter to generate your new CloudWatch Logs metric filter.
-
On the current page, click Create Alarm:
- In the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
- Under Whenever: Metric Name, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value to trigger the alarm every time a configuration change involving an AWS Route Table is made.
- In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu, and choose the AWS SNS topic created at Step 1.
- In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
- Review the CloudWatch alarm configuration details, then click Create Alarm.
Using CLI
Using CLI
Remediation using AWS CLI:
- Run the put-metric-filter command to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group:
- Run the put-metric-alarm command to create the AWS CloudWatch alarm:
Using Python
Using Python
Remediation using Python:
- First, check the CloudWatch alarm to identify the route table that has been modified.
- Once identified, use the boto3 library to fetch the events from CloudTrail related to route table changes:
<route_table_id> with the ID of the modified route table.- Extract the previous state of the route table from the CloudTrail event. The previous state is stored in the previousState field of the resourceProperties object.
- Use the boto3 library to revert the route table to its previous state:
- Confirm that the route table has been updated to its previous state by checking the AWS Management Console or using the boto3 library to fetch the route table details.