> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Group Changes Alarm

### More Info:

AWS security groups configuration changes should be monitored using CloudWatch alarms. Ensure there is a CloudWatch alarm set up in your AWS account that is triggered each time a security group configuration change is made.

### Risk Level

Medium

### Address

Security

### Compliance Standards

SOC2, NIST, HIPAA, ISO27001, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF, CISAWSF, PCI, APRA, MAS, NIST4

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step by step instructions to remediate the Security Group Changes Alarm misconfiguration in AWS using AWS console:

        Here are the step-by-step instructions to remediate the Security Group Changes Alarm misconfiguration in AWS using the AWS console:

        1. Sign in to your AWS Management Console.

        2. Navigate to the CloudWatch dashboard at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

        3. In the left navigation panel, select **Logs**.

        4. Select the log group created for your CloudTrail trail event logs and click the **Create Metric Filter** button.

        5. On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:

        ```
        {
            ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) ||
            ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) ||
            ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)
        }
        ```

        This pattern will be used for scanning the AWS CloudTrail logs for event names like "CreateSecurityGroup", "AuthorizeSecurityGroupIngress", or "DeleteSecurityGroup".

        6. Review the metric filter configuration details, then click **Assign Metric**.

        7. On the Create Metric Filter and Assign a Metric page, perform the following:

           * In the **Filter Name** box, enter a unique name for the new filter (e.g., `SecurityGroupConfigChanges`).
           * In the **Metric Namespace** box, type `CloudTrailMetrics`.
           * In the **Metric Name** box, type `SecurityGroupEventCount` for the metric identifier.
           * Click **Show advanced metric settings** to slide down the advanced settings section.
           * In the **Metric Value** box, enter `1`.

        8. Review the details, then click **Create Filter** to generate your new CloudWatch Logs metric filter.

        9. On the current page, click **Create Alarm**.

        10. In the Create Alarm dialog box, provide the following information:
            * Within the **Alarm Threshold** section, in the **Name** and **Description** fields, enter a unique name and a short description for the new CloudWatch alarm.
            * Under **Whenever: Metric Name**, select `>=` (greater than or equal to) from the dropdown list and enter `1` as the threshold value in the box next to the dropdown list to trigger the alarm every time a configuration change involving an AWS security group is made.
            * In the **Actions** section, click the **+ Notification** button, select **State is ALARM** from the dropdown menu, and choose the AWS SNS topic name created previously from the **Send notification to** section.
            * In the **Alarm Preview** section, select `5 Minutes` from the **Period** dropdown list and `Sum` from the **Statistic** list.
            * Review the CloudWatch alarm configuration details, then click **Create Alarm**. Once created, the new alarm will be listed on the Alarms page.

        It is important to note that setting up the alarm does not fix the underlying issue. You need to identify and remediate the root cause of the misconfiguration to ensure that your infrastructure remains secure.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the Security Group Changes Alarm using the AWS CLI, follow these steps:

        1. Run the following command to create the necessary CloudWatch metric filter and associate it with the appropriate CloudTrail log group:

        ```bash theme={null}
        aws logs put-metric-filter \
            --region us-east-1 \
            --log-group-name CloudTrail/CloudWatchLogGroup \
            --filter-name SecurityGroupConfigChanges \
            --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' \
            --metric-transformations metricName=SecurityGroupEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
        ```

        2. Run the following command to create the AWS CloudWatch alarm that will fire whenever a configuration change involving an AWS security group within your account is made:

        ```bash theme={null}
        aws cloudwatch put-metric-alarm \
            --region us-east-1 \
            --alarm-name SecurityGroupConfigChangesAlarm \
            --alarm-description "Triggered by AWS security group(s) config changes." \
            --metric-name SecurityGroupEventCount \
            --namespace CloudTrailMetrics \
            --statistic Sum \
            --comparison-operator GreaterThanOrEqualToThreshold \
            --evaluation-periods 1 \
            --period 300 \
            --threshold 1 \
            --actions-enabled \
            --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
        ```

        After creating the alarm, ensure to investigate the cause of the security group changes and take any necessary steps to prevent similar misconfigurations in the future.
      </Accordion>

      <Accordion title="Using Python">
        1. To remediate the "Security Group Changes Alarm" misconfiguration in AWS using Python, you can follow the steps below:

        2. Import the necessary libraries and initialize the Boto3 client for CloudWatch logs and CloudWatch alarms.

        3. Create the metric filter to monitor changes to security groups.

        4. Create the CloudWatch alarm to trigger notifications for any changes.

        ```python theme={null}
        import boto3

        # Initialize Boto3 clients
        logs_client = boto3.client('logs')
        cloudwatch_client = boto3.client('cloudwatch')

        # Define parameters
        log_group_name = 'CloudTrail/CloudWatchLogGroup'
        filter_name = 'SecurityGroupConfigChanges'
        metric_name = 'SecurityGroupEventCount'
        namespace = 'CloudTrailMetrics'
        alarm_name = 'SecurityGroupConfigChangesAlarm'
        sns_topic_arn = 'ARN_OF_SNS_TOPIC'

        # Create Metric Filter
        logs_client.put_metric_filter(
            logGroupName=log_group_name,
            filterName=filter_name,
            filterPattern='{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }',
            metricTransformations=[{
                'metricName': metric_name,
                'metricNamespace': namespace,
                'metricValue': '1'
            }]
        )

        # Create CloudWatch Alarm
        cloudwatch_client.put_metric_alarm(
            AlarmName=alarm_name,
            AlarmDescription='Triggered by AWS security group(s) config changes.',
            MetricName=metric_name,
            Namespace=namespace,
            Statistic='Sum',
            Period=300,
            EvaluationPeriods=1,
            Threshold=1,
            ComparisonOperator='GreaterThanOrEqualToThreshold',
            ActionsEnabled=True,
            AlarmActions=[sns_topic_arn]
        )

        print("Metric filter and alarm created successfully.")
        ```

        Note: Replace ARN\_OF\_SNS\_TOPIC\` with the appropriate ARN of your specific topic.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-security-group](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-security-group)
* [https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudWatchLogs/securitygroup-changes-alarm.html](https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudWatchLogs/securitygroup-changes-alarm.html)
