CloudWatch log metric filter and alarm are not set for changes to VPC NACLs Affecting CloudWatch service in AWS

Snyk CCSS

Monitoring / Network

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00098
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Monitoring changes to NACLs helps ensure that AWS resources and services are not unintentionally exposed.

How to fix?

Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.

Use the following pattern attribute set:

$.eventName=CreateNetworkAcl
$.eventName=CreateNetworkAclEntry
$.eventName=DeleteNetworkAcl
$.eventName=DeleteNetworkAclEntry
$.eventName=ReplaceNetworkAclEntry
$.eventName=ReplaceNetworkAclAssociation

cli

Terraform

References

Example: Network Access Control List (ACL) Changes

CloudWatch log metric filter and alarm are not set for changes to VPC NACLs Affecting CloudWatch service in AWS

Severity

Description

How to fix?

cli

Terraform

References