CloudWatch log metric filter and alarm are not set for denied connections in VPC flow logs Affecting CloudWatch service in AWS
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Monitoring/ Accounts Monitoring
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-ArchitectedHIPAAISO-27001NIST-800-53SOC-2
- Snyk IDSNYK-CC-00156
- creditSnyk Research Team
Description
CloudWatch metric filters and alarms should be configured to alert users to rejected connections in VPC flow logs so users can investigate anomalous traffic.
How to fix?
Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.
Use the following pattern attribute set:
$version
$account
$eni
$source
$destination
$srcport
$destport="22"
$protocol="6"
$packets
$bytes
$windowstart
$windowend
$action="REJECT"
$flowlogstatus