Cloudwatch log metric filter and alarm are not set for Config configuration changes Affecting CloudWatch service in AWS

Severity Framework Snyk CCSS

Rule category Monitoring / Accounts Monitoring

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS

Snyk ID SNYK-CC-00168
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Monitoring changes to AWS Config configuration helps ensure sustained visibility of configuration items within the AWS account.

How to fix?

Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.

Use the following pattern attribute set:

$.eventSource=config.amazonaws.com
$.eventName=StopConfigurationRecorder
$.eventName=DeleteDeliveryChannel
$.eventName=PutDeliveryChannel
$.eventName=PutConfigurationRecorder

Terraform

References

Example: Creating CloudWatch Alarms for CloudTrail Events