CloudWatch log metric filter and alarm are not set for VPC security group changes Affecting CloudWatch service in AWS

Snyk CCSS

Monitoring / Accounts Monitoring

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00197
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Monitoring changes to security groups helps ensure that resources and services are not unintentionally exposed.

How to fix?

Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.

Use the following pattern attribute set:

$.eventName=AuthorizeSecurityGroupIngress
$.eventName=AuthorizeSecurityGroupEgress
$.eventName=RevokeSecurityGroupIngress
$.eventName=RevokeSecurityGroupEgress
$.eventName=CreateSecurityGroup
$.eventName=DeleteSecurityGroup

Terraform

References

Example: Security Group Configuration Changes

CloudWatch log metric filter and alarm are not set for VPC security group changes Affecting CloudWatch service in AWS

Severity

Description

How to fix?

Terraform

References