Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
Rationale:
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.
Perform the following to set up the metric filter, alarm, SNS topic, and subscription. Values in angle brackets are placeholders to replace with your own names and ARNs:
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name '<network_gw_changes_metric>' --metric-transformations metricName='<network_gw_changes_metric>',metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
aws sns create-topic --name <sns_topic_name>
Note: You can execute this command once and then re-use the same topic for all monitoring alarms.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoint>
Note: You can execute this command once and then re-use the SNS subscription for all monitoring alarms.
aws cloudwatch put-metric-alarm --alarm-name '<network_gw_changes_alarm>' --metric-name '<network_gw_changes_metric>' --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
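The following is an added example, not part of the benchmark text: it replays the filter pattern and alarm settings above (the six gateway event names, Sum over a 300-second period, threshold >= 1) against constructed CloudTrail records, so you can confirm offline which events would raise the alarm and which read-only calls would not. The record fields and timestamps are constructed sample data.

```python
"""Offline simulation of the network-gateway-change metric filter and alarm."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Event names from the filter pattern above (the set the benchmark monitors).
GATEWAY_EVENTS = {
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "AttachInternetGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "DetachInternetGateway",
}
PERIOD_SECONDS = 300   # matches --period 300
THRESHOLD = 1          # matches --threshold 1 with GreaterThanOrEqualToThreshold


def matches_filter(record: dict) -> bool:
    """Mirror of the CloudWatch Logs filter pattern: any listed eventName matches."""
    return record.get("eventName") in GATEWAY_EVENTS


def metric_sums(records):
    """Sum the metric (metricValue=1 per matching record) per 300-second window.

    Keys are the window start as a Unix timestamp, as CloudWatch would bucket them."""
    sums = defaultdict(int)
    for rec in records:
        if matches_filter(rec):
            ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
            window = int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
            sums[window] += 1
    return dict(sums)


def alarm_windows(records):
    """Windows whose Sum >= threshold, i.e. where the alarm would enter ALARM state."""
    return sorted(w for w, s in metric_sums(records).items() if s >= THRESHOLD)


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInternetGateways"},   # read-only call, must not count
    {"eventTime": "2024-01-01T10:02:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateInternetGateway"},
    {"eventTime": "2024-01-01T10:03:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AttachInternetGateway"},
    {"eventTime": "2024-01-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteCustomerGateway"},
]

if __name__ == "__main__":
    print(json.dumps(metric_sums(SAMPLE_RECORDS)))   # two windows with counts 2 and 1
    print(alarm_windows(SAMPLE_RECORDS))             # both windows breach the threshold
```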