Account monitors VPC route table changes with a CloudWatch Logs metric filter and alarm
cloudwatch_changes_to_network_route_tables_alarm_configured
VPC route table changes are captured from CloudTrail logs by a CloudWatch Logs metric filter, with an associated alarm, covering the events CreateRoute, CreateRouteTable, ReplaceRoute, ReplaceRouteTableAssociation, DeleteRoute, DeleteRouteTable, and DisassociateRouteTable.
Risk
Without monitoring of route table changes, unauthorized or accidental edits can redirect traffic, bypass inspection, or blackhole routes, impacting confidentiality (exfiltration), integrity (tampered paths), and availability (outages from misrouted traffic).
prowler aws --checks cloudwatch_changes_to_network_route_tables_alarm_configured
Recommendation
Implement a CloudWatch Logs metric filter and alarm on CloudTrail for these route table events and notify responders. Enforce least privilege for route modifications, require change control, and apply defense in depth with VPC Flow Logs and guardrails to prevent and quickly contain unsafe routing changes.
Remediation
- In the AWS console, open CloudWatch > Log groups and select your CloudTrail log group
- Go to Metric filters > Create metric filter
- Set Filter pattern to: {($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable))}
- Name the metric and set Metric value to 1; choose any namespace/name
- Create the filter
- From the filter, click Create alarm
- Set Statistic: Sum, Period: 5 minutes, Threshold type: Static, Threshold: 1, Whenever: Greater/Equal
- Create the alarm (notifications optional)
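The following added Python example (not Prowler's own code) applies the condition expressed by the filter pattern above to constructed CloudTrail records, checks that a given pattern names all seven route table events, and checks that an alarm watches the metric a filter emits; the dict shapes for the metric filter and alarms are an assumption modeled on the describe_metric_filters and describe_alarms responses.

```python
import re

# Filter pattern from the remediation steps on this page.
ROUTE_TABLE_PATTERN = (
    "{($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || "
    "($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || "
    "($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || "
    "($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable))}"
)
# Event names the check expects the pattern to cover.
REQUIRED_EVENTS = frozenset({
    "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
    "DeleteRoute", "DeleteRouteTable", "DisassociateRouteTable",
})

def parse_pattern(pattern: str) -> tuple[set[str], set[str]]:
    """Extract eventSource and eventName literals from a metric filter pattern.
    Textual approximation, not a full CloudWatch filter-grammar parser."""
    sources = set(re.findall(r'\$\.eventSource\s*=\s*"?([\w.\-]+)"?', pattern))
    names = set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))
    return sources, names

def pattern_covers_route_table_changes(pattern: str) -> bool:
    """True when the pattern is scoped to EC2 and lists every required event name."""
    sources, names = parse_pattern(pattern)
    return "ec2.amazonaws.com" in sources and REQUIRED_EVENTS <= names

def filter_has_alarm(metric_filter: dict, alarms: list) -> bool:
    """True if an alarm watches the metric the filter emits (assumed boto3-like dict shapes)."""
    for t in metric_filter.get("metricTransformations", []):
        for alarm in alarms:
            if (alarm.get("MetricName"), alarm.get("Namespace")) == (t["metricName"], t["metricNamespace"]):
                return True
    return False

def matching_events(records: list, pattern: str = ROUTE_TABLE_PATTERN) -> list:
    """Replay CloudTrail records through the pattern's condition and return the
    eventNames that would increment the metric the alarm sums over."""
    sources, names = parse_pattern(pattern)
    return [r["eventName"] for r in records
            if r.get("eventSource") in sources and r.get("eventName") in names]

# Constructed sample records (not real CloudTrail output), trimmed to the fields used.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRoute"},
]
```

Read-only calls such as DescribeRouteTables and events from other services fall outside the pattern, so only the two write events on EC2 would count toward the 5-minute Sum the alarm evaluates.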
Source Code
Resource Type
AwsCloudWatchAlarm