
AWS account has a CloudWatch Logs metric filter and alarm for VPC changes

cloudwatch_changes_to_vpcs_alarm_configured

Severity: medium
Service: cloudwatch
by Prowler

CloudTrail events for VPC configuration changes are captured in CloudWatch Logs with a metric filter and an associated alarm. The filter targets actions like CreateVpc, DeleteVpc, ModifyVpcAttribute, and VPC peering operations to surface when network topology is altered.

Risk

Without alerting on VPC changes, unauthorized or accidental edits to routes, peering, or attributes can go unnoticed, exposing private networks and enabling data exfiltration (C), lateral movement and traffic tampering (I), and outages from misrouted or bridged networks (A).

Run this check with Prowler CLI

prowler aws --checks cloudwatch_changes_to_vpcs_alarm_configured

Recommendation

Create a CloudWatch Logs metric filter and alarm on CloudTrail for critical VPC change events, and notify responders. Apply least privilege to network changes, require change approvals, and use defense in depth (segmentation, route controls) to prevent and contain unauthorized modifications.

Remediation

Other (AWS Console)
  1. In the AWS Console, go to CloudWatch > Log groups and open the CloudTrail log group
  2. Choose Create metric filter
  3. For Filter pattern, paste: { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }
  4. Name the filter and set Metric namespace to CISBenchmark, Metric name to vpc_changes_metric, Metric value to 1; create the filter
  5. Select the new filter and choose Create alarm
  6. Set Statistic to Sum, Period 5 minutes, Threshold type Static, Whenever Greater/Equal 1, Evaluation periods 1
  7. Create the alarm (alarm actions/notifications are optional and not required for the check to pass)
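The steps above can be verified locally before touching the account. The following script is an added example (not Prowler's own code): it reproduces the filter pattern from step 3 as a string, emulates the metric filter and the Sum/5-minute/threshold-1 alarm from steps 4 to 6 over a few constructed CloudTrail records, and returns the keyword arguments one would pass to boto3's `logs.put_metric_filter` and `cloudwatch.put_metric_alarm` (no API call is made). The log group name, filter name and alarm name are assumptions.

```python
"""Local model of the VPC-change metric filter and alarm from the remediation steps."""
from datetime import datetime, timezone

# Event names copied from the filter pattern in step 3.
VPC_CHANGE_EVENTS = [
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    "AttachClassicLinkVpc", "DetachClassicLinkVpc",
    "DisableVpcClassicLink", "EnableVpcClassicLink",
]


def build_filter_pattern(events=VPC_CHANGE_EVENTS):
    """Render the CloudWatch Logs JSON filter pattern exactly as pasted in step 3."""
    return "{ " + " || ".join(f"($.eventName = {e})" for e in events) + " }"


def matches_filter(record, events=frozenset(VPC_CHANGE_EVENTS)):
    """Emulate the metric filter: metric value 1 for a matching record, 0 otherwise."""
    return 1 if record.get("eventName") in events else 0


def sum_per_period(records, period=300):
    """Bucket metric values into fixed windows, as the Sum statistic with a 5-minute Period does."""
    sums = {}
    for rec in records:
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        window = int(ts.timestamp()) // period * period
        sums[window] = sums.get(window, 0) + matches_filter(rec)
    return sums


def evaluate_alarm(records, threshold=1, period=300, evaluation_periods=1):
    """Return 'ALARM' when `evaluation_periods` consecutive windows have Sum >= threshold
    (ComparisonOperator GreaterThanOrEqualToThreshold), otherwise 'OK'."""
    sums = sum_per_period(records, period)
    windows = sorted(sums)
    for i in range(len(windows) - evaluation_periods + 1):
        if all(sums[w] >= threshold for w in windows[i:i + evaluation_periods]):
            return "ALARM"
    return "OK"


def remediation_parameters(log_group, sns_topic_arn=None):
    """Keyword arguments for boto3 logs.put_metric_filter and cloudwatch.put_metric_alarm
    that mirror steps 3 to 7. Filter and alarm names are assumptions; nothing is called here."""
    metric_filter = {
        "logGroupName": log_group,
        "filterName": "vpc_changes_metric_filter",
        "filterPattern": build_filter_pattern(),
        "metricTransformations": [{
            "metricName": "vpc_changes_metric",
            "metricNamespace": "CISBenchmark",
            "metricValue": "1",
        }],
    }
    alarm = {
        "AlarmName": "vpc_changes_alarm",
        "Namespace": "CISBenchmark",
        "MetricName": "vpc_changes_metric",
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    }
    if sns_topic_arn:  # optional notification, not required for the check to pass
        alarm["AlarmActions"] = [sns_topic_arn]
    return metric_filter, alarm


# Constructed CloudTrail-style records: two VPC changes inside one 5-minute window,
# surrounded by read-only Describe* calls that the filter must ignore.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:01:10Z", "eventName": "DescribeVpcs"},
    {"eventTime": "2024-01-01T10:02:30Z", "eventName": "CreateVpcPeeringConnection"},
    {"eventTime": "2024-01-01T10:03:45Z", "eventName": "ModifyVpcAttribute"},
    {"eventTime": "2024-01-01T10:20:00Z", "eventName": "DescribeRouteTables"},
]

if __name__ == "__main__":
    print(build_filter_pattern())
    print(sum_per_period(SAMPLE_EVENTS))
    print(evaluate_alarm(SAMPLE_EVENTS))
    print(remediation_parameters("/aws/cloudtrail/example-log-group"))
```

Running the script prints the pattern, the per-window sums ({10:00 window: 2, 10:20 window: 0}) and `ALARM`, which is the behaviour the console alarm should show after the same two peering and attribute changes.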

Resource Type

AwsCloudWatchAlarm
