CloudWatch Logs metric filter and alarm exist for security group changes
cloudwatch_log_metric_filter_security_group_changes
CloudTrail events for security group configuration changes are monitored using a CloudWatch Logs metric filter with an associated alarm. The filter targets actions like AuthorizeSecurityGroupIngress/Egress, RevokeSecurityGroupIngress/Egress, CreateSecurityGroup, and DeleteSecurityGroup to surface any security group modifications.
Risk
Without alerting on security group changes, unauthorized or mistaken rules can expose services to the Internet, enabling brute force and lateral movement (confidentiality, integrity). Deletions or restrictive edits can break connectivity (availability). Delayed detection increases attacker dwell time and impact.
prowler aws --checks cloudwatch_log_metric_filter_security_group_changes
Recommendation
Establish real-time alerts for security group modifications by sending CloudTrail to CloudWatch, creating metric filters and alarms, and notifying responders.
- Enforce least privilege on SG changes
- Use change management and tagging
- Centralize logs, test alarms, and maintain runbooks
- Layer with NACLs and WAF for defense in depth
Remediation
- Open the CloudWatch console > Logs > Log groups, and select the CloudTrail log group
- Create metric filter with this pattern: { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
- Assign metric: name <example_metric_name>, namespace <example_metric_namespace>, value 1, then create the filter
- From the metric filter, choose Create alarm and set: Statistic Sum, Period 5 minutes, Threshold type Static, condition Greater/Equal with threshold value 1, Evaluation periods 1, then create the alarm (attach an SNS topic so responders are notified)
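The following is an added example (not Prowler's check code and not from any of the referenced pages) that models the remediation steps offline: it applies the same eventName filter to constructed CloudTrail records, sums one metric value per match over 5-minute periods, evaluates the static >= 1 threshold, and builds the boto3 keyword arguments for `logs.put_metric_filter` and `cloudwatch.put_metric_alarm` that correspond to the console steps. The log group, metric, namespace, filter/alarm and SNS topic names and all sample records are constructed placeholders.

```python
"""Offline model of the security-group-change metric filter and alarm described above.

Added example, not part of Prowler or the page. All resource names and the CloudTrail
records below are constructed placeholders.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# API calls from the remediation filter pattern, in the page's order.
SG_CHANGE_EVENTS = (
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
)
FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {e})" for e in SG_CHANGE_EVENTS) + " }"

# Alarm settings from the remediation steps: Sum over 5 minutes, static threshold >= 1.
PERIOD_SECONDS = 300
THRESHOLD = 1


def matches_filter(event: dict) -> bool:
    """Same test the CloudWatch Logs pattern applies: exact match on $.eventName."""
    return event.get("eventName") in SG_CHANGE_EVENTS


def parse_log_lines(lines):
    """Each CloudTrail record lands in CloudWatch Logs as one JSON document per line."""
    return [json.loads(line) for line in lines]


def metric_datapoints(events, period=PERIOD_SECONDS):
    """Emit metric value 1 per matching record and Sum it per fixed, epoch-aligned period."""
    counts = Counter()
    for ev in events:
        if matches_filter(ev):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            bucket = int(ts.timestamp()) // period * period
            counts[bucket] += 1
    return dict(counts)


def alarm_states(datapoints, threshold=THRESHOLD):
    """GreaterThanOrEqualToThreshold with one evaluation period per datapoint."""
    return {b: ("ALARM" if total >= threshold else "OK") for b, total in datapoints.items()}


def filter_and_alarm_params(log_group, metric_name, namespace, sns_topic_arn):
    """Keyword arguments for boto3 logs.put_metric_filter and cloudwatch.put_metric_alarm
    matching the console steps (filter and alarm names are constructed placeholders)."""
    metric_filter = {
        "logGroupName": log_group,
        "filterName": "SecurityGroupChanges",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [
            {"metricName": metric_name, "metricNamespace": namespace, "metricValue": "1"}
        ],
    }
    alarm = {
        "AlarmName": "SecurityGroupChangesAlarm",
        "MetricName": metric_name,
        "Namespace": namespace,
        "Statistic": "Sum",
        "Period": PERIOD_SECONDS,
        "EvaluationPeriods": 1,
        "Threshold": THRESHOLD,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "AlarmActions": [sns_topic_arn],
    }
    return metric_filter, alarm


# Constructed CloudTrail records: two matching calls in the 10:00-10:05 period, one read-only
# DescribeSecurityGroups call that must not match, and one CreateSecurityGroup at 10:12.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-15T10:02:11Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
                "userIdentity": {"type": "IAMUser", "userName": "example-user"}}),
    json.dumps({"eventTime": "2024-01-15T10:03:05Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeSecurityGroups", "awsRegion": "us-east-1"}),
    json.dumps({"eventTime": "2024-01-15T10:04:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DeleteSecurityGroup", "awsRegion": "us-east-1"}),
    json.dumps({"eventTime": "2024-01-15T10:12:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1"}),
]

if __name__ == "__main__":
    points = metric_datapoints(parse_log_lines(SAMPLE_LOG_LINES))
    for bucket, total in sorted(points.items()):
        start = datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()
        print(f"{start}  Sum={total}  {alarm_states({bucket: total})[bucket]}")
    print(FILTER_PATTERN)
```

Running the script shows the two 10:00-10:05 changes collapsed into a single datapoint with Sum=2 and the 10:12 change in its own period, both in ALARM, while the read-only DescribeSecurityGroups call is ignored. The pattern string it prints is the one to paste into the console or pass as `filterPattern`; the real alarm only fires once CloudTrail is actually delivering to the log group, so test it by making a harmless tag-only change in a sandbox security group and confirming the SNS notification arrives.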
Resource Type
AwsCloudWatchAlarm
References
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
- https://support.icompaas.com/support/solutions/articles/62000084030-ensure-a-log-metric-filter-and-alarm-exist-for-security-group-changes
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html
- https://asecure.cloud/a/cwalarm_securitygroup_changes/