--- title: CloudWatch network gateways changes alarm missing description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CloudWatch network gateways changes alarm missing --- # CloudWatch network gateways changes alarm missing {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-cloudwatch-network-gateways-changes-alarm-missing` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) ### Description{% #description %} This control checks that a log metric filter and an associated alarm are set up to monitor changes to network gateways in AWS, such as creation or deletion of customer or internet gateways. If the `metric_name` attribute in the `aws_cloudwatch_metric_alarm` resource is not correctly set to the name of the log metric filter (for example, `"XXXX NOT YOUR FILTER XXXX"`), gateway modifications may go undetected. Without this alerting, unauthorized or unintended changes to network gateways can occur without notice, potentially exposing the VPC to security risks or data exfiltration. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { name = "CIS-NetworkGatewayChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-NetworkGatewayChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { alarm_name = "CIS-3.12-NetworkGatewayChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_network_gateway_changes_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { name = "CIS-NetworkGatewayChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-NetworkGatewayChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { alarm_name = "CIS-3.12-NetworkGatewayChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXXX NOT YOUR FILTER XXXX" namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-UnauthorizedAPICalls" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { alarm_name = "CIS-3.1-UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { name = "CIS-NetworkGatewayChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DetachInternetGateway) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-NetworkGatewayChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { alarm_name = "CIS-3.12-NetworkGatewayChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_network_gateway_changes_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ```