--- title: CloudWatch route table changes alarm missing description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CloudWatch route table changes alarm missing --- # CloudWatch route table changes alarm missing {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-cloudwatch-route-table-changes-alarm-missing` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) ### Description{% #description %} This check ensures that a CloudWatch log metric filter and corresponding alarm are configured to detect and alert on changes to AWS VPC route tables. Without associating the alarm's `metric_name` with the correct CloudWatch log metric filter, as in `metric_name = "XXXX NOT YOUR FILTER XXXX"`, changes to route tables may go unmonitored, potentially allowing unauthorized modifications to routing paths without triggering any notifications. This oversight increases the risk of undetected network misconfigurations or malicious activity that could compromise the integrity and security of cloud network traffic flows. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { name = "CIS-RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RouteTableChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { alarm_name = "CIS-3.13-RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { name = "CIS-RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RouteTableChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { alarm_name = "CIS-3.13-RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXXX NOT YOUR FILTER XXXX" namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-UnauthorizedAPICalls" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { alarm_name = "CIS-3.1-UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { name = "CIS-RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RouteTableChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { alarm_name = "CIS-3.13-RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ```