For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-cloudwatch-route-table-changes-alarm-missing.md.
A documentation index is available at /llms.txt.
This check ensures that a CloudWatch log metric filter and corresponding alarm are configured to detect and alert on changes to AWS VPC route tables. Without associating the alarm’s metric_name with the correct CloudWatch log metric filter, as in metric_name = "XXXX NOT YOUR FILTER XXXX", changes to route tables may go unmonitored, potentially allowing unauthorized modifications to routing paths without triggering any notifications. This oversight increases the risk of undetected network misconfigurations or malicious activity that could compromise the integrity and security of cloud network traffic flows.
Compliant Code Examples
resource"aws_cloudwatch_log_metric_filter""cis_route_table_changes_metric_filter"{name="CIS-RouteTableChanges"pattern="{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"log_group_name=aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.namemetric_transformation{name="CIS-RouteTableChanges"namespace="CIS_Metric_Alarm_Namespace"value="1"}}resource"aws_cloudwatch_metric_alarm""cis_route_table_changes_cw_alarm"{alarm_name="CIS-3.13-RouteTableChanges"comparison_operator="GreaterThanOrEqualToThreshold"evaluation_periods="1"metric_name=aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.idnamespace="CIS_Metric_Alarm_Namespace"period="300"statistic="Sum"threshold="1"alarm_description="Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."alarm_actions=[aws_sns_topic.CIS_Alerts_SNS_Topic.arn]insufficient_data_actions=[]}
Non-Compliant Code Examples
resource"aws_cloudwatch_log_metric_filter""cis_route_table_changes_metric_filter"{name="CIS-RouteTableChanges"pattern="{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"log_group_name=aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.namemetric_transformation{name="CIS-RouteTableChanges"namespace="CIS_Metric_Alarm_Namespace"value="1"}}resource"aws_cloudwatch_metric_alarm""cis_route_table_changes_cw_alarm"{alarm_name="CIS-3.13-RouteTableChanges"comparison_operator="GreaterThanOrEqualToThreshold"evaluation_periods="1"metric_name="XXXX NOT YOUR FILTER XXXX"namespace="CIS_Metric_Alarm_Namespace"period="300"statistic="Sum"threshold="1"alarm_description="Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."alarm_actions=[aws_sns_topic.CIS_Alerts_SNS_Topic.arn]insufficient_data_actions=[]}
resource"aws_cloudwatch_log_metric_filter""cis_unauthorized_api_calls_metric_filter"{name="CIS-UnauthorizedAPICalls"pattern="{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"log_group_name=aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.namemetric_transformation{name="CIS-UnauthorizedAPICalls"namespace="CIS_Metric_Alarm_Namespace"value="1"}}resource"aws_cloudwatch_metric_alarm""cis_unauthorized_api_calls_cw_alarm"{alarm_name="CIS-3.1-UnauthorizedAPICalls"comparison_operator="GreaterThanOrEqualToThreshold"evaluation_periods="1"metric_name=aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.idnamespace="CIS_Metric_Alarm_Namespace"period="300"statistic="Sum"threshold="1"alarm_description="Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."alarm_actions=[aws_sns_topic.cis_alerts_sns_topic.arn]insufficient_data_actions=[]}
resource"aws_cloudwatch_log_metric_filter""cis_route_table_changes_metric_filter"{name="CIS-RouteTableChanges"pattern="{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"log_group_name=aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.namemetric_transformation{name="CIS-RouteTableChanges"namespace="CIS_Metric_Alarm_Namespace"value="1"}}resource"aws_cloudwatch_metric_alarm""cis_route_table_changes_cw_alarm"{alarm_name="CIS-3.13-RouteTableChanges"comparison_operator="GreaterThanOrEqualToThreshold"evaluation_periods="1"metric_name=aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.idnamespace="CIS_Metric_Alarm_Namespace"period="300"statistic="Sum"threshold="1"alarm_description="Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."alarm_actions=[aws_sns_topic.CIS_Alerts_SNS_Topic.arn]insufficient_data_actions=[]}
1
2
rulesets:- Terraform / AWS # Rules to enforce / AWS.
Request a personalized demo
Get Started with Datadog
Ask AI
AI-generated responses may be inaccurate. Verify important info.
