This check ensures that log metric filters and corresponding alarms are configured to monitor changes to AWS security groups. Without a properly configured alarm referencing the correct log metric filter, security group changes—such as modifications to ingress or egress rules, or the creation and deletion of security groups—may go undetected. This lack of visibility can allow unauthorized or accidental changes that could expose sensitive resources or weaken the security posture of your environment. If left unaddressed, such misconfigurations could result in delayed detection of security incidents, increasing the potential for data breaches or service compromise.
Compliant Code Examples
```hcl
# Compliant: the metric filter covers all six security group API calls, and
# the alarm's metric_name references that filter (a log metric filter's id is
# its name, "CIS-SecurityGroupChanges", which matches metric_transformation.name
# below) in the same namespace, so any change raises the alarm.
resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
  name           = "CIS-SecurityGroupChanges"
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-SecurityGroupChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
  alarm_name                = "CIS-3.10-SecurityGroupChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
```
Non-Compliant Code Examples
```hcl
# Non-compliant: the alarm's metric_name is a literal that matches no metric
# filter's metric_transformation name, so security group changes are counted by
# the filter but the alarm never evaluates that metric.
resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
  name           = "CIS-SecurityGroupChanges"
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-SecurityGroupChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
  alarm_name                = "CIS-3.10-SecurityGroupChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = "XXXX NOT YOUR FILTER XXXX"
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
```
```hcl
# Non-compliant: only the unauthorized-API-calls filter and alarm are defined;
# no metric filter or alarm covers security group changes at all.
resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
  name           = "CIS-UnauthorizedAPICalls"
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-UnauthorizedAPICalls"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
  alarm_name                = "CIS-3.1-UnauthorizedAPICalls"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
  alarm_actions             = [aws_sns_topic.cis_alerts_sns_topic.arn]
  insufficient_data_actions = []
}
```
```hcl
# Non-compliant: the pattern omits AuthorizeSecurityGroupEgress and
# RevokeSecurityGroupEgress, so egress rule changes never increment the metric
# and the (otherwise correctly wired) alarm does not fire on them.
resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
  name           = "CIS-SecurityGroupChanges"
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-SecurityGroupChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
  alarm_name                = "CIS-3.10-SecurityGroupChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
```
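The three failure modes above (alarm pointing at the wrong metric, no security group filter at all, incomplete event pattern) can be checked offline against deployed infrastructure. The script below is an added example, not Datadog's rule implementation: it reads the JSON that `terraform show -json` emits for a state file, looks for a log metric filter whose pattern covers all six security group event names, and then looks for an alarm whose `metric_name` and `namespace` match that filter's `metric_transformation`. The sample states, the filter and alarm names (taken from the page's examples) and the SNS ARN are constructed inline so the script runs without AWS access.

```python
"""Check a Terraform state (terraform show -json) for the CIS security group
changes metric filter and a matching CloudWatch alarm.

Added example, not Datadog's rule implementation. Sample states below are
constructed inline to mirror the compliant and non-compliant examples.
"""
import json
import re
import sys

REQUIRED_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
# Matches `$.eventName = Foo` or `$.eventName = "Foo"` inside a filter pattern.
EVENT_RE = re.compile(r'\$\.eventName\s*=\s*"?(\w+)"?')


def events_in_pattern(pattern):
    """Return the set of eventName values a CloudWatch filter pattern tests for."""
    return set(EVENT_RE.findall(pattern))


def iter_resources(module):
    """Yield resources from a state module and all of its child modules."""
    for r in module.get("resources", []):
        yield r
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_state(state):
    """Return a list of findings; an empty list means the check passes."""
    resources = list(iter_resources(state["values"]["root_module"]))
    filters = [r for r in resources if r["type"] == "aws_cloudwatch_log_metric_filter"]
    alarms = [r for r in resources if r["type"] == "aws_cloudwatch_metric_alarm"]
    findings, complete = [], []
    for f in filters:
        events = events_in_pattern(f["values"].get("pattern", ""))
        if not events & REQUIRED_EVENTS:
            continue  # unrelated filter, e.g. unauthorized API calls
        missing = sorted(REQUIRED_EVENTS - events)
        if missing:
            findings.append(f"{f['address']}: pattern missing events {missing}")
        else:
            complete.append(f)
    if not complete and not findings:
        findings.append("no aws_cloudwatch_log_metric_filter covers security group changes")
    for f in complete:
        mt = f["values"]["metric_transformation"][0]
        # The alarm must evaluate the exact metric the filter emits.
        matched = [a for a in alarms
                   if a["values"].get("metric_name") == mt["name"]
                   and a["values"].get("namespace") == mt["namespace"]]
        if not matched:
            findings.append(f"{f['address']}: no aws_cloudwatch_metric_alarm references "
                            f"metric {mt['namespace']}/{mt['name']}")
        for a in matched:
            if not a["values"].get("alarm_actions"):
                findings.append(f"{a['address']}: alarm has no alarm_actions")
    return findings


# ---- constructed sample states in the shape of `terraform show -json` output ----
FULL_PATTERN = ("{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress)"
                " || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)"
                " || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }")
PARTIAL_PATTERN = ("{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress)"
                   " || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }")


def sg_filter(pattern=FULL_PATTERN):
    return {"address": "aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter",
            "type": "aws_cloudwatch_log_metric_filter",
            "values": {"name": "CIS-SecurityGroupChanges", "pattern": pattern,
                       "metric_transformation": [{"name": "CIS-SecurityGroupChanges",
                                                  "namespace": "CIS_Metric_Alarm_Namespace",
                                                  "value": "1"}]}}


def sg_alarm(metric_name="CIS-SecurityGroupChanges"):
    return {"address": "aws_cloudwatch_metric_alarm.CIS_Security_Group_Changes_CW_Alarm",
            "type": "aws_cloudwatch_metric_alarm",
            "values": {"alarm_name": "CIS-3.10-SecurityGroupChanges", "metric_name": metric_name,
                       "namespace": "CIS_Metric_Alarm_Namespace", "statistic": "Sum",
                       "period": 300, "threshold": 1,
                       # placeholder SNS ARN, constructed for this example
                       "alarm_actions": ["arn:aws:sns:us-east-1:000000000000:CIS_Alerts_SNS_Topic"]}}


def make_state(resources):
    return {"format_version": "1.0", "values": {"root_module": {"resources": resources}}}


COMPLIANT = make_state([sg_filter(), sg_alarm()])
WRONG_METRIC = make_state([sg_filter(), sg_alarm("XXXX NOT YOUR FILTER XXXX")])
PARTIAL = make_state([sg_filter(PARTIAL_PATTERN), sg_alarm()])
NO_FILTER = make_state([sg_alarm()])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: terraform show -json > state.json; python3 check_sg_alarm.py state.json
        with open(sys.argv[1]) as fh:
            cases = {sys.argv[1]: json.load(fh)}
    else:
        cases = {"compliant": COMPLIANT, "wrong_metric": WRONG_METRIC,
                 "partial_pattern": PARTIAL, "no_filter": NO_FILTER}
    for label, st in cases.items():
        print(label, "->", check_state(st) or "OK")
```

Run it against state rather than a plan: when the filter is still to be created, `aws_cloudwatch_log_metric_filter...id` is unknown at plan time, so the alarm's `metric_name` would be absent from the plan JSON and the check could not confirm the reference.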
Rulesets: Terraform / AWS (rules to enforce for AWS)