To ensure proper monitoring and alerting of changes to Virtual Private Cloud (VPC) configurations, a log metric filter and corresponding CloudWatch alarm should be configured to detect and notify administrators of events such as CreateVpc, DeleteVpc, or ModifyVpcAttribute. If the metric_name attribute in the aws_cloudwatch_metric_alarm resource does not reference the correct log metric filter (for example, metric_name = "XXXX NOT YOUR FILTER XXXX"), the alarm will not trigger on actual VPC changes, leaving unauthorized or accidental modifications undetected. This misconfiguration undermines security monitoring efforts and increases the risk of undetected changes that could impact network segmentation, access control, or data exposure.
Compliant Code Examples
resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
  name           = "CIS-VPCChanges"
  pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-VPCChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
  alarm_name                = "CIS-3.14-VPCChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
Non-Compliant Code Examples
# Non-compliant: the alarm's metric_name is a literal that matches no metric filter,
# so the alarm never fires on VPC changes.
resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
  name           = "CIS-VPCChanges"
  pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-VPCChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
  alarm_name                = "CIS-3.14-VPCChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = "XXXX NOT YOUR FILTER XXXX"
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
# Non-compliant: only a console-sign-in-without-MFA filter and alarm exist;
# no metric filter or alarm covers VPC change events at all.
resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
  name           = "CIS-ConsoleSigninWithoutMFA"
  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-ConsoleSigninWithoutMFA"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
  alarm_name                = "CIS-3.2-ConsoleSigninWithoutMFA"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
# Non-compliant: the alarm is wired correctly, but the filter pattern omits
# DeleteVpc and DisableVpcClassicLink, so those changes go unnoticed.
resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
  name           = "CIS-VPCChanges"
  pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = EnableVpcClassicLink) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-VPCChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
  alarm_name                = "CIS-3.14-VPCChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
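The three ways the examples above fail (alarm pointing at a non-existent metric, no VPC alarm at all, an incomplete event pattern) can be checked mechanically once the Terraform arguments are available as plain data. The following is an added example, not Datadog's rule implementation; it assumes a `{label: attrs}` dict per resource type (as a tool like `terraform show -json` or an HCL parser would give you) and models the fact that an `aws_cloudwatch_log_metric_filter` resource's `id` is its `name`.

```python
import re

# Event names the page's compliant CIS "VPC changes" filter pattern covers.
REQUIRED_VPC_EVENTS = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection",
    "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    "AttachClassicLinkVpc", "DetachClassicLinkVpc", "DisableVpcClassicLink", "EnableVpcClassicLink",
}
COMPLIANT_PATTERN = "{ " + " || ".join(f"($.eventName = {e})" for e in sorted(REQUIRED_VPC_EVENTS)) + " }"
# Terraform reference of the form aws_cloudwatch_log_metric_filter.<label>.id
FILTER_REF = re.compile(r"^aws_cloudwatch_log_metric_filter\.(\w+)\.id$")

def events_in_pattern(pattern):
    """Return the $.eventName values a CloudWatch Logs filter pattern matches."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))

def check_vpc_alarm(filters, alarms):
    """filters/alarms: {terraform_label: attrs} mirroring the Terraform arguments.
    Returns a list of findings; an empty list means the rule is satisfied."""
    findings = []
    # Metrics that are really published, keyed by (namespace, metric name) -> filter label.
    published = {(f["metric_transformation"]["namespace"], f["metric_transformation"]["name"]): label
                 for label, f in filters.items()}
    vpc_filters = {label for label, f in filters.items()
                   if events_in_pattern(f["pattern"]) & REQUIRED_VPC_EVENTS}
    for label in sorted(vpc_filters):
        missing = REQUIRED_VPC_EVENTS - events_in_pattern(filters[label]["pattern"])
        if missing:
            findings.append(f"filter {label}: pattern misses {sorted(missing)}")
    covered = False
    for label, a in alarms.items():
        ref = FILTER_REF.match(a["metric_name"])
        # A metric filter's id is its name, so a reference resolves to the filter's name (assumption).
        name = filters[ref.group(1)]["name"] if ref and ref.group(1) in filters else a["metric_name"]
        src = published.get((a["namespace"], name))
        if src is None:
            findings.append(f"alarm {label}: metric_name {name!r} matches no metric filter")
        elif src in vpc_filters:
            covered = True
    if not covered:
        findings.append("no alarm is wired to a VPC-changes metric filter")
    return findings

def cis_example(metric_name, pattern=COMPLIANT_PATTERN):
    """Constructed sample mirroring the page's filter/alarm pair with a chosen metric_name."""
    filters = {"CIS_VPC_Changes_Metric_Filter": {"name": "CIS-VPCChanges", "pattern": pattern,
               "metric_transformation": {"name": "CIS-VPCChanges", "namespace": "CIS_Metric_Alarm_Namespace"}}}
    alarms = {"CIS_VPC_Changes_CW_Alarm": {"metric_name": metric_name, "namespace": "CIS_Metric_Alarm_Namespace"}}
    return check_vpc_alarm(filters, alarms)
```

`cis_example("aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id")` returns no findings, while `cis_example("XXXX NOT YOUR FILTER XXXX")` reports both the dangling metric_name and the resulting lack of VPC coverage.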
rulesets:
  - Terraform / AWS # Rules to enforce / AWS.