CloudWatch route table changes alarm missing
This product is not supported for your selected
Datadog site. (
).
Id: 2285e608-ddbc-47f3-ba54-ce7121e31216
Cloud Provider: aws
Framework: Terraform
Severity: Low
Category: Observability
Learn More
Description
This check ensures that a CloudWatch log metric filter and corresponding alarm are configured to detect and alert on changes to AWS VPC route tables. Without associating the alarm’s metric_name with the correct CloudWatch log metric filter, as in metric_name = "XXXX NOT YOUR FILTER XXXX", changes to route tables may go unmonitored, potentially allowing unauthorized modifications to routing paths without triggering any notifications. This oversight increases the risk of undetected network misconfigurations or malicious activity that could compromise the integrity and security of cloud network traffic flows.
Compliant Code Examples
resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" {
name = "CIS-RouteTableChanges"
pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
metric_transformation {
name = "CIS-RouteTableChanges"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" {
alarm_name = "CIS-3.13-RouteTableChanges"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
}
Non-Compliant Code Examples
resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
name = "CIS-UnauthorizedAPICalls"
pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
metric_transformation {
name = "CIS-UnauthorizedAPICalls"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
alarm_name = "CIS-3.1-UnauthorizedAPICalls"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
insufficient_data_actions = []
}
resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" {
name = "CIS-RouteTableChanges"
pattern = "{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
metric_transformation {
name = "CIS-RouteTableChanges"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" {
alarm_name = "CIS-3.13-RouteTableChanges"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
}
resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" {
name = "CIS-RouteTableChanges"
pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
metric_transformation {
name = "CIS-RouteTableChanges"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" {
alarm_name = "CIS-3.13-RouteTableChanges"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = "XXXX NOT YOUR FILTER XXXX"
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
}
