Ensure there is an Amazon CloudWatch alarm set up in your AWS account that is triggered each time a VPC Internet Gateway or a VPC VPN Customer Gateway configuration change is made. This CloudWatch alarm must fire every time an AWS API call is performed to create, delete, attach or detach a VPC Customer/Internet Gateway.
Using Amazon CloudWatch alarms to detect configuration changes involving your AWS VPC Customer/Internet Gateway(s) helps you spot and respond to unexpected modifications that may lead to unrestricted network access, loss of connectivity between your AWS VPC and the Internet, or loss of the VPN connection between your VPC and the linked on-premises datacenter(s). Note that the alarm is a detective control: it notifies you after the API call has already succeeded, so it complements (rather than replaces) IAM policies that restrict who may make these calls.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch Logs within your AWS account; otherwise see this rule to enable the AWS CloudTrail – CloudWatch integration.
Note 2: You also have the option to implement this conformity rule with AWS CloudFormation. Download the required CloudFormation template from this URL and follow the AWS instructions available here.
To set up the CloudWatch alarm that monitors AWS VPC Customer/Internet Gateway configuration changes within your AWS account, perform the following:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever the appropriate Amazon CloudWatch alarm (created at Step 2) is triggered. The subscribed address must confirm the subscription before notifications are delivered.
Step 2: Create the necessary metric filter on the CloudTrail log group and the CloudWatch alarm that will fire and send notifications whenever an AWS VPC Customer/Internet Gateway configuration changes.
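The following script is an added example that carries Steps 1 and 2 through with the AWS CLI; it is not part of the Cloud Conformity page or its CloudFormation template. The metric filter matches the six CloudTrail event names that constitute a Customer/Internet Gateway change (CreateCustomerGateway, DeleteCustomerGateway, CreateInternetGateway, DeleteInternetGateway, AttachInternetGateway, DetachInternetGateway), the same set the CIS AWS Foundations Benchmark uses for this control. The log group name (CloudTrail/DefaultLogGroup), region, topic/filter/alarm names and the notification address are hypothetical placeholders to replace with your own. The build_filter_pattern, event_triggers_alarm and extract_event_name functions run offline, so you can confirm what the filter will and will not match before deploying it; the AWS calls only run when the script is invoked with the argument `deploy`.

```shell
#!/bin/sh
# Added example (not Cloud Conformity's own code): wires up the SNS topic,
# metric filter and CloudWatch alarm for VPC Customer/Internet Gateway changes.
# All names, the log group and the e-mail address below are hypothetical.
set -eu

LOG_GROUP="${LOG_GROUP:-CloudTrail/DefaultLogGroup}"   # CloudTrail -> CloudWatch Logs group
REGION="${AWS_REGION:-us-east-1}"
TOPIC_NAME="${TOPIC_NAME:-VpcGatewayChangeAlarms}"
ALERT_EMAIL="${ALERT_EMAIL:-security@example.com}"
FILTER_NAME="VpcGatewayChangesFilter"
METRIC_NS="CloudTrailMetrics"
METRIC_NAME="VpcGatewayEventCount"
ALARM_NAME="VpcGatewayChangesAlarm"

# The CloudTrail eventName values that mean a gateway was created, deleted,
# attached or detached. Read-only calls (Describe*) are deliberately absent.
GATEWAY_EVENTS="CreateCustomerGateway DeleteCustomerGateway CreateInternetGateway DeleteInternetGateway AttachInternetGateway DetachInternetGateway"

# Build the CloudWatch Logs metric filter pattern from the event list:
#   { ($.eventName = CreateCustomerGateway) || ($.eventName = ...) }
build_filter_pattern() {
  pattern=""
  for ev in $GATEWAY_EVENTS; do
    if [ -n "$pattern" ]; then pattern="$pattern || "; fi
    pattern="${pattern}(\$.eventName = $ev)"
  done
  printf '{ %s }' "$pattern"
}

# Offline check: does this eventName fall inside the filter? 0 = alarm fires.
event_triggers_alarm() {
  for ev in $GATEWAY_EVENTS; do
    [ "$1" = "$ev" ] && return 0
  done
  return 1
}

# Pull eventName out of a single-line CloudTrail JSON record (for local testing).
extract_event_name() {
  printf '%s' "$1" | sed -n 's/.*"eventName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

deploy() {
  # Step 1: SNS topic plus e-mail subscription (recipient must confirm it).
  topic_arn=$(aws sns create-topic --name "$TOPIC_NAME" --region "$REGION" \
    --query TopicArn --output text)
  aws sns subscribe --topic-arn "$topic_arn" --protocol email \
    --notification-endpoint "$ALERT_EMAIL" --region "$REGION"

  # Step 2a: metric filter on the CloudTrail log group, emitting 1 per match.
  aws logs put-metric-filter --log-group-name "$LOG_GROUP" \
    --filter-name "$FILTER_NAME" --filter-pattern "$(build_filter_pattern)" \
    --metric-transformations metricName="$METRIC_NAME",metricNamespace="$METRIC_NS",metricValue=1 \
    --region "$REGION"

  # Step 2b: alarm when at least one matching event lands in a 5-minute period.
  # notBreaching keeps the alarm in OK (not INSUFFICIENT_DATA) during quiet periods.
  aws cloudwatch put-metric-alarm --alarm-name "$ALARM_NAME" \
    --metric-name "$METRIC_NAME" --namespace "$METRIC_NS" --statistic Sum \
    --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 --treat-missing-data notBreaching \
    --alarm-actions "$topic_arn" --region "$REGION"
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run `sh vpc-gateway-alarm.sh deploy` with credentials that may create SNS, Logs and CloudWatch resources. If the metric filter is created but no alarm exists, or the alarm has no SNS action, the rule is still not satisfied; both halves of Step 2 are needed.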