Ensure there is a CloudWatch alarm set up in your AWS account that is triggered each time a Network Access Control List (NACL) configuration change is made. This CloudWatch alarm must fire every time an AWS API call is performed to create, update or delete a Network ACL.
Network ACLs provide an additional layer of defense for your Virtual Private Clouds (VPCs). Using CloudWatch alarms to detect any configuration changes involving Network ACLs helps you catch unexpected inbound and/or outbound rule modifications that may lead to unrestricted access and increase the opportunities for Distributed Denial of Service (DDoS) attacks.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account; otherwise, see this rule to enable the AWS CloudTrail – CloudWatch integration.
Note 2: You also have the option to implement this conformity rule with AWS CloudFormation. Download the required CloudFormation template from this URL and follow the AWS instructions available here.
To determine if there are any CloudWatch alarms set up to monitor AWS Network ACL configuration changes within your AWS account, perform the following:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever your Amazon CloudWatch alarm is triggered.
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send SNS notifications whenever an AWS Network ACL (NACL) configuration changes.
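As an added example (not part of Cloud Conformity's rule page), the following Python shows the metric filter pattern behind Step 2, evaluates it locally against constructed CloudTrail records, and assembles the boto3 parameter sets for the filter and the alarm; the log group name, SNS topic ARN, metric name and alarm name are assumed placeholders.

```python
import json
# Added example, not Cloud Conformity's code. EC2 API calls that create, update or delete
# a Network ACL (the event names used by the CIS AWS Foundations Benchmark metric filter).
NACL_EVENT_NAMES = (
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
)
# CloudWatch Logs filter pattern built from that list: any one of the names matches.
FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {n})" for n in NACL_EVENT_NAMES) + " }"

def matches_filter(event: dict) -> bool:
    """Evaluate the pattern locally on one parsed CloudTrail event."""
    return event.get("eventName") in NACL_EVENT_NAMES

def count_matches(log_lines) -> int:
    """Count lines the metric filter would emit a value of 1 for; non-JSON lines are skipped."""
    total = 0
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_filter(event):
            total += 1
    return total

def alarm_config(log_group: str, topic_arn: str) -> dict:
    """boto3 parameters for logs.put_metric_filter and cloudwatch.put_metric_alarm: the alarm
    fires on one or more matching calls in a 5-minute period and notifies the Step 1 topic."""
    metric, namespace = "NetworkAclEventCount", "CloudTrailMetrics"  # assumed names
    return {
        "metric_filter": {
            "logGroupName": log_group, "filterName": "NetworkAclChanges",
            "filterPattern": FILTER_PATTERN,
            "metricTransformations": [
                {"metricName": metric, "metricNamespace": namespace, "metricValue": "1"}],
        },
        "alarm": {
            "AlarmName": "NetworkAclChangesAlarm", "MetricName": metric, "Namespace": namespace,
            "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold", "AlarmActions": [topic_arn],
        },
    }

# Constructed sample CloudTrail records, one JSON object per log line as CloudWatch Logs receives them.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls"}),
    "not json",
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry"}),
]
```

Only the Create/Delete/Replace calls count toward the metric; read-only calls such as DescribeNetworkAcls do not, so the alarm stays quiet during routine audits.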