Create CloudWatch Alarm for VPC Flow Logs Metric Filter

Security

Risk level: High (not acceptable risk)

Ensure that an AWS CloudWatch alarm is created and configured for the metric filter attached to the VPC Flow Logs CloudWatch log group, so that you receive notifications when IP packets are rejected inside the specified VPC. The CloudWatch alarm must watch the metric published by the VPC Flow Logs metric filter over a specified period and take an action when the metric value crosses a given threshold for a number of consecutive periods. The action taken when the alarm changes state must be a notification sent to an AWS SNS topic that you created. Before the Cloud Conformity engine runs this rule, the name of the VPC Flow Logs CloudWatch log group, e.g. <vpc_flow_log_group_name>, must be configured in the rule settings on your Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security Package

When an Amazon CloudWatch alarm is configured for the VPC Flow Logs metric filter, you receive a notification every time IP packets are rejected inside your VPC, which gives you an accurate and timely picture of the rejected IP traffic within your Virtual Private Cloud.

Note 1: This conformity rule assumes that the VPC Flow Logs CloudWatch log group and the required metric filter are already configured within your AWS account; otherwise, create the flow log, its CloudWatch log group and the metric filter first, then implement the steps outlined in this rule to create and configure the alarm.

Note 2: Make sure that you replace all <vpc_flow_log_group_name> placeholders found in the conformity rule content with the name of your own log group assigned to the VPC Flow Logs.

Audit

To determine if a CloudWatch alarm is created for the VPC Flow Logs metric filter and the alarm action is configured to send notifications to an SNS topic, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create CloudWatch Alarm for VPC Flow Logs Metric Filter conformity rule settings and copy the name configured for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs to access the log groups available in the current AWS region.

05 Paste the name of your flow log group, copied at step no. 1, into the Log Group Name Prefix search box and press Enter.

06 Select the log group returned at the previous step and click on the <number> filter link, available in the Metric Filters column, to access the metric filters created for the selected log group.

07 On the Filters for <vpc_flow_log_group_name> page, find the metric filter box whose Filter Pattern matches rejected packets. VPC Flow Log records are space-delimited rather than JSON, so for the default record format the pattern is:

[version, account_id, interface_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action="REJECT", log_status]

(a log group that uses a custom flow log format has a pattern with the same action="REJECT" term in that format's field order). Once the metric filter is found, check its Alarm attribute. If no Alarm is listed for the selected metric filter, there is no AWS CloudWatch alarm configured for the VPC Flow Logs metric filter, therefore you will not receive notifications when IP packets are rejected inside your VPC.

08 Change the AWS region from the navigation bar and repeat steps no. 5 – 7 to check for AWS CloudWatch alarms configured for VPC Flow Logs metric filters available in other regions (if any).

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create CloudWatch Alarm for VPC Flow Logs Metric Filter conformity rule settings and copy the name defined for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Run describe-metric-filters command (OSX/Linux/UNIX) using the name of the flow log group copied at the previous step as identifier and custom query filters to get the name of the metric filter attached to the selected CloudWatch log group. Replace <vpc_flow_log_group_name> with the name of your own flow log group:

aws logs describe-metric-filters \
	--region us-east-1 \
	--log-group-name <vpc_flow_log_group_name> \
	--query "metricFilters[*].metricTransformations[*].metricName[]"

03 The command output should return the name of the metric that the filter publishes, i.e. the metric the alarm must watch:

[
    "cc-vpc-flow-log-metric"
]

04 Run describe-alarms command (OSX/Linux/UNIX) using the metric name returned at the previous step as query parameter to describe the name and the action(s) of the AWS CloudWatch alarm created for the selected metric filter:

aws cloudwatch describe-alarms \
	--region us-east-1 \
	--query "MetricAlarms[?MetricName == 'cc-vpc-flow-log-metric'].{AlarmName:AlarmName,AlarmActions:AlarmActions}"

05 The command output should return the requested configuration information:

[]

If the describe-alarms command output returns an empty array (i.e. []), as shown in the example above, there is no Amazon CloudWatch alarm configured for the VPC Flow Logs metric filter, therefore you will not receive notifications when IP packets are rejected within your Virtual Private Cloud. An alarm that is listed but has an empty AlarmActions array, or whose AlarmActions contain no SNS topic ARN, does not notify anyone either and must be treated as non-compliant.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 to check for AWS CloudWatch alarms configured for VPC Flow Logs metric filters available in other regions (if applicable).
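The two CLI commands above only tell you whether an alarm exists for the metric name; they do not check that the alarm matches the metric's namespace, that its actions are enabled, or that an SNS topic is actually among the actions. The following script, an added example and not Cloud Conformity's code, performs that full check offline on the JSON the two commands return (run them without --query and redirect the output to files). The sample documents embedded in it are constructed; the alarm and metric names mirror the examples on this page, and the second alarm in the sample, which reuses the metric name in a different namespace, is there to show why the namespace must be compared too.

```python
"""Audit: does each metric published by the flow log group's metric filter(s)
have a CloudWatch alarm that can actually notify someone?

Added example (not Cloud Conformity's code). Works offline on the JSON that
the two CLI commands from the Audit section return, e.g.

  aws logs describe-metric-filters --region us-east-1 \
      --log-group-name <vpc_flow_log_group_name> > filters.json
  aws cloudwatch describe-alarms --region us-east-1 > alarms.json
  python audit_flow_log_alarm.py filters.json alarms.json

With no arguments it runs on the constructed sample documents below.
"""
import json
import sys

SNS_ARN_PREFIX = "arn:aws:sns:"

# Constructed sample shaped like `aws logs describe-metric-filters` output.
SAMPLE_FILTERS = {
    "metricFilters": [{
        "filterName": "cc-vpc-flow-log-rejects",
        "filterPattern": '[version, account_id, interface_id, srcaddr, dstaddr, srcport, '
                         'dstport, protocol, packets, bytes, start, end, action="REJECT", log_status]',
        "logGroupName": "<vpc_flow_log_group_name>",
        "metricTransformations": [{"metricName": "cc-vpc-flow-log-metric",
                                   "metricNamespace": "LogMetrics", "metricValue": "1"}],
    }]
}

# Constructed sample shaped like `aws cloudwatch describe-alarms` output. The second
# alarm has the same MetricName in another namespace and must not count as coverage.
SAMPLE_ALARMS = {
    "MetricAlarms": [
        {"AlarmName": "vpc-flow-log-rejects", "Namespace": "LogMetrics",
         "MetricName": "cc-vpc-flow-log-metric", "ActionsEnabled": True,
         "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications"],
         "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1.0,
         "ComparisonOperator": "GreaterThanOrEqualToThreshold"},
        {"AlarmName": "stale-copy", "Namespace": "Custom/Old",
         "MetricName": "cc-vpc-flow-log-metric", "ActionsEnabled": True,
         "AlarmActions": [], "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
         "Threshold": 1.0, "ComparisonOperator": "GreaterThanOrEqualToThreshold"},
    ]
}


def metrics_from_filters(filters_doc):
    """(namespace, metric name) for every metric the log group's filters publish."""
    return [(t["metricNamespace"], t["metricName"])
            for mf in filters_doc.get("metricFilters", [])
            for t in mf.get("metricTransformations", [])]


def audit_alarm(namespace, metric_name, alarms_doc):
    """Findings for the alarm(s) watching one metric; an empty list means compliant."""
    candidates = [a for a in alarms_doc.get("MetricAlarms", [])
                  if a.get("Namespace") == namespace and a.get("MetricName") == metric_name]
    if not candidates:
        return [f"no CloudWatch alarm watches metric {namespace}/{metric_name}"]
    findings = []
    for alarm in candidates:
        name = alarm.get("AlarmName", "<unnamed>")
        if not alarm.get("ActionsEnabled", False):
            findings.append(f"{name}: actions are disabled, so nothing is notified")
        if not any(arn.startswith(SNS_ARN_PREFIX) for arn in alarm.get("AlarmActions", [])):
            findings.append(f"{name}: no SNS topic among AlarmActions")
        if alarm.get("Statistic") != "Sum":
            findings.append(f"{name}: statistic {alarm.get('Statistic')} does not count "
                            "rejected packets per period (expected Sum)")
        if (alarm.get("ComparisonOperator") == "GreaterThanOrEqualToThreshold"
                and alarm.get("Threshold", 0) < 1):
            findings.append(f"{name}: threshold {alarm.get('Threshold')} is below 1 reject")
    return findings


def audit_log_group(filters_doc, alarms_doc):
    """Map 'namespace/metric' to its findings for every metric the log group publishes."""
    metrics = metrics_from_filters(filters_doc)
    if not metrics:
        return {"<no metric filter>": ["the log group has no metric filter; create one first"]}
    return {f"{ns}/{name}": audit_alarm(ns, name, alarms_doc) for ns, name in metrics}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            filters_doc = json.load(fh)
        with open(sys.argv[2]) as fh:
            alarms_doc = json.load(fh)
    else:
        filters_doc, alarms_doc = SAMPLE_FILTERS, SAMPLE_ALARMS
    for metric, findings in audit_log_group(filters_doc, alarms_doc).items():
        print(metric, "OK" if not findings else "; ".join(findings))
```

Run it once per region, with the describe-alarms output of the same region the log group lives in; an alarm created in another region never sees the metric.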

Remediation / Resolution

To create and configure the required Amazon CloudWatch alarm for the VPC Flow Logs metric filter, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your new SNS topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name (ARN) link.

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the AWS CloudWatch alarm notifications then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click the Confirm subscription link to confirm your new email subscription.

10 Now navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

11 In the left navigation panel, click Logs.

12 Select your VPC Flow Logs CloudWatch log group and click on the <number> filter link, available in the Metric Filters column, to access the metric filters page for the selected group.

13 On the Filters for <vpc_flow_log_group_name> page, choose the metric filter that you want to configure (see step no. 7 of the Audit section, Using AWS Console, to identify the right metric filter), then click the Create Alarm link available inside the metric filter box to initiate the CloudWatch alarm setup process.

14 Within Create Alarm dialog box, provide the following information:

  1. Inside the Alarm Threshold section, in the Name and Description boxes, provide a unique name and a short description for your new CloudWatch alarm.
  2. Under Whenever: <Metric Name>, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value in the box next to the dropdown list to trigger the alarm every time IP packets are rejected inside your VPC.
  3. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created earlier from Send notification to dropdown list.
  4. In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
  5. Review the alarm configuration details then click Create Alarm. Once created, the new CloudWatch alarm will be listed on the Alarms page. After the monitoring data is loaded, the State (status) of the new CloudWatch alarm will change from INSUFFICIENT_DATA to OK.

Using AWS CLI

01 First, run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications whenever the required AWS CloudWatch alarm is triggered:

aws sns create-topic \
	--region us-east-1 \
	--name cc-vpc-flow-log-notifications

02 The command output should return the ARN for the newly created AWS SNS topic:

{
   "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe the email address that should receive the notifications to the new topic; SNS sends a confirmation message to that endpoint:

aws sns subscribe \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications \
	--protocol email \
	--notification-endpoint admin@cloudconformity.com

04 The command output should return the following metadata:

{
	"SubscriptionArn": "pending confirmation"
}

05 Use your preferred email client application to open the message received from AWS Notifications, then click the Confirm subscription link to confirm your new email subscription.

06 Run put-metric-alarm command (OSX/Linux/UNIX) to create the AWS CloudWatch alarm that fires every time the threshold for "REJECT" packets is reached. The following command creates a CloudWatch alarm named "<vpc_flow_log_alarm_name>" in the US East (N. Virginia) region for the metric "<vpc_flow_log_metric_name>" published by the flow log metric filter, and sends notifications to the "cc-vpc-flow-log-notifications" SNS topic when IP packets are rejected inside your VPC. Replace <vpc_flow_log_alarm_name> and <vpc_flow_log_metric_name> with your own resource names, and make sure that --namespace matches the metricNamespace of the metric filter's transformation (LogMetrics in this example); an alarm created in a different namespace watches a metric that never receives data and stays in INSUFFICIENT_DATA. If successful, the command does not return any output:

aws cloudwatch put-metric-alarm \
	--region us-east-1 \
	--alarm-name <vpc_flow_log_alarm_name> \
	--alarm-description "Triggered by 'REJECT' packets." \
	--metric-name <vpc_flow_log_metric_name> \
	--namespace LogMetrics \
	--statistic Sum \
	--comparison-operator GreaterThanOrEqualToThreshold \
	--evaluation-periods 1 \
	--period 300 \
	--threshold 1 \
	--actions-enabled \
	--alarm-actions arn:aws:sns:us-east-1:123456789012:cc-vpc-flow-log-notifications
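To make the parameters of the alarm above concrete (statistic Sum, period 300, threshold 1, one evaluation period), here is a simplified model of the whole chain from flow log record to alarm state. It is an added example, not Cloud Conformity's or AWS's code: it parses records in the default flow log format, applies the same test as the space-delimited filter pattern (the action field equals REJECT), sums the metric per 5-minute period and evaluates one period the way the alarm is configured. The records, account ID, ENI ID and addresses are constructed. CloudWatch's real treatment of periods without datapoints (the alarm's TreatMissingData setting) is more involved than modelled here; what the model does show is why a quiet period leaves the alarm in INSUFFICIENT_DATA unless the metric filter publishes a default value.

```python
"""What the metric filter counts and when the alarm above fires.

Added example, not Cloud Conformity's or AWS's code: a simplified model of the
pipeline the Remediation section configures. It parses VPC Flow Log records in
the default (version 2) format, applies the test the space-delimited filter
pattern makes (the 13th field, action, equals REJECT), sums the metric per
300-second period and evaluates one period the way put-metric-alarm above set
it up (Sum >= 1, one evaluation period). CloudWatch's real handling of missing
datapoints (TreatMissingData) is more involved than the version modelled here.
"""

PERIOD = 300               # --period 300
THRESHOLD = 1              # --threshold 1, with GreaterThanOrEqualToThreshold
METRIC_VALUE = 1           # metricValue of the filter's metric transformation

# Field order of the default flow log record; the filter pattern lists the same 14 terms.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records (not real traffic). Two REJECTs fall in the first
# 5-minute period; the second period has only an ACCEPT and a NODATA record.
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.12 10.0.0.5 49152 443 6 12 3400 1534000000 1534000059 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.0.5 52044 22 6 1 44 1534000030 1534000089 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.0.5 52045 3389 6 1 44 1534000100 1534000159 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.12 10.0.0.5 49153 443 6 3 600 1534000250 1534000309 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1534000300 1534000359 - NODATA",
    "custom-format line with 5 fields",   # a 14-term pattern does not match this
]


def parse_record(line):
    """Dict of the default-format fields, or None when the field count differs."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def filter_matches(record):
    """The filter pattern's only constraint: action="REJECT"."""
    return record is not None and record["action"] == "REJECT"


def metric_datapoints(lines, default_value=None):
    """Per-period Sum of the metric, keyed by the period's start epoch.

    default_value mirrors the transformation's defaultValue: None (what you get
    unless you set one) publishes nothing for non-matching records, so a period
    without a REJECT has no datapoint at all; 0 publishes a zero for each one."""
    sums = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        period_start = int(rec["start"]) // PERIOD * PERIOD
        if filter_matches(rec):
            sums[period_start] = sums.get(period_start, 0) + METRIC_VALUE
        elif default_value is not None:
            sums[period_start] = sums.get(period_start, 0) + default_value
    return sums


def alarm_state(datapoints, period_start):
    """State after evaluating the single period that starts at period_start."""
    value = datapoints.get(period_start)
    if value is None:
        return "INSUFFICIENT_DATA"   # no datapoint was published for the period
    return "ALARM" if value >= THRESHOLD else "OK"


if __name__ == "__main__":
    for default in (None, 0):
        points = metric_datapoints(SAMPLE_RECORDS, default)
        print(f"defaultValue={default}: datapoints={points}")
        for start in (1533999900, 1534000200):
            print(f"  period {start}: {alarm_state(points, start)}")
```

The second run, with a default value of 0, is what you get if the metric filter was created with defaultValue=0 in its metric transformation (the `--metric-transformations` argument of `aws logs put-metric-filter`); with it, periods that carry traffic but no rejects produce a zero datapoint and the alarm reads OK rather than INSUFFICIENT_DATA, which makes a silent, broken filter easier to distinguish from a quiet VPC.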

Publication date Aug 18, 2016