Network configuration change detected

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: RTM-009

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected configuration changes made at the network level within your AWS account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security



The activity detected by this Real-Time Monitoring rule can be any user action initiated through the AWS Management Console, or any AWS API request made programmatically using the AWS CLI or an SDK, that changes the configuration of a networking-based AWS resource such as a Virtual Private Cloud (VPC) or a Network Access Control List (NACL).

Cloud Conformity Real-Time Monitoring can detect essentially any API call related to networking configuration changes within your AWS account (using the Amazon Config service API), such as adding or removing inbound/outbound rules to/from an existing VPC security group, disassociating an Elastic IP address from an EC2 instance or from a network interface, updating the route tables for an AWS VPC peering connection, or modifying the rules within a VPC Network ACL (NACL).

To enable Real-Time Monitoring detection for this Conformity rule, you must first define, within the rule configuration on the Cloud Conformity dashboard, the AWS networking-based resources to be monitored for configuration changes. The AWS resources supported by this Real-Time Monitoring rule are:

  • Virtual Private Clouds (VPCs)
  • VPC Network Access Control Lists (NACLs)
  • VPC Security Groups
  • VPC Route Tables
  • VPC Elastic Network Interfaces (ENIs)
  • VPC Internet Gateways
  • VPC Peering Connections
  • VPC NAT Gateways
  • VPC Endpoints
  • VPN Customer Gateways
  • VPC Elastic IP Addresses (EIPs)


Once the rule is configured and all the resources/components are defined, the Cloud Conformity Real-Time Monitoring feature will notify you of any networking-based AWS action and/or API call detected within your AWS account.

To adhere to AWS security best practices and implement the principle of least privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Cloud Conformity strongly recommends that you avoid, as much as possible, granting your IAM users (except the system administrator) the permission to change the network configuration within your AWS account.


Rationale



Monitoring configuration changes for your Amazon networking-based resources in real-time is crucial for keeping your AWS environment secure.

With Cloud Conformity Real-Time Monitoring you gain complete visibility over changes to your AWS networking infrastructure. This helps you prevent accidental or intentional modifications that may lead to unauthorized network access or other related security breaches. Beyond prevention, you can keep your AWS account secure by acting on any unusual activity detected at the AWS network level and by sending real-time notifications. This is extremely useful when, for example, an unauthorized user modifies a networking-based resource such as a VPC security group to allow unrestricted inbound access to TCP port 22 (SSH), which increases the opportunities for malicious activity such as hacking, man-in-the-middle (MITM) attacks and brute-force attacks.
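As an added illustration (not Conformity's own code or detection logic), the following Python example triages CloudTrail-style EC2 records for the network changes this rule covers and escalates the case where a security group is opened to the internet on TCP port 22. The choice of CloudTrail records as input, the selection of event names, the `critical` and `info` labels and every sample value are assumptions constructed for the example.

```python
import ipaddress

# EC2 API actions (a partial selection) mapped to resource types the rule lists.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress": "VPC Security Group",
    "ReplaceNetworkAclEntry": "VPC Network ACL",
    "ReplaceRoute": "VPC Route Table",
    "DisassociateAddress": "VPC Elastic IP Address",
}

def world_open_ports(event, watched=(22,)):
    """Watched TCP ports an ingress change opens to 0.0.0.0/0 or ::/0 (protocol -1 = all)."""
    hits = set()
    params = event.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        world = any(c and ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)
        proto = str(perm.get("ipProtocol"))
        if not world or proto not in ("tcp", "6", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm.get("fromPort", 0), perm.get("toPort", 65535))
        hits.update(p for p in watched if lo <= p <= hi)
    return sorted(hits)

def triage(events):
    """One finding per network change; denied calls are kept but marked not applied."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if ev.get("eventSource") != "ec2.amazonaws.com" or name not in NETWORK_CHANGE_EVENTS:
            continue
        applied = "errorCode" not in ev  # a failed or denied call changed nothing
        ports = world_open_ports(ev) if applied and name == "AuthorizeSecurityGroupIngress" else []
        findings.append({"actor": ev.get("userIdentity", {}).get("arn", "unknown"), "action": name,
                         "resource_type": NETWORK_CHANGE_EVENTS[name], "applied": applied, "open_ports": ports,
                         "severity": "critical" if ports else "high" if applied else "info"})
    return findings

def sample_event(name, cidr=None, port=None, **extra):  # constructed record, not real log data
    perm = {"ipProtocol": "tcp", "fromPort": port, "toPort": port, "ipRanges": {"items": [{"cidrIp": cidr}]}}
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-example"},
            "requestParameters": {"ipPermissions": {"items": [perm]}} if cidr else {}, **extra}

SAMPLE_EVENTS = [  # constructed sample input
    sample_event("AuthorizeSecurityGroupIngress", "0.0.0.0/0", 22),
    sample_event("AuthorizeSecurityGroupIngress", "0.0.0.0/0", 22, errorCode="Client.UnauthorizedOperation"),
    sample_event("ReplaceRoute"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns three findings: the applied SSH exposure as `critical`, the denied attempt as `info`, and the route change at the rule's own `high` level.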


Publication date Jun 12, 2017
