github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_network_gateway_change_alarm.go (about)

     1  package cloudwatch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  	"github.com/khulnasoft-lab/defsec/pkg/types"
    12  )
    13  
// requireNetworkGatewayChangeAlarm implements CIS AWS 1.2 §3.12 / 1.4 §4.12:
// every active multi-region CloudTrail trail that ships to CloudWatch Logs
// must have a metric filter matching network gateway API calls, and that
// filter must be backed by a CloudWatch alarm.
//
// Scope caveat (review): trails that are not multi-region, have no resolvable
// CloudWatch Logs group, or are not logging are skipped here rather than
// failed, so this rule on its own does not prove monitoring coverage — it
// relies on the CloudTrail/CloudWatch delivery rules to flag those gaps.
var requireNetworkGatewayChangeAlarm = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0158",
		Provider:   providers.AWSProvider,
		Service:    "cloudwatch",
		ShortCode:  "require-network-gateway-changes-alarm",
		Summary:    "Ensure a log metric filter and alarm exist for changes to network gateways",
		Impact:     "Network gateways control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.",
		Resolution: "Create an alarm to alert on network gateway changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {
				"3.12",
			},
			framework.CIS_AWS_1_4: {
				"4.12",
			},
		},
		Explanation: `You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
Network gateways are required to send and receive traffic to a destination outside a VPC.                                                              
                                                                            
CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
		},
		Terraform:      &scan.EngineMetadata{},
		CloudFormation: &scan.EngineMetadata{},
		Severity:       severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// Filter pattern taken from the CIS benchmark. The comparison appears to
		// be a whitespace-insensitive substring test, so a filter that covers the
		// same events in a different order (or via another expression) is
		// reported as missing — a false positive rather than a silent pass.
		const wantedPattern = `{($.eventName=CreateCustomerGateway) || 
					($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || 
					($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || 
					($.eventName=DetachInternetGateway)}`

		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			group := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
			if group == nil {
				// No CloudWatch Logs destination resolved for this trail: there
				// are no metric filters to inspect, so no result is recorded.
				continue
			}
			if trail.IsLogging.IsFalse() {
				// Checks IsFalse rather than !IsTrue — presumably so a trail whose
				// logging state cannot be resolved is still evaluated; confirm
				// against the types package.
				continue
			}

			// Locate the first metric filter on the log group that carries the
			// CIS network gateway pattern.
			var matched *cloudwatch.MetricFilter
			for i := range group.MetricFilters {
				if group.MetricFilters[i].FilterPattern.Contains(wantedPattern, types.IgnoreWhitespace) {
					matched = &group.MetricFilters[i]
					break
				}
			}
			if matched == nil {
				results.Add("Cloudtrail has no network gateway change log filter", trail)
				continue
			}

			// The filter's name is used as the alarm metric-name key. This assumes
			// the adapters populate FilterName with the metric the alarm watches —
			// verify against the Terraform/CloudFormation CloudWatch adapters.
			if s.AWS.CloudWatch.GetAlarmByMetricName(matched.FilterName.Value()) == nil {
				results.Add("Cloudtrail has no network gateway change alarm", trail)
				continue
			}

			results.AddPassed(trail)
		}

		return results
	},
)