TF 0044 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Ensure a log metric filter and alarm exist for security group changes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | cloudwatch |
| Provider | AWS |
Description
You can monitor API calls in real time by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
A security group is a stateful packet filter that controls ingress and egress traffic in a VPC.
CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed.
Resolution
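Create a log metric filter on the CloudTrail log group in CloudWatch Logs that matches security group changes, and an alarm on that metric to alert on them.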
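
One way to express this resolution in Terraform, as an added example that is not the database's own code. The resource and variable names, metric namespace, period and threshold are assumptions; the filter pattern is the one the CIS AWS Foundations Benchmark gives for security group changes.

```hcl
# Added example: names, namespace and thresholds are assumptions, not values from the rule.
variable "cloudtrail_log_group_name" {
  description = "CloudWatch Logs group that CloudTrail delivers to (assumed to exist)"
  type        = string
}

variable "alarm_sns_topic_arn" {
  description = "SNS topic that receives the alarm notification (assumed to exist)"
  type        = string
}

# Metric filter: count CloudTrail events that create, delete or modify a security group.
resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
  name           = "security-group-changes"
  log_group_name = var.cloudtrail_log_group_name

  pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"

  metric_transformation {
    name      = "SecurityGroupChanges"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# Alarm: fire when at least one matching event is seen in a 5-minute period.
resource "aws_cloudwatch_metric_alarm" "security_group_changes" {
  alarm_name          = "security-group-changes"
  alarm_description   = "A security group was created, deleted or modified"
  namespace           = aws_cloudwatch_log_metric_filter.security_group_changes.metric_transformation[0].namespace
  metric_name         = aws_cloudwatch_log_metric_filter.security_group_changes.metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # no matching events means no change, not an alarm state
  alarm_actions       = [var.alarm_sns_topic_arn]
}
```

The alarm reads its namespace and metric name from the filter resource, so the two cannot drift apart if the metric is renamed.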