Control: 2.22 Ensure a log monitoring and alerts are set up for security group changes
Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a query and alarm be established changes to Security Groups.
Perform the following to ensure the log monitoring and alerts are set up for security group changes。
- Logon to SLS Console.
Log Service Audit Servicein the navigation pane.
- Go to
Access to Cloud Products > Global Configurationpage.
- Select a location of project for logs.
- Check the
Action Trailand configure a proper days.
Saveto save the changes.
- Go to
Access to Cloud Products > Global Configurationsclick
Log Management > Actiontrail Log.
- In the search/analytics console, input below query
(event_name: CreateSecurityGroup or event_name: AuthorizeSecurityGroup or event_name: AuthorizeSecurityGroupEgress or event_name: RevokeSecurityGroup or event_name: RevokeSecurityGroupEgress or event_name: JoinSecurityGroup or event_name: LeaveSecurityGroup or event_name: DeleteSecurityGroup or event_name: ModifySecurityGroupPolicy) | select count(1) as cnt
- Create a dashboard and set alert for the query result.
Run the control in your terminal:
steampipe check alicloud_compliance.control.cis_v100_2_22
Snapshot and share results via Steampipe Cloud:
steampipe loginsteampipe check --share alicloud_compliance.control.cis_v100_2_22
This control uses a named query:manual_control