turbot/steampipe-mod-alicloud-compliance

Control: 2.12 Ensure log monitoring and alerts are set up for VPC network route changes

Description

It is recommended that a metric filter and alarm be established for VPC network route changes.

Remediation

Perform the following to ensure the log monitoring and alerts are set up for VPC network route changes:

From Console

  1. Log on to the SLS Console.
  2. Click Log Service Audit Service in the navigation pane.
  3. Go to the Access to Cloud Products > Global Configuration page.
    • Select a location of project for logs.
    • Check Action Trail and configure a proper number of days.
    • Click Save to save the changes.
  4. Go to Access to Cloud Products > Global Configurations and click Central Project.
  5. Select Log Management > Actiontrail Log.
  6. In the search/analytics console, input the following query:
("event.serviceName": Ecs or "event.serviceName": Vpc) and ("event.eventName": CreateRouteEntry or "event.eventName": DeleteRouteEntry or "event.eventName": ModifyRouteEntry or "event.eventName": AssociateRouteTable or "event.eventName": UnassociateRouteTable) | select count(1) as c
  7. Create a dashboard and set an alert for the query result.

Default Value:

The monitoring dashboard and alert are not set by default.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_2_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_12 --share

SQL

This control uses a named query:

with actiontrail_check as (
  -- ActionTrails that are enabled and deliver to an SLS project;
  -- the SLS region and project name are parsed out of the project ARN
  select
    name as trail_name,
    account_id,
    status,
    sls_project_arn,
    sls_write_role_arn,
    home_region,
    trail_region,
    substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region,
    substring(sls_project_arn from 'project/([^/]+)') as sls_project_name
  from
    alicloud_action_trail
  where
    status = 'Enable' and sls_project_arn is not null
), alert_check as (
  -- SLS alerts, one row per entry in query_list, whose query text names
  -- the Ecs/Vpc service and at least one of the route-change event names
  select
    project,
    region,
    name as alert_name,
    display_name,
    status as alert_status,
    coalesce(
      query_obj ->> 'Query',
      query_obj ->> 'query',
      query_obj::text
    ) as query_text
  from
    alicloud_sls_alert,
    jsonb_array_elements(query_list) as query_obj
  where
    (status = 'ENABLED' or status is null) and query_list is not null
    and (
      coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.serviceName="Ecs"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.serviceName="Vpc"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.serviceName": "Ecs"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.serviceName": "Vpc"%'
    )
    and (
      coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="CreateRouteEntry"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="DeleteRouteEntry"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyRouteEntry"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="AssociateRouteTable"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="UnassociateRouteTable"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "CreateRouteEntry"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "DeleteRouteEntry"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyRouteEntry"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "AssociateRouteTable"%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "UnassociateRouteTable"%'
    )
),
matched_pairs as (
  -- trail/alert pairs whose SLS delivery region and alert region agree
  select distinct
    at.trail_name,
    at.sls_region,
    at.home_region,
    ac.alert_name,
    ac.region as alert_region
  from
    actiontrail_check at
    inner join alert_check ac on
      trim(lower(coalesce(at.sls_region, ''))) = trim(lower(coalesce(ac.region, '')))
      and at.sls_region is not null
      and ac.region is not null
      and at.sls_region != ''
      and ac.region != ''
)
select
  'acs:actiontrail:' || at.home_region || ':' || at.account_id || ':actiontrail/' || at.name as resource,
  case
    when at.status = 'Enable' and at.sls_project_arn is not null and exists (select 1 from matched_pairs mp where mp.trail_name = at.name) then 'ok'
    else 'alarm'
  end as status,
  case
    when at.status = 'Enable' and at.sls_project_arn is not null and exists (select 1 from matched_pairs mp where mp.trail_name = at.name) then at.name || ' is configured with ActionTrail enabled, delivering to SLS project in region '
      || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', and has a VPC network route change monitoring alert configured'
    when at.status = 'Enable' and at.sls_project_arn is not null then at.name || ' is configured with ActionTrail enabled and delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', but no VPC network route change monitoring alert found in that region'
    when at.status = 'Enable' and at.sls_project_arn is null then at.name || ' is enabled but not configured to deliver logs to SLS'
    else at.name || ' is not enabled'
  end as reason,
  account_id as account_id,
  region as region
from
  alicloud_action_trail at;
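The following is an added, offline re-implementation of the named query's logic in Python; it is not code from the mod and does not query Steampipe. It reproduces the three steps the SQL performs: extracting the SLS region from the trail's project ARN with the same regular expression, emulating the `coalesce(...) ILIKE '%...%'` matching of the `alert_check` CTE over an alert's `query_list`, and producing the same `ok`/`alarm` status and reason strings. The trail and the two alert definitions are constructed sample data. The second alert carries the query exactly as typed in Remediation step 6 (service and event values unquoted); since every ILIKE pattern in the SQL expects quoted values, that form is not recognised by the control, which is a useful thing to know when reconciling an `alarm` result against an alert you believe exists.

```python
import json
import re

# Regular expressions copied from the control's SQL:
#   substring(sls_project_arn from 'acs:log:([^:]+):')  -> SLS region
#   substring(sls_project_arn from 'project/([^/]+)')   -> SLS project name
SLS_REGION_RE = re.compile(r"acs:log:([^:]+):")
SLS_PROJECT_RE = re.compile(r"project/([^/]+)")

ROUTE_EVENTS = ("CreateRouteEntry", "DeleteRouteEntry", "ModifyRouteEntry",
                "AssociateRouteTable", "UnassociateRouteTable")

# Substrings the alert_check CTE searches for with ILIKE '%...%'.
SERVICE_PATTERNS = ['event.serviceName="Ecs"', 'event.serviceName="Vpc"',
                    '"event.serviceName": "Ecs"', '"event.serviceName": "Vpc"']
EVENT_PATTERNS = ([f'event.eventName="{e}"' for e in ROUTE_EVENTS]
                  + [f'"event.eventName": "{e}"' for e in ROUTE_EVENTS])


def ilike_any(text, patterns):
    """Emulate `text ILIKE '%pattern%'` (case-insensitive substring) for each pattern."""
    lowered = text.lower()
    return any(p.lower() in lowered for p in patterns)


def query_text(query_obj):
    """coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text)."""
    if isinstance(query_obj, dict):
        for key in ("Query", "query"):
            if query_obj.get(key) is not None:
                return str(query_obj[key])
    return json.dumps(query_obj)


def alert_matches(alert):
    """alert_check CTE: an enabled (or status-less) SLS alert whose query_list
    holds at least one query naming Ecs/Vpc AND a route-change event name."""
    if alert.get("status") not in ("ENABLED", None):
        return False
    return any(ilike_any(query_text(q), SERVICE_PATTERNS)
               and ilike_any(query_text(q), EVENT_PATTERNS)
               for q in alert.get("query_list") or [])


def sls_region_of(arn):
    """Region component of an SLS project ARN, or None when it does not parse."""
    match = SLS_REGION_RE.search(arn or "")
    return match.group(1) if match else None


def evaluate_trail(trail, alerts):
    """Final SELECT of the control: one result row for one ActionTrail."""
    name = trail["name"]
    resource = (f"acs:actiontrail:{trail['home_region']}:"
                f"{trail['account_id']}:actiontrail/{name}")
    if trail.get("status") != "Enable":
        return {"resource": resource, "status": "alarm", "reason": f"{name} is not enabled"}
    arn = trail.get("sls_project_arn")
    if arn is None:
        return {"resource": resource, "status": "alarm",
                "reason": f"{name} is enabled but not configured to deliver logs to SLS"}
    region = sls_region_of(arn)
    # matched_pairs CTE: alert region must equal the trail's SLS region
    # (trimmed, case-insensitive) and neither side may be null or empty.
    matched = bool(region) and any(
        alert_matches(a)
        and bool(a.get("region"))
        and a["region"].strip().lower() == region.strip().lower()
        for a in alerts)
    if matched:
        return {"resource": resource, "status": "ok",
                "reason": f"{name} is configured with ActionTrail enabled, delivering to SLS "
                          f"project in region {region}, and has a VPC network route change "
                          f"monitoring alert configured"}
    return {"resource": resource, "status": "alarm",
            "reason": f"{name} is configured with ActionTrail enabled and delivering to SLS "
                      f"project in region {region}, but no VPC network route change "
                      f"monitoring alert found in that region"}


# Constructed sample inputs (not real account data).
TRAIL = {"name": "audit-trail", "account_id": "1234567890123456",
         "home_region": "cn-hangzhou", "status": "Enable",
         "sls_project_arn": "acs:log:cn-hangzhou:1234567890123456:project/audit-logs"}

# Quoted-value form of the query, which the ILIKE patterns recognise.
ALERT_QUOTED = {"name": "vpc-route-change", "region": "cn-hangzhou", "status": "ENABLED",
                "query_list": [{"Query": '("event.serviceName": "Ecs" or "event.serviceName": "Vpc") '
                                         'and ("event.eventName": "CreateRouteEntry" or '
                                         '"event.eventName": "DeleteRouteEntry") | select count(1) as c'}]}
# The query exactly as typed in Remediation step 6 (values unquoted): not recognised.
ALERT_UNQUOTED = {"name": "vpc-route-change-raw", "region": "cn-hangzhou", "status": "ENABLED",
                  "query_list": [{"Query": '("event.serviceName": Ecs or "event.serviceName": Vpc) '
                                           'and ("event.eventName": CreateRouteEntry) | select count(1) as c'}]}

if __name__ == "__main__":
    for alerts in ([ALERT_QUOTED], [ALERT_UNQUOTED], []):
        print(json.dumps(evaluate_trail(TRAIL, alerts)))
```

Running the block prints one result row per scenario: `ok` for the quoted alert, `alarm` for the unquoted one, and `alarm` when no alert exists in the trail's SLS region. The region comparison deliberately mirrors the `matched_pairs` join, so an alert defined in a different region than the one the trail delivers to is reported as missing, just as the SQL does.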

Tags