MEDIUM CloudWatch · CIS 4.10

Security group changes alarm

Check ID: aws-cw-010

AWS-CW-010 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch Logs metric filter and a CloudWatch alarm exist on the CloudTrail log group to detect security group changes (AuthorizeSecurityGroupIngress, CreateSecurityGroup and the other EC2 security group API calls). Without this monitoring, changes to network exposure go undetected until someone happens to look.

Why it matters

Security groups directly control network access to your AWS resources. A single AuthorizeSecurityGroupIngress call can expose databases, internal services, or management interfaces to the entire internet. The 2019 Capital One breach is often cited here; its entry point was an SSRF through a misconfigured web application firewall that reached instance metadata credentials rather than a security group rule, but it shows how one exposed network path becomes the first link in an attack chain. Security group changes in production should be infrequent and planned, so a real-time alert catches both malicious modifications and accidental misconfigurations while they are still cheap to reverse. The same alert also catches lateral movement: an attacker holding credentials with ec2:AuthorizeSecurityGroupIngress can open ports between security groups or subnets to reach resources that were previously isolated, and that call lands in CloudTrail like any other.

Common causes

Security group changes happen frequently during active development, making it easy to overlook a rule that opens a port to 0.0.0.0/0. Teams that manage security groups in the AWS Console instead of IaC have no code review step to catch overly permissive rules. Automation (deploy pipelines, autoscaling hooks, third-party integrations with broad EC2 permissions) may modify security groups without validating the resulting rules. In all of these cases the change is legitimate in origin but unreviewed, which is exactly what a change alarm surfaces.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Create metric filter on the log group your CloudTrail trail delivers to.
# The trail must be multi-region and have CloudWatch Logs delivery enabled,
# otherwise the filter never sees the events:
aws logs put-metric-filter \
  --log-group-name <CLOUDTRAIL_LOG_GROUP> \
  --filter-name CIS-4.10 \
  --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' \
  --metric-transformations metricName=CIS-4-10,metricNamespace=CISBenchmark,metricValue=1
# Create alarm. One matching event in a 5-minute period is enough to fire.
# The SNS topic needs at least one confirmed subscriber, or the alarm fires
# with nobody listening:
aws cloudwatch put-metric-alarm \
  --alarm-name CIS-4.10 \
  --metric-name CIS-4-10 \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <SNS_TOPIC_ARN>

Remediation: Terraform

# Metric filter on the CloudTrail log group. aws_cloudwatch_log_group.cloudtrail
# is assumed to be the log group the trail delivers to (defined elsewhere).
resource "aws_cloudwatch_log_metric_filter" "cis_4_10" {
  name           = "CIS-4.10"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"

  metric_transformation {
    name      = "CIS-4-10"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# Alarm on the metric the filter emits. aws_sns_topic.alerts is assumed to be
# an existing topic with at least one confirmed subscription.
resource "aws_cloudwatch_metric_alarm" "cis_4_10" {
  alarm_name          = "CIS-4.10"
  metric_name         = "CIS-4-10"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
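After applying either remediation it is worth confirming that the three pieces actually fit together: the filter pattern covers all six events, an alarm watches the metric the filter emits, and the alarm notifies an SNS topic that has a subscriber (the CIS audit procedure checks the subscription too). The following Python is an added example, not cloud-audit's own code; it evaluates the control the way a scanner does, over constructed data shaped like the boto3 describe_metric_filters, describe_alarms and list_subscriptions_by_topic responses, so it runs offline. The function and constant names are this example's own.

```python
"""Evaluate the CIS 4.10 control the way a scanner would.

Three things must hold: a metric filter on the CloudTrail log group covers all
six security group events, an alarm watches the metric that filter emits, and
the alarm notifies an SNS topic that actually has a subscriber. The inputs
mirror the shape of boto3's describe_metric_filters, describe_alarms and
list_subscriptions_by_topic responses; the sample data below is constructed
so the script runs offline.
"""
import re

REQUIRED_EVENTS = frozenset({
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
})

# Every eventName compared in a CloudWatch Logs filter pattern, with or
# without quotes around the value ($.eventName = X or $.eventName = "X").
_EVENT_RE = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?')


def events_in_pattern(pattern):
    return frozenset(_EVENT_RE.findall(pattern))


def missing_events(pattern):
    """Events CIS 4.10 requires that the pattern does not mention."""
    return REQUIRED_EVENTS - events_in_pattern(pattern)


def evaluate_cis_4_10(metric_filters, alarms, topic_subscriptions):
    """Return (passed, reason).

    metric_filters: 'metricFilters' list for the CloudTrail log group only;
                    a matching filter on some other log group does not count.
    alarms: 'MetricAlarms' list from describe_alarms.
    topic_subscriptions: {topic_arn: number of confirmed subscriptions}.
    """
    watched_metrics = set()
    for mf in metric_filters:
        if missing_events(mf.get("filterPattern", "")):
            continue  # partial coverage (e.g. ingress only) does not satisfy the control
        for t in mf.get("metricTransformations", []):
            watched_metrics.add((t["metricNamespace"], t["metricName"]))
    if not watched_metrics:
        return False, "no metric filter covers all six security group events"

    for alarm in alarms:
        if (alarm.get("Namespace"), alarm.get("MetricName")) not in watched_metrics:
            continue
        # An alarm with no action, or one pointed at a topic nobody subscribes
        # to, pages no one and fails the control just like a missing alarm.
        if any(topic_subscriptions.get(arn, 0) > 0
               for arn in alarm.get("AlarmActions", [])):
            return True, "alarm %s notifies a subscribed topic" % alarm["AlarmName"]
    return False, "filter exists but no alarm on its metric notifies a subscribed SNS topic"


# Constructed sample data (not real account output).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"
FULL_PATTERN = ('{ ($.eventName = AuthorizeSecurityGroupIngress) || '
                '($.eventName = AuthorizeSecurityGroupEgress) || '
                '($.eventName = RevokeSecurityGroupIngress) || '
                '($.eventName = RevokeSecurityGroupEgress) || '
                '($.eventName = CreateSecurityGroup) || '
                '($.eventName = DeleteSecurityGroup) }')
PARTIAL_PATTERN = '{ ($.eventName = "AuthorizeSecurityGroupIngress") }'
FULL_FILTER = {"filterName": "CIS-4.10", "filterPattern": FULL_PATTERN,
               "metricTransformations": [{"metricName": "CIS-4-10",
                                          "metricNamespace": "CISBenchmark",
                                          "metricValue": "1"}]}
PARTIAL_FILTER = dict(FULL_FILTER, filterName="ingress-only",
                      filterPattern=PARTIAL_PATTERN)
ALARM = {"AlarmName": "CIS-4.10", "Namespace": "CISBenchmark",
         "MetricName": "CIS-4-10", "AlarmActions": [TOPIC_ARN]}
SILENT_ALARM = dict(ALARM, AlarmName="no-actions", AlarmActions=[])


if __name__ == "__main__":
    for label, args in [
        ("complete", ([FULL_FILTER], [ALARM], {TOPIC_ARN: 1})),
        ("partial pattern", ([PARTIAL_FILTER], [ALARM], {TOPIC_ARN: 1})),
        ("alarm without action", ([FULL_FILTER], [SILENT_ALARM], {TOPIC_ARN: 1})),
        ("topic without subscriber", ([FULL_FILTER], [ALARM], {TOPIC_ARN: 0})),
    ]:
        passed, reason = evaluate_cis_4_10(*args)
        print("%-26s %s  %s" % (label, "PASS" if passed else "FAIL", reason))
```

Against a live account, feed it the metricFilters from describe_metric_filters on the CloudTrail log group, MetricAlarms from describe_alarms, and a subscription count per topic from list_subscriptions_by_topic; a filter on some other log group, a pattern missing any of the six events, an alarm with no actions, or a topic with no subscriber all report FAIL, which is the same set of conditions cloud-audit flags.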

Compliance mapping

This check maps to CIS 4.10 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit