Network gateway changes alarm
Check ID: aws-cw-012
AWS-CW-012 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch Logs metric filter and a CloudWatch alarm exist to detect network gateway changes recorded by CloudTrail: customer gateway and internet gateway API calls such as CreateCustomerGateway, AttachInternetGateway and DeleteInternetGateway (the full CIS event list is in the remediation filter pattern below). Without this monitoring, changes to the network boundary go undetected.
Why it matters
Internet gateways and customer gateways define the network boundary between your VPC and the outside world. Attaching an internet gateway to a previously isolated VPC makes every resource with a public IP reachable from the internet as soon as a route table sends traffic to that gateway; the attachment is the boundary change worth alarming on, because the route change that follows is routine and easy to miss. Creating a customer gateway is the first step in building a site-to-site VPN that can route traffic to an attacker-controlled network. These are high-impact, low-frequency changes that should always trigger investigation. An attacker with EC2/VPC permissions could attach an internet gateway to exfiltrate data from previously isolated subnets, or create a customer gateway and VPN connection as a persistent backdoor tunnel that survives credential rotation, since the tunnel is authenticated by the VPN pre-shared key rather than by the IAM credentials used to create it.
Common causes
Gateway changes are infrequent in production, so teams do not prioritize monitoring for them. New VPC deployments may attach internet gateways through CloudFormation or Terraform without the change ever being visible to the security team. Developer sandbox accounts may grant gateway creation permissions that nobody monitors, and the same unmonitored patterns are then replicated into production. A further cause is that CloudTrail is not delivering to CloudWatch Logs at all: a metric filter can only fire on events that reach a log group.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
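The logic this check applies, written out as an added example (it is not cloud-audit's own code): given the metric filters of the CloudTrail log group, the account's alarms and the SNS subscriptions of each alarm action, a filter only counts if its pattern covers every one of the six CIS 4.12 event names, an alarm watches the metric the filter emits, and at least one alarm action is an SNS topic that actually has a subscriber. The sample data is constructed; in practice the three inputs come from boto3 `describe_metric_filters`, `describe_alarms` and `list_subscriptions_by_topic`. The example account ID and topic names are assumptions.

```python
"""Illustrative evaluation of an aws-cw-012 style check over data already
pulled from AWS. Input shapes mimic boto3 responses; the data below is
constructed for the example and is not output from a real account."""
import re

# Event names the CIS 4.12 filter must cover (same set as the remediation pattern).
REQUIRED_EVENTS = frozenset({
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "AttachInternetGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "DetachInternetGateway",
})

# Pulls every eventName literal out of a CloudWatch Logs filter pattern such as
# '{ ($.eventName = CreateCustomerGateway) || ($.eventName = "DeleteInternetGateway") }'.
_EVENT_NAME = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?')


def events_covered(filter_pattern):
    """Set of eventName values a filter pattern matches on (equality terms only)."""
    return set(_EVENT_NAME.findall(filter_pattern))


def evaluate(metric_filters, alarms, subscriptions_by_topic):
    """Return (compliant, reason).

    Compliant when some metric filter covers every required event, an alarm
    watches a metric that filter emits, and at least one alarm action is an
    SNS topic with a subscriber (an alarm nobody receives is not monitoring).
    Every rejected filter/alarm is recorded so the reason explains the finding.
    """
    reasons = []
    for mf in metric_filters:
        missing = REQUIRED_EVENTS - events_covered(mf.get("filterPattern", ""))
        if missing:
            reasons.append(f"filter {mf['filterName']} misses {sorted(missing)}")
            continue
        metrics = {(t["metricNamespace"], t["metricName"])
                   for t in mf.get("metricTransformations", [])}
        matching = [a for a in alarms
                    if (a.get("Namespace"), a.get("MetricName")) in metrics]
        if not matching:
            reasons.append(f"no alarm watches the metric emitted by filter {mf['filterName']}")
            continue
        for alarm in matching:
            actions = alarm.get("AlarmActions", [])
            if any(subscriptions_by_topic.get(arn) for arn in actions):
                return True, (f"filter {mf['filterName']} -> alarm {alarm['AlarmName']} "
                              f"with a subscribed SNS action")
            reasons.append(f"alarm {alarm['AlarmName']} has no SNS action with a subscriber")
    return False, "; ".join(reasons) or "no metric filters on the CloudTrail log group"


# Constructed sample data (hypothetical account 123456789012, hypothetical topic name).
SAMPLE_FILTERS = [
    {   # Covers only three gateway events: not enough for CIS 4.12.
        "filterName": "gw-partial",
        "filterPattern": "{ ($.eventName = CreateCustomerGateway) || "
                         "($.eventName = AttachInternetGateway) || "
                         "($.eventName = DeleteInternetGateway) }",
        "metricTransformations": [{"metricName": "GwPartial",
                                   "metricNamespace": "CISBenchmark", "metricValue": "1"}],
    },
    {   # The full remediation pattern from this page.
        "filterName": "CIS-4.12",
        "filterPattern": "{ ($.eventName = CreateCustomerGateway) || "
                         "($.eventName = DeleteCustomerGateway) || "
                         "($.eventName = AttachInternetGateway) || "
                         "($.eventName = CreateInternetGateway) || "
                         "($.eventName = DeleteInternetGateway) || "
                         "($.eventName = DetachInternetGateway) }",
        "metricTransformations": [{"metricName": "CIS-4-12",
                                   "metricNamespace": "CISBenchmark", "metricValue": "1"}],
    },
]
SAMPLE_TOPIC = "arn:aws:sns:us-east-1:123456789012:security-alerts"
SAMPLE_ALARMS = [
    {"AlarmName": "CIS-4.12", "Namespace": "CISBenchmark", "MetricName": "CIS-4-12",
     "AlarmActions": [SAMPLE_TOPIC]},
]
SAMPLE_SUBSCRIPTIONS = {SAMPLE_TOPIC: ["subscription-1"]}


def demo():
    """Run the four situations a reviewer should see: pass, partial filter,
    no alarm, and alarm whose topic has no subscriber."""
    return {
        "full": evaluate(SAMPLE_FILTERS, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS),
        "partial_filter_only": evaluate(SAMPLE_FILTERS[:1], SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS),
        "no_alarm": evaluate(SAMPLE_FILTERS, [], SAMPLE_SUBSCRIPTIONS),
        "unsubscribed_topic": evaluate(SAMPLE_FILTERS, SAMPLE_ALARMS, {}),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} ({why})")
```

Only the first case passes; the partial filter fails because three of the six event names are missing, and the last two cases show why the check looks past the filter to the alarm and its delivery path.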
Remediation: AWS CLI
Both remediations below assume a multi-region CloudTrail trail that delivers to the CloudWatch Logs group referenced as <CLOUDTRAIL_LOG_GROUP> (or aws_cloudwatch_log_group.cloudtrail in Terraform), and an SNS topic with at least one subscriber; a metric filter on a log group CloudTrail does not write to never fires, and an alarm whose topic has no subscriber alerts nobody.
# Create metric filter:
aws logs put-metric-filter \
--log-group-name <CLOUDTRAIL_LOG_GROUP> \
--filter-name CIS-4.12 \
--filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' \
--metric-transformations metricName=CIS-4-12,metricNamespace=CISBenchmark,metricValue=1
# Create alarm:
aws cloudwatch put-metric-alarm \
--alarm-name CIS-4.12 \
--metric-name CIS-4-12 \
--namespace CISBenchmark \
--statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--alarm-actions <SNS_TOPIC_ARN>
Remediation: Terraform
resource "aws_cloudwatch_log_metric_filter" "cis_4_12" {
  name           = "CIS-4.12"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"

  metric_transformation {
    name      = "CIS-4-12"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_4_12" {
  alarm_name          = "CIS-4.12"
  metric_name         = "CIS-4-12"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
Compliance mapping
This check maps to control 4.12 (Ensure a log metric filter and alarm exist for changes to network gateways) in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform →