cwe-monitor-secgrp

This CloudWatch Events rule, together with its Lambda function, evaluates AWS API calls that change Amazon EC2 security group ingress rules. The function flags rule changes that violate a preconfigured policy.

AWS Open Source Cloud Service Only
Category: Security Monitoring & Logging
Community Stars: 25
Last Commit: 5 years ago
Last page update: 18 days ago
Pricing Details: Free to use under Apache License 2.0
Target Audience: AWS security teams, DevOps engineers, compliance officers

The cwe-monitor-secgrp tool is a detective control for unauthorized or non-compliant changes to Amazon EC2 security group ingress rules. This CloudWatch Events rule, coupled with a Lambda function, monitors AWS API calls that modify these rules, specifically the AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress calls.

The technical architecture involves setting up a CloudWatch Events rule that triggers the Lambda function whenever these specific API calls are made. The Lambda function then examines the updated security group permissions against a preconfigured policy, which is hard-coded in the function using the EC2 IpPermissions structure. If the permissions do not align with the policy, the function logs detailed messages in CloudWatch Logs indicating the actions needed to bring the security group back into compliance.

Operationally, this setup requires careful configuration of the JSON event selector to target the specific security groups that need monitoring. For example, you need to specify the groupId in the event selector to focus on particular security groups. This approach ensures real-time detection and alerting for non-compliant changes, but it may introduce some latency depending on the frequency of API calls and the complexity of the policies being enforced.
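As an added illustration of the two paragraphs above (example code, not the cwe-monitor-secgrp project's own), the Python Lambda handler below receives an AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress event delivered by CloudWatch Events from CloudTrail, flattens the event's ipPermissions, and compares them with a policy hard-coded in the EC2 IpPermissions structure. The group ID, ports and CIDRs in POLICY and SAMPLE_EVENT are constructed values.

```python
# Constructed policy: the only ingress each monitored group should carry.
# Keyed by groupId; values use the EC2 IpPermissions structure (made-up values).
POLICY = {
    "sg-0123456789abcdef0": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

def _policy_rules(perms):
    """Flatten IpPermissions into hashable (proto, from, to, cidr) tuples."""
    return {(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), r["CidrIp"])
            for p in perms for r in p.get("IpRanges", [])}

def _event_rules(params):
    """Same flattening for CloudTrail requestParameters.ipPermissions.items."""
    return {(p.get("ipProtocol"), p.get("fromPort"), p.get("toPort"), r.get("cidrIp"))
            for p in params.get("ipPermissions", {}).get("items", [])
            for r in p.get("ipRanges", {}).get("items", [])}

def evaluate(event):
    """Return (group_id, findings): added rules outside policy, or policy rules revoked."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters", {})
    group_id = params.get("groupId")
    if group_id not in POLICY:
        return group_id, []  # group not covered by the policy: nothing to check
    allowed, changed = _policy_rules(POLICY[group_id]), _event_rules(params)
    name = detail.get("eventName")
    if name == "AuthorizeSecurityGroupIngress":  # flag additions the policy forbids
        return group_id, sorted((("revoke", r) for r in changed - allowed), key=repr)
    if name == "RevokeSecurityGroupIngress":  # flag removal of rules the policy requires
        return group_id, sorted((("restore", r) for r in changed & allowed), key=repr)
    return group_id, []

def lambda_handler(event, context=None):
    """Lambda entry point: log each remediation step to CloudWatch Logs, return a summary."""
    group_id, findings = evaluate(event)
    for action, (proto, lo, hi, cidr) in findings:
        print(f"NONCOMPLIANT {group_id}: {action} {proto} {lo}-{hi} from {cidr}")
    return {"groupId": group_id, "violations": len(findings)}

# Constructed CloudWatch Events/CloudTrail event: adds SSH from anywhere.
SAMPLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}
```

Running `lambda_handler(SAMPLE_EVENT)` logs one NONCOMPLIANT line telling the operator to revoke tcp/22 from 0.0.0.0/0; a Revoke event that removes the 443 rule from 10.0.0.0/8 would instead log a "restore" finding.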

From a technical standpoint, the function relies on CloudTrail for event sourcing, ensuring that all changes are captured as they occur. However, the scalability of this solution can be limited by the performance of the Lambda function and the volume of logs generated, which can lead to increased costs and potential delays in processing large numbers of events. Nonetheless, this tool provides a robust mechanism for maintaining compliance and security posture in AWS environments by automating the monitoring and enforcement of security group policies.
