Tracking firewall changes with alarms
Tracking firewall configuration changes, with an alarm raised for each change, is important. All too often a system administrator inserts a 0.0.0.0/0 (allow from anywhere) rule just to make something work the easy way.
This is why reviewing the firewall configuration every three months is necessary. In a span of three months you will often find a lot of newly added rules, and no one knows how they got into the firewall.
AWS lets you track changes made to your environment, including changes to security groups, through its auditing service, CloudTrail. The following is a sample CloudWatch Logs filter pattern that matches any change to a security group:
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
We can illustrate the process in the form of a diagram as well:
At a high level, the preceding diagram shows that whenever the system administrator changes a firewall rule, an alarm is generated and the details of the event are sent to the security team.
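The following is an added example, not code from the original page: it applies the same event-name test as the filter pattern above to constructed CloudTrail records and, for the matching ones, also calls out any rule opened to 0.0.0.0/0 or ::/0, which is the kind of detail the security team wants in the alarm. The record layout follows CloudTrail's requestParameters shape for security group calls; the sample records and user names are constructed.

```python
# The six event names from the metric filter pattern on this page.
MONITORED_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}  # "allow from anywhere" in IPv4 / IPv6

def matches_filter(record):
    """Same test as the CloudWatch filter: is eventName one we alarm on?"""
    return record.get("eventName") in MONITORED_EVENTS

def world_open_ranges(record):
    """CIDRs in the request that permit any source or destination address."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    found = []
    for perm in perms:
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in perm.get(key, {}).get("items", []):
                if rng.get(field) in ANY_ADDRESS:
                    found.append(rng[field])
    return found

def review(records):
    """One alert per matching record, with any world-open CIDRs called out."""
    alerts = []
    for rec in records:
        if not matches_filter(rec):
            continue  # e.g. read-only Describe* calls never reach the alarm
        alerts.append({
            "event": rec["eventName"],
            "user": rec.get("userIdentity", {}).get("userName", "unknown"),
            "group": rec.get("requestParameters", {}).get("groupId"),
            "world_open": world_open_ranges(rec),
        })
    return alerts

# Constructed sample CloudTrail records (not from a real account).
SAMPLE_RECORDS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "sysadmin"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeSecurityGroups", "userIdentity": {"userName": "auditor"}},
    {"eventName": "DeleteSecurityGroup", "userIdentity": {"userName": "sysadmin"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210"}},
]

if __name__ == "__main__":
    for alert in review(SAMPLE_RECORDS):
        print(alert)
```

In a real deployment the metric filter and alarm do the matching inside CloudWatch; this script is useful for the quarterly review, run over exported CloudTrail records to list the changes and who made them.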