Amazon_CloudWatch_12

Ensure a log metric filter and alarm exist for changes to network gateways

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.

Remediation


Perform the following to setup the metric filter, alarm, SNS topic, and subscription:

  1. Identify the log group name configured for use with CloudTrail.
  2. Note the <cloudtrail_log_group_name> value associated with CloudWatchLogsLogGroupArn:
  3. Create a metric filter based on the filter pattern provided, which checks for network gateway changes, and the <cloudtrail_log_group_name> taken from step 2.
     Note: you can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
  4. Create an SNS topic that the alarm will notify.
     Note: you can re-use the same topic for all monitoring alarms.
  5. Create an SNS subscription to the topic created in step 4.
     Note: you can re-use the same SNS subscription for all monitoring alarms.
  6. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 3 and the SNS topic created in step 4.
     Note: set the period and threshold to values that fit your organization.

To Create a Metric Filter and CloudWatch Alarm

1. Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

2. In the left navigation panel, select Logs.

3. Select the log group created for your CloudTrail trail event logs and click the Create Metric Filter button.

4. On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:

   { ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }

   This pattern is used to scan the AWS CloudTrail logs for event names such as "CreateInternetGateway", "AttachInternetGateway" or "DeleteInternetGateway".

5. Review the metric filter configuration details, then click Assign Metric.

6. On the Create Metric Filter and Assign a Metric page, perform the following:
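Before deploying the filter, the pattern from step 4 and the alarm from step 6 of the first list can be sanity-checked offline. The following Python is an added example, not part of the benchmark or of any AWS tooling: it emulates the metric filter against constructed CloudTrail records, and the Sum statistic with a threshold of 1 is an assumed alarm setting, not one this page prescribes.

```python
import json
import re

# Filter pattern exactly as given in step 4 above.
FILTER_PATTERN = (
    "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway)"
    " || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway)"
    " || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
)


def event_names_from_pattern(pattern):
    """Collect the eventName values an OR-only JSON filter pattern matches."""
    return set(re.findall(r"\$\.eventName\s*=\s*(\w+)", pattern))


def metric_sum(log_lines, pattern=FILTER_PATTERN):
    """Emulate the filter: each matching event adds 1 (metricValue) to the Sum."""
    names = event_names_from_pattern(pattern)
    total = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines can never match a JSON filter pattern
        # CloudWatch Logs compares the selector $.eventName for an exact match.
        if record.get("eventName") in names:
            total += 1
    return total


def alarm_state(total, threshold=1):
    """Assumed alarm settings: Statistic Sum, GreaterThanOrEqualToThreshold, Threshold 1."""
    return "ALARM" if total >= threshold else "OK"


# Constructed CloudTrail-style records, trimmed to the fields that matter here.
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "CreateInternetGateway", "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventName": "AttachInternetGateway", "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventName": "DescribeInternetGateways", "eventSource": "ec2.amazonaws.com"}),
    json.dumps({"eventName": "CreateNatGateway", "eventSource": "ec2.amazonaws.com"}),
    "not a JSON record",
]

if __name__ == "__main__":
    total = metric_sum(SAMPLE_LOG_LINES)  # 2: the read-only Describe call and the
    print(total, alarm_state(total))      # NAT gateway event fall outside the pattern
```

The sample deliberately includes a CreateNatGateway event to show that this pattern covers only customer and internet gateways; NAT gateway changes need their own filter if you want them alarmed.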


Service: CloudWatch

Severity: Medium

Compliance Mapping:
