The Internet Gateway (IGW) changes alarm is a useful tool for monitoring changes to internet gateways and maintaining the security of VPCs in AWS. By setting up this alarm, users can ensure that any unauthorized or unexpected changes to their internet gateway are quickly identified and resolved, reducing the risk of potential security breaches. The alarm can be set up to trigger when specific changes are made to the internet gateway, such as attachment or detachment of a VPC, changes to the route table, or changes to the security group.


When an Internet Gateway changes alarm is triggered, it is important to take immediate action to investigate and address any changes that may have occurred. Here are some remediation steps that can help ensure the security and availability of your VPC resources:

  1. Review the Alarm: Review the details of the alarm to understand the specific changes that triggered the alarm. This will help you determine the scope and severity of the potential impact.
  2. Investigate: Investigate the changes that triggered the alarm to determine whether they were authorized and whether they pose a security risk. Check the VPC Flow Logs to identify the source and destination of any network traffic associated with the changes.
  3. Rollback Unapproved Changes: If the changes were unauthorized or pose a security risk, roll them back immediately to their previous state. You can also use AWS Config to compare the current state of the IGW with its previous state and identify any changes that may have occurred.
  4. Update Security Groups: If the changes were authorized but pose a security risk, update the security groups associated with the IGW to limit access to only authorized traffic.
  5. Modify Route Tables: If the changes were authorized and do not pose a security risk, modify the route tables associated with the IGW to ensure that traffic is directed to the appropriate resources.
  6. Update IAM Policies: If the changes were unauthorized, update the IAM policies associated with the users or roles that made the changes to prevent similar unauthorized changes in the future.
  7. Monitor Activity: Monitor the activity of the VPC and the IGW to detect any unusual behavior. You can use CloudTrail to log and monitor all API activity associated with the VPC and the IGW.

By following these remediation steps, you can ensure that your VPC resources remain secure and available. Additionally, you can take proactive measures to prevent unauthorized changes and ensure that only authorized traffic is allowed to access your resources.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.