Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.
Recommended Mitigation
It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.
Logging and monitoring
