
Most security group changes will be warranted and initiated by the account owner. Logging and reporting on these events provides an audit trail and the sequence of events surrounding each change. Attackers will seek to alter security groups in order to maintain a footprint and access to the resource.


To learn more about the category of security group changes monitored by CUIT, refer to the AWS documentation for some of the common items, such as:


CreateSecurityGroup: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html

RevokeSecurityGroupIngress: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html

RevokeSecurityGroupEgress: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html
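
The audit trail described above, as an added example (not CUIT's own tooling): assuming the events arrive as AWS CloudTrail records, it keeps the three API calls listed here and orders them per security group with the caller, source IP and outcome. The sample records, account ID, user names and group IDs are constructed.

```python
import json
from collections import defaultdict

# Event names from the page's list; extend to match what you monitor.
MONITORED = {"CreateSecurityGroup", "RevokeSecurityGroupIngress",
             "RevokeSecurityGroupEgress"}
# Constructed records in CloudTrail's layout (assumed log source, not real logs).
SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0aaa1111"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupName": "web"},
     "responseElements": {"groupId": "sg-0aaa1111"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupEgress", "sourceIPAddress": "203.0.113.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0bbb2222"}},
]})

def group_id(rec):
    """Revoke* carry groupId in the request; CreateSecurityGroup in the response."""
    for part in ("requestParameters", "responseElements"):
        gid = (rec.get(part) or {}).get("groupId")
        if gid:
            return gid
    return "unknown"

def audit_trail(raw):
    """Map groupId -> [(time, event, actor, source_ip, outcome)] in time order."""
    trail = defaultdict(list)
    for rec in json.loads(raw).get("Records", []):
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") not in MONITORED):
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        trail[group_id(rec)].append((rec["eventTime"], rec["eventName"], actor,
            rec.get("sourceIPAddress"), rec.get("errorCode", "success")))
    # ISO 8601 UTC timestamps sort chronologically as plain strings.
    return {g: sorted(ev, key=lambda e: e[0]) for g, ev in trail.items()}

if __name__ == "__main__":
    print(json.dumps(audit_trail(SAMPLE), indent=2))
```

Denied attempts are kept with their error code, since a failed change by an unexpected principal belongs in the same sequence of events as the successful ones.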
