initial commit
@@ -0,0 +1,21 @@
|
||||
# Overview
|
||||
This module performs the following tasks:
|
||||
|
||||
- Create KMS key for cloudtrail and CWL encryption
|
||||
- Create s3 bucket for cloudtrail use
|
||||
- Create cloudtrail
|
||||
- Create cloudwatch log group for cloudtrail
|
||||
- Create cloudwatch metric filter for CIS1.1
|
||||
- Create cloudwatch alarm for CIS1.1
|
||||
|
||||
## Inputs:
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:-----:|
|
||||
| application | name of application | string | none | yes |
|
||||
| environment | capacity of environment (prd/dev/lab) | string | none | yes |
|
||||
| customer-name | owner of aws resources | string | none | yes |
|
||||
| project | name of project | string | none | yes |
|
||||
| default-tags | tags to be added to resources | list | none | yes |
|
||||
| cloudtrail-retain-days | Days before cloudtrail logs are expired on s3 | number | 90 | yes |
|
||||
| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
|
||||
|
||||
@@ -0,0 +1,80 @@
|
||||
resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
|
||||
name = "${var.resource-prefix}-cwl-role"
|
||||
assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
|
||||
description = "Enables AWS CloudTrail to deliver log to CloudWatch log"
|
||||
tags = var.default-tags
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
|
||||
name = "${var.resource-prefix}-cwl-role-policy"
|
||||
role = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
|
||||
policy = data.aws_iam_policy_document.ct-role-pdoc.json
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "ct-role-assumerole-policy" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = ["sts:AssumeRole"]
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = ["cloudtrail.amazonaws.com"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "ct-role-pdoc" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = ["logs:CreateLogStream"]
|
||||
|
||||
resources = [
|
||||
"${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
|
||||
]
|
||||
}
|
||||
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = ["logs:PutLogEvents"]
|
||||
|
||||
resources = [
|
||||
"${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
resource "aws_cloudtrail" "default" {
|
||||
name = "${var.resource-prefix}-trail-001"
|
||||
enable_logging = true
|
||||
s3_bucket_name = local.ct-bucket-name
|
||||
enable_log_file_validation = true
|
||||
is_multi_region_trail = true
|
||||
include_global_service_events = true
|
||||
cloud_watch_logs_role_arn = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn
|
||||
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"
|
||||
tags = var.default-tags
|
||||
kms_key_id = aws_kms_key.ctbucket-key.arn
|
||||
is_organization_trail = false
|
||||
|
||||
event_selector {
|
||||
read_write_type = "All"
|
||||
include_management_events = true
|
||||
|
||||
data_resource {
|
||||
type = "AWS::S3::Object"
|
||||
values = ["arn:aws:s3:::"]
|
||||
}
|
||||
|
||||
data_resource {
|
||||
type = "AWS::Lambda::Function"
|
||||
values = ["arn:aws:lambda"]
|
||||
}
|
||||
}
|
||||
|
||||
#insight_selector {
|
||||
# insight_type = "ApiCallRateInsight"
|
||||
#}
|
||||
}
|
||||
|
||||
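Review bot: `resource "aws_cloudtrail" "default"` has no dependency on `module.ct-bucket`: it takes `s3_bucket_name` from `local.ct-bucket-name`, a plain string local, so Terraform sees no edge to the bucket or its policy and a first apply can try to create the trail before the bucket policy exists, which CloudTrail rejects with an insufficient-bucket-policy error. Add `depends_on = [module.ct-bucket]` inside the resource, or take the bucket name from a module output so the dependency is explicit. Separately, the two `data_resource` selectors log every S3 object event in every bucket (`arn:aws:s3:::`) and every Lambda invocation (`arn:aws:lambda`) with `read_write_type = "All"`, which includes CloudTrail's own writes into the trail bucket; either scope the S3 selector away from that bucket or add a comment stating this is intentional and that data events are billed per event. The role policy builds its resource ARNs as `${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*`, which is only correct if the provider's log-group `arn` attribute does not already end in `:*` (older AWS provider releases appended it) — worth verifying against the provider version pinned elsewhere in the repo.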
@@ -0,0 +1,69 @@
|
||||
resource "aws_kms_key" "ctbucket-key" {
|
||||
deletion_window_in_days = 7
|
||||
tags = var.default-tags
|
||||
policy = data.aws_iam_policy_document.key-policy.json
|
||||
enable_key_rotation = true
|
||||
}
|
||||
|
||||
resource "aws_kms_alias" ctbucket-key-aliaas {
|
||||
name = "alias/${var.resource-prefix}-kmskey-default"
|
||||
target_key_id = aws_kms_key.ctbucket-key.key_id
|
||||
}
|
||||
|
||||
# https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
|
||||
data "aws_iam_policy_document" "key-policy" {
|
||||
statement {
|
||||
sid = "Key usage by aws services"
|
||||
principals {
|
||||
identifiers = [
|
||||
"autoscaling.amazonaws.com",
|
||||
"cloudtrail.amazonaws.com",
|
||||
"eks.amazonaws.com",
|
||||
"eks-nodegroup.amazonaws.com",
|
||||
"guardduty.amazonaws.com",
|
||||
"delivery.logs.amazonaws.com",
|
||||
"sns.amazonaws.com",
|
||||
"sqs.amazonaws.com",
|
||||
"lambda.amazonaws.com",
|
||||
"backup.amazonaws.com",
|
||||
"events.amazonaws.com",
|
||||
"cloudwatch.amazonaws.com",
|
||||
"s3.amazonaws.com",
|
||||
"logs.amazonaws.com"
|
||||
]
|
||||
type = "Service"
|
||||
}
|
||||
|
||||
actions = [
|
||||
"kms:Encrypt",
|
||||
"kms:Decrypt",
|
||||
"kms:ReEncrypt*",
|
||||
"kms:GenerateDataKey*",
|
||||
"kms:DescribeKey"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"*"
|
||||
]
|
||||
|
||||
effect = "Allow"
|
||||
}
|
||||
|
||||
statement {
|
||||
sid = "Key administrator"
|
||||
actions = [
|
||||
"kms:*"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"*"
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = [data.aws_caller_identity.this.account_id]
|
||||
}
|
||||
|
||||
effect = "Allow"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,64 @@
|
||||
|
||||
|
||||
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
|
||||
statement {
|
||||
sid = "AWSCloudTrailAclCheck"
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = ["cloudtrail.amazonaws.com"]
|
||||
}
|
||||
|
||||
actions = [
|
||||
"s3:GetBucketAcl",
|
||||
]
|
||||
|
||||
resources = [
|
||||
"arn:aws:s3:::${local.ct-bucket-name}",
|
||||
]
|
||||
}
|
||||
|
||||
statement {
|
||||
sid = "AWSCloudTrailWrite"
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
|
||||
}
|
||||
|
||||
actions = [
|
||||
"s3:PutObject"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"arn:aws:s3:::${local.ct-bucket-name}/*"
|
||||
]
|
||||
}
|
||||
|
||||
statement {
|
||||
sid = "ReadAccessForAccountOwner"
|
||||
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = [data.aws_caller_identity.this.account_id]
|
||||
}
|
||||
|
||||
actions = [
|
||||
"s3:Get*"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"arn:aws:s3:::${local.ct-bucket-name}",
|
||||
"arn:aws:s3:::${local.ct-bucket-name}/*"
|
||||
]
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
module ct-bucket {
|
||||
source = "../../storage/infra-s3-bucket"
|
||||
|
||||
bucket-name = local.ct-bucket-name
|
||||
bucket-policy-json = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
|
||||
default-tags = var.default-tags
|
||||
}
|
||||
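Review bot: The `AWSCloudTrailWrite` statement in `data.aws_iam_policy_document.cloudtrail_bucket_policy` lacks the two conditions AWS specifies for a trail bucket: `s3:x-amz-acl = "bucket-owner-full-control"` (needed unless the bucket module enforces bucket-owner object ownership, which cannot be seen from here) and `aws:SourceAccount` or `aws:SourceArn`, without which a trail in another account can deliver into this bucket. `config.amazonaws.com` is listed as a write principal although nothing in this commit creates a Config delivery channel; drop it or document which out-of-module recorder depends on it. Whether `../../storage/infra-s3-bucket` denies non-TLS requests, blocks public access and enables versioning is not visible in this commit, so the README should state what this module relies on the bucket module for. The sketch below shows the added conditions; the rest of the statement is unchanged.
```hcl
  statement {
    sid = "AWSCloudTrailWrite"
    # … unchanged: principals (cloudtrail.amazonaws.com), actions, resources …
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }
```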
@@ -0,0 +1,377 @@
|
||||
resource "aws_cloudwatch_log_group" "ct-cwl" {
|
||||
name_prefix = "cloudtrail/"
|
||||
retention_in_days = var.cloudtrail-retain-days
|
||||
kms_key_id = aws_kms_key.ctbucket-key.arn
|
||||
tags = var.default-tags
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
|
||||
name = "cis11-rootaccess-filter"
|
||||
pattern = <<EOT
|
||||
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
|
||||
EOT
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
|
||||
metric_transformation {
|
||||
name = "cis11-rootaccess-metric"
|
||||
namespace = "LogMetrics"
|
||||
value = "1"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
|
||||
alarm_name = "cis11-rootaccess-alarm"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
evaluation_periods = "1"
|
||||
metric_name = "cis11-rootaccess-metric"
|
||||
namespace = "LogMetrics"
|
||||
period = "300"
|
||||
statistic = "Average"
|
||||
threshold = "1"
|
||||
alarm_description = "Root access is detected from cloudtrail"
|
||||
treat_missing_data = "notBreaching"
|
||||
|
||||
// alarm_actions = []
|
||||
}
|
||||
|
||||
// CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
|
||||
alarm_name = "cis-unauthorized_api_calls"
|
||||
alarm_description = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
|
||||
metric_name = "UnauthorizedAttemptCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "60"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
|
||||
name = "UnauthorizedAttemptCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "UnauthorizedAttemptCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
|
||||
alarm_name = "cis-no_mfa_console_logins"
|
||||
alarm_description = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
|
||||
metric_name = "ConsoleSigninWithoutMFA"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "60"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
|
||||
name = "ConsoleSigninWithoutMFA"
|
||||
|
||||
metric_transformation {
|
||||
name = "ConsoleSigninWithoutMFA"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
|
||||
alarm_name = "cis-iam_policy_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
|
||||
metric_name = "IAMPolicyEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
|
||||
name = "IAMPolicyEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "IAMPolicyEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
|
||||
alarm_name = "cis-cloudtrail_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
|
||||
metric_name = "CloudTrailEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
|
||||
name = "CloudTrailEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "CloudTrailEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
|
||||
alarm_name = "cis-failed_console_logins"
|
||||
alarm_description = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
|
||||
metric_name = "ConsoleLoginFailures"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
|
||||
name = "ConsoleLoginFailures"
|
||||
|
||||
metric_transformation {
|
||||
name = "ConsoleLoginFailures"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
|
||||
alarm_name = "cis-disabled_deleted_cmks"
|
||||
alarm_description = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
|
||||
metric_name = "KMSCustomerKeyDeletion"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "60"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
|
||||
name = "KMSCustomerKeyDeletion"
|
||||
|
||||
metric_transformation {
|
||||
name = "KMSCustomerKeyDeletion"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
|
||||
alarm_name = "cis-s3_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
|
||||
metric_name = "S3BucketActivityEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
|
||||
name = "S3BucketActivityEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "S3BucketActivityEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
|
||||
alarm_name = "cis-config_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
|
||||
metric_name = "CloudTrailEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
|
||||
name = "CloudTrailEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "CloudTrailEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
|
||||
alarm_name = "cis-securitygroup_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
|
||||
metric_name = "SecurityGroupEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
|
||||
name = "SecurityGroupEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "SecurityGroupEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
|
||||
alarm_name = "cis-nacl_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
|
||||
metric_name = "NetworkAclEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
|
||||
name = "NetworkAclEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "NetworkAclEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
|
||||
alarm_name = "cis-igw_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
|
||||
metric_name = "GatewayEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
|
||||
name = "GatewayEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "GatewayEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
|
||||
alarm_name = "cis-vpc_routetable_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
|
||||
metric_name = "VpcRouteTableEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
|
||||
name = "VpcRouteTableEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "VpcRouteTableEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
|
||||
alarm_name = "cis-vpc_changes"
|
||||
alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC."
|
||||
metric_name = "VpcEventCount"
|
||||
namespace = "CloudTrailMetrics"
|
||||
statistic = "Sum"
|
||||
period = "300"
|
||||
threshold = "1"
|
||||
evaluation_periods = "1"
|
||||
comparison_operator = "GreaterThanOrEqualToThreshold"
|
||||
// alarm_actions = [""]
|
||||
treat_missing_data = "notBreaching"
|
||||
}
|
||||
|
||||
resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
|
||||
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
|
||||
pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
|
||||
name = "VpcEventCount"
|
||||
|
||||
metric_transformation {
|
||||
name = "VpcEventCount"
|
||||
value = "1"
|
||||
namespace = "CloudTrailMetrics"
|
||||
}
|
||||
}
|
||||
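Review bot: Every alarm in this file has its notification commented out (`// alarm_actions = [""]` in `CwAlarm2` through `CwAlarm14`, `// alarm_actions = []` in `cis11-rootaccess-alarm`), so the CIS 3.x controls are only half implemented: the filters and alarms exist, but nobody is notified when they breach, and an alarm subscription is what the benchmark actually checks for. Add an input such as `variable "alarm-sns-topic-arn" { type = string }` and set `alarm_actions = [var.alarm-sns-topic-arn]` on each alarm; the module currently declares no input for this. `MetricFilter9`/`CwAlarm9` (Config changes) reuse the metric name `CloudTrailEventCount` that `MetricFilter5`/`CwAlarm5` already publish, so both filters increment one metric and either alarm fires for both kinds of change — give the Config filter its own metric name (for example `ConfigEventCount`) in both the `metric_transformation` and the alarm. `cis11-rootaccess-alarm` is the only alarm using `statistic = "Average"`; `Sum` matches the other alarms and the CIS guidance, and the fixed names (`cis11-rootaccess-filter`, `cis-unauthorized_api_calls`, …) will collide if the module is instantiated twice in one account and region, so prefixing them with `var.resource-prefix` as the trail name is would be consistent.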
@@ -0,0 +1 @@
|
||||
data "aws_caller_identity" "this" {}
|
||||
@@ -0,0 +1,19 @@
|
||||
/*
|
||||
variable "customer-name" {}
|
||||
variable "environment" {}
|
||||
variable "project" {}
|
||||
variable "application" {}
|
||||
*/
|
||||
variable resource-prefix {}
|
||||
variable "default-tags" {}
|
||||
variable "cloudtrail-retain-days" {
|
||||
type = number
|
||||
default = 90
|
||||
}
|
||||
|
||||
data aws_region this-region {}
|
||||
|
||||
locals {
|
||||
ct-bucket-name = "${var.resource-prefix}-ctbucket-${data.aws_caller_identity.this.account_id}"
|
||||
}
|
||||
|
||||
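Review bot: `variable "default-tags" {}` is declared without a type while the README row calls it a `list`; every consumer in this commit assigns it to `tags` (`aws_iam_role`, `aws_cloudtrail`, `aws_kms_key`, `aws_cloudwatch_log_group`), which expects a map of strings, so declare it as `variable "default-tags" { type = map(string) }` and correct the README. The README inputs table also documents `application`, `environment`, `customer-name`, `project` and `aws-region-short`, which are commented out or absent here, while `resource-prefix` — the one required input, used in every resource name and in `local.ct-bucket-name` — is not listed at all. `variable resource-prefix {}` and `data aws_region this-region {}` use the unquoted-label form that Terraform 0.12+ deprecates; quoting them is a one-line change each, and `this-region` is not referenced anywhere else in this commit as far as I can see. Since `ct-bucket-name` is derived from `resource-prefix`, a `validation` block restricting it to lowercase letters, digits and hyphens would surface S3 bucket-naming failures at plan time instead of apply time.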