terraform.aws-baseline-infra/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf

377 lines
14 KiB
Terraform
Raw Normal View History

2021-01-26 21:40:02 +08:00
resource "aws_cloudwatch_log_group" "ct-cwl" {
2021-01-28 15:04:01 +08:00
name_prefix = "cloudtrail/"
2021-01-27 09:42:51 +08:00
retention_in_days = var.cloudtrail-retain-days
2021-01-26 21:40:02 +08:00
kms_key_id = aws_kms_key.ctbucket-key.arn
tags = var.default-tags
}
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
name = "cis11-rootaccess-filter"
pattern = <<EOT
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
EOT
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
metric_transformation {
name = "cis11-rootaccess-metric"
namespace = "LogMetrics"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
alarm_name = "cis11-rootaccess-alarm"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = "cis11-rootaccess-metric"
namespace = "LogMetrics"
period = "300"
statistic = "Average"
threshold = "1"
alarm_description = "Root access is detected from cloudtrail"
treat_missing_data = "notBreaching"
// alarm_actions = []
}
2021-01-29 14:39:58 +08:00
// CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
alarm_name = "cis-unauthorized_api_calls"
alarm_description = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
metric_name = "UnauthorizedAttemptCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "60"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
name = "UnauthorizedAttemptCount"
metric_transformation {
name = "UnauthorizedAttemptCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
alarm_name = "cis-no_mfa_console_logins"
alarm_description = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
metric_name = "ConsoleSigninWithoutMFA"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "60"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
name = "ConsoleSigninWithoutMFA"
metric_transformation {
name = "ConsoleSigninWithoutMFA"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
alarm_name = "cis-iam_policy_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
metric_name = "IAMPolicyEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
name = "IAMPolicyEventCount"
metric_transformation {
name = "IAMPolicyEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
alarm_name = "cis-cloudtrail_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
metric_name = "CloudTrailEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
name = "CloudTrailEventCount"
metric_transformation {
name = "CloudTrailEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
alarm_name = "cis-failed_console_logins"
alarm_description = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
metric_name = "ConsoleLoginFailures"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
name = "ConsoleLoginFailures"
metric_transformation {
name = "ConsoleLoginFailures"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
alarm_name = "cis-disabled_deleted_cmks"
alarm_description = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
metric_name = "KMSCustomerKeyDeletion"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "60"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
name = "KMSCustomerKeyDeletion"
metric_transformation {
name = "KMSCustomerKeyDeletion"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
alarm_name = "cis-s3_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
metric_name = "S3BucketActivityEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
name = "S3BucketActivityEventCount"
metric_transformation {
name = "S3BucketActivityEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
alarm_name = "cis-config_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
metric_name = "CloudTrailEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
name = "CloudTrailEventCount"
metric_transformation {
name = "CloudTrailEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
alarm_name = "cis-securitygroup_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
metric_name = "SecurityGroupEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
name = "SecurityGroupEventCount"
metric_transformation {
name = "SecurityGroupEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
alarm_name = "cis-nacl_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
metric_name = "NetworkAclEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
name = "NetworkAclEventCount"
metric_transformation {
name = "NetworkAclEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
alarm_name = "cis-igw_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
metric_name = "GatewayEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
name = "GatewayEventCount"
metric_transformation {
name = "GatewayEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
alarm_name = "cis-vpc_routetable_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
metric_name = "VpcRouteTableEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
name = "VpcRouteTableEventCount"
metric_transformation {
name = "VpcRouteTableEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}
resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
alarm_name = "cis-vpc_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC."
metric_name = "VpcEventCount"
namespace = "CloudTrailMetrics"
statistic = "Sum"
period = "300"
threshold = "1"
evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""]
treat_missing_data = "notBreaching"
}
resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
name = "VpcEventCount"
metric_transformation {
name = "VpcEventCount"
value = "1"
namespace = "CloudTrailMetrics"
}
}