// Log group that receives the CloudTrail event stream. Every metric filter in
// this file reads from it, so its retention window bounds how far back the
// CIS-style detections below can be investigated in CloudWatch Logs.
// NOTE(review): kms_key_id points at aws_kms_key.ctbucket-key; CloudWatch Logs
// can only use that key if its key policy grants the logs service principal
// for this region - confirm in the key definition, otherwise group creation
// fails at apply time.
resource "aws_cloudwatch_log_group" "ct-cwl" {
  name_prefix       = "cloudtrail/"
  kms_key_id        = aws_kms_key.ctbucket-key.arn
  retention_in_days = var.cloudtrail-retain-days
  tags              = var.default-tags
}
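// Root-account usage (named after CIS control 1.1): one data point per
// CloudTrail record whose identity type is Root, that was not made on the
// root user's behalf by an AWS service (invokedBy absent) and is not an
// AwsServiceEvent. The namespace here is "LogMetrics", unlike the
// "CloudTrailMetrics" namespace used by the alarms further down.
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
  name           = "cis11-rootaccess-filter"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = <<EOT
{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
EOT

  metric_transformation {
    name      = "cis11-rootaccess-metric"
    namespace = "LogMetrics"
    value     = "1"
  }
}

// Alarm on the root-usage metric above.
// Changed: statistic is now Sum instead of Average. Each matched record emits
// a value of 1, so Average was always exactly 1 whenever any data existed -
// it fired, but the alarm value never reflected how many root events occurred,
// and it was inconsistent with every other alarm in this file, which use Sum.
// metric_name is taken from the filter so the two cannot drift apart.
// NOTE: alarm_actions is still unset, so a breach only flips the alarm state
// in the console - nobody is notified. Attach an SNS topic before relying on
// this control.
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
  alarm_name          = "cis11-rootaccess-alarm"
  alarm_description   = "Root access is detected from cloudtrail"
  namespace           = "LogMetrics"
  metric_name         = aws_cloudwatch_log_metric_filter.cwl-metric-filter-cis11.metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // No events in a period means no root usage, not a broken data source.
  treat_missing_data  = "notBreaching"
  // alarm_actions = []
}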
// CIS AWS Foundations Benchmark section 3 (monitoring) metric filters and alarms, adapted from
// asecure.cloud: https://asecure.cloud/p/monitoring_cis_benchmark/
// Every alarm below has alarm_actions commented out, so until an SNS topic is wired in a breach
// only changes the alarm state in the console and sends no notification.
// Unauthorized API calls: counts every CloudTrail record whose errorCode ends
// in "UnauthorizedOperation" or starts with "AccessDenied".
resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
  name           = "UnauthorizedAttemptCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"

  metric_transformation {
    name      = "UnauthorizedAttemptCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Fires on a single denied call within one minute. NOTE(review): in accounts
// where automation routinely probes permissions this threshold is likely to
// be noisy; tune period/threshold rather than ignoring the alarm.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
  alarm_name          = "cis-unauthorized_api_calls"
  alarm_description   = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
  namespace           = "CloudTrailMetrics"
  metric_name         = "UnauthorizedAttemptCount"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// Console sign-in without MFA: successful ConsoleLogin events where MFAUsed
// is not "Yes". SAML-federated sign-ins are excluded (SamlProviderArn NOT
// EXISTS) because MFA for those is enforced at the identity provider.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
  name           = "ConsoleSigninWithoutMFA"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"

  metric_transformation {
    name      = "ConsoleSigninWithoutMFA"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// One non-MFA console login in a minute is enough to alarm.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
  alarm_name          = "cis-no_mfa_console_logins"
  alarm_description   = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
  namespace           = "CloudTrailMetrics"
  metric_name         = "ConsoleSigninWithoutMFA"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// IAM policy changes: inline policy put/delete on users, groups and roles,
// managed policy and policy-version create/delete, and attach/detach of
// managed policies to users, groups and roles.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
  name           = "IAMPolicyEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"

  metric_transformation {
    name      = "IAMPolicyEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any IAM policy change within a five-minute window alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
  alarm_name          = "cis-iam_policy_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
  namespace           = "CloudTrailMetrics"
  metric_name         = "IAMPolicyEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// CloudTrail configuration changes: trail create/update/delete and logging
// start/stop. StopLogging and DeleteTrail are the events an attacker uses to
// blind this whole file, so this filter protects the data source itself.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
  name           = "CloudTrailEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"

  metric_transformation {
    name      = "CloudTrailEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any trail change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
  alarm_name          = "cis-cloudtrail_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
  namespace           = "CloudTrailMetrics"
  metric_name         = "CloudTrailEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// Failed console authentication: ConsoleLogin events carrying the
// "Failed authentication" error message.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
  name           = "ConsoleLoginFailures"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"

  metric_transformation {
    name      = "ConsoleLoginFailures"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// A single failed login in five minutes alarms; a mistyped password will
// trigger it, so expect some benign hits.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
  alarm_name          = "cis-failed_console_logins"
  alarm_description   = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
  namespace           = "CloudTrailMetrics"
  metric_name         = "ConsoleLoginFailures"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// KMS key disable / scheduled deletion. Only DisableKey and
// ScheduleKeyDeletion from the kms event source are matched; key-policy
// changes (PutKeyPolicy) are not covered by this filter.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
  name           = "KMSCustomerKeyDeletion"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"

  metric_transformation {
    name      = "KMSCustomerKeyDeletion"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// One-minute period: losing a CMK can make encrypted data (including the
// CloudTrail log group above) unreadable, so this is the tightest window here.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
  alarm_name          = "cis-disabled_deleted_cmks"
  alarm_description   = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
  namespace           = "CloudTrailMetrics"
  metric_name         = "KMSCustomerKeyDeletion"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// S3 bucket configuration changes: ACL, bucket policy, CORS, lifecycle and
// replication put/delete, scoped to the s3 event source.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
  name           = "S3BucketActivityEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"

  metric_transformation {
    name      = "S3BucketActivityEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any bucket-configuration change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
  alarm_name          = "cis-s3_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
  namespace           = "CloudTrailMetrics"
  metric_name         = "S3BucketActivityEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
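// AWS Config recorder and delivery-channel changes.
// Defect fixed: this filter and its metric were both named
// "CloudTrailEventCount" - the same filter name and metric that the
// CloudTrail-changes filter (MetricFilter5) uses on the same log group.
// Metric filter names are unique per log group and PutMetricFilter is an
// upsert keyed on that name, so the two Terraform resources managed one
// CloudWatch object and overwrote each other's pattern on apply; whichever
// lost would silently stop detecting. Both filters also fed one metric, so
// the CloudTrail and Config alarms were indistinguishable. This filter now
// has its own name and metric.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
  name           = "ConfigEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"

  metric_transformation {
    name      = "ConfigEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Alarms on the Config-change metric above; metric_name is taken from the
// filter so a future rename cannot leave the alarm watching a dead metric.
// NOTE: alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
  alarm_name          = "cis-config_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
  namespace           = "CloudTrailMetrics"
  metric_name         = aws_cloudwatch_log_metric_filter.MetricFilter9.metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}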
// Security group changes: rule authorize/revoke for ingress and egress, and
// group create/delete.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
  name           = "SecurityGroupEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"

  metric_transformation {
    name      = "SecurityGroupEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any security-group change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
  alarm_name          = "cis-securitygroup_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
  namespace           = "CloudTrailMetrics"
  metric_name         = "SecurityGroupEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// Network ACL changes: ACL and ACL-entry create/delete, entry replacement and
// subnet association replacement.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
  name           = "NetworkAclEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"

  metric_transformation {
    name      = "NetworkAclEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any NACL change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
  alarm_name          = "cis-nacl_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
  namespace           = "CloudTrailMetrics"
  metric_name         = "NetworkAclEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// Gateway changes: customer gateway create/delete and internet gateway
// create/delete/attach/detach - the events that add or remove a path between
// a VPC and the outside world.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
  name           = "GatewayEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"

  metric_transformation {
    name      = "GatewayEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any gateway change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
  alarm_name          = "cis-igw_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
  namespace           = "CloudTrailMetrics"
  metric_name         = "GatewayEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// Route table changes: route and route-table create/delete/replace plus
// association changes. NOTE(review): the pattern matches on eventName alone
// with no eventSource clause, and names such as CreateRoute/DeleteRoute are
// also used by other AWS services; add an eventSource = ec2.amazonaws.com
// clause if non-VPC hits turn out to be noisy.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
  name           = "VpcRouteTableEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"

  metric_transformation {
    name      = "VpcRouteTableEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any route-table change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
  alarm_name          = "cis-vpc_routetable_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
  namespace           = "CloudTrailMetrics"
  metric_name         = "VpcRouteTableEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}
// VPC changes: VPC create/delete/attribute modification, peering connection
// lifecycle (create/accept/reject/delete) and ClassicLink attach/detach/
// enable/disable. Peering events matter because a peering connection is a
// network path into the VPC that bypasses internet gateways.
resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
  name           = "VpcEventCount"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"

  metric_transformation {
    name      = "VpcEventCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

// Any VPC change within five minutes alarms.
// alarm_actions is unset, so a breach is visible only in the console.
resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
  alarm_name          = "cis-vpc_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to a VPC."
  namespace           = "CloudTrailMetrics"
  metric_name         = "VpcEventCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  // alarm_actions = [""]
}