// Log group that the CIS metric filter in this file reads from
// (aws_cloudwatch_log_metric_filter.cwl-metric-filter-cis11 points at it).
// The CloudTrail trail that delivers into it is not defined in this file.
resource "aws_cloudwatch_log_group" "ct-cwl" {
  name = "${local.resource-prefix}-cwl-001"

  // Encrypt log data at rest with the customer-managed key named
  // ctbucket-key; that key's definition lives outside this file.
  kms_key_id = aws_kms_key.ctbucket-key.arn

  // Retention is operator-controlled via a variable rather than hard-coded.
  retention_in_days = var.cloudtrail-retain-days

  tags = var.default-tags
}
// Metric filter for the control this file calls "cis11" (root account usage).
// The pattern matches CloudTrail events where the caller identity is Root,
// the call was not made on its behalf by an AWS service (invokedBy absent),
// and the event is not an AwsServiceEvent.
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
  name           = "cis11-rootaccess-filter"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name

  // Heredoc form is kept on purpose so the pattern string (including the
  // newline before the closing marker) is exactly what was deployed before.
  pattern = <<EOT
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
EOT

  // Each matching event publishes a single datapoint of 1 to this metric;
  // the alarm below consumes it by name and namespace.
  metric_transformation {
    namespace = "LogMetrics"
    name      = "cis11-rootaccess-metric"
    value     = "1"
  }
}
// Alarm on the cis11 root-usage metric: with threshold 1 and a single
// 5-minute evaluation period it enters ALARM whenever the filter recorded
// at least one matching event in that window (every datapoint is 1, so the
// Average is 1 as soon as any event exists).
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
  alarm_name        = "cis11-rootaccess-alarm"
  alarm_description = "Root access is detected from cloudtrail"

  // Must match the metric_transformation of
  // aws_cloudwatch_log_metric_filter.cwl-metric-filter-cis11.
  namespace   = "LogMetrics"
  metric_name = "cis11-rootaccess-metric"

  // Numeric attributes written as numbers; the provider schema types them
  // as numbers, so this yields the same plan as the quoted form.
  comparison_operator = "GreaterThanOrEqualToThreshold"
  statistic           = "Average" // NOTE(review): Sum is the usual statistic for an event count; Average gives the same result here only because the filter value is constant 1
  period              = 300
  evaluation_periods  = 1
  threshold           = 1

  // A period with no datapoints means no root activity was seen, so it
  // must not trip the alarm.
  treat_missing_data = "notBreaching"

  // NOTE(review): with no alarm_actions the state change is only visible in
  // the CloudWatch console; a notification target (e.g. an SNS topic ARN,
  // not defined in this file) is needed for anyone to be paged on root use.
  // alarm_actions = []
}