From 187760ec157787668cd22ba4030efb8892a1a44c Mon Sep 17 00:00:00 2001
From: xpk
Date: Fri, 29 Jan 2021 14:39:58 +0800
Subject: [PATCH] UPD: added CIS 3.x CWL alarms
---
 .../cloudtrail_cwlogs/cw-loggroup.tf | 342 ++++++++++++++++++
 1 file changed, 342 insertions(+)
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
index 47fdc4b..2735d56 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
@@ -33,3 +33,345 @@ resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
 // alarm_actions = []
 }
+
+// CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
+ alarm_name = "cis-unauthorized_api_calls"
+ alarm_description = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
+ metric_name = "UnauthorizedAttemptCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "60"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
+ name = "UnauthorizedAttemptCount"
+
+ metric_transformation {
+ name = "UnauthorizedAttemptCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
+ alarm_name = "cis-no_mfa_console_logins"
+ alarm_description = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
+ metric_name = "ConsoleSigninWithoutMFA"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "60"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
+ name = "ConsoleSigninWithoutMFA"
+
+ metric_transformation {
+ name = "ConsoleSigninWithoutMFA"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
+ alarm_name = "cis-iam_policy_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
+ metric_name = "IAMPolicyEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+ name = "IAMPolicyEventCount"
+
+ metric_transformation {
+ name = "IAMPolicyEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
+ alarm_name = "cis-cloudtrail_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
+ metric_name = "CloudTrailEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
+ name = "CloudTrailEventCount"
+
+ metric_transformation {
+ name = "CloudTrailEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
+ alarm_name = "cis-failed_console_logins"
+ alarm_description = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
+ metric_name = "ConsoleLoginFailures"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
+ name = "ConsoleLoginFailures"
+
+ metric_transformation {
+ name = "ConsoleLoginFailures"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
+ alarm_name = "cis-disabled_deleted_cmks"
+ alarm_description = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
+ metric_name = "KMSCustomerKeyDeletion"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "60"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
+ name = "KMSCustomerKeyDeletion"
+
+ metric_transformation {
+ name = "KMSCustomerKeyDeletion"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
+ alarm_name = "cis-s3_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
+ metric_name = "S3BucketActivityEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
+ name = "S3BucketActivityEventCount"
+
+ metric_transformation {
+ name = "S3BucketActivityEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
+ alarm_name = "cis-config_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
+ metric_name = "CloudTrailEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
+ name = "CloudTrailEventCount"
+
+ metric_transformation {
+ name = "CloudTrailEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
+ alarm_name = "cis-securitygroup_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
+ metric_name = "SecurityGroupEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
+ name = "SecurityGroupEventCount"
+
+ metric_transformation {
+ name = "SecurityGroupEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
+ alarm_name = "cis-nacl_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
+ metric_name = "NetworkAclEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+ }
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
+ name = "NetworkAclEventCount"
+
+ metric_transformation {
+ name = "NetworkAclEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
+ alarm_name = "cis-igw_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
+ metric_name = "GatewayEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
+ name = "GatewayEventCount"
+
+ metric_transformation {
+ name = "GatewayEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
+ alarm_name = "cis-vpc_routetable_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
+ metric_name = "VpcRouteTableEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
+ name = "VpcRouteTableEventCount"
+
+ metric_transformation {
+ name = "VpcRouteTableEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
+ alarm_name = "cis-vpc_changes"
+ alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC."
+ metric_name = "VpcEventCount"
+ namespace = "CloudTrailMetrics"
+ statistic = "Sum"
+ period = "300"
+ threshold = "1"
+ evaluation_periods = "1"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ // alarm_actions = [""]
+ treat_missing_data = "notBreaching"
+}
+
+resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
+ log_group_name = aws_cloudwatch_log_group.ct-cwl.name
+ pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
+ name = "VpcEventCount"
+
+ metric_transformation {
+ name = "VpcEventCount"
+ value = "1"
+ namespace = "CloudTrailMetrics"
+ }
+}
\ No newline at end of file
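Review bot: `CwAlarm9` (`cis-config_changes`) and `MetricFilter9` reuse the metric name `CloudTrailEventCount`, which `MetricFilter5` already publishes in the same `CloudTrailMetrics` namespace, so the CloudTrail-change and AWS-Config-change filters sum into one metric and both `cis-cloudtrail_changes` and `cis-config_changes` fire on either kind of event, hiding which control actually tripped. Give the Config pair its own metric: in `CwAlarm9` `metric_name = "ConfigEventCount"`, and in `MetricFilter9` `name = "ConfigEventCount"` on both the filter and its `metric_transformation`. Separately, every new alarm has `alarm_actions` commented out, so as applied none of them notifies anyone; the CIS 3.x monitoring controls assume an SNS topic with a subscriber, so consider exposing a module variable for the topic ARN and wiring it into `alarm_actions` rather than leaving the placeholder. A `// CIS 3.x` comment above each alarm/filter pair naming the specific control would also make later audits against the benchmark easier.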