terraform.aws-baseline-infra/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf

// CloudWatch Logs group that the root-access metric filter in this file reads
// from. Its name is built from the module's resource prefix; retention, the
// encryption key and tags are supplied from elsewhere in the module.
resource "aws_cloudwatch_log_group" "ct-cwl" {
  name = "${local.resource-prefix}-cwl-001"

  // Encrypt log data at rest with a customer-managed KMS key.
  // NOTE(review): CloudWatch Logs can only use this key if the key policy
  // grants the regional logs service principal access. The policy is not
  // visible in this file; confirm it before relying on encryption here.
  kms_key_id = aws_kms_key.ctbucket-key.arn

  // Retention period in days, taken from a module variable.
  retention_in_days = var.cloudtrail-retain-days

  tags = var.default-tags
}
// Metric filter that counts root-identity activity in the log group above.
// Every log event matching the pattern publishes a value of 1 to the
// "cis11-rootaccess-metric" metric in the "LogMetrics" namespace.
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
  name           = "cis11-rootaccess-filter"
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name

  // Matches events where the caller identity type is Root, no invokedBy
  // field is present, and the event is not an AwsServiceEvent. The latter two
  // conditions exclude activity performed by AWS services rather than by a
  // person using the root credentials.
  // The heredoc body and terminator stay at column 0 so the pattern string
  // is passed through unchanged.
  pattern = <<EOT
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
EOT

  metric_transformation {
    namespace = "LogMetrics"
    name      = "cis11-rootaccess-metric"
    // No default_value is set, so datapoints exist only for matching events.
    value = "1"
  }
}
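// Alarm that fires when at least one root-access event is counted by the
// cis11 metric filter within a five-minute period.
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
  alarm_name        = "cis11-rootaccess-alarm"
  alarm_description = "Root access is detected from cloudtrail"

  // Take the metric identity from the filter resource instead of repeating the
  // literals. A mismatch between the two would leave this alarm watching a
  // metric that never receives data, and with treat_missing_data set to
  // "notBreaching" it would sit in OK forever without any visible error.
  metric_name = aws_cloudwatch_log_metric_filter.cwl-metric-filter-cis11.metric_transformation[0].name
  namespace   = aws_cloudwatch_log_metric_filter.cwl-metric-filter-cis11.metric_transformation[0].namespace

  // The filter emits 1 per matching event, so Sum is the number of matches in
  // the period. Average only equals 1 while the filter has no default_value;
  // Sum keeps the ">= 1 event" meaning if one is added later.
  statistic           = "Sum"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = 1
  period              = 300
  evaluation_periods  = 1

  // Periods with no root activity produce no datapoints; treat them as healthy.
  treat_missing_data = "notBreaching"

  // NOTE(review): no alarm_actions are configured, so a state change to ALARM
  // is recorded but notifies nobody. Attach the ARN of a notification target
  // (for example an SNS topic defined elsewhere in the module) for this
  // detection to reach an operator.
  // alarm_actions = []
}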