
terraform-aws-cloudtrail-alarms

This module creates a set of CloudWatch alarms that fire on CloudTrail events; they are meant to provide the monitoring controls required by the CIS AWS Foundations Benchmark.

The module does not create a trail or a log group. It reads CloudTrail events that are already being delivered to a CloudWatch Logs log group (the group named by `cloudtrail_log_group_name`, `cloudtrail-events` by default), so your trail must be configured with a CloudWatch Logs destination and delivery role (`cloud_watch_logs_group_arn` and `cloud_watch_logs_role_arn` on `aws_cloudtrail`); if nothing is written to that group, the metric filters never match and no alarm ever fires. Because an organization trail records events from every member account into that one log group in the management (formerly "master") account, organizations with an organization trail only need to deploy this module there. Each alarm is backed by a metric filter on the log group, publishes its metric under the `alarm_namespace` namespace, and notifies `alarm_sns_topic_arn` when it goes into alarm.

The following alarms are available in this module; each can be toggled on or off with its input variable (see Inputs), and all are active by default.

  • AWS Config changes
  • CloudTrail config changes
  • Console sign-in failures
  • Disabling or deleting a CMK
  • IAM changes
  • Network ACL changes
  • Network gateway changes
  • Console logins without MFA
  • Root account usage
  • Route table changes
  • S3 bucket policy changes
  • Security group changes
  • Unauthorized API calls
  • VPC changes

These alarms were adapted from those in https://github.com/nozaq/terraform-aws-secure-baseline.
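To make concrete what a metric-filter-backed alarm actually matches, here is an added example (not code from this module or from nozaq/terraform-aws-secure-baseline) that evaluates a few of the CIS-style filter conditions in Python against constructed CloudTrail events. The patterns quoted in the docstrings follow the ones published in the CIS AWS Foundations Benchmark; the module's own filter strings are not shown on this page, so the function names, the `include_assumed_role` switch and the sample events are all assumptions made for illustration. The no-MFA case is the one worth studying: a console session opened through an assumed role reports `MFAUsed` as `No` regardless of whether MFA was enforced at `AssumeRole`, which is the false-positive source that the `disable_assumed_role_login_alerts` input exists to suppress, at the cost of deviating from the benchmark.

```python
"""Offline evaluation of CIS-style CloudTrail metric-filter logic.

Added example, not code from the trussworks module. The conditions follow the
filter patterns published in the CIS AWS Foundations Benchmark; the module's
own filter strings are not on this page, so this illustrates what such a
filter matches, not the module's source. All events are constructed samples.
"""
import fnmatch
from typing import Any, Callable, Dict, List
Event = Dict[str, Any]


def lookup(event: Event, path: str) -> Any:
    """Resolve a dotted selector like 'userIdentity.invokedBy'; None when any
    segment is missing (how a pattern's 'NOT EXISTS' test is modelled)."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def unauthorized_api_calls(e: Event) -> bool:
    """{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = lookup(e, "errorCode")
    return isinstance(code, str) and (fnmatch.fnmatchcase(code, "*UnauthorizedOperation")
                                      or fnmatch.fnmatchcase(code, "AccessDenied*"))


def no_mfa_console_login(e: Event, include_assumed_role: bool = True) -> bool:
    """{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }

    A console session opened through AssumeRole (SSO/federation) records
    MFAUsed = "No" even when MFA was enforced at AssumeRole time, so the
    benchmark-literal pattern fires on every such login; include_assumed_role=False
    narrows it to successful IAMUser logins (the trade disable_assumed_role_login_alerts makes).
    """
    if lookup(e, "eventName") != "ConsoleLogin":
        return False
    if lookup(e, "additionalEventData.MFAUsed") == "Yes":
        return False
    if include_assumed_role:
        return True
    return (lookup(e, "userIdentity.type") == "IAMUser"
            and lookup(e, "responseElements.ConsoleLogin") == "Success")


def root_usage(e: Event) -> bool:
    """{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }"""
    return (lookup(e, "userIdentity.type") == "Root"
            and lookup(e, "userIdentity.invokedBy") is None
            and lookup(e, "eventType") != "AwsServiceEvent")


def disable_or_delete_cmk(e: Event) -> bool:
    """{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"""
    return (lookup(e, "eventSource") == "kms.amazonaws.com"
            and lookup(e, "eventName") in ("DisableKey", "ScheduleKeyDeletion"))

# One entry per alarm; the two no-MFA variants mirror the module's pair of
# metric filters (assumed_role / no_assumed_role) feeding one alarm.
FILTERS: Dict[str, Callable[[Event], bool]] = {
    "unauthorized_api_calls": unauthorized_api_calls,
    "no_mfa_console_login": no_mfa_console_login,
    "no_mfa_console_login_iam_user_only": lambda e: no_mfa_console_login(e, False),
    "root_usage": root_usage,
    "disable_or_delete_cmk": disable_or_delete_cmk,
}
# Constructed samples, trimmed to the fields the filters inspect.
SAMPLE_EVENTS: List[Event] = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",  # IAM user denied
     "errorCode": "Client.UnauthorizedOperation", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",  # federated login
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "AssumedRole"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",  # IAM user without MFA
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",  # direct root API call
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",  # root via a service: excluded
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com",  # CMK deletion
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def evaluate(events: List[Event], filters: Dict[str, Callable[[Event], bool]] = FILTERS) -> Dict[str, int]:
    """Count matches per filter: a metric filter emits value 1 per matching log
    event, so these counts are the datapoints an alarm period would sum."""
    return {name: sum(1 for e in events if match(e)) for name, match in filters.items()}


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Run it with `python3` to print the per-alarm match counts for the sample events. Against real data, pull events from the log group with `aws logs filter-log-events` (or parse the `Records` array from the trail's S3 objects) and feed them through `evaluate`; when the `no_mfa_console_login` count is dominated by assumed-role sessions, that is the signal to choose between the benchmark-literal filter and the IAM-user-only variant rather than to silence the alarm.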

Usage

module "cloudtrail_alarms" {
  source  = "trussworks/cloudtrail-alarms/aws"
  version = "~> 1.0.0"

  # Existing SNS topic that receives the alarm notifications; the module
  # does not create the topic or its subscriptions.
  alarm_sns_topic_arn = aws_sns_topic.my_alerts.arn
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_metric_filter.aws_config_changes | resource |
| aws_cloudwatch_log_metric_filter.cloudtrail_cfg_changes | resource |
| aws_cloudwatch_log_metric_filter.console_signin_failures | resource |
| aws_cloudwatch_log_metric_filter.disable_or_delete_cmk | resource |
| aws_cloudwatch_log_metric_filter.iam_changes | resource |
| aws_cloudwatch_log_metric_filter.nacl_changes | resource |
| aws_cloudwatch_log_metric_filter.network_gw_changes | resource |
| aws_cloudwatch_log_metric_filter.no_mfa_console_signin_assumed_role | resource |
| aws_cloudwatch_log_metric_filter.no_mfa_console_signin_no_assumed_role | resource |
| aws_cloudwatch_log_metric_filter.root_usage | resource |
| aws_cloudwatch_log_metric_filter.route_table_changes | resource |
| aws_cloudwatch_log_metric_filter.s3_bucket_policy_changes | resource |
| aws_cloudwatch_log_metric_filter.security_group_changes | resource |
| aws_cloudwatch_log_metric_filter.unauthorized_api_calls | resource |
| aws_cloudwatch_log_metric_filter.vpc_changes | resource |
| aws_cloudwatch_metric_alarm.aws_config_changes | resource |
| aws_cloudwatch_metric_alarm.cloudtrail_cfg_changes | resource |
| aws_cloudwatch_metric_alarm.console_signin_failures | resource |
| aws_cloudwatch_metric_alarm.disable_or_delete_cmk | resource |
| aws_cloudwatch_metric_alarm.iam_changes | resource |
| aws_cloudwatch_metric_alarm.nacl_changes | resource |
| aws_cloudwatch_metric_alarm.network_gw_changes | resource |
| aws_cloudwatch_metric_alarm.no_mfa_console_signin | resource |
| aws_cloudwatch_metric_alarm.root_usage | resource |
| aws_cloudwatch_metric_alarm.route_table_changes | resource |
| aws_cloudwatch_metric_alarm.s3_bucket_policy_changes | resource |
| aws_cloudwatch_metric_alarm.security_group_changes | resource |
| aws_cloudwatch_metric_alarm.unauthorized_api_calls | resource |
| aws_cloudwatch_metric_alarm.vpc_changes | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| alarm_namespace | Namespace of the custom CloudWatch metrics the filters publish and the alarms watch | string | "CISBenchmark" | no |
| alarm_prefix | Prefix for the alarm names | string | "" | no |
| alarm_sns_topic_arn | ARN of the SNS topic that the generated alarms notify | string | n/a | yes |
| aws_config_changes | Toggle the AWS Config changes alarm | bool | true | no |
| cloudtrail_cfg_changes | Toggle the CloudTrail config changes alarm | bool | true | no |
| cloudtrail_log_group_name | Name of the CloudWatch Logs group that receives the CloudTrail events | string | "cloudtrail-events" | no |
| console_signin_failures | Toggle the console sign-in failures alarm | bool | true | no |
| disable_assumed_role_login_alerts | Set to true to suppress no-MFA alerts for console logins made through assumed roles; this deviates from the CIS Benchmark | bool | false | no |
| disable_or_delete_cmk | Toggle the disable-or-delete CMK alarm | bool | true | no |
| iam_changes | Toggle the IAM changes alarm | bool | true | no |
| nacl_changes | Toggle the network ACL changes alarm | bool | true | no |
| network_gw_changes | Toggle the network gateway changes alarm | bool | true | no |
| no_mfa_console_login | Toggle the no-MFA console login alarm | bool | true | no |
| root_usage | Toggle the root account usage alarm | bool | true | no |
| route_table_changes | Toggle the route table changes alarm | bool | true | no |
| s3_bucket_policy_changes | Toggle the S3 bucket policy changes alarm | bool | true | no |
| security_group_changes | Toggle the security group changes alarm | bool | true | no |
| tags | Tags applied to the created resources | map(string) | {} | no |
| unauthorized_api_calls | Toggle the unauthorized API calls alarm | bool | true | no |
| vpc_changes | Toggle the VPC changes alarm | bool | true | no |

Outputs

No outputs.

Contributors

atlantis-truss, avanti-joshi, cblkwell, chrisgilmerproj, eeeady, esacteksab, github-actions[bot], jsclarridge, mdawn, mdrummerboy09, ralren, renovate-bot, renovate[bot], rgilkey, rpdelaney


terraform-aws-cloudtrail-alarms's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/validate.yml
terraform
versions.tf
  • aws >= 3.0
  • hashicorp/terraform >= 1.0

Alarm description for disable_or_delete_cmk is incorrect

The alarm description for disable_or_delete_cmk is copied from another alarm (console_signin_failures). It may be worth replacing with something like this?

Monitoring attempts to disable or delete Customer Master Keys (CMKs) may detect an attempt to delete or invalidate customer production data stored on AWS.
