Terraform module to create cloudwatch alarms

License: MIT License

Language: HCL 100.00%
Topics: aws terraform cloudwatch cloudwatch-alarms


terraform_cw_alarm

Terraform module to create a CloudWatch alarm on a CloudWatch Logs metric filter.

Dependencies

Terraform example

variable "unauthorized_api_calls_metric" { 
  default = {
    name        = "unauthorized_api_calls_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 10
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}

module "cw_alarm_unauthorized_api_calls_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  # alarm configuration
  alarm   = var.unauthorized_api_calls_metric
  # list of SNS topic ARNs to notify; use several, or a single topic that forwards to PagerDuty
  sns     = [module.sns_topic_alarms.arn]
  # the id output of the cloudwatch filter
  filter  = module.cw_filter_unauthorized_api_calls_metric.id
}
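The `operator`, `period`, `eval_period`, `threshold` and `missing` keys above decide when a run of matched log events actually becomes an ALARM. The following Python model is an added example and not part of the module; it assumes the `Sum` statistic, a metric filter with no default value (so a 300 s window with no matching events produces no datapoint, which is exactly the case the `missing` setting governs), and the default rule that every evaluated datapoint must breach (datapoints-to-alarm equal to `eval_period`). Timestamps are constructed; the two configs copy the `unauthorized_api_calls_metric` and `root_usage_metric` values from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# comparison_operator values of aws_cloudwatch_metric_alarm (the module's `operator` key)
OPERATORS = {
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "GreaterThanThreshold": lambda v, t: v > t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


@dataclass(frozen=True)
class AlarmConfig:
    """The evaluation-related keys of the page's `var.*_metric` objects."""
    operator: str
    period: int                     # seconds per datapoint
    eval_period: int                # consecutive periods that are evaluated together
    threshold: float
    statistic: str = "Sum"          # only Sum is modelled here
    missing: str = "notBreaching"   # notBreaching | breaching | ignore | missing


def datapoints(match_times: Iterable[datetime], cfg: AlarmConfig, now: datetime) -> List[Optional[float]]:
    """Sum matched log events into the last `eval_period` windows of `period` seconds,
    most recent window first. A window with no events yields None: with no default_value
    on the metric filter (assumed), CloudWatch receives no datapoint for that window."""
    if cfg.statistic != "Sum":
        raise ValueError("only the Sum statistic is modelled")
    counts = [0] * cfg.eval_period
    for ts in match_times:
        age = (now - ts).total_seconds()
        if age < 0:
            continue                      # event from the future: not in any window yet
        idx = int(age // cfg.period)
        if idx < cfg.eval_period:
            counts[idx] += 1
    return [float(c) if c else None for c in counts]


def evaluate_alarm(cfg: AlarmConfig, match_times: Iterable[datetime], now: datetime,
                   previous: str = "OK") -> str:
    """Alarm state after evaluating the windows that end at `now`. Models the default
    M-of-N rule with M = N = eval_period: every evaluated datapoint must breach."""
    compare = OPERATORS[cfg.operator]
    breaches = []
    for dp in datapoints(match_times, cfg, now):
        if dp is not None:
            breaches.append(compare(dp, cfg.threshold))
        elif cfg.missing == "notBreaching":
            breaches.append(False)
        elif cfg.missing == "breaching":
            breaches.append(True)
        # "ignore" and "missing": an empty window is dropped from the evaluation
    if not breaches:
        return "INSUFFICIENT_DATA" if cfg.missing == "missing" else previous
    return "ALARM" if all(breaches) else "OK"


# Constructed reference time; configs copy the page's values (threshold 10 and threshold 1).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
UNAUTHORIZED_API_CALLS = AlarmConfig("GreaterThanOrEqualToThreshold", 300, 1, 10)
ROOT_USAGE = AlarmConfig("GreaterThanOrEqualToThreshold", 300, 1, 1)


def events_ago(count: int, first_seconds_ago: int = 60) -> List[datetime]:
    """`count` constructed match timestamps, one second apart, starting `first_seconds_ago` before NOW."""
    return [NOW - timedelta(seconds=first_seconds_ago + i) for i in range(count)]


if __name__ == "__main__":
    print("9 AccessDenied in 5 min :", evaluate_alarm(UNAUTHORIZED_API_CALLS, events_ago(9), NOW))
    print("10 AccessDenied in 5 min:", evaluate_alarm(UNAUTHORIZED_API_CALLS, events_ago(10), NOW))
    print("one root API call       :", evaluate_alarm(ROOT_USAGE, events_ago(1), NOW))
    print("no events, notBreaching :", evaluate_alarm(ROOT_USAGE, [], NOW))
```

With `missing = "notBreaching"` a quiet account keeps the alarm in OK rather than INSUFFICIENT_DATA, which is why the CIS variables below use it; the trade-off is that a broken metric filter or a stopped trail looks identical to "nothing happened", so the `cloudtrail_cfg_changes_metric` alarm is what covers that gap.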

The Center for Internet Security (CIS) AWS Foundations Benchmark

To comply with the CIS benchmark, add the following:

variable "unauthorized_api_calls_metric" { 
  default = {
    name        = "unauthorized_api_calls_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 10
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "security_group_changes_metric" { 
  default = {
    name        = "security_group_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "network_acl_changes_metric" { 
  default = {
    name        = "network_acl_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "gateway_changes_metric" { 
  default = {
    name        = "gateway_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "route_changes_metric" { 
  default = {
    name        = "route_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "vpc_changes_metric" { 
  default = {
    name        = "vpc_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "no_mfa_console_signin_alarm" { 
  default = {
    name        = "no_mfa_console_signin_alarm"
    namespace   = "CISBenchmark"
    patern      = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "root_usage_metric" { 
  default = {
    name        = "root_usage_metric"
    namespace   = "CISBenchmark"
    patern      = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "iam_changes_metric" { 
  default = {
    name        = "iam_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "cloudtrail_cfg_changes_metric" { 
  default = {
    name        = "cloudtrail_cfg_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "console_signin_failure_metric" { 
  default = {
    name        = "console_signin_failure_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventName=ConsoleLogin) && ($.errorMessage=\"Failed authentication\")}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "disable_or_delete_cmk_changes_metric" { 
  default = {
    name        = "disable_or_delete_cmk_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "s3_bucket_policy_changes_metric" { 
  default = {
    name        = "s3_bucket_policy_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}
variable "aws_config_changes_metric" { 
  default = {
    name        = "aws_config_changes_metric"
    namespace   = "CISBenchmark"
    patern      = "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}"
    operator    = "GreaterThanOrEqualToThreshold"
    period      = 300
    eval_period = 1
    threshold   = 1
    statistic   = "Sum"
    missing     = "notBreaching"
  }
}

##
module "cw_filter_unauthorized_api_calls_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.unauthorized_api_calls_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_unauthorized_api_calls_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.unauthorized_api_calls_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_unauthorized_api_calls_metric.id
}
##
module "cw_filter_security_group_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.security_group_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_security_group_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.security_group_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_security_group_changes_metric.id
}
##
module "cw_filter_network_acl_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.network_acl_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_network_acl_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.network_acl_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_network_acl_changes_metric.id
}
##
module "cw_filter_gateway_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.gateway_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_gateway_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.gateway_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_gateway_changes_metric.id
}
##
module "cw_filter_route_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.route_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_route_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.route_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_route_changes_metric.id
}
##
module "cw_filter_vpc_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.vpc_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_vpc_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.vpc_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_vpc_changes_metric.id
}
##
module "cw_filter_no_mfa_console_signin_alarm" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.no_mfa_console_signin_alarm
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_no_mfa_console_signin_alarm" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.no_mfa_console_signin_alarm
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_no_mfa_console_signin_alarm.id
}
##
module "cw_filter_root_usage_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.root_usage_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_root_usage_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.root_usage_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_root_usage_metric.id
}
##
module "cw_filter_iam_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.iam_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_iam_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.iam_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_iam_changes_metric.id
}
##
module "cw_filter_cloudtrail_cfg_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.cloudtrail_cfg_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_cloudtrail_cfg_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.cloudtrail_cfg_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_cloudtrail_cfg_changes_metric.id
}
##
module "cw_filter_console_signin_failure_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.console_signin_failure_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_console_signin_failure_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.console_signin_failure_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_console_signin_failure_metric.id
}
##
module "cw_filter_disable_or_delete_cmk_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.disable_or_delete_cmk_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_disable_or_delete_cmk_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.disable_or_delete_cmk_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_disable_or_delete_cmk_changes_metric.id
}
##
module "cw_filter_s3_bucket_policy_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.s3_bucket_policy_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_s3_bucket_policy_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.s3_bucket_policy_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_s3_bucket_policy_changes_metric.id
}
##
module "cw_filter_aws_config_changes_metric" {
  source = "git::https://github.com/virsas/terraform_cw_filter.git?ref=v1.0.0"
  alarm  = var.aws_config_changes_metric
  group  = module.cw_cloudtrail.name
}
module "cw_alarm_aws_config_changes_metric" {
  source  = "git::https://github.com/virsas/terraform_cw_alarm.git?ref=v1.0.0"
  alarm   = var.aws_config_changes_metric
  sns     = [module.sns_topic_alarms.arn]
  filter  = module.cw_filter_aws_config_changes_metric.id
}
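The `patern` strings in the variables above are CloudWatch Logs JSON filter patterns, and the only way to know which CloudTrail events each one counts is to run events through them. The Python evaluator below is an added example, not code from this module or from AWS; it implements the subset of the pattern syntax those variables use (`$.a.b` selectors, `=` and `!=` with `*` wildcards, quoted and bare values, `NOT EXISTS`, `&&`, `||`, parentheses) and assumes that an absent field satisfies neither `=` nor `!=`, that matching is case-sensitive, and that non-string values compare as their JSON text. The patterns are copied from the variables above; the events are constructed, minimal CloudTrail shapes, not real log data.

```python
import json
import re

# Token grammar for the subset of CloudWatch Logs JSON filter-pattern syntax used by the page's
# patterns. Alternation order matters: "NOT EXISTS" must be tried before the bare-word rule.
TOKEN_RE = re.compile(r"""\s*(?:(?P<lbrace>\{)|(?P<rbrace>\})|(?P<lparen>\()|(?P<rparen>\))
    |(?P<and>&&)|(?P<or>\|\|)|(?P<notexists>NOT\s+EXISTS)|(?P<op>!=|=)
    |(?P<selector>\$(?:\.[A-Za-z_][A-Za-z0-9_]*)+)|(?P<string>"(?:[^"\\]|\\.)*")
    |(?P<word>[^\s(){}&|=!"]+))""", re.X)
_MISSING = object()   # sentinel: the selector's path does not exist in the event

def tokenize(pattern):
    """Split a pattern into (kind, text) pairs, e.g. ('selector', '$.eventName')."""
    text, pos, tokens = pattern.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

def parse(pattern):
    """Recursive descent over '{' expr '}': && binds tighter than ||, parentheses group."""
    tokens, i = tokenize(pattern), 0
    def peek():
        return tokens[i] if i < len(tokens) else (None, None)
    def take(kind=None):
        nonlocal i
        k, v = peek()
        if kind and k != kind:
            raise SyntaxError(f"expected {kind}, got {k} {v!r}")
        i += 1
        return v
    def or_expr():
        node = and_expr()
        while peek()[0] == "or":
            take()
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = atom()
        while peek()[0] == "and":
            take()
            node = ("and", node, atom())
        return node
    def atom():
        if peek()[0] == "lparen":
            take()
            node = or_expr()
            take("rparen")
            return node
        sel = take("selector")
        if peek()[0] == "notexists":
            take()
            return ("notexists", sel)
        op, (kind, value) = take("op"), peek()
        take(kind if kind in ("string", "word") else "value")   # anything else is a syntax error
        return ("cmp", sel, op, value[1:-1].replace('\\"', '"') if kind == "string" else value)
    take("lbrace")
    tree = or_expr()
    take("rbrace")
    return tree

def lookup(event, selector):
    """Follow '$.a.b' into nested dicts; _MISSING when any segment is absent."""
    node = event
    for key in selector[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def evaluate(node, event):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "notexists":
        return lookup(event, node[1]) is _MISSING
    _, sel, op, expected = node
    actual = lookup(event, sel)
    if actual is _MISSING:
        return False   # assumption: an absent field satisfies neither = nor !=
    text = actual if isinstance(actual, str) else json.dumps(actual)   # numbers, bools, null as JSON text
    glob = ".*".join(re.escape(part) for part in expected.split("*"))  # '*' is the only wildcard
    hit = re.fullmatch(glob, text, re.S) is not None
    return hit if op == "=" else not hit

def matches(pattern, event):
    """True when CloudTrail event `event` (a dict) would be counted by metric filter `pattern`."""
    return evaluate(parse(pattern), event)

# Patterns copied from the page's CIS variables; events are constructed, minimal CloudTrail shapes.
ROOT_USAGE = r'{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
NO_MFA_CONSOLE_SIGNIN = r'{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
UNAUTHORIZED_API_CALLS = r'{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}'
CMK_DISABLE_OR_DELETE = r'{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}'
ROOT_API_CALL = {"eventType": "AwsApiCall", "eventName": "DescribeInstances", "userIdentity": {"type": "Root"}}
IAM_LOGIN_NO_MFA = {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                    "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
```

A call such as `matches(ROOT_USAGE, ROOT_API_CALL)` returns `True`, while the same event with `"eventType": "AwsServiceEvent"` or with `userIdentity.invokedBy` set does not match, which is the intended exclusion of service-initiated root activity. Checking each pattern against a handful of constructed positive and negative events like this, before the metric filter goes live, catches the classic mistakes (a stray space in a bare word, a wildcard on the wrong side, a quoted value that CloudTrail actually emits in a different case) that otherwise leave an alarm silently counting nothing.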
