virtualjj / cis-aws-benchmark-section-3-monitoring-remediate

AWS CloudFormation template to quickly remediate Section 3 - Monitoring for the AWS CIS Foundations Benchmark controls.

License: MIT License

cis-aws-benchmark-section-3-monitoring-remediate's Introduction

REMEDIATE CIS AWS BENCHMARK SECTION 3 - MONITORING

PURPOSE

The purpose of this project is to automate fixes for Section 3 Monitoring of the CIS (Center for Internet Security) AWS Foundations Benchmark.

This AWS CloudFormation template lets you register an email address that will receive alarms for the following controls:

  • 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
  • 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
  • 3.3 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
  • 3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
  • 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
  • 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
  • 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
  • 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
  • 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
  • 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
  • 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
  • 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
  • 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
  • 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)

The following control is not included as it is not scored:

  • 3.15 Ensure appropriate subscribers to each SNS topic (Not Scored)

WHY USE THIS TEMPLATE

In addition to quickly remediating Section 3 Monitoring of the CIS AWS Foundations Benchmark, this AWS CloudFormation template lets you customize your own names for the following:

  • Alarm and CloudTrail Topic Name
  • Alarm and CloudTrail Display Name
  • CloudTrail S3 Bucket
  • CloudTrail Log Group
  • CloudTrail Role Name
  • Metric Name Space
  • Metric Filter Names

The advantage of custom naming is that you can more easily align resource names with your organization's naming conventions.

This template is also non-destructive, so you should be able to deploy and remove it without interfering with existing resources, but do test first! Note that the stack creates its own CloudTrail S3 bucket, so stack creation fails if a bucket with the chosen name already exists (see the issues below).

STACK DEPLOYMENT

  1. Log in to your AWS account and select the region in which you want to deploy the template.

  2. Click the Launch Stack button below to go directly to the CloudFormation service in the selected region of your AWS account.

Launch CloudFormation Stack

  3. At the Specify Details screen you can experiment with different naming conventions, but at a minimum you must set the email address that should receive alarms. If you launch with the default [email protected] address the stack will complete, but you will never receive alerts: unless you have access to the mailbox of [email protected] you cannot confirm the subscription. Also, use a group email address instead of an individual's where possible, so that everyone who needs the notifications receives them.

  4. As you scroll down you can again use your own naming conventions. The defaults will let you launch the stack, but the resource names will then be generated with random values. You can add up to three AWS accounts to receive logs from; however, you will need to configure those accounts manually using the instructions at Receiving CloudTrail Log Files from Multiple Accounts.

  5. The Metric Filter names are the main part of this template. Use the defaults or change them to your own naming convention. I have set the Alarm names to be the same as the Metric Filter names for simplicity.

  6. Set Tags if you want to. Otherwise click Next.

  7. Review your settings, check the acknowledgement box, and click Create to launch the stack.

  8. During creation of the stack, and assuming that you changed the default [email protected] email address, you will receive a verification email. Click the Confirm subscription link, or copy the link and paste it into the browser of your choice.

  9. You should see a Subscription Confirmed message after clicking the Confirm subscription link in the email.

  10. Your stack should now be complete. Click the Outputs dropdown to see the registered email address and the CloudTrail S3 bucket.

  11. Go to CloudWatch, click Logs, and then click the metric filters that have been created.

  12. You can now see the configured Metric Filters and Alarms. I have highlighted Filter Name and Metric. For whatever reason, you cannot set the Filter Name from CloudFormation, although you can from the AWS CLI, so the name that this template actually sets is the Metric field.
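The Metric field matters for more than naming: CloudFormation binds an AWS::CloudWatch::Alarm to an AWS::Logs::MetricFilter purely through matching MetricName and Namespace values, so a mismatch between the two resources yields an alarm that never fires and a filter nobody watches. The script below is an added example (not part of this project) that lints that wiring in a template before you launch the stack. It works on the JSON form of a template, understands literal values and {"Ref": Parameter} (resolved from the parameter's Default or from values you pass in), and runs here against a constructed mini-template with one correctly wired control and one whose alarm has a metric-name typo. Resource and parameter names in the sample (AlarmTopic, RootUsageFilter, MetricNamespace, and so on) are constructed for the example, not taken from the template.

```python
"""Lint the metric-filter -> alarm -> SNS wiring of a CloudFormation template.
Added example, not project code.  CloudFormation binds an AWS::CloudWatch::Alarm to an
AWS::Logs::MetricFilter only through the (MetricNamespace, MetricName) pair in the
filter's MetricTransformations, so a typo in either leaves an alarm that never fires
and a filter nobody watches.  Handles literal values and {"Ref": <Parameter>}."""
import json


def resolve(value, template, overrides):
    """Resolve a literal or {"Ref": <Parameter>} to a string; None if unresolvable."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and set(value) == {"Ref"}:
        param = template.get("Parameters", {}).get(value["Ref"])
        if param is not None:  # parameter: use the override, else its Default
            return overrides.get(value["Ref"], param.get("Default"))
    return None  # refs to resources, Fn::Sub etc. are out of scope here


def check_wiring(template, overrides=None):
    """Return human-readable findings; an empty list means the wiring is consistent."""
    overrides = overrides or {}
    resources = template.get("Resources", {})
    findings, emitted, watched = [], {}, set()
    # 1. Collect every metric the filters emit.
    for rid, res in sorted(resources.items()):
        if res.get("Type") != "AWS::Logs::MetricFilter":
            continue
        for mt in res.get("Properties", {}).get("MetricTransformations", []):
            ns = resolve(mt.get("MetricNamespace"), template, overrides)
            name = resolve(mt.get("MetricName"), template, overrides)
            if ns is None or name is None:
                findings.append(f"{rid}: metric namespace/name could not be resolved")
            else:
                emitted[(ns, name)] = rid
    # 2. Every alarm must watch one of those metrics and notify an SNS topic.
    for rid, res in sorted(resources.items()):
        if res.get("Type") != "AWS::CloudWatch::Alarm":
            continue
        props = res.get("Properties", {})
        key = (resolve(props.get("Namespace"), template, overrides),
               resolve(props.get("MetricName"), template, overrides))
        if key in emitted:
            watched.add(key)
        else:
            findings.append(f"{rid}: no metric filter emits {key[0]}/{key[1]}")
        topics = [a["Ref"] for a in props.get("AlarmActions", []) if isinstance(a, dict)
                  and resources.get(a.get("Ref"), {}).get("Type") == "AWS::SNS::Topic"]
        if not topics:
            findings.append(f"{rid}: AlarmActions does not reference an SNS topic in this template")
    # 3. Every emitted metric must have at least one alarm.
    for key, rid in sorted(emitted.items()):
        if key not in watched:
            findings.append(f"{rid}: metric {key[0]}/{key[1]} has no alarm")
    return findings


def lint_file(path, **overrides):
    """Lint a JSON template on disk, e.g. lint_file("template.json", MetricNamespace="Org/CIS")."""
    with open(path) as fh:
        return check_wiring(json.load(fh), overrides)


# Constructed mini-template: one correctly wired control and one with a metric-name typo.
SAMPLE_TEMPLATE = {
    "Parameters": {"MetricNamespace": {"Type": "String", "Default": "CISBenchmark"},
                   "AlarmEmail": {"Type": "String", "Default": "security-alerts@example.com"}},
    "Resources": {
        "AlarmTopic": {"Type": "AWS::SNS::Topic", "Properties": {
            "Subscription": [{"Protocol": "email", "Endpoint": {"Ref": "AlarmEmail"}}]}},
        "RootUsageFilter": {"Type": "AWS::Logs::MetricFilter", "Properties": {
            "LogGroupName": "CloudTrail/DefaultLogGroup",
            "FilterPattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS'
                             ' && $.eventType != "AwsServiceEvent" }',
            "MetricTransformations": [{"MetricName": "RootAccountUsage", "MetricValue": "1",
                                       "MetricNamespace": {"Ref": "MetricNamespace"}}]}},
        "RootUsageAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {
            "MetricName": "RootAccountUsage", "Namespace": {"Ref": "MetricNamespace"},
            "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [{"Ref": "AlarmTopic"}]}},
        "NoMfaFilter": {"Type": "AWS::Logs::MetricFilter", "Properties": {
            "LogGroupName": "CloudTrail/DefaultLogGroup",
            "FilterPattern": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
            "MetricTransformations": [{"MetricName": "ConsoleSignInWithoutMFA", "MetricValue": "1",
                                       "MetricNamespace": {"Ref": "MetricNamespace"}}]}},
        "NoMfaAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {
            "MetricName": "ConsoleSignInWithoutMfa",  # case differs from the filter: never fires
            "Namespace": {"Ref": "MetricNamespace"}, "Statistic": "Sum", "Period": 300,
            "EvaluationPeriods": 1, "Threshold": 1, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [{"Ref": "AlarmTopic"}]}},
    },
}
```

On the sample, check_wiring reports two findings: NoMfaAlarm watches a metric no filter emits, and NoMfaFilter's metric has no alarm; RootUsage passes. Run it on your own template with lint_file, passing the parameter values you intend to launch with, since a renamed namespace changes both sides of the match. The check is about the template's wiring only; it says nothing about what the CloudWatch console displays for a filter.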

STACK DELETION

When you delete a stack, all Topics are automatically deleted. Subscriptions to those Topics are not. Make sure you verify your email subscriptions even if you are only testing. If you don't, you cannot immediately delete the subscriptions that were associated with the Topic once the stack is deleted; you'll have to wait three days for AWS to remove them automatically.

cis-aws-benchmark-section-3-monitoring-remediate's People

Contributors

toshke, virtualjj


cis-aws-benchmark-section-3-monitoring-remediate's Issues

Cannot customise role name

I am attempting to deploy this CF template with "IAM-DPT-INF-ACCNAME-R-CIS-Benchmark" or even just "test" as the role name, however it fails with the following error:

Template validation error: Parameter NameCloudTrailRole failed to satisfy constraint: The role name must contain only upper and lowercase alphanumeric characters with no spaces. These characters are alllowed: = , . @ -

As far as I can see this matches the requirements? I suspect the regex pattern is incorrect (but I have no clue how to decipher them)...

Invalid 32MgmtConsoleNoMFAMetricFilter pattern?

The filter pattern for 32MgmtConsoleNoMFAMetricFilter does not appear to be valid. Testing the pattern shows no log entries and doesn't alert when a user signs in without MFA.

{ ($.additionalEventData.MFAUsed = "No") && ($.eventName = "ConsoleLogin") }

Changing the pattern to the following appears to fix:

$.userIdentity.sessionContext.attributes.mfaAuthenticated != "true"

Edit: Turns out it is valid, but my log data didn't include the appropriate logs for testing against.
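As the edit above notes, a filter pattern can be perfectly valid and still show no matches when the sample log data lacks the events it targets. The following added example (not code from this project or from the issue author) evaluates CloudWatch Logs filter patterns offline against constructed CloudTrail events, so you can see which of the Section 3 controls listed in the README an event would trigger before testing against a live log group. It implements only the subset of the pattern grammar those patterns use, evaluates the template's 3.2 pattern quoted in this issue alongside the CIS-published patterns for controls 3.1 to 3.3 (v1.2.0 wording), and treats an absent field as matching neither = nor !=, which is a labelled assumption; the authoritative check remains `aws logs test-metric-filter`.

```python
"""Offline check of CloudWatch Logs JSON filter patterns against CloudTrail events.
Added example, not project code.  Supports the grammar subset the CIS Section 3 patterns
use: $.dotted.selector, = / != against a quoted string (* wildcard), EXISTS, NOT EXISTS,
&& (binds tighter), ||, parentheses and the surrounding braces."""
import re

_TOKEN = re.compile(r'\s*(\{|\}|\(|\)|&&|\|\||!=|=|NOT EXISTS|EXISTS|"[^"]*"|\$[\w.]+)')

def tokenize(pattern):
    tokens, pos = [], 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if m is None:
            if pattern[pos:].strip():
                raise ValueError(f"unexpected input at {pattern[pos:]!r}")
            break
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _lookup(event, selector):
    """Resolve '$.a.b' against a nested dict; returns (found, value)."""
    node = event
    for key in selector[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def compile_pattern(pattern):
    """Compile a filter-pattern string into a predicate over a CloudTrail event dict."""
    tokens, pos = tokenize(pattern), [0]  # pos is a cursor shared by the nested parsers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take(expected=None):
        tok = peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos[0] += 1
        return tok

    def binary(level):  # level 0: '||' over level-1 terms; level 1: '&&' over atoms
        op, sub = ("||", lambda: binary(1)) if level == 0 else ("&&", atom)
        terms = [sub()]
        while peek() == op:
            take()
            terms.append(sub())
        return lambda ev: (any if op == "||" else all)(t(ev) for t in terms)

    def atom():
        if peek() == "(":
            take()
            inner = binary(0)
            take(")")
            return inner
        selector, op = take(), take()
        if op == "EXISTS":
            return lambda ev: _lookup(ev, selector)[0]
        if op == "NOT EXISTS":
            return lambda ev: not _lookup(ev, selector)[0]
        literal = take()
        if not selector.startswith("$.") or op not in ("=", "!=") or literal[0] != '"':
            raise ValueError(f"unsupported clause {selector} {op} {literal}")
        regex = re.compile(re.escape(literal[1:-1]).replace(r"\*", ".*"))  # * = wildcard

        def compare(ev):
            found, value = _lookup(ev, selector)
            if not found:  # assumption: an absent field satisfies neither = nor !=
                return False
            return bool(regex.fullmatch(str(value))) == (op == "=")
        return compare

    take("{")
    predicate = binary(0)
    take("}")
    return predicate

# Patterns published in the CIS AWS Foundations Benchmark v1.2.0 for controls 3.1-3.3,
# plus the pattern this template uses for 3.2 (quoted in the issue above).
PATTERNS = {
    "3.1": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "3.2": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "3.2-template": '{ ($.additionalEventData.MFAUsed = "No") && ($.eventName = "ConsoleLogin") }',
    "3.3": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
           '&& $.eventType != "AwsServiceEvent" }',
}

# Constructed CloudTrail events, trimmed to the fields the patterns read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ListBuckets", "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"},
     "errorCode": "Client.UnauthorizedOperation"},
]

def matching_controls(event, patterns=PATTERNS):
    """Return the ids of the controls whose pattern fires on the event."""
    return [name for name, text in patterns.items() if compile_pattern(text)(event)]
```

Feeding a real ConsoleLogin event (json.loads of a CloudTrail record) to matching_controls shows whether 3.2 fires before any alarm exists; the second sample event, a sign-in with MFA, matches nothing, which is the behaviour you would also want to confirm on live data. Both the template's pattern and the CIS one fire on the first sample event, which is the observation the issue's edit arrived at.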

Stack failing to deploy because of existing cloudtrail s3 bucket

Hi there,

When I am deploying the cis-aws-benchmark-section-2-monitoring-remediate stack, it fails because the S3 bucket already exists for Cloudtrail.

It seems that the CF stack wants to create a new bucket.

CREATE_FAILED | AWS::S3::Bucket | CloudTrailS3Bucket | cloudtrail-xyxyxyx already exists

What needs to be modified to cater for a bucket that is already used for centralised cloudtrail logs in a different account?

Regards,

Travis

32MgmtConsoleNoMFAMetricFilter not linked to alarm

I noticed that while both the filter and alarm for 32MgmtConsoleNoMFAMetricFilter are created, the filter has no alarm set.

Yet when you look at the alarm, the metric is correctly set.

No alarms are sent to the SNS topic until the alarm is deleted and recreated.
