#######################
# Metric based alarms #
#######################
# Metric root_login
resource "aws_cloudwatch_log_metric_filter" "root_login" {
  # Counts CloudTrail records whose identity type is Root, that were not
  # invoked on behalf of an AWS service (invokedBy absent) and that are not
  # AwsServiceEvent records. Only created when root-login alerting is on.
  count          = var.alert_on_root_login ? 1 : 0
  name           = "root_login"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    namespace = "GRACECISBenchmark"
    name      = "root_login"
    value     = "1"
    # Emit 0 for non-matching log events so the metric has a baseline
    # rather than gaps whenever logs arrive but nothing matches.
    default_value = "0"
  }
}
# Alarm root_login
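resource "aws_cloudwatch_metric_alarm" "root_login" {
  # Fires when the root_login metric sums to at least the configured
  # threshold within a single period and notifies the alerting topic.
  #
  # The alarm is gated by the same flag as its metric filter. Gating it on
  # alert_on_console_login_failures (the previous condition) meant that when
  # the two flags differed the alarm was either silently omitted while root
  # alerting was enabled, or created without its filter and failed on the
  # missing aws_cloudwatch_log_metric_filter.root_login[0] reference.
  count = var.alert_on_root_login ? 1 : 0

  alarm_name        = "root_login"
  alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
  namespace         = "GRACECISBenchmark"
  # The filter's id resolves to its name, which this module keeps equal to
  # the metric_transformation name; keep both in sync if either is renamed.
  metric_name         = aws_cloudwatch_log_metric_filter.root_login[count.index].id
  statistic           = "Sum"
  period              = var.root_login_period
  evaluation_periods  = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = var.root_login_threshold
  # The filter publishes 0 for non-matching events, so missing data
  # presumably means no CloudTrail records arrived at all; ignoring it keeps
  # the alarm in its last state instead of flapping to INSUFFICIENT_DATA.
  treat_missing_data = "ignore"
  alarm_actions      = [aws_cloudformation_stack.alerting_topic.outputs["Arn"]]
}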
# Metric console_login_failures
resource "aws_cloudwatch_log_metric_filter" "console_login_failures" {
  # Counts ConsoleLogin events whose errorMessage is "Failed authentication".
  # Only created when console-login-failure alerting is enabled.
  count          = var.alert_on_console_login_failures ? 1 : 0
  name           = "console_login_failures"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"

  metric_transformation {
    namespace = "GRACECISBenchmark"
    name      = "console_login_failures"
    value     = "1"
    # Baseline of 0 for log events that do not match.
    default_value = "0"
  }
}
# Alarm console_login_failures
resource "aws_cloudwatch_metric_alarm" "console_login_failures" {
  # Alarms when the sum of console_login_failures over one period reaches
  # the configured threshold, notifying the alerting topic.
  count = var.alert_on_console_login_failures ? 1 : 0

  alarm_name        = "console_login_failures"
  alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
  namespace         = "GRACECISBenchmark"
  # The filter's id resolves to its name, which matches the transformation
  # name above; keep them in sync if either is renamed.
  metric_name         = aws_cloudwatch_log_metric_filter.console_login_failures[count.index].id
  statistic           = "Sum"
  period              = var.console_login_failures_period
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = var.console_login_failures_threshold
  # Missing data keeps the alarm in its last state rather than flapping.
  treat_missing_data = "ignore"
  alarm_actions      = [aws_cloudformation_stack.alerting_topic.outputs["Arn"]]
}
# Metric disable_or_delete_kms_key
resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_kms_key" {
  # Counts KMS API records for DisableKey or ScheduleKeyDeletion, the two
  # operations that take a key out of service. Only created when enabled.
  count          = var.alert_on_disable_or_delete_kms_key ? 1 : 0
  name           = "disable_or_delete_kms_key"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"

  metric_transformation {
    namespace = "GRACECISBenchmark"
    name      = "disable_or_delete_kms_key"
    value     = "1"
    # Baseline of 0 for log events that do not match.
    default_value = "0"
  }
}
# Alarm disable_or_delete_kms_key
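resource "aws_cloudwatch_metric_alarm" "disable_or_delete_kms_key" {
  # Alarms when the sum of disable_or_delete_kms_key over one period reaches
  # the configured threshold, notifying the alerting topic.
  count = var.alert_on_disable_or_delete_kms_key ? 1 : 0

  alarm_name = "disable_or_delete_kms_key"
  # The previous description was copied from the console_login_failures
  # alarm and did not describe this metric (DisableKey / ScheduleKeyDeletion
  # on kms.amazonaws.com); notifications carry this text, so it must match.
  alarm_description = "Monitoring for KMS keys being disabled or scheduled for deletion will provide visibility into changes that can make data encrypted under those keys unrecoverable."
  namespace         = "GRACECISBenchmark"
  # The filter's id resolves to its name, which matches the transformation
  # name; keep them in sync if either is renamed.
  metric_name         = aws_cloudwatch_log_metric_filter.disable_or_delete_kms_key[count.index].id
  statistic           = "Sum"
  period              = var.disable_or_delete_kms_key_period
  evaluation_periods  = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = var.disable_or_delete_kms_key_threshold
  # Missing data keeps the alarm in its last state rather than flapping.
  treat_missing_data = "ignore"
  alarm_actions      = [aws_cloudformation_stack.alerting_topic.outputs["Arn"]]
}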
# Metric console_login_without_mfa
resource "aws_cloudwatch_log_metric_filter" "console_login_without_mfa" {
  # Counts ConsoleLogin events whose additionalEventData.MFAUsed is No.
  # NOTE(review): the pattern does not check the login outcome or the
  # identity type, so failed attempts and federated/SSO sessions (which can
  # record MFAUsed = No even when MFA is enforced at the identity provider)
  # are presumably counted too — confirm against this account's sign-in paths.
  count          = var.alert_on_console_login_without_mfa ? 1 : 0
  name           = "console_login_without_mfa"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed = No) }"

  metric_transformation {
    namespace = "GRACECISBenchmark"
    name      = "console_login_without_mfa"
    value     = "1"
    # Baseline of 0 for log events that do not match.
    default_value = "0"
  }
}
# Alarm console_login_without_mfa
resource "aws_cloudwatch_metric_alarm" "console_login_without_mfa" {
  # Alarms when the sum of console_login_without_mfa over one period reaches
  # the configured threshold, notifying the alerting topic.
  count = var.alert_on_console_login_without_mfa ? 1 : 0

  alarm_name        = "console_login_without_mfa"
  alarm_description = "Monitoring for console logins without MFA will provide visibility into all console logins that do not utilize MFA."
  namespace         = "GRACECISBenchmark"
  # The filter's id resolves to its name, which matches the transformation
  # name; keep them in sync if either is renamed.
  metric_name         = aws_cloudwatch_log_metric_filter.console_login_without_mfa[count.index].id
  statistic           = "Sum"
  period              = var.console_login_without_mfa_period
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = var.console_login_without_mfa_threshold
  # Missing data keeps the alarm in its last state rather than flapping.
  treat_missing_data = "ignore"
  alarm_actions      = [aws_cloudformation_stack.alerting_topic.outputs["Arn"]]
}