From 603ed0b16f54c89b3c47d6a2576561a0d4ce841b Mon Sep 17 00:00:00 2001
From: zfLQ2qx2 <31103058+zfLQ2qx2@users.noreply.github.com>
Date: Tue, 19 Nov 2019 01:37:42 -0500
Subject: [PATCH] Update log metric filter checks to latest AWS CIS Foundations Benchmark and provide hints on how to remediate
---
 checks/check31 | 25 +++++++++++++++++++++++++
 checks/check310 | 27 ++++++++++++++++++++++++++-
 checks/check311 | 27 ++++++++++++++++++++++++++-
 checks/check312 | 27 ++++++++++++++++++++++++++-
 checks/check313 | 27 ++++++++++++++++++++++++++-
 checks/check314 | 27 ++++++++++++++++++++++++++-
 checks/check32 | 25 +++++++++++++++++++++++++
 checks/check33 | 25 +++++++++++++++++++++++++
 checks/check34 | 27 ++++++++++++++++++++++++++-
 checks/check35 | 27 ++++++++++++++++++++++++++-
 checks/check36 | 25 +++++++++++++++++++++++++
 checks/check37 | 25 +++++++++++++++++++++++++
 checks/check38 | 27 ++++++++++++++++++++++++++-
 checks/check39 | 27 ++++++++++++++++++++++++++-
 14 files changed, 359 insertions(+), 9 deletions(-)
diff --git a/checks/check31 b/checks/check31
index 13a11eb1e44..8a8d1329cdb 100644
--- a/checks/check31
+++ b/checks/check31
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/MyCloudTrailLG \
+# --filter-name AWSAuthorizationFailures \
+# --filter-pattern '{ $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*" }' \
+# --metric-transformations metricName=AuthorizationFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name "Authorization Failures" \
+# --alarm-description "Alarm triggered when unauthorized API calls are made" \
+# --metric-name AuthorizationFailureCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check31="3.1,3.01"
 CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
diff --git a/checks/check310 b/checks/check310
index 3c1e1d11243..77f4b5a3ce2 100644
--- a/checks/check310
+++ b/checks/check310
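Review bot: The remediation block ends at `--alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic` without saying that the topic needs a confirmed subscriber; an alarm wired to an empty topic runs both commands successfully and notifies nobody, and the benchmark's audit steps for these controls look for a subscription on the topic. I would add `# The SNS topic must have at least one confirmed subscription (aws sns list-subscriptions-by-topic), otherwise the alarm fires silently.` just above the `put-metric-alarm` example. The `--log-group-name` value also has to be the group the CloudTrail trail actually delivers to, not an arbitrary name, so a one-line pointer such as `# Log group: CloudWatchLogsLogGroupArn from 'aws cloudtrail describe-trails'` would save the reader a guess. `CloudTrail/MyCloudTrailLG` here differs from the `CloudTrail/CloudWatchLogGroup` placeholder used in most of the sibling checks in this commit; one placeholder across the fourteen files would read better.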
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name SecurityGroupConfigChanges \
+# --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' \
+# --metric-transformations metricName=SecurityGroupEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name SecurityGroupConfigChangesAlarm \
+# --alarm-description "Triggered by AWS security group(s) config changes." \
+# --metric-name SecurityGroupEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check310="3.10"
 CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check310="LEVEL2"
 CHECK_ALTERNATE_check310="check310"
 check310(){
- check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
+ check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
 }
diff --git a/checks/check311 b/checks/check311
index 12aec273f45..b69fc75a2de 100644
--- a/checks/check311
+++ b/checks/check311
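Review bot: The new `check3x` argument chains the six `\$\.eventName\s*=\s*...` clauses with `.+`, so it only accepts a filter whose clauses appear in exactly this order; a filter carrying the same six events in a different order (hand-typed, or emitted by a CloudFormation/Terraform template) is reported as missing, and nothing in the hunk records that constraint. If `check3x` (defined outside this hunk) keeps taking a single regex, the least I would do is document it above the call: `# NOTE: check3x applies one ordered regex, so the filter's clauses must appear in this order (same as the remediation example above).` A more robust version would have `check3x` take the list of event names and require each one to be present independently, order-free, which would also make the pre-existing pattern easier to keep in sync with the benchmark. The same remark applies to every other `check3x` call updated in this commit.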
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name NetworkACLConfigChanges \
+# --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' \
+# --metric-transformations metricName=NetworkAclEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name NetworkACLConfigChangesAlarm \
+# --alarm-description "Triggered by AWS Network ACL(s) config changes." \
+# --metric-name NetworkAclEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check311="3.11"
 CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check311="LEVEL2"
 CHECK_ALTERNATE_check311="check311"
 check311(){
- check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
+ check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
 }
diff --git a/checks/check312 b/checks/check312
index 0bf516b6933..49e1462e3e7 100644
--- a/checks/check312
+++ b/checks/check312
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name VPCGatewayConfigChanges \
+# --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' \
+# --metric-transformations metricName=GatewayEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name VPCGatewayConfigChangesAlarm \
+# --alarm-description "Triggered by VPC Customer/Internet Gateway changes." \
+# --metric-name GatewayEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check312="3.12"
 CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check312="LEVEL1"
 CHECK_ALTERNATE_check312="check312"
 check312(){
- check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
+ check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
 }
diff --git a/checks/check313 b/checks/check313
index ca619ecc725..a6a81edc01b 100644
--- a/checks/check313
+++ b/checks/check313
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name RouteTableConfigChanges \
+# --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' \
+# --metric-transformations metricName=RouteTableEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name RouteTableConfigChangesAlarm \
+# --alarm-description "Triggered by AWS Route Table config changes." \
+# --metric-name RouteTableEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check313="3.13"
 CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check313="LEVEL1"
 CHECK_ALTERNATE_check313="check313"
 check313(){
- check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
+ check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
 }
diff --git a/checks/check314 b/checks/check314
index 6c29c946320..3a6c9d7d27c 100644
--- a/checks/check314
+++ b/checks/check314
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name VPCNetworkConfigChanges \
+# --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' \
+# --metric-transformations metricName=VpcEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name VPCNetworkConfigChangesAlarm \
+# --alarm-description "Triggered by AWS VPC(s) environment config changes." \
+# --metric-name VpcEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check314="3.14"
 CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check314="LEVEL1"
 CHECK_ALTERNATE_check314="check314"
 check314(){
- check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
+ check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
 }
diff --git a/checks/check32 b/checks/check32
index e13b18dd577..83779842dff 100644
--- a/checks/check32
+++ b/checks/check32
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name ConsoleSignInWithoutMfaCount \
+# --filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }' \
+# --metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name ConsoleSignInWithoutMfaAlarm \
+# --alarm-description "Triggered by sign-in requests made without MFA." \
+# --metric-name ConsoleSignInWithoutMfaCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check32="3.2,3.02"
 CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
diff --git a/checks/check33 b/checks/check33
index b6825566c0b..00c6d7dd65c 100644
--- a/checks/check33
+++ b/checks/check33
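Review bot: The suggested filter `{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }` counts every console login event that lacks `MFAUsed = Yes`, which as far as I can tell includes failed sign-in attempts and federated or assumed-role sessions whose MFA was enforced by the identity provider and is not reflected in this field; in an SSO-heavy account the alarm will fire on routine logins and end up muted. Worth a caveat next to the pattern, e.g. `# NOTE: also matches failed logins and federated (AssumedRole) sessions; narrow with $.userIdentity.type = "IAMUser" and $.responseElements.ConsoleLogin = "Success" if the alarm is too noisy.` The remediation still satisfies what this check verifies, so the note is about the guidance, not the check.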
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name RootAccountUsage \
+# --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' \
+# --metric-transformations metricName=RootAccountUsageEventCount,metricNamespace=CloudTrailMetrics,metricValue=1 \
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name RootAccountUsageAlarm \
+# --alarm-description "Triggered by AWS Root Account usage." \
+# --metric-name RootAccountUsageEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check33="3.3,3.03"
 CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
diff --git a/checks/check34 b/checks/check34
index 4eaf345cd6a..e4751c79e1e 100644
--- a/checks/check34
+++ b/checks/check34
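Review bot: The `put-metric-alarm` example has `--statistic \` with no value, so anyone pasting it gets `--comparison-operator` consumed as the statistic and the CLI rejects the command; it should read `--statistic Sum \` like the other thirteen examples in this commit. The `put-metric-filter` example also ends with `metricValue=1 \`, so the continuation runs onto the empty comment line and the two commands are not cleanly separated; drop that trailing backslash. The filter pattern itself (`$.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent"`) looks right for excluding service-initiated root events.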
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name IAMAuthConfigChanges \
+# --filter-pattern '{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }' \
+# --metric-transformations metricName=IAMPolicyEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name IAMAuthorizationActivityAlarm \
+# --alarm-description "Triggered by AWS IAM authorization config changes." \
+# --metric-name IAMPolicyEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check34="3.4,3.04"
 CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check34="LEVEL1"
 CHECK_ALTERNATE_check304="check34"
 check34(){
- check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
+ check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
 }
diff --git a/checks/check35 b/checks/check35
index 63ba2243cb9..b8b4c6cf7f8 100644
--- a/checks/check35
+++ b/checks/check35
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/MyCloudTrailLG \
+# --filter-name AWSCloudTrailChanges \
+# --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' \
+# --metric-transformations metricName=CloudTrailEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name "CloudTrail Changes" \
+# --alarm-description "Triggered by AWS CloudTrail configuration changes." \
+# --metric-name CloudTrailEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check35="3.5,3.05"
 CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check35="LEVEL1"
 CHECK_ALTERNATE_check305="check35"
 check35(){
- check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
+ check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
 }
diff --git a/checks/check36 b/checks/check36
index 8fc6d86f5ee..699739d89a4 100644
--- a/checks/check36
+++ b/checks/check36
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/MyCloudTrailLG \
+# --filter-name AWSConsoleSignInFailures \
+# --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }' \
+# --metric-transformations metricName=ConsoleSigninFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name "Console Sign-in Failures" \
+# --alarm-description "AWS Management Console Sign-in Failure Alarm." \
+# --metric-name ConsoleSigninFailureCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 3 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check36="3.6,3.06"
 CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
diff --git a/checks/check37 b/checks/check37
index 44e671135ed..c0390bc97b1 100644
--- a/checks/check37
+++ b/checks/check37
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name AWSCMKChanges \
+# --filter-pattern '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }' \
+# --metric-transformations metricName=CMKEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name AWSCMKChangesAlarm \
+# --alarm-description "Triggered by AWS CMK changes." \
+# --metric-name CMKEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check37="3.7,3.07"
 CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
diff --git a/checks/check38 b/checks/check38
index f0188751324..ddc69d36894 100644
--- a/checks/check38
+++ b/checks/check38
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name S3BucketConfigChanges \
+# --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' \
+# --metric-transformations metricName=S3BucketEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name S3BucketConfigChangesAlarm \
+# --alarm-description "Triggered by AWS S3 Bucket config changes." \
+# --metric-name S3BucketEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check38="3.8,3.08"
 CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check38="LEVEL1"
 CHECK_ALTERNATE_check308="check38"
 check38(){
- check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
+ check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
 }
diff --git a/checks/check39 b/checks/check39
index d8feb0de29e..3a812a4ae52 100644
--- a/checks/check39
+++ b/checks/check39
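Review bot: In the new `check3x` regex the `eventSource` value is written `s3.amazonaws.com` with unescaped dots, so each `.` matches any character rather than a literal dot; harmless in practice, but not what the pattern intends, and `\$\.eventSource\s*=\s*s3\.amazonaws\.com` costs nothing (the `config.amazonaws.com` clause in check39 has the same issue). As with the other checks in this commit, the nine `eventName` clauses are chained with `.+` and so must appear in exactly the order of the remediation example; an equivalent filter with the clauses reordered is reported as missing. If the ordering is intentional, a one-line comment above the call, `# clause order must match the remediation example above (check3x applies a single ordered regex)`, would stop the next reader from "fixing" it.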
@@ -7,6 +7,31 @@
 #
 # You should have received a copy of the license along with this
 # work. If not, see .
+#
+# Remediation:
+#
+# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+# aws logs put-metric-filter \
+# --region us-east-1 \
+# --log-group-name CloudTrail/CloudWatchLogGroup \
+# --filter-name AWSConfigChanges \
+# --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }' \
+# --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+# aws cloudwatch put-metric-alarm \
+# --region us-east-1 \
+# --alarm-name AWSConfigChangesAlarm \
+# --alarm-description "Triggered by AWS Config changes." \
+# --metric-name ConfigEventCount \
+# --namespace CloudTrailMetrics \
+# --statistic Sum \
+# --comparison-operator GreaterThanOrEqualToThreshold \
+# --evaluation-periods 1 \
+# --period 300 \
+# --threshold 1 \
+# --actions-enabled \
+# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check39="3.9,3.09"
 CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
@@ -15,5 +40,5 @@ CHECK_TYPE_check39="LEVEL2"
 CHECK_ALTERNATE_check309="check39"
 check39(){
- check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
+ check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
 }