This repo contains sample code for deploying CIS benchmark alerts using EventBridge instead of CloudWatch Log Metric Filters.
Examples are provided in both CloudFormation and Terraform. See the README file in each sub-directory for usage instructions.
The IaC templates deploy 15 EventBridge rules that filter on the same events the standard CIS CloudWatch Log Metric Filters use. See the CIS AWS Foundations Benchmark controls v1.3.0 for specific details on the benchmark and the CloudWatch Log Metric approach. The high-level architecture that is deployed can be seen below.
When one of the EventBridge rules is triggered, it forwards the event to an SNS topic for notifications and to a Lambda function for automated remediation (both the topic and the Lambda function are created by the IaC templates).
The Lambda function performs a sample remediation for CloudTrail events only. Any additional remediation actions still need to be written.
Note that these templates are for example purposes only; the notifications and Lambda remediation are not fleshed out enough for immediate use in a production environment. We recommend using the example Lambda code as a starting point and expanding it with remediation options appropriate to each event type.
Below are the 15 filters that are applied to the EventBridge rules. They align with CIS Benchmark controls 4.1 through 4.15 in v1.3.0 of the benchmark. Each filter is applied automatically by the IaC templates, or can be copied and pasted if you choose to create the rules manually.
{
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"errorCode": ["AccessDenied*", "*UnauthorizedOperation"]
}
}
{
"detail-type": ["AWS Console Sign In via CloudTrail"],
"detail": {
"eventName": ["ConsoleLogin"],
"userIdentity": {
"type": ["IAMUser"]
},
"additionalEventData": {
"MFAUsed": [{ "anything-but": "Yes"}]
},
"responseElements": {
"ConsoleLogin": ["Success"]
}
}
}
{
"detail-type": ["AWS Console Sign In via CloudTrail"],
"detail": {
"userIdentity": {
"type": ["Root"],
"invokedBy": [ { "exists": false } ]
},
"eventType": [{ "anything-but": "AwsServiceEvent"}]
}
}
{
"source": ["aws.iam"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["iam.amazonaws.com"],
"eventName": [
"DeleteGroupPolicy",
"DeleteRolePolicy",
"DeleteUserPolicy",
"PutGroupPolicy",
"PutRolePolicy",
"PutUserPolicy",
"CreatePolicy",
"DeletePolicy",
"CreatePolicyVersion",
"DeletePolicyVersion",
"AttachRolePolicy",
"DetachRolePolicy",
"AttachUserPolicy",
"DetachUserPolicy",
"AttachGroupPolicy",
"DetachGroupPolicy"
]
}
}
{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["cloudtrail.amazonaws.com"],
"eventName": [
"CreateTrail",
"UpdateTrail",
"DeleteTrail",
"StartLogging",
"StopLogging"
]
}
}
{
"detail-type": ["AWS Console Sign In via CloudTrail"],
"detail": {
"responseElements": {
"ConsoleLogin": ["Failure"]
}
}
}
{
"source": ["aws.kms"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["kms.amazonaws.com"],
"eventName": [
"DisableKey",
"ScheduleKeyDeletion"
]
}
}
{
"source": ["aws.s3"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["s3.amazonaws.com"],
"eventName": [
"PutBucketAcl",
"PutBucketPolicy",
"PutBucketCors",
"PutBucketLifecycle",
"PutBucketReplication",
"DeleteBucketPolicy",
"DeleteBucketCors",
"DeleteBucketLifecycle",
"DeleteBucketReplication"
]
}
}
{
"source": ["aws.config"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["config.amazonaws.com"],
"eventName": [
"StopConfigurationRecorder",
"DeleteDeliveryChannel",
"PutDeliveryChannel",
"PutConfigurationRecorder"
]
}
}
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"AuthorizeSecurityGroupIngress",
"AuthorizeSecurityGroupEgress",
"RevokeSecurityGroupIngress",
"RevokeSecurityGroupEgress",
"CreateSecurityGroup",
"DeleteSecurityGroup"
]
}
}
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"CreateNetworkAcl",
"CreateNetworkAclEntry",
"DeleteNetworkAcl",
"DeleteNetworkAclEntry",
"ReplaceNetworkAclEntry",
"ReplaceNetworkAclAssociation"
]
}
}
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"CreateCustomerGateway",
"DeleteCustomerGateway",
"AttachInternetGateway",
"CreateInternetGateway",
"DeleteInternetGateway",
"DetachInternetGateway"
]
}
}
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"CreateRoute",
"CreateRouteTable",
"ReplaceRoute",
"ReplaceRouteTableAssociation",
"DeleteRouteTable",
"DeleteRoute",
"DisassociateRouteTable"
]
}
}
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"CreateVpc",
"DeleteVpc",
"ModifyVpcAttribute",
"AcceptVpcPeeringConnection",
"CreateVpcPeeringConnection",
"DeleteVpcPeeringConnection",
"RejectVpcPeeringConnection",
"AttachClassicLinkVpc",
"DetachClassicLinkVpc",
"DisableVpcClassicLink",
"EnableVpcClassicLink"
]
}
}
{
"source": ["aws.organizations"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["organizations.amazonaws.com"],
"eventName": [
"AcceptHandshake",
"AttachPolicy",
"CreateAccount",
"CreateOrganizationalUnit",
"CreatePolicy",
"DeclineHandshake",
"DeleteOrganization",
"DeleteOrganizationalUnit",
"DeletePolicy",
"DetachPolicy",
"DisablePolicyType",
"EnablePolicyType",
"InviteAccountToOrganization",
"LeaveOrganization",
"MoveAccount",
"RemoveAccountFromOrganization",
"UpdatePolicy",
"UpdateOrganizationalUnit"
]
}
}
Please see the License file for limitations of liability.