Skip to content
/ terraform-aws-cloudtrail-alarms Public

Provides CIS Benchmark-compliant Cloudwatch alarms for Cloudtrail events.

19 stars 15 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

trussworks/terraform-aws-cloudtrail-alarms

BranchesTags

Repository files navigation

terraform-aws-cloudtrail-alarms

This module creates a number of Cloudwatch alarms that alert on Cloudtrail events; they are meant to provide compliance with the AWS CIS benchmark.

This module uses Cloudtrail logs which have been written to a Cloudwatch logs group; this means for organizations with an organization Cloudtrail, you only need to put this in the master account.

The following alarms are available in this module; all can be toggled on or off, but by default all alarms are active.

  • AWS Config changes
  • Cloudtrail config changes
  • Console signin failures
  • Disabling or deleting CMK
  • IAM changes
  • Network ACL changes
  • Network gateway changes
  • No MFA console logins
  • Root account usage
  • Route table changes
  • S3 bucket policy changes
  • Security group changes
  • Unauthorized API calls
  • VPC changes

These alarms were adapted from those in https://github.com/nozaq/terraform-aws-secure-baseline.

Usage

module "cloudtrail_alarms" {
  source         = "trussworks/cloudtrail-alarms/aws"
  version        = "~> 1.0.0"

  alarm_sns_topic_arn = aws_sns_topic.my_alerts.arn
}

Requirements

Name Version
terraform >= 1.0
aws >= 3.0

Providers

Name Version
aws >= 3.0

Modules

No modules.

Resources

Name Type
aws_cloudwatch_log_metric_filter.aws_config_changes resource
aws_cloudwatch_log_metric_filter.cloudtrail_cfg_changes resource
aws_cloudwatch_log_metric_filter.console_signin_failures resource
aws_cloudwatch_log_metric_filter.disable_or_delete_cmk resource
aws_cloudwatch_log_metric_filter.iam_changes resource
aws_cloudwatch_log_metric_filter.nacl_changes resource
aws_cloudwatch_log_metric_filter.network_gw_changes resource
aws_cloudwatch_log_metric_filter.no_mfa_console_signin_assumed_role resource
aws_cloudwatch_log_metric_filter.no_mfa_console_signin_no_assumed_role resource
aws_cloudwatch_log_metric_filter.root_usage resource
aws_cloudwatch_log_metric_filter.route_table_changes resource
aws_cloudwatch_log_metric_filter.s3_bucket_policy_changes resource
aws_cloudwatch_log_metric_filter.security_group_changes resource
aws_cloudwatch_log_metric_filter.unauthorized_api_calls resource
aws_cloudwatch_log_metric_filter.vpc_changes resource
aws_cloudwatch_metric_alarm.aws_config_changes resource
aws_cloudwatch_metric_alarm.cloudtrail_cfg_changes resource
aws_cloudwatch_metric_alarm.console_signin_failures resource
aws_cloudwatch_metric_alarm.disable_or_delete_cmk resource
aws_cloudwatch_metric_alarm.iam_changes resource
aws_cloudwatch_metric_alarm.nacl_changes resource
aws_cloudwatch_metric_alarm.network_gw_changes resource
aws_cloudwatch_metric_alarm.no_mfa_console_signin resource
aws_cloudwatch_metric_alarm.root_usage resource
aws_cloudwatch_metric_alarm.route_table_changes resource
aws_cloudwatch_metric_alarm.s3_bucket_policy_changes resource
aws_cloudwatch_metric_alarm.security_group_changes resource
aws_cloudwatch_metric_alarm.unauthorized_api_calls resource
aws_cloudwatch_metric_alarm.vpc_changes resource

Inputs

Name Description Type Default Required
alarm_namespace Namespace for generated Cloudwatch alarms string "CISBenchmark" no
alarm_prefix Prefix for the alarm name string "" no
alarm_sns_topic_arn SNS topic ARN for generated alarms string n/a yes
aws_config_changes Toggle AWS Config changes alarm bool true no
cloudtrail_cfg_changes Toggle Cloudtrail config changes alarm bool true no
cloudtrail_log_group_name Cloudwatch log group name for Cloudtrail logs string "cloudtrail-events" no
console_signin_failures Toggle console signin failures alarm bool true no
disable_assumed_role_login_alerts Toggle to disable assumed role console login alerts - violates CIS Benchmark bool false no
disable_or_delete_cmk Toggle disable or delete CMK alarm bool true no
iam_changes Toggle IAM changes alarm bool true no
nacl_changes Toggle network ACL changes alarm bool true no
network_gw_changes Toggle network gateway changes alarm bool true no
no_mfa_console_login Toggle no MFA console login alarm bool true no
root_usage Toggle root usage alarm bool true no
route_table_changes Toggle route table changes alarm bool true no
s3_bucket_policy_changes Toggle S3 bucket policy changes alarm bool true no
security_group_changes Toggle security group changes alarm bool true no
tags Tags for resources created map(string) {} no
unauthorized_api_calls Toggle unauthorized api calls alarm bool true no
vpc_changes Toggle VPC changes alarm bool true no

Outputs

No outputs.

About

Provides CIS Benchmark-compliant Cloudwatch alarms for Cloudtrail events.

Topics

aws terraform aws-cloudtrail aws-cloudwatch terraform-modules

Resources

Readme

Code of conduct

Code of conduct
Activity
Custom properties

Stars

19 stars

Watchers

8 watching

Forks

15 forks
Report repository

Releases 9

Deprecate using Terraform versions before 1.0 Latest
Jun 8, 2023
+ 8 releases

Packages

No packages published

Contributors 15

Languages