This module creates a number of Cloudwatch alarms that alert on Cloudtrail events; they are meant to provide compliance with the AWS CIS benchmark.
This module uses Cloudtrail logs which have been written to a Cloudwatch logs group; this means for organizations with an organization Cloudtrail, you only need to put this in the master account.
The following alarms are available in this module; all can be toggled on or off, but by default all alarms are active.
- AWS Config changes
- Cloudtrail config changes
- Console signin failures
- Disabling or deleting CMK
- IAM changes
- Network ACL changes
- Network gateway changes
- No MFA console logins
- Root account usage
- Route table changes
- S3 bucket policy changes
- Security group changes
- Unauthorized API calls
- VPC changes
These alarms were adapted from those in https://github.com/nozaq/terraform-aws-secure-baseline.
module "cloudtrail_alarms" {
source = "trussworks/cloudtrail-alarms/aws"
version = "~> 1.0.0"
alarm_sns_topic_arn = aws_sns_topic.my_alerts.arn
}| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 3.0 |
| Name | Version |
|---|---|
| aws | >= 3.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alarm_namespace | Namespace for generated Cloudwatch alarms | string |
"CISBenchmark" |
no |
| alarm_prefix | Prefix for the alarm name | string |
"" |
no |
| alarm_sns_topic_arn | SNS topic ARN for generated alarms | string |
n/a | yes |
| aws_config_changes | Toggle AWS Config changes alarm | bool |
true |
no |
| cloudtrail_cfg_changes | Toggle Cloudtrail config changes alarm | bool |
true |
no |
| cloudtrail_log_group_name | Cloudwatch log group name for Cloudtrail logs | string |
"cloudtrail-events" |
no |
| console_signin_failures | Toggle console signin failures alarm | bool |
true |
no |
| disable_assumed_role_login_alerts | Toggle to disable assumed role console login alerts - violates CIS Benchmark | bool |
false |
no |
| disable_or_delete_cmk | Toggle disable or delete CMK alarm | bool |
true |
no |
| iam_changes | Toggle IAM changes alarm | bool |
true |
no |
| nacl_changes | Toggle network ACL changes alarm | bool |
true |
no |
| network_gw_changes | Toggle network gateway changes alarm | bool |
true |
no |
| no_mfa_console_login | Toggle no MFA console login alarm | bool |
true |
no |
| root_usage | Toggle root usage alarm | bool |
true |
no |
| route_table_changes | Toggle route table changes alarm | bool |
true |
no |
| s3_bucket_policy_changes | Toggle S3 bucket policy changes alarm | bool |
true |
no |
| security_group_changes | Toggle security group changes alarm | bool |
true |
no |
| tags | Tags for resources created | map(string) |
{} |
no |
| unauthorized_api_calls | Toggle unauthorized api calls alarm | bool |
true |
no |
| vpc_changes | Toggle VPC changes alarm | bool |
true |
no |
No outputs.