|
@@ -11,6 +11,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
|
|
|
name = "UnauthorizedAPICalls"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
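Review bot: The new `default_value = 0` line does not by itself guarantee a datapoint every period, and the same line is added at the same position in every later hunk of this file (root_usage through vpc_changes), so this note covers all of them. If I recall the CloudWatch Logs semantics correctly, the default is published only when log events are ingested and none match the filter; a period in which CloudTrail delivers nothing to the log group still yields no datapoint, so the paired alarms' `treat_missing_data` setting (outside these hunks) still decides between OK and INSUFFICIENT_DATA in that case. A one-line comment above the new line would keep the next reader from over-trusting it, e.g. `# publish 0 when events arrive but none match, so the alarm sees OK rather than INSUFFICIENT_DATA on quiet periods`. The enclosing resource's opening line and its `pattern` are outside this hunk.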
|
|
@@ -30,15 +31,20 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
|
|
|
|
+# This doesn't match the CIS exactly, because we do our MFA through okta instead of through AWS, so MFA is false for our
|
|
|
+# logins. Instead, we make sure they come in via okta and to the correct account.
|
|
|
+#
|
|
|
+# Okta handles our MFA, so MFA is always set to false for our logins. Lets just make sure they use the correct account(s).
|
|
|
resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
|
|
|
name = "NoMFAConsoleSignin"
|
|
|
- pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
|
|
|
+ pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ( ($.additionalEventData.SamlProviderArn NOT EXISTS) || (($.additionalEventData.SamlProviderArn != \"arn:aws-us-gov:iam::701290387780:saml-provider/OKTA\") && ($.additionalEventData.SamlProviderArn != \"arn:aws:iam::471284459109:saml-provider/OKTA\"))) }"
|
|
|
log_group_name = var.log_group_name
|
|
|
|
|
|
metric_transformation {
|
|
|
name = "NoMFAConsoleSignin"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
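Review bot: The two Okta SAML provider ARNs, with their account IDs and partitions, are hard-coded inside the `pattern` string on the added line, which makes a security-relevant exemption hard to read and easy to get wrong when an account or partition is added. Build the allowed list as a local and generate the `!=` clauses from it (the file already references `local.alarm_namespace`, so a `locals` block presumably exists to extend), or derive the ARN from `data.aws_partition` / `data.aws_caller_identity` so the module does not need to know every account. The three comment paragraphs above the resource say the same thing twice; collapse them into one that states the assumption this change introduces, e.g. `# Console logins federated through the Okta SAML provider are exempt: MFA is enforced by Okta's sign-on policy, so CloudTrail reports MFAUsed = No for them. This filter only checks SamlProviderArn; the Okta policy is the compensating control and must be verified separately.` Note that the `aws_cloudwatch_metric_alarm "unauthorized_api_calls"` resource whose closing lines open this hunk starts outside it.

```hcl
locals {
  # SAML providers whose console logins are exempt from the no-MFA alarm (MFA is enforced by the IdP)
  okta_saml_provider_arns = [
    "arn:aws-us-gov:iam::701290387780:saml-provider/OKTA",
    "arn:aws:iam::471284459109:saml-provider/OKTA",
  ]
  okta_saml_exemption = join(" && ", [
    for arn in local.okta_saml_provider_arns :
    format("($.additionalEventData.SamlProviderArn != \"%s\")", arn)
  ])
}

resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
  name    = "NoMFAConsoleSignin"
  pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ( ($.additionalEventData.SamlProviderArn NOT EXISTS) || (${local.okta_saml_exemption}) ) }"
  # … unchanged: log_group_name, metric_transformation, depends_on …
}
```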
|
|
@@ -66,6 +72,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
|
|
|
name = "RootUsage"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -93,6 +100,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
|
|
|
name = "IAMChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -120,6 +128,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
|
|
|
name = "CloudTrailCfgChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
@@ -148,6 +157,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
|
|
|
name = "ConsoleSigninFailures"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -175,6 +185,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
|
|
|
name = "DisableOrDeleteCMK"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -202,6 +213,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
|
|
|
name = "S3BucketPolicyChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -229,6 +241,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
|
|
|
name = "AWSConfigChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -256,6 +269,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
|
|
|
name = "SecurityGroupChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -283,6 +297,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
|
|
|
name = "NACLChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -310,6 +325,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
|
|
|
name = "NetworkGWChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -337,6 +353,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
|
|
|
name = "RouteTableChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|
|
@@ -364,6 +381,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
|
|
|
name = "VPCChanges"
|
|
|
namespace = local.alarm_namespace
|
|
|
value = "1"
|
|
|
+ default_value = 0
|
|
|
}
|
|
|
depends_on = [ module.cloudtrail-logging ]
|
|
|
}
|