|
@@ -1,7 +1,16 @@
|
|
|
+########################
|
|
|
+# TO BE DISABLED
|
|
|
+#
|
|
|
+# These alerts have been recreated in Splunk, where they return far more useful information.
|
|
|
+# These alerts only say, "Something happened" and don't explain what/where/how, so they're
|
|
|
+# mostly useless.
|
|
|
+#
|
|
|
+# I plan to disable them completely once I gain confidence in the splunk alerts
|
|
|
locals {
|
|
|
alarm_namespace = "cis"
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.1 - Unauthorized API Calls"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
|
|
|
name = "UnauthorizedAPICalls"
|
|
|
pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
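Review bot: The new header marks these alarms "TO BE DISABLED", but the CloudWatch metric filter plus alarm is exactly what CIS AWS Foundations Benchmark controls 3.1–3.14 (and, if enabled, Security Hub's CIS standard checks) test for; a Splunk saved search does not satisfy them, so the header should record that removing them is a conscious deviation from the benchmark. Splunk is also a second hop: if CloudTrail forwarding stalls (forwarder, HEC token, index lag) nothing fires, whereas these alarms evaluate at the source. I would add to the header something like `# NOTE: removing these drops CIS 3.1-3.14 metric-filter coverage; before disabling, add a Splunk alert for "no CloudTrail events received in N minutes" and keep 3.3 (root usage) and 3.5 (CloudTrail config changes) here as an independent fallback.` Rather than deleting the resources later, gating them with `count = var.enable_cloudwatch_cis_alarms ? 1 : 0` (or `actions_enabled = false` on the alarms) keeps the change one-line reversible and reviewable. The `locals` block and the metric filter continue past this hunk.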
|
|
@@ -35,6 +44,8 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
|
|
|
# logins. Instead, we make sure they come in via okta and to the correct account.
|
|
|
#
|
|
|
# Okta handles our MFA, so MFA is always set to false for our logins. Lets just make sure they use the correct account(s).
|
|
|
+#
|
|
|
+# Notification via Splunk Alert: "CIS 3.2 - Management Console sign-in without MFA"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
|
|
|
name = "NoMFAConsoleSignin"
|
|
|
pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ( ($.additionalEventData.SamlProviderArn NOT EXISTS) || (($.additionalEventData.SamlProviderArn != \"arn:aws-us-gov:iam::701290387780:saml-provider/OKTA\") && ($.additionalEventData.SamlProviderArn != \"arn:aws:iam::471284459109:saml-provider/OKTA\"))) }"
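Review bot: The `no_mfa_console_signin` filter pattern hard-codes two account IDs and both partitions (`arn:aws-us-gov:iam::...:saml-provider/OKTA` and `arn:aws:iam::...:saml-provider/OKTA`) as the only trusted SAML providers, and the new "Notification via Splunk Alert" comment should say so, since the Splunk search presumably has to carry the same exemption or it will page on every Okta login. If this module is ever applied in a third account, every Okta SAML login there would match the filter because its provider ARN is not in the list; consider building the ARN from `data.aws_partition.current.partition` and `data.aws_caller_identity.current.account_id` instead of literal values. As written, a `ConsoleLogin` with `MFAUsed != "Yes"` from an IAM user password still matches, which appears to be the intent given the comment above. The metric filter resource continues past this hunk.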
|
|
@@ -63,6 +74,7 @@ resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.3 - Root Account Usage"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
|
|
|
name = "RootUsage"
|
|
|
pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
|
|
@@ -91,6 +103,7 @@ resource "aws_cloudwatch_metric_alarm" "root_usage" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.4 - IAM policy changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
|
|
|
name = "IAMChanges"
|
|
|
pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
|
|
@@ -119,6 +132,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.5 - CloudTrail configuration changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
|
|
|
name = "CloudTrailCfgChanges"
|
|
|
pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
|
|
@@ -148,6 +162,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.6 - Console Signin Failures"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
|
|
|
name = "ConsoleSigninFailures"
|
|
|
pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
|
|
@@ -176,6 +191,7 @@ resource "aws_cloudwatch_metric_alarm" "console_signin_failures" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.7 - Disable or Delete CMK"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
|
|
|
name = "DisableOrDeleteCMK"
|
|
|
pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
|
|
@@ -204,6 +220,7 @@ resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.8 - S3 Bucket Policy Change"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
|
|
|
name = "S3BucketPolicyChanges"
|
|
|
pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
|
|
@@ -232,6 +249,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.9 - AWS Config Service Changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
|
|
|
name = "AWSConfigChanges"
|
|
|
pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
|
|
@@ -260,6 +278,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.10 - Security Group Changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
|
|
|
name = "SecurityGroupChanges"
|
|
|
pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
|
|
@@ -288,6 +307,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.11 - Network ACL Changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
|
|
|
name = "NACLChanges"
|
|
|
pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
|
|
@@ -316,6 +336,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.12 - Network Gateway Changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
|
|
|
name = "NetworkGWChanges"
|
|
|
pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
|
|
@@ -344,6 +365,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.13 - Route Table Changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
|
|
|
name = "RouteTableChanges"
|
|
|
pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
|
|
@@ -372,6 +394,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
|
|
|
insufficient_data_actions = []
|
|
|
}
|
|
|
|
|
|
+# Notification via Splunk Alert: "CIS 3.14 - VPC Changes"
|
|
|
resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
|
|
|
name = "VPCChanges"
|
|
|
pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
|