
Fixes CloudWatch Alert for Logins without MFA

Filters out login events that were from Okta, but only when they are to
the appropriate accounts.

Also adds default values to the remaining metrics.

To be tagged v0.7.11
Fred Damstra пре 5 година
родитељ
комит
76a9976db6
1 измењених фајлова са 19 додато и 1 уклоњено

+ 19 - 1
base/account_standards/cloudwatch_metrics_and_alarms.tf

@@ -11,6 +11,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
     name      = "UnauthorizedAPICalls"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -30,15 +31,20 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
   depends_on = [ module.cloudtrail-logging ]
 }
 
+# This doesn't match the CIS exactly, because we do our MFA through okta instead of through AWS, so MFA is false for our
+# logins. Instead, we make sure they come in via okta and to the correct account.
+#
+# Okta handles our MFA, so MFA is always set to false for our logins. Lets just make sure they use the correct account(s).
 resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
   name           = "NoMFAConsoleSignin"
-  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
+  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ( ($.additionalEventData.SamlProviderArn NOT EXISTS) || (($.additionalEventData.SamlProviderArn != \"arn:aws-us-gov:iam::701290387780:saml-provider/OKTA\") && ($.additionalEventData.SamlProviderArn != \"arn:aws:iam::471284459109:saml-provider/OKTA\"))) }"
   log_group_name = var.log_group_name
 
   metric_transformation {
     name      = "NoMFAConsoleSignin"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -66,6 +72,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
     name      = "RootUsage"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -93,6 +100,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
     name      = "IAMChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -120,6 +128,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
     name      = "CloudTrailCfgChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
 
   depends_on = [ module.cloudtrail-logging ]
@@ -148,6 +157,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
     name      = "ConsoleSigninFailures"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -175,6 +185,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
     name      = "DisableOrDeleteCMK"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -202,6 +213,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
     name      = "S3BucketPolicyChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -229,6 +241,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
     name      = "AWSConfigChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -256,6 +269,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
     name      = "SecurityGroupChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -283,6 +297,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
     name      = "NACLChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -310,6 +325,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
     name      = "NetworkGWChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -337,6 +353,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
     name      = "RouteTableChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
@@ -364,6 +381,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
     name      = "VPCChanges"
     namespace = local.alarm_namespace
     value     = "1"
+    default_value = 0
   }
   depends_on = [ module.cloudtrail-logging ]
 }
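Review bot: The Okta SAML provider ARNs, and with them two account IDs, are hard-coded into the `no_mfa_console_signin` pattern in the second hunk of this file, while the same resource already takes `var.log_group_name` from the caller; applied to any other account this module either alerts on every Okta login or, once someone appends that account's ARN here, widens the exemption for every account using the module at once. A list variable that each account fills with its own provider ARNs keeps the exemption scoped, as sketched below; the variable should have no default (or the pattern needs a `length(...) > 0` branch), because an empty list would leave an empty `( )` clause and an invalid filter. The exemption also depends on Okta enforcing MFA before the assertion is issued, which is worth stating once above the resource, e.g. `# Logins via the listed Okta SAML providers are exempt: MFA is enforced in Okta, so MFAUsed is never "Yes" for them; a login through any other provider, or with no provider, still alarms.`, in place of the two comment paragraphs that currently repeat each other. Minor: `default_value = 0` is unaligned with the surrounding assignments in every hunk and `value` is quoted as `"1"` while `default_value` is a bare `0`; `terraform fmt` and `default_value = "0"` would make them consistent.
```hcl
# Okta SAML provider ARNs whose console logins are exempt from the no-MFA alert
# (MFA for these is enforced in Okta, not AWS). Must not be empty.
variable "mfa_exempt_saml_provider_arns" {
  type = list(string)
}

# … unchanged: resource header, name …
  pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ( ($.additionalEventData.SamlProviderArn NOT EXISTS) || (${join(" && ", [for a in var.mfa_exempt_saml_provider_arns : "($.additionalEventData.SamlProviderArn != \"${a}\")"])}) ) }"
# … unchanged: log_group_name, metric_transformation, depends_on …
```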