From 83f5f9e85937fd4bdbd8f9ff92c8096b570804d8 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 19 Oct 2023 15:42:05 -0500 Subject: [PATCH 01/16] Add log metric filters and alarms for remaining CloudWatch controls. --- infrastructure/alarms.tf | 20 --- infrastructure/log_alarms.tf | 195 ++++++++++++++++++++++++++++ infrastructure/log_filters.tf | 237 ++++++++++++++++++++++++++++++++++ infrastructure/prod.tfvars | 17 ++- infrastructure/sns.tf | 5 + infrastructure/stage.tfvars | 17 ++- infrastructure/vars.tf | 82 +++++++++++- 7 files changed, 547 insertions(+), 26 deletions(-) delete mode 100644 infrastructure/alarms.tf create mode 100644 infrastructure/log_alarms.tf create mode 100644 infrastructure/log_filters.tf diff --git a/infrastructure/alarms.tf b/infrastructure/alarms.tf deleted file mode 100644 index c654bbbc5..000000000 --- a/infrastructure/alarms.tf +++ /dev/null @@ -1,20 +0,0 @@ -resource "aws_cloudwatch_log_metric_filter" "cloudwatch1" { - log_group_name = var.cloudtrail_log_group_name - name = var.log_metric_name_cloudwatch1 - pattern = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !=\"AwsServiceEvent\"}" - metric_transformation { - name = var.log_metric_name_cloudwatch1 - namespace = var.log_metric_namespace_cloudwatch - default_value = 0 - value = 1 - } -} - -resource "aws_cloudwatch_metric_alarm" "cloudwatch1" { - alarm_name = "${var.log_metric_name_cloudwatch1}-alarm" - metric_name = var.log_metric_name_cloudwatch1 - alarm_actions = [aws_sns_topic.alarms.arn] - comparison_operator = "GreaterThanOrEqualToThreshold" - evaluation_periods = 1 - threshold = 1 -} \ No newline at end of file diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf new file mode 100644 index 000000000..bd969f234 --- /dev/null +++ b/infrastructure/log_alarms.tf 
@@ -0,0 +1,195 @@ +resource "aws_cloudwatch_metric_alarm" "cloudwatch1" { + alarm_name = "${var.log_metric_name_cloudwatch1}-alarm" + metric_name = var.log_metric_name_cloudwatch1 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch2" { + alarm_name = "${var.log_metric_name_cloudwatch2}-alarm" + metric_name = var.log_metric_name_cloudwatch2 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch3" { + alarm_name = "${var.log_metric_name_cloudwatch3}-alarm" + metric_name = var.log_metric_name_cloudwatch3 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch4" { + alarm_name = "${var.log_metric_name_cloudwatch4}-alarm" + metric_name = var.log_metric_name_cloudwatch4 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch5" { + alarm_name = "${var.log_metric_name_cloudwatch5}-alarm" + metric_name = var.log_metric_name_cloudwatch5 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch6" { + alarm_name = "${var.log_metric_name_cloudwatch6}-alarm" + metric_name = 
var.log_metric_name_cloudwatch6 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch7" { + alarm_name = "${var.log_metric_name_cloudwatch7}-alarm" + metric_name = var.log_metric_name_cloudwatch7 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch8" { + alarm_name = "${var.log_metric_name_cloudwatch8}-alarm" + metric_name = var.log_metric_name_cloudwatch8 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch9" { + alarm_name = "${var.log_metric_name_cloudwatch9}-alarm" + metric_name = var.log_metric_name_cloudwatch9 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch10" { + alarm_name = "${var.log_metric_name_cloudwatch10}-alarm" + metric_name = var.log_metric_name_cloudwatch10 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch11" { + alarm_name = "${var.log_metric_name_cloudwatch11}-alarm" + metric_name = var.log_metric_name_cloudwatch11 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + 
evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch12" { + alarm_name = "${var.log_metric_name_cloudwatch12}-alarm" + metric_name = var.log_metric_name_cloudwatch12 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch13" { + alarm_name = "${var.log_metric_name_cloudwatch13}-alarm" + metric_name = var.log_metric_name_cloudwatch13 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_metric_alarm" "cloudwatch14" { + alarm_name = "${var.log_metric_name_cloudwatch14}-alarm" + metric_name = var.log_metric_name_cloudwatch14 + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + + tags = { + project = var.project + stage = var.stage + } +} \ No newline at end of file diff --git a/infrastructure/log_filters.tf b/infrastructure/log_filters.tf new file mode 100644 index 000000000..c9127ed2a --- /dev/null +++ b/infrastructure/log_filters.tf 
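Review bot: Each of the fourteen `aws_cloudwatch_metric_alarm` resources in this hunk selects a metric by `metric_name = var.log_metric_name_cloudwatchN` but sets no `namespace` and no `period`, so nothing ties the alarm to the metric the matching filter publishes under `var.log_metric_namespace`; the provider documents both as required whenever `metric_name` is given, and I would expect the apply to be rejected or the alarm to evaluate against no data. Add, next to `threshold = 1`, `namespace = var.log_metric_namespace` and `period = 300` (300 is a constructed example; choose the evaluation window the team wants) in all fourteen resources. The later commit in this series that adds `statistic` does not add these two. An `alarm_description` naming the monitored activity would also make the SNS notification self-explanatory.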
@@ -0,0 +1,237 @@ +resource "aws_cloudwatch_log_metric_filter" "cloudwatch1" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch1 + pattern = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !=\"AwsServiceEvent\"}" + metric_transformation { + name = var.log_metric_name_cloudwatch1 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch2" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch2 + pattern = "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}" + metric_transformation { + name = var.log_metric_name_cloudwatch2 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch3" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch3 + pattern = "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type=\"IAMUser\") && ($.responseElements.ConsoleLogin=\"Success\")}" + metric_transformation { + name = var.log_metric_name_cloudwatch3 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch4" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch4 + pattern = "{($.eventSource=iam.amazonaws.com) && (($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || 
($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy))}" + metric_transformation { + name = var.log_metric_name_cloudwatch4 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch5" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch5 + pattern = "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}" + metric_transformation { + name = var.log_metric_name_cloudwatch5 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch6" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch6 + pattern = "{($.eventName=ConsoleLogin) && ($.errorMessage=\"Failed authentication\")}" + metric_transformation { + name = var.log_metric_name_cloudwatch6 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch7" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch7 + pattern = "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}" + metric_transformation { + name = var.log_metric_name_cloudwatch7 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch8" { + log_group_name = 
var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch8 + pattern = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}" + metric_transformation { + name = var.log_metric_name_cloudwatch8 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch9" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch9 + pattern = "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}" + metric_transformation { + name = var.log_metric_name_cloudwatch9 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch10" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch10 + pattern = "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}" + metric_transformation { + name = var.log_metric_name_cloudwatch10 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch11" { + log_group_name = var.cloudtrail_log_group_name + name = 
var.log_metric_name_cloudwatch11 + pattern = "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}" + metric_transformation { + name = var.log_metric_name_cloudwatch11 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch12" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch12 + pattern = "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}" + metric_transformation { + name = var.log_metric_name_cloudwatch12 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch13" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch13 + pattern = "{($.eventSource=ec2.amazonaws.com) && (($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable))}" + metric_transformation { + name = var.log_metric_name_cloudwatch13 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} + +resource "aws_cloudwatch_log_metric_filter" "cloudwatch14" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_name_cloudwatch14 + pattern = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || 
($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}" + metric_transformation { + name = var.log_metric_name_cloudwatch14 + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } + + tags = { + project = var.project + stage = var.stage + } +} diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index 63fbf24a6..239ec7d5f 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars 
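Review bot: None of the fourteen filters carries a comment saying what it detects, so a reader has to decode the CloudTrail pattern or look the numbered `var.log_metric_name_cloudwatchN` up in the tfvars to learn that, for instance, `cloudwatch7` covers KMS key disabling and scheduled deletion. A one-line comment above each resource, e.g. `# Root credential use not performed by an AWS service on the account's behalf.` above `cloudwatch1`, makes the file reviewable on its own and makes later edits to a pattern safer. This stays worthwhile even though a later commit in this series gives the resources descriptive names, since a name does not explain a pattern's exclusions such as the `invokedBy NOT EXISTS` and `AwsServiceEvent` clauses.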
@@ -10,8 +10,21 @@ db_name = "crossfeed-prod-db2"
 db_port = 5432
 db_table_name = "cfproddb"
 db_instance_class = "db.t3.2xlarge"
-log_metric_namespace_cloudwatch = "crossfeed-prod-cloudwatch-controls"
-log_metric_name_cloudwatch1 = "crossfeed-prod-cloudwatch1"
+log_metric_namespace = "crossfeed-prod-cloudwatch-controls"
+log_metric_name_cloudwatch1 = "crossfeed-prod-RootUserAccess"
+log_metric_name_cloudwatch2 = "crossfeed-prod-UnauthorizedApiCall"
+log_metric_name_cloudwatch3 = "crossfeed-prod-ConsoleSignInWithoutMFA"
+log_metric_name_cloudwatch4 = "crossfeed-prod-IAMPolicyChange"
+log_metric_name_cloudwatch5 = "crossfeed-prod-CloudTrailConfigurationChanges"
+log_metric_name_cloudwatch6 = "crossfeed-prod-ConsoleLoginFailure"
+log_metric_name_cloudwatch7 = "crossfeed-prod-DisablingOrScheduledDeletionOfCMK"
+log_metric_name_cloudwatch8 = "crossfeed-prod-S3BucketPolicyChanges"
+log_metric_name_cloudwatch9 = "crossfeed-prod-AWSConfigConfigurationChange"
+log_metric_name_cloudwatch10 = "crossfeed-prod-SecurityGroupChange"
+log_metric_name_cloudwatch11 = "crossfeed-prod-NACLChange"
+log_metric_name_cloudwatch12 = "crossfeed-prod-NetworkGatewayChange"
+log_metric_name_cloudwatch13 = "crossfeed-prod-RouteTableChange"
+log_metric_name_cloudwatch14 = "crossfeed-prod-VPCChange"
 sns_topic_alarms = "crossfeed-prod-cis-alarms"
 ssm_lambda_subnet = "/crossfeed/prod/SUBNET_ID"
 ssm_lambda_sg = "/crossfeed/prod/SG_ID"
diff --git a/infrastructure/sns.tf b/infrastructure/sns.tf
index cb0dd789b..bc08accaa 100644
--- a/infrastructure/sns.tf
+++ b/infrastructure/sns.tf
@@ -1,3 +1,8 @@
 resource "aws_sns_topic" "alarms" {
   name = var.sns_topic_alarms
+
+  tags = {
+    project = var.project
+    stage = var.stage
+  }
 }
diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
index 98822439b..e648a1ca7 100644
--- a/infrastructure/stage.tfvars
+++ b/infrastructure/stage.tfvars
@@ -10,8 +10,21 @@ db_name = "crossfeed-stage-db"
 db_port = 5432
 db_table_name = "cfstagingdb"
 db_instance_class = "db.t3.2xlarge"
-log_metric_namespace_cloudwatch = "crossfeed-staging-cloudwatch-controls"
-log_metric_name_cloudwatch1 = "crossfeed-staging-cloudwatch1"
+log_metric_namespace = "LogMetrics"
+log_metric_name_cloudwatch1 = "crossfeed-staging-RootUserAccess"
+log_metric_name_cloudwatch2 = "crossfeed-staging-UnauthorizedApiCall"
+log_metric_name_cloudwatch3 = "crossfeed-staging-ConsoleSignInWithoutMFA"
+log_metric_name_cloudwatch4 = "crossfeed-staging-IAMPolicyChange"
+log_metric_name_cloudwatch5 = "crossfeed-staging-CloudTrailConfigurationChanges"
+log_metric_name_cloudwatch6 = "crossfeed-staging-ConsoleLoginFailure"
+log_metric_name_cloudwatch7 = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK"
+log_metric_name_cloudwatch8 = "crossfeed-staging-S3BucketPolicyChanges"
+log_metric_name_cloudwatch9 = "crossfeed-staging-AWSConfigConfigurationChange"
+log_metric_name_cloudwatch10 = "crossfeed-staging-SecurityGroupChange"
+log_metric_name_cloudwatch11 = "crossfeed-staging-NACLChange"
+log_metric_name_cloudwatch12 = "crossfeed-staging-NetworkGatewayChange"
+log_metric_name_cloudwatch13 = "crossfeed-staging-RouteTableChange"
+log_metric_name_cloudwatch14 = "crossfeed-staging-VPCChange"
 sns_topic_alarms = "crossfeed-staging-cis-alarms"
 ssm_lambda_subnet = "/crossfeed/staging/SUBNET_ID"
 ssm_lambda_sg = "/crossfeed/staging/SG_ID"
diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
index 2e432cdfc..157aea125 100644
--- a/infrastructure/vars.tf
+++ b/infrastructure/vars.tf
@@ -64,10 +64,10 @@ variable "frontend_cert_arn" {
   default = "arn:aws:acm:us-east-1:563873274798:certificate/7c6a5980-80e3-47a4-9f21-cbda44b6f34c"
 }
 
-variable "log_metric_namespace_cloudwatch" {
+variable "log_metric_namespace" {
   description = "log_metric_namespace"
   type = string
-  default = "crossfeed-staging-cloudwatch-controls"
+  default = "LogMetrics"
 }
 
 variable "log_metric_name_cloudwatch1" {
@@ -76,6 +76,84 @@ variable "log_metric_name_cloudwatch1" { default = "crossfeed-staging-RootUserAccess" } +variable "log_metric_name_cloudwatch2" { + description = "log_metric_filter_cloudwatch2" + type = string + default = "crossfeed-staging-UnauthorizedAPICall" +} + +variable "log_metric_name_cloudwatch3" { + description = "log_metric_filter_cloudwatch3" + type = string + default = "crossfeed-staging-ConsoleLoginWithoutMFA" +} + +variable "log_metric_name_cloudwatch4" { + description = "log_metric_filter_cloudwatch4" + type = string + default = "crossfeed-staging-IAMPolicyChange" +} + +variable "log_metric_name_cloudwatch5" { + description = "log_metric_filter_cloudwatch5" + type = string + default = "crossfeed-staging-CloudTrailConfigurationChange" +} + +variable "log_metric_name_cloudwatch6" { + description = "log_metric_filter_cloudwatch6" + type = string + default = "crossfeed-staging-ConsoleLoginFailure" +} + +variable "log_metric_name_cloudwatch7" { + description = "log_metric_filter_cloudwatch7" + type = string + default = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK" +} + +variable "log_metric_name_cloudwatch8" { + description = "log_metric_filter_cloudwatch8" + type = string + default = "crossfeed-staging-S3BucketPolicyChange" +} + +variable "log_metric_name_cloudwatch9" { + description = "log_metric_filter_cloudwatch9" + type = string + default = "crossfeed-staging-AWSConfigConfigurationChange" +} + +variable "log_metric_name_cloudwatch10" { + description = "log_metric_filter_cloudwatch10" + type = string + default = "crossfeed-staging-SecurityGroupChange" +} + +variable "log_metric_name_cloudwatch11" { + description = "log_metric_filter_cloudwatch11" + type = string + default = "crossfeed-staging-NACLChange" +} + +variable "log_metric_name_cloudwatch12" { + description = "log_metric_filter_cloudwatch12" + type = string + default = "crossfeed-staging-NetworkGatewayChange" +} + +variable "log_metric_name_cloudwatch13" { + description = 
"log_metric_filter_cloudwatch13" + type = string + default = "crossfeed-staging-RouteTableChange" +} + +variable "log_metric_name_cloudwatch14" { + description = "log_metric_filter_cloudwatch14" + type = string + default = "crossfeed-staging-VPCChange" +} + variable "sns_topic_alarms" { description = "sns_alarm_topic_name" type = string From c89d2ac2fbc249ecedbe0bee29d3fa4ec535d3b5 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 19 Oct 2023 15:49:55 -0500 Subject: [PATCH 02/16] Fix log_metric_namespace definition in prod.tfvars. --- infrastructure/prod.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index 239ec7d5f..8c27ec90c 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars @@ -10,7 +10,7 @@ db_name = "crossfeed-prod-db2" db_port = 5432 db_table_name = "cfproddb" db_instance_class = "db.t3.2xlarge" -log_metric_namespace = "crossfeed-prod-cloudwatch-controls" +log_metric_namespace = "LogMetrics" log_metric_name_cloudwatch1 = "crossfeed-prod-RootUserAccess" log_metric_name_cloudwatch2 = "crossfeed-prod-UnauthorizedApiCall" log_metric_name_cloudwatch3 = "crossfeed-prod-ConsoleSignInWithoutMFA" From f9f968f36e70d82f0762dfdb342098b3bcf80c28 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 19 Oct 2023 15:57:16 -0500 Subject: [PATCH 03/16] Remove tags from log_filters. --- infrastructure/log_filters.tf | 70 ----------------------------------- 1 file changed, 70 deletions(-) diff --git a/infrastructure/log_filters.tf b/infrastructure/log_filters.tf index c9127ed2a..4a9a97be0 100644 --- a/infrastructure/log_filters.tf +++ b/infrastructure/log_filters.tf @@ -8,11 +8,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch1" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch2" { 
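Review bot: The defaults added to `vars.tf` here drift from the values `stage.tfvars` sets for the same variables in this commit: `crossfeed-staging-UnauthorizedAPICall` vs `crossfeed-staging-UnauthorizedApiCall`, `ConsoleLoginWithoutMFA` vs `ConsoleSignInWithoutMFA`, `CloudTrailConfigurationChange` vs `CloudTrailConfigurationChanges`, `S3BucketPolicyChange` vs `S3BucketPolicyChanges`. A run that omits the tfvars would create filters and alarms under different names from the ones already in state, so either align the defaults with the tfvars or drop them so a missing value fails at plan time. The `description` strings only repeat the variable name; text such as `description = "Name of the CloudTrail metric filter and metric for unauthorized API calls"` is what a reader needs. The later rename commit in this series may have touched these blocks; check that it lands on consistent values.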
@@ -25,11 +20,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch2" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch3" { @@ -42,11 +32,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch3" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch4" { @@ -59,11 +44,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch4" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch5" { @@ -76,11 +56,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch5" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch6" { @@ -93,11 +68,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch6" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch7" { @@ -110,11 +80,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch7" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch8" { @@ -127,11 +92,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch8" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch9" { @@ -144,11 +104,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch9" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch10" { 
@@ -161,11 +116,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch10" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch11" { @@ -178,11 +128,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch11" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch12" { @@ -195,11 +140,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch12" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch13" { @@ -212,11 +152,6 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch13" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } resource "aws_cloudwatch_log_metric_filter" "cloudwatch14" { @@ -229,9 +164,4 @@ resource "aws_cloudwatch_log_metric_filter" "cloudwatch14" { default_value = 0 value = 1 } - - tags = { - project = var.project - stage = var.stage - } } From 4d67c648f765fae5dd1ce14266920fd3e02a8ee0 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 19 Oct 2023 17:03:19 -0500 Subject: [PATCH 04/16] Add statistic field to alarms. --- infrastructure/log_alarms.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index bd969f234..26b79e879 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -5,6 +5,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch1" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project 
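Review bot: `statistic = "SampleCount"` combined with the filters' `default_value = 0` looks like it will raise every alarm on ordinary activity: as I read the filter's `default_value` semantics, CloudWatch emits that value as a data point for each ingested log event that does not match the pattern, SampleCount counts those zero-valued points, and `GreaterThanOrEqualToThreshold` with `threshold = 1` is then met as soon as the trail logs anything. The CIS-style setup these alarms follow evaluates the sum of the emitted values, so change this line to `statistic = "Sum"`; the same line is added in the other thirteen hunks of this commit and should change with it. The context lines shown here still contain no `period` or `namespace`, which the statistic needs in order to be evaluated against the right metric.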
@@ -19,6 +20,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch2" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -33,6 +35,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch3" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -47,6 +50,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch4" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -61,6 +65,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch5" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -75,6 +80,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch6" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -89,6 +95,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch7" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -103,6 +110,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch8" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -117,6 +125,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch9" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project 
@@ -131,6 +140,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch10" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -145,6 +155,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch11" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -159,6 +170,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch12" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -173,6 +185,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch13" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project @@ -187,6 +200,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch14" { comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 threshold = 1 + statistic = "SampleCount" tags = { project = var.project From a20074ddee81b1d8d51a77ffcf29a4330286e1be Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 20 Oct 2023 01:19:10 -0500 Subject: [PATCH 05/16] Add system shutdown filter and alarm; refactor log metric names to be more descriptive. --- infrastructure/log_alarms.tf | 98 ++++++++++++++++++++--------------- infrastructure/log_filters.tf | 96 +++++++++++++++++++--------------- infrastructure/prod.tfvars | 29 ++++++----- infrastructure/stage.tfvars | 29 ++++++----- infrastructure/vars.tf | 62 ++++++++++++---------- 5 files changed, 174 insertions(+), 140 deletions(-) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 26b79e879..7f2c05b78 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf 
@@ -1,6 +1,6 @@ -resource "aws_cloudwatch_metric_alarm" "cloudwatch1" { - alarm_name = "${var.log_metric_name_cloudwatch1}-alarm" - metric_name = var.log_metric_name_cloudwatch1 +resource "aws_cloudwatch_metric_alarm" "root_user" { + alarm_name = "${var.log_metric_root_user}-alarm" + metric_name = var.log_metric_root_user alarm_actions = [aws_sns_topic.alarms.arn] comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 @@ -13,9 +13,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch1" { } } -resource "aws_cloudwatch_metric_alarm" "cloudwatch2" { - alarm_name = "${var.log_metric_name_cloudwatch2}-alarm" - metric_name = var.log_metric_name_cloudwatch2 +resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" { + alarm_name = "${var.log_metric_unauthorized_api_call}-alarm" + metric_name = var.log_metric_unauthorized_api_call alarm_actions = [aws_sns_topic.alarms.arn] comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 @@ -28,9 +28,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch2" { } } -resource "aws_cloudwatch_metric_alarm" "cloudwatch3" { - alarm_name = "${var.log_metric_name_cloudwatch3}-alarm" - metric_name = var.log_metric_name_cloudwatch3 +resource "aws_cloudwatch_metric_alarm" "login_without_mfa" { + alarm_name = "${var.log_metric_login_without_mfa}-alarm" + metric_name = var.log_metric_login_without_mfa alarm_actions = [aws_sns_topic.alarms.arn] comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 
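Review bot: Renaming the resource addresses (`cloudwatch1` to `root_user` here, and the rest of this commit) with no `moved` blocks makes Terraform plan a destroy of each existing alarm followed by a create of the new one, and the same applies to the filter renames in `log_filters.tf`. For resources that exist to alert on root use and unauthorized API calls, that is a window during apply with no alarm in place, and the CloudWatch history of the old alarms is lost. If the Terraform version in use supports it, add one `moved` block per renamed resource, with `from = aws_cloudwatch_metric_alarm.cloudwatch1` and `to = aws_cloudwatch_metric_alarm.root_user`, so the rename becomes a state move rather than a replacement; otherwise move the addresses with `terraform state mv` before applying.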
@@ -43,9 +43,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch3" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch4" {
- alarm_name = "${var.log_metric_name_cloudwatch4}-alarm"
- metric_name = var.log_metric_name_cloudwatch4
+resource "aws_cloudwatch_metric_alarm" "iam_policy" {
+ alarm_name = "${var.log_metric_iam_policy}-alarm"
+ metric_name = var.log_metric_iam_policy
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -58,9 +58,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch4" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch5" {
- alarm_name = "${var.log_metric_name_cloudwatch5}-alarm"
- metric_name = var.log_metric_name_cloudwatch5
+resource "aws_cloudwatch_metric_alarm" "cloudtrail" {
+ alarm_name = "${var.log_metric_cloudtrail}-alarm"
+ metric_name = var.log_metric_cloudtrail
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -73,9 +73,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch5" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch6" {
- alarm_name = "${var.log_metric_name_cloudwatch6}-alarm"
- metric_name = var.log_metric_name_cloudwatch6
+resource "aws_cloudwatch_metric_alarm" "login_failure" {
+ alarm_name = "${var.log_metric_login_failure}-alarm"
+ metric_name = var.log_metric_login_failure
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -88,9 +88,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch6" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch7" {
- alarm_name = "${var.log_metric_name_cloudwatch7}-alarm"
- metric_name = var.log_metric_name_cloudwatch7
+resource "aws_cloudwatch_metric_alarm" "cmk_delete_disable" {
+ alarm_name = "${var.log_metric_cmk_delete_disable}-alarm"
+ metric_name = var.log_metric_cmk_delete_disable
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -103,9 +103,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch7" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch8" {
- alarm_name = "${var.log_metric_name_cloudwatch8}-alarm"
- metric_name = var.log_metric_name_cloudwatch8
+resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" {
+ alarm_name = "${var.log_metric_s3_bucket_policy}-alarm"
+ metric_name = var.log_metric_s3_bucket_policy
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -118,9 +118,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch8" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch9" {
- alarm_name = "${var.log_metric_name_cloudwatch9}-alarm"
- metric_name = var.log_metric_name_cloudwatch9
+resource "aws_cloudwatch_metric_alarm" "aws_config" {
+ alarm_name = "${var.log_metric_aws_config}-alarm"
+ metric_name = var.log_metric_aws_config
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -133,9 +133,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch9" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch10" {
- alarm_name = "${var.log_metric_name_cloudwatch10}-alarm"
- metric_name = var.log_metric_name_cloudwatch10
+resource "aws_cloudwatch_metric_alarm" "security_group" {
+ alarm_name = "${var.log_metric_security_group}-alarm"
+ metric_name = var.log_metric_security_group
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -148,9 +148,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch10" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch11" {
- alarm_name = "${var.log_metric_name_cloudwatch11}-alarm"
- metric_name = var.log_metric_name_cloudwatch11
+resource "aws_cloudwatch_metric_alarm" "nacl" {
+ alarm_name = "${var.log_metric_nacl}-alarm"
+ metric_name = var.log_metric_nacl
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -163,9 +163,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch11" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch12" {
- alarm_name = "${var.log_metric_name_cloudwatch12}-alarm"
- metric_name = var.log_metric_name_cloudwatch12
+resource "aws_cloudwatch_metric_alarm" "network_gateway" {
+ alarm_name = "${var.log_metric_network_gateway}-alarm"
+ metric_name = var.log_metric_network_gateway
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -178,9 +178,9 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch12" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch13" {
- alarm_name = "${var.log_metric_name_cloudwatch13}-alarm"
- metric_name = var.log_metric_name_cloudwatch13
+resource "aws_cloudwatch_metric_alarm" "route_table" {
+ alarm_name = "${var.log_metric_route_table}-alarm"
+ metric_name = var.log_metric_route_table
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
@@ -193,9 +193,23 @@ resource "aws_cloudwatch_metric_alarm" "cloudwatch13" {
 }
 }
 
-resource "aws_cloudwatch_metric_alarm" "cloudwatch14" {
- alarm_name = "${var.log_metric_name_cloudwatch14}-alarm"
- metric_name = var.log_metric_name_cloudwatch14
+resource "aws_cloudwatch_metric_alarm" "vpc" {
+ alarm_name = "${var.log_metric_vpc}-alarm"
+ metric_name = var.log_metric_vpc
+ alarm_actions = [aws_sns_topic.alarms.arn]
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = 1
+ threshold = 1
+ statistic = "SampleCount"
+
+ tags = {
+ project = var.project
+ stage = var.stage
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "system_shutdown" {
+ alarm_name = "${var.log_metric_system_shutdown}-alarm"
 alarm_actions = [aws_sns_topic.alarms.arn]
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = 1
diff --git a/infrastructure/log_filters.tf b/infrastructure/log_filters.tf
index 4a9a97be0..4c574aaf7 100644
--- a/infrastructure/log_filters.tf
+++ b/infrastructure/log_filters.tf
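Review bot: The new `system_shutdown` alarm has no `metric_name`: the removed `metric_name = var.log_metric_name_cloudwatch14` line is replaced inside the `vpc` block, and the `system_shutdown` block goes straight from `alarm_name` to the context `alarm_actions` line, so nothing binds it to the `system_shutdown` metric filter added in log_filters.tf. Add `metric_name = var.log_metric_system_shutdown` directly after the `alarm_name` line. The rename to `ec2_shutdown` in a later commit keeps the same shape and carries the omission forward. The rest of the `system_shutdown` block lies past the end of this hunk.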
@@ -1,167 +1,179 @@
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch1" {
+resource "aws_cloudwatch_log_metric_filter" "root_user" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch1
+ name = var.log_metric_root_user
 pattern = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !=\"AwsServiceEvent\"}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch1
+ name = var.log_metric_root_user
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch2" {
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_call" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch2
+ name = var.log_metric_unauthorized_api_call
 pattern = "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch2
+ name = var.log_metric_unauthorized_api_call
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch3" {
+resource "aws_cloudwatch_log_metric_filter" "login_without_mfa" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch3
+ name = var.log_metric_login_without_mfa
 pattern = "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type=\"IAMUser\") && ($.responseElements.ConsoleLogin=\"Success\")}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch3
+ name = var.log_metric_login_without_mfa
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch4" {
+resource "aws_cloudwatch_log_metric_filter" "iam_policy" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch4
+ name = var.log_metric_iam_policy
 pattern = "{($.eventSource=iam.amazonaws.com) &&
(($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy))}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch4
+ name = var.log_metric_iam_policy
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch5" {
+resource "aws_cloudwatch_log_metric_filter" "cloudtrail" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch5
+ name = var.log_metric_cloudtrail
 pattern = "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch5
+ name = var.log_metric_cloudtrail
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch6" {
+resource "aws_cloudwatch_log_metric_filter" "login_failure" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch6
+ name = var.log_metric_login_failure
 pattern = "{($.eventName=ConsoleLogin) && ($.errorMessage=\"Failed authentication\")}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch6
+ name = var.log_metric_login_failure
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch7" {
+resource "aws_cloudwatch_log_metric_filter" "cmk_delete_disable" {
 log_group_name = var.cloudtrail_log_group_name
- name =
var.log_metric_name_cloudwatch7
+ name = var.log_metric_cmk_delete_disable
 pattern = "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch7
+ name = var.log_metric_cmk_delete_disable
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch8" {
+resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch8
+ name = var.log_metric_s3_bucket_policy
 pattern = "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch8
+ name = var.log_metric_s3_bucket_policy
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch9" {
+resource "aws_cloudwatch_log_metric_filter" "aws_config" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch9
+ name = var.log_metric_aws_config
 pattern = "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch9
+ name = var.log_metric_aws_config
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch10" {
+resource "aws_cloudwatch_log_metric_filter" "security_group" {
 log_group_name = var.cloudtrail_log_group_name
- name =
var.log_metric_name_cloudwatch10
+ name = var.log_metric_security_group
 pattern = "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch10
+ name = var.log_metric_security_group
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch11" {
+resource "aws_cloudwatch_log_metric_filter" "nacl" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch11
+ name = var.log_metric_nacl
 pattern = "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch11
+ name = var.log_metric_nacl
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch12" {
+resource "aws_cloudwatch_log_metric_filter" "network_gateway" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch12
+ name = var.log_metric_network_gateway
 pattern = "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch12
+ name = var.log_metric_network_gateway
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch13" {
+resource "aws_cloudwatch_log_metric_filter" "route_table" {
 log_group_name = var.cloudtrail_log_group_name
-
name = var.log_metric_name_cloudwatch13
+ name = var.log_metric_route_table
 pattern = "{($.eventSource=ec2.amazonaws.com) && (($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable))}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch13
+ name = var.log_metric_route_table
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "cloudwatch14" {
+resource "aws_cloudwatch_log_metric_filter" "vpc" {
 log_group_name = var.cloudtrail_log_group_name
- name = var.log_metric_name_cloudwatch14
+ name = var.log_metric_vpc
 pattern = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
 metric_transformation {
- name = var.log_metric_name_cloudwatch14
+ name = var.log_metric_vpc
 namespace = var.log_metric_namespace
 default_value = 0
 value = 1
 }
 }
+
+resource "aws_cloudwatch_log_metric_filter" "system_shutdown" {
+ log_group_name = var.cloudtrail_log_group_name
+ name = var.log_metric_system_shutdown
+ pattern = "{($.eventName=StopInstances) || ($.eventName=TerminateInstances)}"
+ metric_transformation {
+ name = var.log_metric_system_shutdown
+ namespace = var.log_metric_namespace
+ default_value = 0
+ value = 1
+ }
+}
\ No newline at end of file
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
index 8c27ec90c..940fb7bb6 100644
--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
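Review bot: None of the fifteen filters records which benchmark control or event class it implements; the new resource names help, but a reader still has to decode the pattern to learn, for example, that `cmk_delete_disable` covers `DisableKey` and `ScheduleKeyDeletion`. A one-line comment above each resource naming the control it satisfies, e.g. `# CIS AWS Foundations Benchmark <control id>: customer-managed key disabled or scheduled for deletion`, would make the file auditable without re-reading the patterns. The new `system_shutdown` filter in particular deserves a note that it matches every `StopInstances`/`TerminateInstances` call, including those from routine automation, since a later commit tags its alarm as critical. This hunk's enclosing file starts at line 1, so nothing is cut off at its top.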
@@ -11,20 +11,21 @@ db_port = 5432
 db_table_name = "cfproddb"
 db_instance_class = "db.t3.2xlarge"
 log_metric_namespace = "LogMetrics"
-log_metric_name_cloudwatch1 = "crossfeed-prod-RootUserAccess"
-log_metric_name_cloudwatch2 = "crossfeed-prod-UnauthorizedApiCall"
-log_metric_name_cloudwatch3 = "crossfeed-prod-ConsoleSignInWithoutMFA"
-log_metric_name_cloudwatch4 = "crossfeed-prod-IAMPolicyChange"
-log_metric_name_cloudwatch5 = "crossfeed-prod-CloudTrailConfigurationChanges"
-log_metric_name_cloudwatch6 = "crossfeed-prod-ConsoleLoginFailure"
-log_metric_name_cloudwatch7 = "crossfeed-prod-DisablingOrScheduledDeletionOfCMK"
-log_metric_name_cloudwatch8 = "crossfeed-prod-S3BucketPolicyChanges"
-log_metric_name_cloudwatch9 = "crossfeed-prod-AWSConfigConfigurationChange"
-log_metric_name_cloudwatch10 = "crossfeed-prod-SecurityGroupChange"
-log_metric_name_cloudwatch11 = "crossfeed-prod-NACLChange"
-log_metric_name_cloudwatch12 = "crossfeed-prod-NetworkGatewayChange"
-log_metric_name_cloudwatch13 = "crossfeed-prod-RouteTableChange"
-log_metric_name_cloudwatch14 = "crossfeed-prod-VPCChange"
+log_metric_root_user = "crossfeed-prod-RootUserAccess"
+log_metric_unauthorized_api_call = "crossfeed-prod-UnauthorizedApiCall"
+log_metric_login_without_mfa = "crossfeed-prod-ConsoleSignInWithoutMFA"
+log_metric_iam_policy = "crossfeed-prod-IAMPolicyChange"
+log_metric_cloudtrail = "crossfeed-prod-CloudTrailConfigurationChanges"
+log_metric_login_failure = "crossfeed-prod-ConsoleLoginFailure"
+log_metric_cmk_delete_disable = "crossfeed-prod-DisablingOrScheduledDeletionOfCMK"
+log_metric_s3_bucket_policy = "crossfeed-prod-S3BucketPolicyChanges"
+log_metric_aws_config = "crossfeed-prod-AWSConfigConfigurationChange"
+log_metric_security_group = "crossfeed-prod-SecurityGroupChange"
+log_metric_nacl = "crossfeed-prod-NACLChange"
+log_metric_network_gateway = "crossfeed-prod-NetworkGatewayChange"
+log_metric_route_table = "crossfeed-prod-RouteTableChange"
+log_metric_vpc =
"crossfeed-prod-VPCChange"
+log_metric_system_shutdown = "crossfeed-prod-SystemShutdown"
 sns_topic_alarms = "crossfeed-prod-cis-alarms"
 ssm_lambda_subnet = "/crossfeed/prod/SUBNET_ID"
 ssm_lambda_sg = "/crossfeed/prod/SG_ID"
diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
index e648a1ca7..a5f2324f1 100644
--- a/infrastructure/stage.tfvars
+++ b/infrastructure/stage.tfvars
@@ -11,20 +11,21 @@ db_port = 5432
 db_table_name = "cfstagingdb"
 db_instance_class = "db.t3.2xlarge"
 log_metric_namespace = "LogMetrics"
-log_metric_name_cloudwatch1 = "crossfeed-staging-RootUserAccess"
-log_metric_name_cloudwatch2 = "crossfeed-staging-UnauthorizedApiCall"
-log_metric_name_cloudwatch3 = "crossfeed-staging-ConsoleSignInWithoutMFA"
-log_metric_name_cloudwatch4 = "crossfeed-staging-IAMPolicyChange"
-log_metric_name_cloudwatch5 = "crossfeed-staging-CloudTrailConfigurationChanges"
-log_metric_name_cloudwatch6 = "crossfeed-staging-ConsoleLoginFailure"
-log_metric_name_cloudwatch7 = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK"
-log_metric_name_cloudwatch8 = "crossfeed-staging-S3BucketPolicyChanges"
-log_metric_name_cloudwatch9 = "crossfeed-staging-AWSConfigConfigurationChange"
-log_metric_name_cloudwatch10 = "crossfeed-staging-SecurityGroupChange"
-log_metric_name_cloudwatch11 = "crossfeed-staging-NACLChange"
-log_metric_name_cloudwatch12 = "crossfeed-staging-NetworkGatewayChange"
-log_metric_name_cloudwatch13 = "crossfeed-staging-RouteTableChange"
-log_metric_name_cloudwatch14 = "crossfeed-staging-VPCChange"
+log_metric_root_user = "crossfeed-staging-RootUserAccess"
+log_metric_unauthorized_api_call = "crossfeed-staging-UnauthorizedApiCall"
+log_metric_login_without_mfa = "crossfeed-staging-ConsoleSignInWithoutMFA"
+log_metric_iam_policy = "crossfeed-staging-IAMPolicyChange"
+log_metric_cloudtrail = "crossfeed-staging-CloudTrailConfigurationChanges"
+log_metric_login_failure = "crossfeed-staging-ConsoleLoginFailure"
+log_metric_cmk_delete_disable = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK"
+log_metric_s3_bucket_policy = "crossfeed-staging-S3BucketPolicyChanges"
+log_metric_aws_config = "crossfeed-staging-AWSConfigConfigurationChange"
+log_metric_security_group = "crossfeed-staging-SecurityGroupChange"
+log_metric_nacl = "crossfeed-staging-NACLChange"
+log_metric_network_gateway = "crossfeed-staging-NetworkGatewayChange"
+log_metric_route_table = "crossfeed-staging-RouteTableChange"
+log_metric_vpc = "crossfeed-staging-VPCChange"
+log_metric_system_shutdown = "crossfeed-staging-SystemShutdown"
 sns_topic_alarms = "crossfeed-staging-cis-alarms"
 ssm_lambda_subnet = "/crossfeed/staging/SUBNET_ID"
 ssm_lambda_sg = "/crossfeed/staging/SG_ID"
diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
index 157aea125..26ca00531 100644
--- a/infrastructure/vars.tf
+++ b/infrastructure/vars.tf
@@ -70,90 +70,96 @@ variable "log_metric_namespace" {
 default = "LogMetrics"
 }
 
-variable "log_metric_name_cloudwatch1" {
- description = "log_metric_filter_cloudwatch1"
+variable "log_metric_root_user" {
+ description = "log_metric_filter_root_user"
 type = string
 default = "crossfeed-staging-RootUserAccess"
 }
 
-variable "log_metric_name_cloudwatch2" {
- description = "log_metric_filter_cloudwatch2"
+variable "log_metric_unauthorized_api_call" {
+ description = "log_metric_filter_unauthorized_api_call"
 type = string
 default = "crossfeed-staging-UnauthorizedAPICall"
 }
 
-variable "log_metric_name_cloudwatch3" {
- description = "log_metric_filter_cloudwatch3"
+variable "log_metric_login_without_mfa" {
+ description = "log_metric_filter_login_without_mfa"
 type = string
 default = "crossfeed-staging-ConsoleLoginWithoutMFA"
 }
 
-variable "log_metric_name_cloudwatch4" {
- description = "log_metric_filter_cloudwatch4"
+variable "log_metric_iam_policy" {
+ description = "log_metric_filter_iam_policy"
 type = string
 default = "crossfeed-staging-IAMPolicyChange"
 }
 
-variable "log_metric_name_cloudwatch5" {
- description = "log_metric_filter_cloudwatch5"
+variable "log_metric_cloudtrail" {
+ description = "log_metric_filter_cloudtrail"
 type = string
 default = "crossfeed-staging-CloudTrailConfigurationChange"
 }
 
-variable "log_metric_name_cloudwatch6" {
- description = "log_metric_filter_cloudwatch6"
+variable "log_metric_login_failure" {
+ description = "log_metric_filter_login_failure"
 type = string
 default = "crossfeed-staging-ConsoleLoginFailure"
 }
 
-variable "log_metric_name_cloudwatch7" {
- description = "log_metric_filter_cloudwatch7"
+variable "log_metric_cmk_delete_disable" {
+ description = "log_metric_filter_cmk_delete_disable"
 type = string
 default = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK"
 }
 
-variable "log_metric_name_cloudwatch8" {
- description = "log_metric_filter_cloudwatch8"
+variable "log_metric_s3_bucket_policy" {
+ description =
"log_metric_filter_s3_bucket_policy"
 type = string
 default = "crossfeed-staging-S3BucketPolicyChange"
 }
 
-variable "log_metric_name_cloudwatch9" {
- description = "log_metric_filter_cloudwatch9"
+variable "log_metric_aws_config" {
+ description = "log_metric_filter_aws_config"
 type = string
 default = "crossfeed-staging-AWSConfigConfigurationChange"
 }
 
-variable "log_metric_name_cloudwatch10" {
- description = "log_metric_filter_cloudwatch10"
+variable "log_metric_security_group" {
+ description = "log_metric_filter_security_group"
 type = string
 default = "crossfeed-staging-SecurityGroupChange"
 }
 
-variable "log_metric_name_cloudwatch11" {
- description = "log_metric_filter_cloudwatch11"
+variable "log_metric_nacl" {
+ description = "log_metric_filter_nacl"
 type = string
 default = "crossfeed-staging-NACLChange"
 }
 
-variable "log_metric_name_cloudwatch12" {
- description = "log_metric_filter_cloudwatch12"
+variable "log_metric_network_gateway" {
+ description = "log_metric_filter_network_gateway"
 type = string
 default = "crossfeed-staging-NetworkGatewayChange"
 }
 
-variable "log_metric_name_cloudwatch13" {
- description = "log_metric_filter_cloudwatch13"
+variable "log_metric_route_table" {
+ description = "log_metric_filter_route_table"
 type = string
 default = "crossfeed-staging-RouteTableChange"
 }
 
-variable "log_metric_name_cloudwatch14" {
- description = "log_metric_filter_cloudwatch14"
+variable "log_metric_vpc" {
+ description = "log_metric_filter_vpc"
 type = string
 default = "crossfeed-staging-VPCChange"
 }
 
+variable "log_metric_system_shutdown" {
+ description = "log_metric_filter_system_shutdown"
+ type = string
+ default = "crossfeed-staging-SystemShutdown"
+}
+
 variable "sns_topic_alarms" {
 description = "sns_alarm_topic_name"
 type = string
From 39d6bb953fb92c6117d56a16af3312bc0ae7fcc0 Mon Sep 17 00:00:00 2001
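Review bot: Each renamed variable's `description` still just restates its own name (`"log_metric_filter_root_user"`), which tells a reader nothing the identifier does not; a description such as `"CloudWatch metric name for root-account activity found in CloudTrail"` is what plan output and generated module docs will surface. The defaults also bake in one environment (`crossfeed-staging-…`) and several disagree with what stage.tfvars actually sets — `crossfeed-staging-UnauthorizedAPICall` here versus `crossfeed-staging-UnauthorizedApiCall` in the tfvars hunk, `crossfeed-staging-ConsoleLoginWithoutMFA` versus `crossfeed-staging-ConsoleSignInWithoutMFA`, and `CloudTrailConfigurationChange` versus `CloudTrailConfigurationChanges` — so a run without a tfvars file would silently create differently named metrics and alarms. Either drop the defaults so the value has to be supplied per environment, or make them identical to the staging values.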
From: "Grayson, Matthew"
Date: Tue, 24 Oct 2023 17:09:47 -0500
Subject: [PATCH 06/16] Fix capitalization of tags for resources in cloudwatch.tf, log_alarms.tf, and sns.tf.
---
infrastructure/cloudwatch.tf | 8 ++---
infrastructure/log_alarms.tf | 60 ++++++++++++++++++------------------
infrastructure/sns.tf | 4 +--
3 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
index 83711d6fd..dd8fdb2d0 100644
--- a/infrastructure/cloudwatch.tf
+++ b/infrastructure/cloudwatch.tf
@@ -1,8 +1,8 @@
 resource "aws_s3_bucket" "cloudwatch_bucket" {
 bucket = var.cloudwatch_bucket_name
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -12,8 +12,8 @@ resource "aws_cloudwatch_log_group" "cloudwatch_bucket" {
 retention_in_days = 365
 kms_key_id = aws_kms_key.key.arn
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf
index 7f2c05b78..dffcf3d7e 100644
--- a/infrastructure/log_alarms.tf
+++ b/infrastructure/log_alarms.tf
@@ -8,8 +8,8 @@ resource "aws_cloudwatch_metric_alarm" "root_user" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -23,8 +23,8 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -38,8 +38,8 @@ resource "aws_cloudwatch_metric_alarm" "login_without_mfa" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -53,8 +53,8 @@ resource "aws_cloudwatch_metric_alarm" "iam_policy" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -68,8 +68,8 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -83,8 +83,8 @@ resource "aws_cloudwatch_metric_alarm" "login_failure" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -98,8 +98,8 @@ resource "aws_cloudwatch_metric_alarm" "cmk_delete_disable" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -113,8 +113,8 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -128,8 +128,8 @@ resource "aws_cloudwatch_metric_alarm" "aws_config" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -143,8 +143,8 @@ resource "aws_cloudwatch_metric_alarm" "security_group" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -158,8 +158,8 @@ resource "aws_cloudwatch_metric_alarm" "nacl" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -173,8 +173,8 @@ resource "aws_cloudwatch_metric_alarm" "network_gateway" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -188,8 +188,8 @@ resource "aws_cloudwatch_metric_alarm" "route_table" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -203,8 +203,8 @@ resource "aws_cloudwatch_metric_alarm" "vpc" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
 
@@ -217,7 +217,7 @@ resource "aws_cloudwatch_metric_alarm" "system_shutdown" {
 statistic = "SampleCount"
 
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
\ No newline at end of file
diff --git a/infrastructure/sns.tf b/infrastructure/sns.tf
index bc08accaa..9b1820c80 100644
--- a/infrastructure/sns.tf
+++ b/infrastructure/sns.tf
@@ -2,7 +2,7 @@ resource "aws_sns_topic" "alarms" {
 name = var.sns_topic_alarms
 tags = {
- project = var.project
- stage = var.stage
+ Project = var.project
+ Stage = var.stage
 }
 }
From 4d6a6cf7f3cdb71621df2748cc6d07a4880f1f28 Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Wed, 25 Oct 2023 08:54:18 -0500
Subject: [PATCH 07/16] Add severity tag to alarms; refactor alarm name for ec2 instance shutdown.
---
infrastructure/log_alarms.tf | 19 +++++++++++++++++--
infrastructure/log_filters.tf | 6 +++---
infrastructure/prod.tfvars | 2 +-
infrastructure/stage.tfvars | 2 +-
infrastructure/vars.tf | 30 +++++++++++++++++++++++++++---
5 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf
index dffcf3d7e..202718222 100644
--- a/infrastructure/log_alarms.tf
+++ b/infrastructure/log_alarms.tf
@@ -10,6 +10,7 @@ resource "aws_cloudwatch_metric_alarm" "root_user" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -25,6 +26,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_low
 }
 }
 
@@ -40,6 +42,7 @@ resource "aws_cloudwatch_metric_alarm" "login_without_mfa" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
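Review bot: `Severity = var.severity_high` is recorded only as a resource tag, and CloudWatch does not include an alarm's tags in the notification it publishes to SNS, so anything subscribed to `aws_sns_topic.alarms` cannot route or prioritise on it. If severity is meant to drive paging, also put it somewhere the notification carries, e.g. `alarm_description = "severity=${var.severity_high}: root account used"`, or send critical alarms to a separate topic. The same applies to every Severity tag added in this commit, through the `ec2_shutdown` alarm. The `severity_*` variables themselves are not in this chunk, so their values are assumed to be plain strings.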
@@ -55,6 +58,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_policy" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -70,6 +74,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -85,6 +90,7 @@ resource "aws_cloudwatch_metric_alarm" "login_failure" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_low
 }
 }
 
@@ -100,6 +106,7 @@ resource "aws_cloudwatch_metric_alarm" "cmk_delete_disable" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_critical
 }
 }
 
@@ -115,6 +122,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -130,6 +138,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -145,6 +154,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -160,6 +170,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -175,6 +186,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gateway" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -190,6 +202,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table" {
 tags = {
 Project = var.project
 Stage = var.stage
+ Severity = var.severity_high
 }
 }
 
@@ -205,11 +218,12 @@ resource "aws_cloudwatch_metric_alarm" "vpc" { tags = { Project = var.project Stage = var.stage + Severity = var.severity_high } } -resource "aws_cloudwatch_metric_alarm" "system_shutdown" { - alarm_name = "${var.log_metric_system_shutdown}-alarm" +resource "aws_cloudwatch_metric_alarm" "ec2_shutdown" { + alarm_name = "${var.log_metric_ec2_shutdown}-alarm" alarm_actions = [aws_sns_topic.alarms.arn] comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 @@ -219,5 +233,6 @@ resource "aws_cloudwatch_metric_alarm" "system_shutdown" { tags = { Project = var.project Stage = var.stage + Severity = var.severity_critical } } \ No newline at end of file diff --git a/infrastructure/log_filters.tf b/infrastructure/log_filters.tf index 4c574aaf7..02d23d95a 100644 --- a/infrastructure/log_filters.tf +++ b/infrastructure/log_filters.tf @@ -166,12 +166,12 @@ resource "aws_cloudwatch_log_metric_filter" "vpc" { } } -resource "aws_cloudwatch_log_metric_filter" "system_shutdown" { +resource "aws_cloudwatch_log_metric_filter" "ec2_shutdown" { log_group_name = var.cloudtrail_log_group_name - name = var.log_metric_system_shutdown + name = var.log_metric_ec2_shutdown pattern = "{($.eventName=StopInstances) || ($.eventName=TerminateInstances)}" metric_transformation { - name = var.log_metric_system_shutdown + name = var.log_metric_ec2_shutdown namespace = var.log_metric_namespace default_value = 0 value = 1 diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index 940fb7bb6..40c014f9b 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars 
@@ -25,7 +25,7 @@ log_metric_nacl = "crossfeed-prod-NACLChange" log_metric_network_gateway = "crossfeed-prod-NetworkGatewayChange" log_metric_route_table = "crossfeed-prod-RouteTableChange" log_metric_vpc = "crossfeed-prod-VPCChange" -log_metric_system_shutdown = "crossfeed-prod-SystemShutdown" +log_metric_ec2_shutdown = "crossfeed-prod-SystemShutdown" sns_topic_alarms = "crossfeed-prod-cis-alarms" ssm_lambda_subnet = "/crossfeed/prod/SUBNET_ID" ssm_lambda_sg = "/crossfeed/prod/SG_ID" diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars index a5f2324f1..c5c37a25b 100644 --- a/infrastructure/stage.tfvars +++ b/infrastructure/stage.tfvars @@ -25,7 +25,7 @@ log_metric_nacl = "crossfeed-staging-NACLChange" log_metric_network_gateway = "crossfeed-staging-NetworkGatewayChange" log_metric_route_table = "crossfeed-staging-RouteTableChange" log_metric_vpc = "crossfeed-staging-VPCChange" -log_metric_system_shutdown = "crossfeed-staging-SystemShutdown" +log_metric_ec2_shutdown = "crossfeed-staging-SystemShutdown" sns_topic_alarms = "crossfeed-staging-cis-alarms" ssm_lambda_subnet = "/crossfeed/staging/SUBNET_ID" ssm_lambda_sg = "/crossfeed/staging/SG_ID" diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf index 26ca00531..9ee9cd5dd 100644 --- a/infrastructure/vars.tf +++ b/infrastructure/vars.tf @@ -154,10 +154,10 @@ variable "log_metric_vpc" { default = "crossfeed-staging-VPCChange" } -variable "log_metric_system_shutdown" { - description = "log_metric_filter_system_shutdown" +variable "log_metric_ec2_shutdown" { + description = "log_metric_filter_ec2_shutdown" type = string - default = "crossfeed-staging-SystemShutdown" + default = "crossfeed-staging-EC2Shutdown" } variable "sns_topic_alarms" { 
@@ -531,3 +531,27 @@ variable "create_elk_instance" { type = bool default = false } + +variable "severity_critical" { + description = "severity_critical" + type = string + default = "CRITICAL" +} + +variable "severity_high" { + description = "severity_high" + type = string + default = "HIGH" +} + +variable "severity_medium" { + description = "severity_medium" + type = string + default = "MEDIUM" +} + +variable "severity_low" { + description = "severity_low" + type = string + default = "LOW" +} \ No newline at end of file From cc2786cf3193550ef3187885c4cb462a6880c9b9 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 25 Oct 2023 08:55:13 -0500 Subject: [PATCH 08/16] Fix formatting. --- infrastructure/log_alarms.tf | 60 ++++++++++++++++++------------------ infrastructure/prod.tfvars | 2 +- infrastructure/stage.tfvars | 2 +- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 202718222..65d008f8e 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -8,8 +8,8 @@ resource "aws_cloudwatch_metric_alarm" "root_user" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -24,8 +24,8 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_low } } @@ -40,8 +40,8 @@ resource "aws_cloudwatch_metric_alarm" "login_without_mfa" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -56,8 +56,8 @@ resource "aws_cloudwatch_metric_alarm" "iam_policy" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } 
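Review bot: The four new `severity_*` variables are free-form strings with no `validation` block and, judging from the tfvars hunks on this page, no per-environment override, so any tfvars file can silently set a value no runbook recognises. If the levels are not meant to vary by stage, a `locals { severity_critical = "CRITICAL" ... }` block states that intent directly; if they are meant to be inputs, add `validation { condition = contains(["CRITICAL", "HIGH", "MEDIUM", "LOW"], var.severity_high) ; error_message = "Severity must be one of CRITICAL, HIGH, MEDIUM, LOW." }` to each so a typo fails at plan time. The descriptions also just repeat the variable name; `description = "Tag value applied to alarms whose triggering condition is high severity"` tells a reader what the value is for.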
@@ -72,8 +72,8 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -88,8 +88,8 @@ resource "aws_cloudwatch_metric_alarm" "login_failure" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_low } } @@ -104,8 +104,8 @@ resource "aws_cloudwatch_metric_alarm" "cmk_delete_disable" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_critical } } @@ -120,8 +120,8 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -136,8 +136,8 @@ resource "aws_cloudwatch_metric_alarm" "aws_config" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -152,8 +152,8 @@ resource "aws_cloudwatch_metric_alarm" "security_group" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -168,8 +168,8 @@ resource "aws_cloudwatch_metric_alarm" "nacl" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -184,8 +184,8 @@ resource "aws_cloudwatch_metric_alarm" "network_gateway" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } 
@@ -200,8 +200,8 @@ resource "aws_cloudwatch_metric_alarm" "route_table" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -216,8 +216,8 @@ resource "aws_cloudwatch_metric_alarm" "vpc" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_high } } @@ -231,8 +231,8 @@ resource "aws_cloudwatch_metric_alarm" "ec2_shutdown" { statistic = "SampleCount" tags = { - Project = var.project - Stage = var.stage + Project = var.project + Stage = var.stage Severity = var.severity_critical } } \ No newline at end of file diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index 40c014f9b..4d99ffec3 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars @@ -25,7 +25,7 @@ log_metric_nacl = "crossfeed-prod-NACLChange" log_metric_network_gateway = "crossfeed-prod-NetworkGatewayChange" log_metric_route_table = "crossfeed-prod-RouteTableChange" log_metric_vpc = "crossfeed-prod-VPCChange" -log_metric_ec2_shutdown = "crossfeed-prod-SystemShutdown" +log_metric_ec2_shutdown = "crossfeed-prod-SystemShutdown" sns_topic_alarms = "crossfeed-prod-cis-alarms" ssm_lambda_subnet = "/crossfeed/prod/SUBNET_ID" ssm_lambda_sg = "/crossfeed/prod/SG_ID" diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars index c5c37a25b..ca9bf8f99 100644 --- a/infrastructure/stage.tfvars +++ b/infrastructure/stage.tfvars 
@@ -25,7 +25,7 @@ log_metric_nacl = "crossfeed-staging-NACLChange" log_metric_network_gateway = "crossfeed-staging-NetworkGatewayChange" log_metric_route_table = "crossfeed-staging-RouteTableChange" log_metric_vpc = "crossfeed-staging-VPCChange" -log_metric_ec2_shutdown = "crossfeed-staging-SystemShutdown" +log_metric_ec2_shutdown = "crossfeed-staging-SystemShutdown" sns_topic_alarms = "crossfeed-staging-cis-alarms" ssm_lambda_subnet = "/crossfeed/staging/SUBNET_ID" ssm_lambda_sg = "/crossfeed/staging/SG_ID" From 8f9251a3e9e335444ebf76dde6f9cf8cc7a23951 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 25 Oct 2023 09:49:21 -0500 Subject: [PATCH 09/16] Refactor ec2 shutdown metric vars. --- infrastructure/prod.tfvars | 2 +- infrastructure/stage.tfvars | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index 4d99ffec3..c3507b554 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars @@ -25,7 +25,7 @@ log_metric_nacl = "crossfeed-prod-NACLChange" log_metric_network_gateway = "crossfeed-prod-NetworkGatewayChange" log_metric_route_table = "crossfeed-prod-RouteTableChange" log_metric_vpc = "crossfeed-prod-VPCChange" -log_metric_ec2_shutdown = "crossfeed-prod-SystemShutdown" +log_metric_ec2_shutdown = "crossfeed-prod-EC2Shutdown" sns_topic_alarms = "crossfeed-prod-cis-alarms" ssm_lambda_subnet = "/crossfeed/prod/SUBNET_ID" ssm_lambda_sg = "/crossfeed/prod/SG_ID" diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars index ca9bf8f99..975ab28df 100644 --- a/infrastructure/stage.tfvars +++ b/infrastructure/stage.tfvars 
@@ -25,7 +25,7 @@ log_metric_nacl = "crossfeed-staging-NACLChange" log_metric_network_gateway = "crossfeed-staging-NetworkGatewayChange" log_metric_route_table = "crossfeed-staging-RouteTableChange" log_metric_vpc = "crossfeed-staging-VPCChange" -log_metric_ec2_shutdown = "crossfeed-staging-SystemShutdown" +log_metric_ec2_shutdown = "crossfeed-staging-EC2Shutdown" sns_topic_alarms = "crossfeed-staging-cis-alarms" ssm_lambda_subnet = "/crossfeed/staging/SUBNET_ID" ssm_lambda_sg = "/crossfeed/staging/SG_ID" From 674b00f10d31a58ea4acce10d5b9ac2b66715117 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 26 Oct 2023 10:09:24 -0500 Subject: [PATCH 10/16] Add filters/alarms for db instance shutdowns and deletions. --- infrastructure/log_alarms.tf | 30 ++++++++++++++++++++++++++++++ infrastructure/log_filters.tf | 24 ++++++++++++++++++++++++ infrastructure/prod.tfvars | 2 ++ infrastructure/stage.tfvars | 2 ++ infrastructure/vars.tf | 12 ++++++++++++ 5 files changed, 70 insertions(+) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 65d008f8e..9fd84dcf7 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf 
@@ -230,6 +230,36 @@ resource "aws_cloudwatch_metric_alarm" "ec2_shutdown" { threshold = 1 statistic = "SampleCount" + tags = { + Project = var.project + Stage = var.stage + Severity = var.severity_critical + } +} + +resource "aws_cloudwatch_metric_alarm" "db_shutdown" { + alarm_name = "${var.log_metric_db_shutdown}-alarm" + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + statistic = "SampleCount" + + tags = { + Project = var.project + Stage = var.stage + Severity = var.severity_critical + } +} + +resource "aws_cloudwatch_metric_alarm" "db_deletion" { + alarm_name = "${var.log_metric_db_deletion}-alarm" + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = 1 + threshold = 1 + statistic = "SampleCount" + tags = { Project = var.project Stage = var.stage diff --git a/infrastructure/log_filters.tf b/infrastructure/log_filters.tf index 02d23d95a..7c84e9614 100644 --- a/infrastructure/log_filters.tf +++ b/infrastructure/log_filters.tf @@ -176,4 +176,28 @@ resource "aws_cloudwatch_log_metric_filter" "ec2_shutdown" { default_value = 0 value = 1 } +} + +resource "aws_cloudwatch_log_metric_filter" "db_shutdown" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_db_shutdown + pattern = "{$.eventName=StopDBInstance}" + metric_transformation { + name = var.log_metric_db_shutdown + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } +} + +resource "aws_cloudwatch_log_metric_filter" "db_deletion" { + log_group_name = var.cloudtrail_log_group_name + name = var.log_metric_db_deletion + pattern = "{$.eventName=DeleteDBInstance}" + metric_transformation { + name = var.log_metric_db_deletion + namespace = var.log_metric_namespace + default_value = 0 + value = 1 + } } \ No newline at end of file 
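Review bot: The `db_shutdown` and `db_deletion` filter patterns match only the `StopDBInstance` and `DeleteDBInstance` event names, so a stop or delete issued through the cluster API (`StopDBCluster`, `DeleteDBCluster` — the calls used to take down an Aurora deployment) would not trip either CRITICAL alarm; I cannot tell from this page whether the database is a cluster, so confirm against the RDS resource. If it is, widen them to `{($.eventName=StopDBInstance) || ($.eventName=StopDBCluster)}` and `{($.eventName=DeleteDBInstance) || ($.eventName=DeleteDBCluster)}`. For a destructive-action control it is also worth covering `DeleteDBSnapshot` / `DeleteDBClusterSnapshot`, since removing backups is the usual precursor to an unrecoverable deletion. Note that neither pattern filters on `$.errorCode`, so denied attempts also alarm — reasonable for this severity, but worth stating in the alarm description so responders are not surprised.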
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index c3507b554..5f6bc2cab 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars @@ -26,6 +26,8 @@ log_metric_network_gateway = "crossfeed-prod-NetworkGatewayChange" log_metric_route_table = "crossfeed-prod-RouteTableChange" log_metric_vpc = "crossfeed-prod-VPCChange" log_metric_ec2_shutdown = "crossfeed-prod-EC2Shutdown" +log_metric_db_shutdown = "crossfeed-prod-DBShutdown" +log_metric_db_deletion = "crossfeed-prod-DBDeletion" sns_topic_alarms = "crossfeed-prod-cis-alarms" ssm_lambda_subnet = "/crossfeed/prod/SUBNET_ID" ssm_lambda_sg = "/crossfeed/prod/SG_ID" diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars index 975ab28df..4236e6c80 100644 --- a/infrastructure/stage.tfvars +++ b/infrastructure/stage.tfvars @@ -26,6 +26,8 @@ log_metric_network_gateway = "crossfeed-staging-NetworkGatewayChange" log_metric_route_table = "crossfeed-staging-RouteTableChange" log_metric_vpc = "crossfeed-staging-VPCChange" log_metric_ec2_shutdown = "crossfeed-staging-EC2Shutdown" +log_metric_db_shutdown = "crossfeed-staging-DBShutdown" +log_metric_db_deletion = "crossfeed-staging-DBDeletion" sns_topic_alarms = "crossfeed-staging-cis-alarms" ssm_lambda_subnet = "/crossfeed/staging/SUBNET_ID" ssm_lambda_sg = "/crossfeed/staging/SG_ID" diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf index 9ee9cd5dd..a8aa692d8 100644 --- a/infrastructure/vars.tf +++ b/infrastructure/vars.tf @@ -160,6 +160,18 @@ variable "log_metric_ec2_shutdown" { default = "crossfeed-staging-EC2Shutdown" } +variable "log_metric_db_shutdown" { + description = "log_metric_filter_DB_shutdown" + type = string + default = "crossfeed-staging-DBShutdown" +} + +variable "log_metric_db_deletion" { + description = "log_metric_filter_db_deletion" + type = string + default = "crossfeed-staging-DBDeletion" +} + variable "sns_topic_alarms" { description = "sns_alarm_topic_name" type = string 
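Review bot: In the vars.tf hunk the `description` of each new variable merely echoes its name, with inconsistent casing (`log_metric_filter_DB_shutdown` versus `log_metric_filter_db_deletion`), so it adds nothing for a reader and will not match a search for either spelling. Something like `description = "Name of the CloudWatch metric filter and metric that count RDS StopDBInstance events"` says what the value is used for; the same applies to the deletion variable.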
From b3d1e4fae38d947bad4240b815aeac92567956df Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 9 Nov 2023 08:43:47 -0600 Subject: [PATCH 11/16] Add api_error_rate alert and vars. --- infrastructure/log_alarms.tf | 19 +++++++++++++++++++ infrastructure/prod.tfvars | 1 + infrastructure/stage.tfvars | 1 + infrastructure/vars.tf | 6 ++++++ 4 files changed, 27 insertions(+) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 9fd84dcf7..661076ca3 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -14,6 +14,25 @@ resource "aws_cloudwatch_metric_alarm" "root_user" { } } +resource "aws_cloudwatch_metric_alarm" "api_error_rate" { + alarm_name = "${var.log_metric_api_error_rate}-alarm" + alarm_description = "API error rate exceeded 5%" + metric_name = "5XXError" + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreateerThanOrEqualToThreshold" + evaluation_periods = 2 + threshold = 0.05 + statistic = "Average" + unit = "Count" + treat_missing_data = "notBreaching" + + tags = { + Project = var.project + Stage = var.stage + Severity = var.severity_medium + } +} + resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" { alarm_name = "${var.log_metric_unauthorized_api_call}-alarm" metric_name = var.log_metric_unauthorized_api_call diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index 5f6bc2cab..216623e38 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars @@ -11,6 +11,7 @@ db_port = 5432 db_table_name = "cfproddb" db_instance_class = "db.t3.2xlarge" log_metric_namespace = "LogMetrics" +log_metric_api_error_rate = "crossfeed-prod-APIErrorRate" log_metric_root_user = "crossfeed-prod-RootUserAccess" log_metric_unauthorized_api_call = "crossfeed-prod-UnauthorizedApiCall" log_metric_login_without_mfa = "crossfeed-prod-ConsoleSignInWithoutMFA" diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars index 4236e6c80..87be67790 100644 
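Review bot: The new `api_error_rate` alarm sets `metric_name = "5XXError"` but no `namespace` and no `dimensions`, so it never identifies the API Gateway metric for this project's API; as I understand PutMetricAlarm a namespace is required alongside a metric name, and even with `namespace = "AWS/ApiGateway"` the `5XXError` series is only published per `ApiName` (and `Stage`), so an undimensioned alarm would sit in INSUFFICIENT_DATA, which `treat_missing_data = "notBreaching"` then quietly reports as OK. Add the namespace and a `dimensions` block naming the API Gateway resource this stack manages (not visible on this page — take `ApiName`/`Stage` from wherever it is defined). The `statistic = "Average"` / `threshold = 0.05` pairing relies on the AWS convention that the average of 5XXError is the per-request error rate; a one-line comment saying so would stop `unit = "Count"` beside a 0.05 threshold reading as a contradiction.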
--- a/infrastructure/stage.tfvars +++ b/infrastructure/stage.tfvars @@ -12,6 +12,7 @@ db_table_name = "cfstagingdb" db_instance_class = "db.t3.2xlarge" log_metric_namespace = "LogMetrics" log_metric_root_user = "crossfeed-staging-RootUserAccess" +log_metric_api_error_rate = "crossfeed-staging-APIErrorRate" log_metric_unauthorized_api_call = "crossfeed-staging-UnauthorizedApiCall" log_metric_login_without_mfa = "crossfeed-staging-ConsoleSignInWithoutMFA" log_metric_iam_policy = "crossfeed-staging-IAMPolicyChange" diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf index a8aa692d8..e82fd682b 100644 --- a/infrastructure/vars.tf +++ b/infrastructure/vars.tf @@ -70,6 +70,12 @@ variable "log_metric_namespace" { default = "LogMetrics" } +variable "log_metric_api_error_rate" { + description = "log_metric_filter_api_error_rate" + type = string + default = "crossfeed-staging-APIErrorRate" +} + variable "log_metric_root_user" { description = "log_metric_filter_root_user" type = string From ca984738a5ec8dcb9d01329e27ec3b4ce7755e78 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 9 Nov 2023 09:53:41 -0600 Subject: [PATCH 12/16] Define period. --- infrastructure/log_alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 661076ca3..5a3d3c7b0 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -20,6 +20,7 @@ resource "aws_cloudwatch_metric_alarm" "api_error_rate" { metric_name = "5XXError" alarm_actions = [aws_sns_topic.alarms.arn] comparison_operator = "GreateerThanOrEqualToThreshold" + period = 60 evaluation_periods = 2 threshold = 0.05 statistic = "Average" From 245f8f7097e3b84419ad0729277982b547ab5d3c Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 16 Nov 2023 16:13:04 -0600 Subject: [PATCH 13/16] Terraform formatting. --- infrastructure/prod.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
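Review bot: In the vars.tf hunk `log_metric_api_error_rate` is described as `log_metric_filter_api_error_rate`, but the alarm that consumes it reads the built-in API Gateway `5XXError` metric and has no metric filter, so the `log_metric_` prefix and the description will send a reader looking for an entry in log_filters.tf that does not exist. Either rename it (e.g. `alarm_name_api_error_rate`) or at least set `description = "Base name for the API Gateway 5xx error-rate alarm (not a log metric filter)"`.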
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars index e5f93a1fe..6d269e6ef 100644 --- a/infrastructure/prod.tfvars +++ b/infrastructure/prod.tfvars @@ -54,7 +54,7 @@ ssm_sixgill_client_id = "/crossfeed/prod/SIXGILL_CLIENT_ID" ssm_sixgill_client_secret = "/crossfeed/prod/SIXGILL_CLIENT_SECRET" ssm_lg_api_key = "/crossfeed/prod/LG_API_KEY" ssm_lg_workspace_name = "/crossfeed/prod/LG_WORKSPACE_NAME" -ssm_shodan_queue_url = "/crossfeed/prod/SHODAN_QUEUE_URL" +ssm_shodan_queue_url = "/crossfeed/prod/SHODAN_QUEUE_URL" cloudfront_name = "Crossfeed Prod Frontend" db_group_name = "crossfeed-prod-db-group" worker_ecs_repository_name = "crossfeed-prod-worker" From fd5d42d28c0d57deec1a687de0a5eed91b0857b3 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 16 Nov 2023 16:25:06 -0600 Subject: [PATCH 14/16] Fix typo in api_error_rate caomparison_operator. --- infrastructure/log_alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 4413a8f2b..6e7d0762d 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -21,7 +21,7 @@ resource "aws_cloudwatch_metric_alarm" "api_error_rate" { alarm_description = "API error rate exceeded 5%" metric_name = "5XXError" alarm_actions = [aws_sns_topic.alarms.arn] - comparison_operator = "GreateerThanOrEqualToThreshold" + comparison_operator = "GreaterThanOrEqualToThreshold" period = 60 evaluation_periods = 2 threshold = 0.05 From c0da13c8e2a90e453fdf6d52780772677516b6d2 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 17 Nov 2023 09:26:05 -0600 Subject: [PATCH 15/16] Add alarm descriptions. --- infrastructure/api_gateway_alarms.tf | 20 ++++++++++++++++ infrastructure/log_alarms.tf | 36 +++++++++++++--------------- 2 files changed, 36 insertions(+), 20 deletions(-) create mode 100644 infrastructure/api_gateway_alarms.tf 
diff --git a/infrastructure/api_gateway_alarms.tf b/infrastructure/api_gateway_alarms.tf new file mode 100644 index 000000000..006996896 --- /dev/null +++ b/infrastructure/api_gateway_alarms.tf @@ -0,0 +1,20 @@ +resource "aws_cloudwatch_metric_alarm" "api_error_rate" { + alarm_name = "${var.log_metric_api_error_rate}-alarm" + alarm_description = "The percentage of API calls returning a 5xx error exceeds 5%" + metric_name = "5XXError" + alarm_actions = [aws_sns_topic.alarms.arn] + comparison_operator = "GreaterThanOrEqualToThreshold" + period = 60 + evaluation_periods = 2 + threshold = 0.05 + statistic = "Average" + unit = "Count" + treat_missing_data = "notBreaching" + + tags = { + Project = var.project + Stage = var.stage + Severity = var.severity_medium + } +} + diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 6e7d0762d..948514ff9 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -1,5 +1,6 @@ resource "aws_cloudwatch_metric_alarm" "root_user" { alarm_name = "${var.log_metric_root_user}-alarm" + alarm_description = "The root user account signed into AWS" metric_name = var.log_metric_root_user namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] 
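Review bot: Moving `api_error_rate` into its own file carries over the missing `namespace` and `dimensions`: with only `metric_name = "5XXError"` the alarm does not bind to this project's API Gateway series, so it cannot alarm on anything, and `treat_missing_data = "notBreaching"` keeps it green. Add `namespace = "AWS/ApiGateway"` plus a `dimensions` block with the `ApiName` (and `Stage`, if the API is deployed per stage) of the gateway resource this stack defines; I cannot see that resource on this page, so reference it from wherever it lives. Since this is now a dedicated API Gateway file, a header comment noting that the alarm uses the service's built-in metric rather than a CloudTrail filter would keep it from being mistaken for the log-based alarms.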
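Review bot: The description `The root user account signed into AWS` is narrower than what the `root_user` metric filter (defined in log_filters.tf, outside this hunk) appears to count — if it is the CIS root-usage pattern on `$.userIdentity.type = "Root"`, any API call made with root credentials raises this alarm, not only a console sign-in. Because the description is the text the SNS subscriber sees, an understated one invites a responder to dismiss root API activity as a known console login. Suggest `alarm_description = "The AWS account root user was used (any API activity, not only console sign-in)"`.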
@@ -16,28 +17,9 @@ resource "aws_cloudwatch_metric_alarm" "root_user" { } } -resource "aws_cloudwatch_metric_alarm" "api_error_rate" { - alarm_name = "${var.log_metric_api_error_rate}-alarm" - alarm_description = "API error rate exceeded 5%" - metric_name = "5XXError" - alarm_actions = [aws_sns_topic.alarms.arn] - comparison_operator = "GreaterThanOrEqualToThreshold" - period = 60 - evaluation_periods = 2 - threshold = 0.05 - statistic = "Average" - unit = "Count" - treat_missing_data = "notBreaching" - - tags = { - Project = var.project - Stage = var.stage - Severity = var.severity_medium - } -} - resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" { alarm_name = "${var.log_metric_unauthorized_api_call}-alarm" + alarm_description = "An API call returned an unauthorized error" metric_name = var.log_metric_unauthorized_api_call namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -56,6 +38,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_call" { resource "aws_cloudwatch_metric_alarm" "login_without_mfa" { alarm_name = "${var.log_metric_login_without_mfa}-alarm" + alarm_description = "A user logged into AWS without MFA" metric_name = var.log_metric_login_without_mfa namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -74,6 +57,7 @@ resource "aws_cloudwatch_metric_alarm" "login_without_mfa" { resource "aws_cloudwatch_metric_alarm" "iam_policy" { alarm_name = "${var.log_metric_iam_policy}-alarm" + alarm_description = "An IAM policy was modified" metric_name = var.log_metric_iam_policy namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] 
@@ -92,6 +76,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_policy" { resource "aws_cloudwatch_metric_alarm" "cloudtrail" { alarm_name = "${var.log_metric_cloudtrail}-alarm" + alarm_description = "CloudTrail configurations were modified" metric_name = var.log_metric_cloudtrail namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -110,6 +95,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail" { resource "aws_cloudwatch_metric_alarm" "login_failure" { alarm_name = "${var.log_metric_login_failure}-alarm" + alarm_description = "A user sign in to AWS failed" metric_name = var.log_metric_login_failure namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -128,6 +114,7 @@ resource "aws_cloudwatch_metric_alarm" "login_failure" { resource "aws_cloudwatch_metric_alarm" "cmk_delete_disable" { alarm_name = "${var.log_metric_cmk_delete_disable}-alarm" + alarm_description = "A customer-managed key was disabled or scheduled for deletion" metric_name = var.log_metric_cmk_delete_disable namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -146,6 +133,7 @@ resource "aws_cloudwatch_metric_alarm" "cmk_delete_disable" { resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" { alarm_name = "${var.log_metric_s3_bucket_policy}-alarm" + alarm_description = "An S3 bucket policy was modified" metric_name = var.log_metric_s3_bucket_policy namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -164,6 +152,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" { resource "aws_cloudwatch_metric_alarm" "aws_config" { alarm_name = "${var.log_metric_aws_config}-alarm" + alarm_description = "AWS Config configurations were modified" metric_name = var.log_metric_aws_config namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] 
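Review bot: `A user sign in to AWS failed` in the `login_failure` hunk is ungrammatical, and since this description is what the SNS subscriber reads first it should be precise; suggest `alarm_description = "A console sign-in to AWS failed"`. If this alarm keeps the `threshold = 1` used by the other alarms on this page, a single mistyped password will page with that text, so consider wording that sets expectations, e.g. `"One or more AWS console sign-in attempts failed (not by itself a brute-force signal)"`. The alarm resource starts before this hunk.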
@@ -182,6 +171,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config" { resource "aws_cloudwatch_metric_alarm" "security_group" { alarm_name = "${var.log_metric_security_group}-alarm" + alarm_description = "A security group was modified" metric_name = var.log_metric_security_group namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -200,6 +190,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group" { resource "aws_cloudwatch_metric_alarm" "nacl" { alarm_name = "${var.log_metric_nacl}-alarm" + alarm_description = "A network ACL was modified" metric_name = var.log_metric_nacl namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -218,6 +209,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl" { resource "aws_cloudwatch_metric_alarm" "network_gateway" { alarm_name = "${var.log_metric_network_gateway}-alarm" + alarm_description = "A network gateway was modified" metric_name = var.log_metric_network_gateway namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -236,6 +228,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gateway" { resource "aws_cloudwatch_metric_alarm" "route_table" { alarm_name = "${var.log_metric_route_table}-alarm" + alarm_description = "A route table was modified" metric_name = var.log_metric_route_table namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -272,6 +265,7 @@ resource "aws_cloudwatch_metric_alarm" "vpc" { resource "aws_cloudwatch_metric_alarm" "ec2_shutdown" { alarm_name = "${var.log_metric_ec2_shutdown}-alarm" + alarm_description = "An EC2 instance was shut down" metric_name = var.log_metric_ec2_shutdown namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] 
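Review bot: `An EC2 instance was shut down` understates the `ec2_shutdown` filter, whose pattern earlier on this page is `{($.eventName=StopInstances) || ($.eventName=TerminateInstances)}` — a termination is irreversible and is the case a CRITICAL alarm most needs to call out. Suggest `alarm_description = "An EC2 instance was stopped or terminated (StopInstances/TerminateInstances)"` so the responder knows to check which call it was.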
@@ -290,6 +284,7 @@ resource "aws_cloudwatch_metric_alarm" "ec2_shutdown" { resource "aws_cloudwatch_metric_alarm" "db_shutdown" { alarm_name = "${var.log_metric_db_shutdown}-alarm" + alarm_description = "An RDS instance was shut down" metric_name = var.log_metric_db_shutdown namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] @@ -308,6 +303,7 @@ resource "aws_cloudwatch_metric_alarm" "db_shutdown" { resource "aws_cloudwatch_metric_alarm" "db_deletion" { alarm_name = "${var.log_metric_db_deletion}-alarm" + alarm_description = "An RDS instance was deleted" metric_name = var.log_metric_db_deletion namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn] From 550385cfd28b375677a745a70e218c9c43468fa5 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Thu, 28 Dec 2023 09:30:42 -0500 Subject: [PATCH 16/16] Update description for AWS Config alarm. --- infrastructure/log_alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/log_alarms.tf b/infrastructure/log_alarms.tf index 18195d25b..da37d1f4a 100644 --- a/infrastructure/log_alarms.tf +++ b/infrastructure/log_alarms.tf @@ -152,7 +152,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy" { resource "aws_cloudwatch_metric_alarm" "aws_config" { alarm_name = "${var.log_metric_aws_config}-alarm" - alarm_description = "AWS Config configurations were modified" + alarm_description = "AWS Config was modified" metric_name = var.log_metric_aws_config namespace = var.log_metric_namespace alarm_actions = [aws_sns_topic.alarms.arn]
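Review bot: The final patch shortens the `aws_config` description to `AWS Config was modified`, which is vaguer than the text it replaces and gives a responder nothing to check. If the backing filter is the usual CIS pattern on the configuration recorder and delivery channel (not visible here), `alarm_description = "AWS Config recorder or delivery channel was stopped, deleted or reconfigured"` names the two things to verify; since the description is the body of the SNS notification, this wording is the whole alert.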