breaking: Control Tower 3.0 support, with the consolidating of the lo…
…g group 'aws-controltower/CloudTrailLogs' into the management account, the CloudWatch log metric filters and alarms in the enrolled account are removed

Signed-off-by: Stefan Wessels Beljaars <[email protected]>
stefanwb committed Jan 2, 2024
1 parent 4703e57 commit 2c3aebb
Showing 4 changed files with 0 additions and 58 deletions.
6 changes: 0 additions & 6 deletions data.tf
@@ -1,7 +1 @@
data "aws_cloudwatch_log_group" "cloudtrail" {
count = var.monitor_iam_activity_sns_topic_arn != null ? 1 : 0

name = "aws-controltower/CloudTrailLogs"
}

data "aws_region" "current" {}
9 changes: 0 additions & 9 deletions locals.tf
Expand Up @@ -8,15 +8,6 @@ locals {
]
]) : []

iam_activity = merge(
{
Root = "{ $.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
},
var.monitor_iam_activity_sso == true ? {
SSO = "{ $.readOnly IS FALSE && $.userIdentity.sessionContext.sessionIssuer.userName = \"AWSReservedSSO_*\" && $.eventName != \"ConsoleLogin\" }"
} : {}
)

security_hub_standards_arns_default = [
"arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",
31 changes: 0 additions & 31 deletions main.tf
@@ -1,34 +1,3 @@
resource "aws_cloudwatch_log_metric_filter" "iam_activity" {
for_each = var.monitor_iam_activity_sns_topic_arn != null ? local.iam_activity : {}

name = "BaseLine-IAMActivity-${each.key}"
pattern = each.value
log_group_name = data.aws_cloudwatch_log_group.cloudtrail[0].name

metric_transformation {
name = "BaseLine-IAMActivity-${each.key}"
namespace = "BaseLine-IAMActivity"
value = "1"
}
}

resource "aws_cloudwatch_metric_alarm" "iam_activity" {
for_each = aws_cloudwatch_log_metric_filter.iam_activity

alarm_name = each.value.name
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = each.value.name
namespace = each.value.metric_transformation[0].namespace
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitors IAM activity for ${each.key}"
alarm_actions = [var.monitor_iam_activity_sns_topic_arn]
insufficient_data_actions = []
tags = var.tags
}

resource "aws_config_aggregate_authorization" "default" {
for_each = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator }

12 changes: 0 additions & 12 deletions variables.tf
Expand Up @@ -65,18 +65,6 @@ variable "service_quotas_manager_role" {
description = "Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module"
}

variable "monitor_iam_activity_sns_topic_arn" {
type = string
default = null
description = "SNS Topic that should receive captured IAM activity events"
}

variable "monitor_iam_activity_sso" {
type = bool
default = true
description = "Whether IAM activity from SSO roles should be monitored"
}

variable "tags" {
type = map(string)
default = {}
