# .SYNOPSIS
#   Template to create metric filters and alarms for various events in the AWS account.
# .DESCRIPTION
#   This template creates a CloudTrail trail, a CloudWatch Logs log group, an S3 bucket, event metric filters,
#   an SNS topic and subscription, and alarms to remediate the below list of policies:
#     Ensure a log metric filter and alarm exist for unauthorized API calls
#     Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
#     Ensure a log metric filter and alarm exist for usage of 'root' account
#     Ensure a log metric filter and alarm exist for IAM policy changes
#     Ensure a log metric filter and alarm exist for CloudTrail configuration changes
#     Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
#     Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
#     Ensure a log metric filter and alarm exist for S3 bucket policy changes
#     Ensure a log metric filter and alarm exist for AWS Config configuration changes
#     Ensure a log metric filter and alarm exist for security group changes
#     Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
#     Ensure a log metric filter and alarm exist for changes to network gateways
#     Ensure a log metric filter and alarm exist for route table changes
#     Ensure a log metric filter and alarm exist for VPC changes
#     Ensure a log metric filter and alarm exist for S3 bucket object read operations
#     Ensure a log metric filter and alarm exist for S3 bucket object write operations
#     Ensure a log metric filter and alarm exist for AWS Organizations changes
#
# .NOTES
#   Copyright (c) Zscaler. All rights reserved.
#
#   Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
#   documentation files (the "Software"), to deal in the Software without restriction, including without limitation
#   the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
#   to permit persons to whom the Software is furnished to do so, subject to the following conditions:
#
#   The above copyright notice and this permission notice shall be included in all copies or substantial portions
#   of the Software.
#
#   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
#   THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
#   CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
#   DEALINGS IN THE SOFTWARE.
#
#   Version: 1.0
#
# PREREQUISITE
#   - Install the AWS CLI
#     Link: https://docs.aws.amazon.com/cli/latest/userguide/install-linux-al2017.html
#   - Configure your AWS account using the below command:
#       aws configure
#     Enter the required inputs (use the details of the AWS account where you want to remediate the policies):
#       AWS Access Key ID:     Access key of any admin user of the account in consideration.
#       AWS Secret Access Key: Secret access key of any admin user of the account in consideration.
#       Default region name:   Programmatic region name where you want to deploy the resources (eg: us-east-1)
#       Default output format: json
# .EXAMPLE
#   Command to execute:
#     aws cloudformation deploy --template-file remediate-monitoring-policies.yml --stack-name --parameter-overrides env= region= awsaccountid=<12-digit AWS account Id> emailid= --capabilities CAPABILITY_NAMED_IAM
# .INPUTS
#   stack-name:   Name of the stack that will be created
#   env:          Environment prefix
#   region:       Programmatic region name where you want to deploy the resources (eg: us-east-1)
#   awsaccountid: 12-digit AWS Account Id of the account where you need to set up the alarms
#   emailid:      Valid email id where one wishes to receive the notifications
# .OUTPUTS
#   None
# .NOTE
#   Once the stack has successfully created all the resources and alarms, you need to confirm the SNS
#   subscription using the link you will receive at the entered email address to start receiving
#   notifications for the alarms.

Parameters:
  env:
    Description: Environment prefix
    Type: String
    Default: dev
  region:
    Description: Region where the resources are to be deployed
    Type: String
    Default: us-east-1
  awsaccountid:
    Description: AWS Account ID
    Type: String
  emailid:
    Description: Email ID where the SNS notifications are to be sent
    Type: String

# Naming convention used throughout: resources are prefixed with the env parameter. Names that were built with
# Fn::Join are written with !Sub here (same resulting strings); the log group and SNS topic are referenced with
# !Ref so that CloudFormation orders creation correctly instead of relying on string-built names.
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${env}-${awsaccountid}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Objects under cw-ctlogs/ are expired after one day; the copy in the CloudWatch Logs group (which has
      # no RetentionInDays set, so it is kept indefinitely) is what the metric filters evaluate.
      LifecycleConfiguration:
        Rules:
          - Id: Delete-ct-logs
            Prefix: cw-ctlogs/
            Status: Enabled
            ExpirationInDays: 1
            NoncurrentVersionExpirationInDays: 1
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: "ServiceName"
          Value: "cloudtrail-log-bucket"
        - Key: "Description"
          Value: "Monitoring and alarm resource. Stores cloudtrail logs"

  CTBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      # !Ref resolves to the same bucket name and makes CloudFormation create the bucket before the policy.
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Statement:
          - Sid: CTBucketPolicy1
            Action:
              - "s3:GetBucketAcl"
            Effect: "Allow"
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Resource: !Sub 'arn:aws:s3:::${env}-${awsaccountid}'
          - Sid: CTBucketPolicy2
            Action:
              - "s3:PutObject"
            Effect: "Allow"
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Resource: !Sub 'arn:aws:s3:::${env}-${awsaccountid}/cw-ctlogs/*'
            Condition:
              StringLike:
                s3:x-amz-acl:
                  - "bucket-owner-full-control"

  CTCWLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '${env}-monitoring-log-group'

  CTCloudwatchRole:
    Type: AWS::IAM::Role
    DependsOn: CTCWLogGroup
    Properties:
      RoleName: !Sub '${env}-CT-CloudwatchRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ct-cloudwatch-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CTCWPolicy1
                Effect: Allow
                Action:
                  - "logs:CreateLogStream"
                Resource: !Sub 'arn:aws:logs:${region}:${awsaccountid}:log-group:${env}-monitoring-log-group:*'
              - Sid: CTCWPolicy2
                Effect: Allow
                Action:
                  - "logs:PutLogEvents"
                Resource: !Sub 'arn:aws:logs:${region}:${awsaccountid}:log-group:${env}-monitoring-log-group:*'

  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "KMS key for Cloudtrail and SNS Topic encryption"
      KeyPolicy:
        Version: '2012-10-17'
        Id: kms-key-cloudtrail-sns
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow CloudTrail to encrypt logs
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 'kms:GenerateDataKey*'
            Resource: '*'
            Condition:
              StringLike:
                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
          - Sid: Allow CloudTrail to describe key
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 'kms:DescribeKey'
            Resource: '*'
          - Sid: Allow principals in the account to decrypt log files
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'kms:Decrypt'
              - 'kms:ReEncryptFrom'
            Resource: '*'
            Condition:
              StringEquals:
                'kms:CallerAccount': !Sub '${AWS::AccountId}'
              StringLike:
                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
          - Sid: Allow alias creation during setup
            Effect: Allow
            Principal:
              AWS: '*'
            Action: 'kms:CreateAlias'
            Resource: '*'
            Condition:
              StringEquals:
                # The literal placeholder "ec2.region.amazonaws.com" is replaced by the real region here.
                'kms:ViaService': !Sub 'ec2.${region}.amazonaws.com'
                'kms:CallerAccount': !Sub '${AWS::AccountId}'
          - Sid: Enable cross account log decryption
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'kms:Decrypt'
              - 'kms:ReEncryptFrom'
            Resource: '*'
            Condition:
              StringEquals:
                'kms:CallerAccount': !Sub '${AWS::AccountId}'
              StringLike:
                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
          - Sid: Allow SNS to use the key
            Effect: Allow
            Principal:
              Service:
                - 'sns.amazonaws.com'
            Action:
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey*'
              - 'kms:DescribeKey'
            Resource: '*'
          # Added statement: alarm actions targeting a KMS-encrypted SNS topic are published by the CloudWatch
          # service principal, which needs kms:Decrypt and kms:GenerateDataKey* on the topic's key or the
          # notification is silently dropped.
          - Sid: Allow CloudWatch alarms to publish to the encrypted topic
            Effect: Allow
            Principal:
              Service:
                - 'cloudwatch.amazonaws.com'
            Action:
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey*'
            Resource: '*'
      MultiRegion: true
      EnableKeyRotation: true
      PendingWindowInDays: 7
      Tags:
        - Key: "ServiceName"
          Value: "kms-key-cloudtrail-sns"
        - Key: "Description"
          Value: "KMS key for Cloudtrail and SNS Topic encryption"

  MonitoringCloudTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn:
      - CTCloudwatchRole
      - KmsKey
      # CloudTrail validates the bucket policy when the trail is created, so the policy must exist first.
      - CTBucketPolicy
    Properties:
      CloudWatchLogsLogGroupArn: !Sub 'arn:aws:logs:${region}:${awsaccountid}:log-group:${env}-monitoring-log-group:*'
      CloudWatchLogsRoleArn: !Sub 'arn:aws:iam::${awsaccountid}:role/${env}-CT-CloudwatchRole'
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      KMSKeyId: !GetAtt KmsKey.Arn
      S3BucketName: !Ref S3Bucket
      S3KeyPrefix: cw-ctlogs
      TrailName: !Sub '${env}-monitoring-trail'
      Tags:
        - Key: "ServiceName"
          Value: "monitoring-cloudtrail"
        - Key: "Description"
          Value: "Monitoring and alarm resource that provides API logs"
      # "arn:aws:s3:::" selects object-level (data) events for every bucket in the account; this feeds the
      # S3 GetObject/PutObject alarms below but also makes the trail considerably more voluminous.
      EventSelectors:
        - DataResources:
            - Type: "AWS::S3::Object"
              Values:
                - "arn:aws:s3:::"
          IncludeManagementEvents: true
          ReadWriteType: All

  AlarmSNSTopic:
    Type: AWS::SNS::Topic
    DependsOn: KmsKey
    Properties:
      KmsMasterKeyId: !GetAtt KmsKey.Arn
      TopicName: !Sub '${env}-monitoring-topic'

  SNSSubscription:
    Type: AWS::SNS::Subscription
    DependsOn: AlarmSNSTopic
    Properties:
      Endpoint: !Ref emailid
      Protocol: email
      TopicArn: !Ref AlarmSNSTopic

  UnauthorizedAPIMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.errorCode ="*UnauthorizedOperation") || ($.errorCode ="AccessDenied*") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-UnauthorizedAPICalls'
          MetricValue: '1'

  UnauthorizedAPICallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-UnauthorizedAPICalls'
      AlarmDescription: Alarm for Unauthorized API calls
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-UnauthorizedAPICalls'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  SGChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="AuthorizeSecurityGroupIngress") || ($.eventName="AuthorizeSecurityGroupEgress") || ($.eventName="RevokeSecurityGroupIngress") || ($.eventName="RevokeSecurityGroupEgress") || ($.eventName="CreateSecurityGroup") || ($.eventName="DeleteSecurityGroup") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-SecurityGroupChanges'
          MetricValue: '1'

  SGChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-SecurityGroupChanges'
      AlarmDescription: Alarm for security group changes
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-SecurityGroupChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  NACLChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="CreateNetworkAcl") || ($.eventName="CreateNetworkAclEntry") || ($.eventName="DeleteNetworkAcl") || ($.eventName="DeleteNetworkAclEntry") || ($.eventName="ReplaceNetworkAclEntry") || ($.eventName="ReplaceNetworkAclAssociation") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-NACLChanges'
          MetricValue: '1'

  NACLChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-NACLChanges'
      AlarmDescription: Alarm for changes to NACL
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-NACLChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  NetworkGatewayMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="CreateCustomerGateway") || ($.eventName="DeleteCustomerGateway") || ($.eventName="AttachInternetGateway") || ($.eventName="CreateInternetGateway") || ($.eventName="DeleteInternetGateway") || ($.eventName="DetachInternetGateway") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-NetworkGatewayChanges'
          MetricValue: '1'

  NetworkGatewayAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-NetworkGatewayChanges'
      AlarmDescription: Alarm for changes to Network Gateway
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-NetworkGatewayChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  RouteTableChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="CreateRoute") || ($.eventName="CreateRouteTable") || ($.eventName="ReplaceRoute") || ($.eventName="ReplaceRouteTableAssociation") || ($.eventName="DeleteRouteTable") || ($.eventName="DeleteRoute") || ($.eventName="DisassociateRouteTable") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-RouteTableChanges'
          MetricValue: '1'

  RouteTableChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-RouteTableChanges'
      AlarmDescription: Alarm for changes to Route Table
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-RouteTableChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  VPCChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="CreateVpc") || ($.eventName="DeleteVpc") || ($.eventName="ModifyVpcAttribute") || ($.eventName="AcceptVpcPeeringConnection") || ($.eventName="CreateVpcPeeringConnection") || ($.eventName="DeleteVpcPeeringConnection") || ($.eventName="RejectVpcPeeringConnection") || ($.eventName="AttachClassicLinkVpc") || ($.eventName="DetachClassicLinkVpc") || ($.eventName="DisableVpcClassicLink") || ($.eventName="EnableVpcClassicLink") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-VPCChanges'
          MetricValue: '1'

  VPCChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-VPCChanges'
      AlarmDescription: Alarm for changes to VPC
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-VPCChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  ConsoleSignInMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName ="ConsoleLogin") && ($.additionalEventData.MFAUsed !="Yes") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-ConsoleSignIn'
          MetricValue: '1'

  ConsoleSignInAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-ConsoleSignIn'
      AlarmDescription: Alarm for Management Console sign-in without MFA
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-ConsoleSignIn'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.userIdentity.type ="Root") && $.userIdentity.invokedBy NOT EXISTS && ($.eventType !="AwsServiceEvent") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-RootUsage'
          MetricValue: '1'

  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-RootUsage'
      AlarmDescription: Alarm for Root Account usage
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-RootUsage'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  IAMPolicyChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="DeleteGroupPolicy") || ($.eventName="DeleteRolePolicy") || ($.eventName="DeleteUserPolicy") || ($.eventName="PutGroupPolicy") || ($.eventName="PutRolePolicy") || ($.eventName="PutUserPolicy") || ($.eventName="CreatePolicy") || ($.eventName="DeletePolicy") || ($.eventName="CreatePolicyVersion") || ($.eventName="DeletePolicyVersion") || ($.eventName="AttachRolePolicy") || ($.eventName="DetachRolePolicy") || ($.eventName="AttachUserPolicy") || ($.eventName="DetachUserPolicy") || ($.eventName="AttachGroupPolicy") || ($.eventName="DetachGroupPolicy") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-IAMPolicyChanges'
          MetricValue: '1'

  IAMPolicyChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-IAMPolicyChanges'
      AlarmDescription: Alarm for changes to IAM Policies
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-IAMPolicyChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  CloudTrailConfigChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="CreateTrail") || ($.eventName="UpdateTrail") || ($.eventName="DeleteTrail") || ($.eventName="StartLogging") || ($.eventName="StopLogging") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-CloudTrailConfigChanges'
          MetricValue: '1'

  CloudTrailConfigChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-CloudTrailConfigChanges'
      AlarmDescription: Alarm for CloudTrail configuration changes
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-CloudTrailConfigChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  ConsoleAuthFailureMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventName="ConsoleLogin") && ($.errorMessage ="Failed authentication") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-ConsoleAuthFailure'
          MetricValue: '1'

  ConsoleAuthFailureAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-ConsoleAuthFailure'
      AlarmDescription: Alarm for AWS Management Console authentication failures
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-ConsoleAuthFailure'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  CMKDeletionMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventSource="kms.amazonaws.com") && (($.eventName="DisableKey") || ($.eventName="ScheduleKeyDeletion")) }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-CMKDeletion'
          MetricValue: '1'

  CMKDeletionAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-CMKDeletion'
      AlarmDescription: Alarm for disabling or scheduled deletion of customer created CMKs
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-CMKDeletion'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  S3PolicyChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventSource="s3.amazonaws.com") && (($.eventName="PutBucketAcl") || ($.eventName="PutBucketPolicy") || ($.eventName="PutBucketCors") || ($.eventName="PutBucketLifecycle") || ($.eventName="PutBucketReplication") || ($.eventName="DeleteBucketPolicy") || ($.eventName="DeleteBucketCors") || ($.eventName="DeleteBucketLifecycle") || ($.eventName="DeleteBucketReplication")) }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-S3PolicyChanges'
          MetricValue: '1'

  S3PolicyChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-S3PolicyChanges'
      AlarmDescription: Alarm for S3 bucket policy changes
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-S3PolicyChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  AWSConfigChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{ ($.eventSource="config.amazonaws.com") && (($.eventName="StopConfigurationRecorder") || ($.eventName="DeleteDeliveryChannel") || ($.eventName="PutDeliveryChannel") || ($.eventName="PutConfigurationRecorder")) }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-AWSConfigChanges'
          MetricValue: '1'

  AWSConfigChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-AWSConfigChanges'
      # Description corrected: this alarm covers AWS Config changes, not S3 bucket policy changes.
      AlarmDescription: Alarm for AWS Config configuration changes
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-AWSConfigChanges'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'

  # S3 GetObject
  S3logGetObjectFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{($.eventName = "GetObject")}'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-S3logGetObject'
          MetricValue: '1'

  S3logGetObjectAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-S3logGetObject'
      AlarmDescription: Alarm for S3 bucket read(GetObject) events
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-S3logGetObject'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: SampleCount
      Threshold: '1'

  # S3 PutObject
  S3logPutObjectFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      FilterPattern: '{($.eventName = "PutObject")}'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-S3logPutObject'
          MetricValue: '1'

  S3logPutObjectAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-S3logPutObject'
      AlarmDescription: Alarm for S3 bucket write(PutObject) events
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-S3logPutObject'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: SampleCount
      Threshold: '1'

  OrganizationsMetricFilter:
    Type: AWS::Logs::MetricFilter
    DependsOn: AlarmSNSTopic
    Properties:
      LogGroupName: !Ref CTCWLogGroup
      # The eventSource clause is OR-ed with the event names, so every Organizations API call (including
      # read-only ones) increments this metric, not only the listed change events.
      FilterPattern: '{ ($.eventSource ="organizations.amazonaws.com") || ($.eventName ="AcceptHandshake") || ($.eventName ="CreateAccount") || ($.eventName = "CreateOrganization") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdateOrganizationalUnit") }'
      MetricTransformations:
        - MetricNamespace: !Sub '${env}-MonitoringAlarmMetrics'
          MetricName: !Sub '${env}-OrganizationsEvents'
          MetricValue: '1'

  OrganizationsEventsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${env}-OrganizationsEvents'
      AlarmDescription: Alarm for Organizations events
      AlarmActions:
        - !Ref AlarmSNSTopic
      MetricName: !Sub '${env}-OrganizationsEvents'
      Namespace: !Sub '${env}-MonitoringAlarmMetrics'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: '1'
      Period: '300'
      Statistic: Sum
      Threshold: '1'
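The metric filters above are only as good as their FilterPattern strings, and the cheapest time to find a pattern that matches too much or too little is before the stack is deployed. The following is an added example, not part of the Zscaler template: a small offline evaluator for the subset of the CloudWatch Logs JSON filter-pattern grammar these filters use (`$.selector`, `=` and `!=` with `*` wildcards, `NOT EXISTS`, `&&`, `||`, parentheses), run over a few constructed CloudTrail-style records to show which alarms each record would trip. The matching semantics (in particular that a comparison on an absent field never matches) are an assumption based on the public documentation; the authoritative check remains the CloudWatch Logs TestMetricFilter API (`aws logs test-metric-filter`), which this script does not replace.

```python
import re

# Filter patterns copied verbatim from the template; keys are the template's metric-name suffixes.
FILTER_PATTERNS = {
    "UnauthorizedAPICalls": '{ ($.errorCode ="*UnauthorizedOperation") || ($.errorCode ="AccessDenied*") }',
    "ConsoleSignIn": '{ ($.eventName ="ConsoleLogin") && ($.additionalEventData.MFAUsed !="Yes") }',
    "RootUsage": '{ ($.userIdentity.type ="Root") && $.userIdentity.invokedBy NOT EXISTS && ($.eventType !="AwsServiceEvent") }',
    "ConsoleAuthFailure": '{ ($.eventName="ConsoleLogin") && ($.errorMessage ="Failed authentication") }',
    "CMKDeletion": '{ ($.eventSource="kms.amazonaws.com") && (($.eventName="DisableKey") || ($.eventName="ScheduleKeyDeletion")) }',
}

# Supported subset: '{' expr '}', '||', '&&', parentheses, $.selector = / != "string" (with * wildcards), $.selector NOT EXISTS
_TOKEN = re.compile(r'\{|\}|\(|\)|\|\||&&|!=|=|"[^"]*"|\$\.[A-Za-z0-9_.]+|NOT EXISTS')
_MISSING = object()  # sentinel for a field that is absent from the record


def tokenize(pattern):
    tokens = _TOKEN.findall(pattern)
    if "".join(tokens).replace(" ", "") != pattern.replace(" ", ""):
        raise ValueError("pattern uses syntax outside the supported subset")
    return tokens


def _take(toks, expected=None):
    # Pop the next token, optionally insisting on a specific one.
    if not toks or (expected is not None and toks[0] != expected):
        raise ValueError(f"expected {expected or 'a token'}, got {toks[:1]}")
    return toks.pop(0)


def _expr(toks):  # expr := term ('||' term)*
    node = _term(toks)
    while toks and toks[0] == "||":
        _take(toks)
        node = ("or", node, _term(toks))
    return node


def _term(toks):  # term := factor ('&&' factor)*
    node = _factor(toks)
    while toks and toks[0] == "&&":
        _take(toks)
        node = ("and", node, _factor(toks))
    return node


def _factor(toks):  # factor := '(' expr ')' | selector (= | !=) "value" | selector NOT EXISTS
    if toks and toks[0] == "(":
        _take(toks)
        node = _expr(toks)
        _take(toks, ")")
        return node
    selector, op = _take(toks), _take(toks)
    if not selector.startswith("$.") or op not in ("=", "!=", "NOT EXISTS"):
        raise ValueError(f"malformed comparison near {selector!r} {op!r}")
    path = selector[2:].split(".")
    return ("notexists", path) if op == "NOT EXISTS" else ("cmp", path, op, _take(toks).strip('"'))


def parse(pattern):
    toks = tokenize(pattern)
    _take(toks, "{")
    node = _expr(toks)
    _take(toks, "}")
    return node


def _lookup(event, path):
    for key in path:
        event = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
    return event


def _eval(node, event):
    if node[0] == "or":
        return _eval(node[1], event) or _eval(node[2], event)
    if node[0] == "and":
        return _eval(node[1], event) and _eval(node[2], event)
    if node[0] == "notexists":
        return _lookup(event, node[1]) is _MISSING
    _, path, op, want = node
    got = _lookup(event, path)
    if got is _MISSING:
        return False  # assumption: neither = nor != matches when the field is absent
    hit = re.fullmatch(".*".join(map(re.escape, want.split("*"))), str(got)) is not None  # '*' is the only wildcard
    return hit if op == "=" else not hit


def matches(pattern, event):
    # True if the CloudTrail record (a dict) satisfies the filter pattern.
    return _eval(parse(pattern), event)


def matching_alarms(event, patterns=FILTER_PATTERNS):
    # Sorted names of the template's metric filters that this record would increment.
    return sorted(name for name, pat in patterns.items() if matches(pat, event))


# Constructed, minimal CloudTrail-style records (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication"},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "ScheduleKeyDeletion", "eventType": "AwsApiCall", "eventSource": "kms.amazonaws.com", "userIdentity": {"type": "IAMUser"}},
    {"eventName": "CreateLogStream", "eventType": "AwsApiCall", "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['eventName']:<20} -> {matching_alarms(event) or 'no alarm'}")
```

Two things the sample run makes visible: a root console login without MFA trips both the ConsoleSignIn and RootUsage filters (two notifications for one event), and a failed console login also trips the no-MFA filter because the record carries `MFAUsed: No`, so an attacker guessing passwords would show up under both alarms. The `NOT EXISTS` clause is what keeps service-initiated root activity (the `invokedBy` record) out of the RootUsage metric. Anyone tightening these patterns should re-run them against such records, and then confirm with `aws logs test-metric-filter` against the real service.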