diff --git a/apps-devstg/us-east-1/security-audit/.terraform.lock.hcl b/apps-devstg/us-east-1/security-audit/.terraform.lock.hcl
deleted file mode 100644
index 122923871..000000000
--- a/apps-devstg/us-east-1/security-audit/.terraform.lock.hcl
+++ /dev/null
@@ -1,68 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.46.0" - constraints = ">= 2.0.0, >= 3.0.0, ~> 4.10" - hashes = [ - "h1:1+HdnLUAzb8FDfWs/Mpyv8r2OjYh9Fpyu9Dgj8v+ZuA=", - "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=", - "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2", - "zh:329903acf86ef6072502736dff4c43c2b50f762a958f76aa924e2d74c7fca1e3", - "zh:33db8131fe0ec7e1d9f30bc9f65c2440e9c1f708d681b6062757a351f1df7ce6", - "zh:3a3b010bc393784c16f4b6cdce7f76db93d5efa323fce4920bfea9e9ba6abe44", - "zh:979e2713a5759a7483a065e149e3cb69db9225326fc0457fa3fc3a48aed0c63f", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9efcf0067e16ad53da7504178a05eb2118770b4ae00c193c10ecad4cbfce308e", - "zh:a10655bf1b6376ab7f3e55efadf54dc70f7bd07ca11369557c312095076f9d62", - "zh:b0394dd42cbd2a718a7dd7ae0283f04769aaf8b3d52664e141da59c0171a11ab", - "zh:b958e614c2cf6d9c05a6ad5e94dc5c04b97ebfb84415da068be5a081b5ebbe24", - "zh:ba5069e624210c63ad9e633a8eb0108b21f2322bc4967ba2b82d09168c466888", - "zh:d7dfa597a17186e7f4d741dd7111849f1c0dd6f7ebc983043d8262d2fb37b408", - "zh:e8a641ca2c99f96d64fa2725875e797273984981d3e54772a2823541c44e3cd3", - "zh:f89898b7067c4246293a8007f59f5cfcac7b8dd251d39886c7a53ba596251466", - "zh:fb1e1df1d5cc208e08a850f8e84423bce080f01f5e901791c79df369d3ed52f2", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.2.3" - constraints = ">= 1.3.0" - hashes = [ - "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=", - "h1:m79NYOmoeeLZfRMRCmOoCe2bcCuCwuMppPpj1g5mHLU=", - "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", - "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", - "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - 
"zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", - "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", - "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", - "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", - "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", - "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", - "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", - "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - constraints = ">= 2.0.0" - hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "h1:nwEVpUhaxWeG5C81lwaI5buwrp1NI/mH1FFqsB2nOHg=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} diff --git a/apps-devstg/us-east-1/security-audit/awscloudtrail.tf b/apps-devstg/us-east-1/security-audit/awscloudtrail.tf deleted file mode 100644 index 50ccd99b4..000000000 --- a/apps-devstg/us-east-1/security-audit/awscloudtrail.tf +++ /dev/null 
@@ -1,86 +0,0 @@
-module "cloudtrail" {
- source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.21.0"
- namespace = var.project
- stage = var.environment
- name = "cloudtrail-org"
- enable_logging = true
- enable_log_file_validation = true
- include_global_service_events = true
- is_multi_region_trail = true
- s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
- cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
- cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
- kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
-}
-
-module "cloudtrail_api_alarms" {
- source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
- log_group_region = var.region
- log_group_name = aws_cloudwatch_log_group.cloudtrail.name
- metric_namespace = var.metric_namespace
- dashboard_enabled = var.create_dashboard
-
- # Uncomment if /notifications SNS is configured and you want to send notifications via slack
- sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
- metrics = local.metrics
-
- # KMS key use for encrypting the Amazon SNS topic.
- kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
-}
-
-#==================================================================#
- # setup cloudwatch logs group in order to receive cloudtrail events
-#==================================================================#
-resource "aws_cloudwatch_log_group" "cloudtrail" {
- name = "${var.project}-${var.environment}-cloudtrail"
- retention_in_days = "14"
- kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_arn
-
- tags = local.tags
-}
-
-#==================================================================#
- # setup role and policy to allow cloudtrail to write to cloudwatch
-#==================================================================#
-resource "aws_iam_role" "cloudtrail_cloudwatch_events" {
- name = "CloudtrailCloudwatchEvents"
- assume_role_policy = data.aws_iam_policy_document.assume_policy.json
-}
-
-data "aws_iam_policy_document" "assume_policy" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role_policy" "cloudtrail_cloudwatch_events_policy" {
- name = "CloudtrailCloudwatchEvents"
- role = aws_iam_role.cloudtrail_cloudwatch_events.id
- policy = data.aws_iam_policy_document.cloudtrail_role_policy.json
-}
-
-data "aws_iam_policy_document" "cloudtrail_role_policy" {
- statement {
- effect = "Allow"
- actions = ["logs:CreateLogStream"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.apps-devstg.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.apps-devstg.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-}
diff --git a/apps-devstg/us-east-1/security-audit/common-variables.tf b/apps-devstg/us-east-1/security-audit/common-variables.tf
deleted file mode 120000
index 81b884acd..000000000
--- a/apps-devstg/us-east-1/security-audit/common-variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../../config/common-variables.tf
\ No newline at end of file
diff --git a/apps-devstg/us-east-1/security-audit/config.tf b/apps-devstg/us-east-1/security-audit/config.tf
deleted file mode 100644
index b44514c56..000000000
--- a/apps-devstg/us-east-1/security-audit/config.tf
+++ /dev/null
@@ -1,72 +0,0 @@
-#=============================#
-# AWS Provider Settings #
-#=============================#
-provider "aws" {
- region = var.region
- profile = var.profile
-}
-
-#=============================#
-# Backend Config (partial) #
-#=============================#
-terraform {
- required_version = "~> 1.2.7"
-
- required_providers {
- aws = "~> 4.10"
- }
-
- backend "s3" {
- key = "apps-devstg/security-audit/terraform.tfstate"
- }
-}
-
-#=============================#
-# Data sources #
-#=============================#
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-
-data "terraform_remote_state" "keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/security-keys/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "notifications" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/notifications/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_audit" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-audit/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-keys/terraform.tfstate"
- }
-}
diff --git a/apps-devstg/us-east-1/security-audit/locals.tf b/apps-devstg/us-east-1/security-audit/locals.tf
deleted file mode 100644
index 81dc4659f..000000000
--- a/apps-devstg/us-east-1/security-audit/locals.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-locals {
- region = var.region == null ? data.aws_region.current.name : var.region
-
- alarm_suffix = "${var.environment}-account"
-
- alarm_defaults = {
- period = 300 // 5 min
- threshold = 1
- comparison_operator = "GreaterThanOrEqualToThreshold"
- evaluation_periods = 1
- statistic = "Sum"
- treat_missing_data = "notBreaching"
- }
-
- metrics = {
- for metric in var.metrics : local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix])) : lookup(metric, "metric_name", null) => {
- metric_name = lookup(metric, "metric_name", null)
- filter_pattern = lookup(metric, "filter_pattern", null)
- metric_namespace = var.metric_namespace != null ? var.metric_namespace : lookup(metric, "metric_namespace", null)
- metric_value = lookup(metric, "metric_value", null)
- alarm_name = local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix, "alarm"])) : "${lookup(metric, "metric_name", null)}-alarm"
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", null)
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", null)
- alarm_period = lookup(metric, "alarm_period", local.alarm_defaults["period"])
- alarm_statistic = lookup(metric, "alarm_statistic", null)
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", null)
- alarm_threshold = lookup(metric, "alarm_threshold", local.alarm_defaults["threshold"])
- alarm_description = lookup(metric, "alarm_description", null)
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", local.alarm_defaults["comparison_operator"])
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", local.alarm_defaults["evaluation_periods"])
- alarm_statistic = lookup(metric, "alarm_statistic", local.alarm_defaults["statistic"])
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", local.alarm_defaults["treat_missing_data"])
- }
- }
-
- tags = {
- Terraform = "true"
- Environment = var.environment
- }
-}
diff --git a/apps-devstg/us-east-1/security-audit/logs.tf b/apps-devstg/us-east-1/security-audit/logs.tf
deleted file mode 100644
index ecc92feb0..000000000
--- a/apps-devstg/us-east-1/security-audit/logs.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-module "s3_bucket_alb_logs" {
- source = "github.com/binbashar/terraform-aws-s3-bucket.git?ref=v3.7.0"
- count = var.create_alb_logs_bucket ? 1 : 0
-
- bucket = "${var.project}-${var.environment}-alb-logs"
- acl = "log-delivery-write"
-
- versioning = {
- enabled = true
- }
-
- # Allow deletion of non-empty bucket
- force_destroy = true
-
- attach_elb_log_delivery_policy = true # Required for ALB logs
- attach_lb_log_delivery_policy = true # Required for ALB/NLB logs
-
- # S3 bucket-level Public Access Block configuration
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
diff --git a/apps-devstg/us-east-1/security-audit/metrics.auto.tfvars b/apps-devstg/us-east-1/security-audit/metrics.auto.tfvars
deleted file mode 100644
index f949d81e7..000000000
--- a/apps-devstg/us-east-1/security-audit/metrics.auto.tfvars
+++ /dev/null
@@ -1,102 +0,0 @@
-metrics = [
- {
- metric_name = "AuthorizationFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthorized API call is made."
- filter_pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- alarm_period = "120"
- alarm_threshold = "10"
- },
- {
- metric_name = "S3BucketActivityEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to S3 to put or delete a Bucket, Bucket Policy or Bucket ACL."
- filter_pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- },
- {
- metric_name = "SecurityGroupEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Security Group."
- filter_pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
- },
- {
- metric_name = "NetworkAclEventCount",
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Network ACL."
- filter_pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- },
- {
- metric_name = "GatewayEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway."
- filter_pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- },
- {
- metric_name = "VpcEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic."
- filter_pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }",
-
- },
- {
- metric_name = "EC2InstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }"
- },
- {
- metric_name = "EC2LargeInstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x-large or greater EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge) || ($.requestParameters.instanceType = *.16xlarge) || ($.requestParameters.instanceType = *.10xlarge) || ($.requestParameters.instanceType = *.12xlarge) || ($.requestParameters.instanceType = *.24xlarge)) }"
- },
- {
- metric_name = "CloudTrailEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a .cloudtrail. trail, or to start or stop logging to a trail."
- filter_pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- },
- {
- metric_name = "ConsoleSignInFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthenticated API call is made to sign into the console."
- filter_pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
- },
- {
- metric_name = "IAMPolicyEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to change an IAM policy."
- filter_pattern = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) ||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- },
- {
- metric_name = "ConsoleSignInWithoutMfaCount"
- metric_value = "1"
- alarm_description = "Alarms when a user logs into the console without MFA."
- filter_pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- },
- {
- metric_name = "RootAccountUsageCount"
- metric_value = "1"
- alarm_description = "Alarms when a root account usage is detected."
- filter_pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
- },
- {
- metric_name = "KMSKeyPendingDeletionErrorCount"
- metric_value = "1"
- alarm_description = "Alarms when a customer created KMS key is pending deletion."
- filter_pattern = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}"
- },
- {
- metric_name = "AWSConfigChangeCount"
- metric_value = "1"
- alarm_description = "Alarms when AWS Config changes."
- filter_pattern = "{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
- },
- {
- metric_name = "RouteTableChangesCount"
- metric_value = "1"
- alarm_description = "Alarms when route table changes are detected."
- filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
- },
-]
-
diff --git a/apps-devstg/us-east-1/security-audit/variables.tf b/apps-devstg/us-east-1/security-audit/variables.tf
deleted file mode 100644
index bbf09bd06..000000000
--- a/apps-devstg/us-east-1/security-audit/variables.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-#===========================================#
-# Security #
-#===========================================#
-variable "metric_namespace" {
- type = string
- description = "A namespace for grouping all of the metrics together"
- default = "CISBenchmark"
-}
-
-variable "create_dashboard" {
- type = bool
- description = "When true a dashboard that displays the statistics as a line graph will be created in CloudWatch"
- default = false
-}
-
-variable "metrics" {
- type = any
- description = "Metrics definitions"
- default = {}
-}
-
-variable "create_alb_logs_bucket" {
- type = bool
- default = false
-}
diff --git a/apps-prd/us-east-1/security-audit/.terraform.lock.hcl b/apps-prd/us-east-1/security-audit/.terraform.lock.hcl
deleted file mode 100644
index 122923871..000000000
--- a/apps-prd/us-east-1/security-audit/.terraform.lock.hcl
+++ /dev/null
@@ -1,68 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.46.0" - constraints = ">= 2.0.0, >= 3.0.0, ~> 4.10" - hashes = [ - "h1:1+HdnLUAzb8FDfWs/Mpyv8r2OjYh9Fpyu9Dgj8v+ZuA=", - "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=", - "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2", - "zh:329903acf86ef6072502736dff4c43c2b50f762a958f76aa924e2d74c7fca1e3", - "zh:33db8131fe0ec7e1d9f30bc9f65c2440e9c1f708d681b6062757a351f1df7ce6", - "zh:3a3b010bc393784c16f4b6cdce7f76db93d5efa323fce4920bfea9e9ba6abe44", - "zh:979e2713a5759a7483a065e149e3cb69db9225326fc0457fa3fc3a48aed0c63f", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9efcf0067e16ad53da7504178a05eb2118770b4ae00c193c10ecad4cbfce308e", - "zh:a10655bf1b6376ab7f3e55efadf54dc70f7bd07ca11369557c312095076f9d62", - "zh:b0394dd42cbd2a718a7dd7ae0283f04769aaf8b3d52664e141da59c0171a11ab", - "zh:b958e614c2cf6d9c05a6ad5e94dc5c04b97ebfb84415da068be5a081b5ebbe24", - "zh:ba5069e624210c63ad9e633a8eb0108b21f2322bc4967ba2b82d09168c466888", - "zh:d7dfa597a17186e7f4d741dd7111849f1c0dd6f7ebc983043d8262d2fb37b408", - "zh:e8a641ca2c99f96d64fa2725875e797273984981d3e54772a2823541c44e3cd3", - "zh:f89898b7067c4246293a8007f59f5cfcac7b8dd251d39886c7a53ba596251466", - "zh:fb1e1df1d5cc208e08a850f8e84423bce080f01f5e901791c79df369d3ed52f2", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.2.3" - constraints = ">= 1.3.0" - hashes = [ - "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=", - "h1:m79NYOmoeeLZfRMRCmOoCe2bcCuCwuMppPpj1g5mHLU=", - "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", - "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", - "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - 
"zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", - "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", - "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", - "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", - "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", - "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", - "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", - "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - constraints = ">= 2.0.0" - hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "h1:nwEVpUhaxWeG5C81lwaI5buwrp1NI/mH1FFqsB2nOHg=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} diff --git a/apps-prd/us-east-1/security-audit/awscloudtrail.tf b/apps-prd/us-east-1/security-audit/awscloudtrail.tf deleted file mode 100644 index 65db702e0..000000000 --- a/apps-prd/us-east-1/security-audit/awscloudtrail.tf +++ /dev/null 
@@ -1,86 +0,0 @@
-module "cloudtrail" {
- source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
- namespace = var.project
- stage = var.environment
- name = "cloudtrail-org"
- enable_logging = true
- enable_log_file_validation = true
- include_global_service_events = true
- is_multi_region_trail = true
- s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
- cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
- cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
- kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
-}
-
-module "cloudtrail_api_alarms" {
- source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
- log_group_region = var.region
- log_group_name = aws_cloudwatch_log_group.cloudtrail.name
- metric_namespace = var.metric_namespace
- dashboard_enabled = var.create_dashboard
-
- # Uncomment if /notifications SNS is configured and you want to send notifications via slack
- sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
- metrics = local.metrics
-
- # KMS key use for encrypting the Amazon SNS topic.
- kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
-}
-
-#==================================================================#
- # setup cloudwatch logs group in order to receive cloudtrail events
-#==================================================================#
-resource "aws_cloudwatch_log_group" "cloudtrail" {
- name = "${var.project}-${var.environment}-cloudtrail"
- retention_in_days = "14"
- kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_arn
-
- tags = local.tags
-}
-
-#==================================================================#
- # setup role and policy to allow cloudtrail to write to cloudwatch
-#==================================================================#
-resource "aws_iam_role" "cloudtrail_cloudwatch_events" {
- name = "CloudtrailCloudwatchEvents"
- assume_role_policy = data.aws_iam_policy_document.assume_policy.json
-}
-
-data "aws_iam_policy_document" "assume_policy" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role_policy" "cloudtrail_cloudwatch_events_policy" {
- name = "CloudtrailCloudwatchEvents"
- role = aws_iam_role.cloudtrail_cloudwatch_events.id
- policy = data.aws_iam_policy_document.cloudtrail_role_policy.json
-}
-
-data "aws_iam_policy_document" "cloudtrail_role_policy" {
- statement {
- effect = "Allow"
- actions = ["logs:CreateLogStream"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.apps-prd.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.apps-prd.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-}
diff --git a/apps-prd/us-east-1/security-audit/common-variables.tf b/apps-prd/us-east-1/security-audit/common-variables.tf deleted file mode 120000 index 81b884acd..000000000 --- a/apps-prd/us-east-1/security-audit/common-variables.tf +++ /dev/null @@ -1 +0,0 @@ -../../../config/common-variables.tf \ No newline at end of file diff --git a/apps-prd/us-east-1/security-audit/config.tf b/apps-prd/us-east-1/security-audit/config.tf deleted file mode 100644 index 506468ec8..000000000 --- a/apps-prd/us-east-1/security-audit/config.tf +++ /dev/null 
@@ -1,75 +0,0 @@ -#=============================# -# AWS Provider Settings # -#=============================# -provider "aws" { - region = var.region - profile = var.profile -} - -#=============================# -# Backend Config (partial) # -#=============================# -terraform { - required_version = "~> 1.2.7" - - required_providers { - aws = "~> 4.10" - } - - backend "s3" { - key = "apps-prd/security-audit/terraform.tfstate" - } -} - -#=============================# -# Data sources # -#=============================# -data "aws_caller_identity" "current" {} -data "aws_region" "current" {} - -# -# data type from output for notifications -# -data "terraform_remote_state" "notifications" { - backend = "s3" - - config = { - region = var.region - profile = var.profile - bucket = var.bucket - key = "${var.environment}/notifications/terraform.tfstate" - } -} - -data "terraform_remote_state" "keys" { - backend = "s3" - - config = { - region = var.region - profile = var.profile - bucket = var.bucket - key = "${var.environment}/security-keys/terraform.tfstate" - } -} - -data "terraform_remote_state" "security_audit" { - backend = "s3" - - config = { - region = var.region - profile = "${var.project}-security-devops" - bucket = "${var.project}-security-terraform-backend" - key = "security/security-audit/terraform.tfstate" - } -} - -data "terraform_remote_state" "security_keys" { - backend = "s3" - - config = { - region = var.region - profile = "${var.project}-security-devops" - bucket = "${var.project}-security-terraform-backend" - key = "security/security-keys/terraform.tfstate" - } -} diff --git a/apps-prd/us-east-1/security-audit/locals.tf b/apps-prd/us-east-1/security-audit/locals.tf deleted file mode 100644 index d0560bd67..000000000 --- a/apps-prd/us-east-1/security-audit/locals.tf +++ /dev/null 
@@ -1,41 +0,0 @@
-locals {
-
- region = var.region == null ? data.aws_region.current.name : var.region
-
- alarm_suffix = "${var.environment}-account"
-
- alarm_defaults = {
- period = 300 // 5 min
- threshold = 1
- comparison_operator = "GreaterThanOrEqualToThreshold"
- evaluation_periods = 1
- statistic = "Sum"
- treat_missing_data = "notBreaching"
- }
-
- metrics = {
- for metric in var.metrics : local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix])) : lookup(metric, "metric_name", null) => {
- metric_name = lookup(metric, "metric_name", null)
- filter_pattern = lookup(metric, "filter_pattern", null)
- metric_namespace = var.metric_namespace != null ? var.metric_namespace : lookup(metric, "metric_namespace", null)
- metric_value = lookup(metric, "metric_value", null)
- alarm_name = local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix, "alarm"])) : "${lookup(metric, "metric_name", null)}-alarm"
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", null)
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", null)
- alarm_period = lookup(metric, "alarm_period", local.alarm_defaults["period"])
- alarm_statistic = lookup(metric, "alarm_statistic", null)
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", null)
- alarm_threshold = lookup(metric, "alarm_threshold", local.alarm_defaults["threshold"])
- alarm_description = lookup(metric, "alarm_description", null)
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", local.alarm_defaults["comparison_operator"])
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", local.alarm_defaults["evaluation_periods"])
- alarm_statistic = lookup(metric, "alarm_statistic", local.alarm_defaults["statistic"])
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", local.alarm_defaults["treat_missing_data"])
- }
- }
-
- tags = 
{
- Terraform = "true"
- Environment = var.environment
- }
-}
diff --git a/apps-prd/us-east-1/security-audit/metrics.auto.tfvars b/apps-prd/us-east-1/security-audit/metrics.auto.tfvars
deleted file mode 100644
index f949d81e7..000000000
--- a/apps-prd/us-east-1/security-audit/metrics.auto.tfvars
+++ /dev/null
@@ -1,102 +0,0 @@
-metrics = [
- {
- metric_name = "AuthorizationFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthorized API call is made."
- filter_pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- alarm_period = "120"
- alarm_threshold = "10"
- },
- {
- metric_name = "S3BucketActivityEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to S3 to put or delete a Bucket, Bucket Policy or Bucket ACL."
- filter_pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- },
- {
- metric_name = "SecurityGroupEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Security Group."
- filter_pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
- },
- {
- metric_name = "NetworkAclEventCount",
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Network ACL."
- filter_pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- },
- {
- metric_name = "GatewayEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway."
- filter_pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- },
- {
- metric_name = "VpcEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic."
- filter_pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }",
-
- },
- {
- metric_name = "EC2InstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }"
- },
- {
- metric_name = "EC2LargeInstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x-large or greater EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge) || ($.requestParameters.instanceType = *.16xlarge) || ($.requestParameters.instanceType = *.10xlarge) || ($.requestParameters.instanceType = *.12xlarge) || ($.requestParameters.instanceType = *.24xlarge)) }"
- },
- {
- metric_name = "CloudTrailEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a .cloudtrail. trail, or to start or stop logging to a trail."
- filter_pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- },
- {
- metric_name = "ConsoleSignInFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthenticated API call is made to sign into the console."
- filter_pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
- },
- {
- metric_name = "IAMPolicyEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to change an IAM policy."
- filter_pattern = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) ||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- },
- {
- metric_name = "ConsoleSignInWithoutMfaCount"
- metric_value = "1"
- alarm_description = "Alarms when a user logs into the console without MFA."
- filter_pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- },
- {
- metric_name = "RootAccountUsageCount"
- metric_value = "1"
- alarm_description = "Alarms when a root account usage is detected."
- filter_pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
- },
- {
- metric_name = "KMSKeyPendingDeletionErrorCount"
- metric_value = "1"
- alarm_description = "Alarms when a customer created KMS key is pending deletion."
- filter_pattern = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}"
- },
- {
- metric_name = "AWSConfigChangeCount"
- metric_value = "1"
- alarm_description = "Alarms when AWS Config changes."
- filter_pattern = "{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
- },
- {
- metric_name = "RouteTableChangesCount"
- metric_value = "1"
- alarm_description = "Alarms when route table changes are detected."
- filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
- },
-]
-
diff --git a/apps-prd/us-east-1/security-audit/variables.tf b/apps-prd/us-east-1/security-audit/variables.tf
deleted file mode 100644
index 18780deea..000000000
--- a/apps-prd/us-east-1/security-audit/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-#===========================================#
-# Security #
-#===========================================#
-variable "metric_namespace" {
- type = string
- description = "A namespace for grouping all of the metrics together"
- default = "CISBenchmark"
-}
-
-variable "create_dashboard" {
- type = bool
- description = "When true a dashboard that displays the statistics as a line graph will be created in CloudWatch"
- default = false
-}
-
-variable "metrics" {
- type = any
- description = "Metrics definitions"
- default = {}
-}
diff --git a/management/global/organizations/.terraform.lock.hcl b/management/global/organizations/.terraform.lock.hcl
index 9c5019fa1..932256e3e 100644
--- a/management/global/organizations/.terraform.lock.hcl
+++ b/management/global/organizations/.terraform.lock.hcl
@@ -2,43 +2,43 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.67.0" - constraints = "~> 4.0" + version = "5.73.0" + constraints = "~> 5.0" hashes = [ - "h1:dCRc4GqsyfqHEMjgtlM1EympBcgTmcTkWaJmtd91+KA=", - "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060", - "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6", - "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183", - "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1", - "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29", - "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7", - "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043", - "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362", - "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b", + "h1:j7FKP03yef+XO3EqgVs67emtFJZaxWEVYBepJdKOnLA=", + "zh:0d24edc51ab6600f56d759831658a9d7a8f69b53900546b75038fc8e3f312406", + "zh:1f8b8414f710a8c5a8777cb1ef1cad1cb4293bc035deb804734a8ec698b0850d", + "zh:2cf76b03564051ee86ef5fbdaea1949e3af549f8836e56371fe94335cf795e1c", + "zh:2ffe05c62b4ae6292dda66cd3a3cbe3e290a1a04369f3e6f74812e885cf3f2f0", + "zh:3564069d9bc918e5bded252d65b6a8758d08b309e1ac54bf7c8e5947a94cdadc", + "zh:4eb5395d52cfcb3c78e86c4ca3759bf9736e0e8dfa6955b0e1a59d9a7f41d805", + "zh:6cd14cbabbcf8b1c15fa73f9ebba4d4df41215ef92bf8d14a3780a7cb571e5c4", + "zh:6f7dc212dee1be2edb4620d352d9b0ea759744b5be08b84012a7621efa262052", + "zh:7468a490d6df04a401f49422c86b46ef91eba00878cc9a5ec3ee4a12fe9447d0", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf", - "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b", - "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c", - "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c", 
- "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d", + "zh:b440ff1be9fc62235b2dcb522dd922cefe751065ba4a601415130462e79fb68e", + "zh:d53dfd7311d8f130f0ce3184ed50461c34086d3490913a0d80d63574dac104a6", + "zh:de9a130dd684aed5b89edc7ce44aef37fa38eca06549035cf387cde9d3937432", + "zh:e0922d81fbed02062a74ea126d3cc6830fa0c8eac92108825d1120a262980831", + "zh:fdd6cdabcf5e9bedb3a419ac18bd12b5b02d8371ba0fb2a6123420937354c8e1", ] } provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" + version = "3.2.3" hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + 
"zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
+ "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+ "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+ "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+ "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
 ]
 }
diff --git a/management/global/organizations/config.tf b/management/global/organizations/config.tf
index 274bf843e..a2580f091 100644
--- a/management/global/organizations/config.tf
+++ b/management/global/organizations/config.tf
@@ -13,7 +13,7 @@ terraform {
 required_version = "~> 1.2"
 
 required_providers {
- aws = "~> 4.0"
+ aws = "~> 5.0"
 }
 
 backend "s3" {
diff --git a/management/global/organizations/organization.tf b/management/global/organizations/organization.tf
index a2c73c2da..740d718df 100644
--- a/management/global/organizations/organization.tf
+++ b/management/global/organizations/organization.tf
@@ -15,6 +15,8 @@ resource "aws_organizations_organization" "main" {
 "sso.amazonaws.com",
 "fms.amazonaws.com",
 "inspector2.amazonaws.com",
+ "cost-optimization-hub.bcm.amazonaws.com",
+ "securityhub.amazonaws.com",
 ]
 
 # Enable all feature set to enable SCPs
@@ -43,4 +45,8 @@ resource "aws_organizations_delegated_administrator" "delegated_administrator" {
 resource "aws_iam_service_linked_role" "linked_roles" {
 for_each = toset(local.delegated_services)
 aws_service_name = each.key
-}
\ No newline at end of file
+}
+
+resource "aws_cloudtrail_organization_delegated_admin_account" "main" {
+ account_id = aws_organizations_account.accounts["security"].id
+}
diff --git a/management/us-east-1/security-audit/awscloudtrail.tf b/management/us-east-1/security-audit/awscloudtrail.tf
deleted file mode 100644
index 0f69dd677..000000000
--- a/management/us-east-1/security-audit/awscloudtrail.tf
+++ /dev/null
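Review bot: `aws_cloudtrail_organization_delegated_admin_account.main` registers the security account as CloudTrail delegated administrator, but that registration only succeeds when trusted access for `cloudtrail.amazonaws.com` is already enabled on the organization; the `aws_service_access_principals` list begins above the first hunk, so if that principal is not already in it, it belongs next to the two new entries, e.g. `"cloudtrail.amazonaws.com",`. Unless `aws_organizations_account.accounts` already references `aws_organizations_organization.main`, nothing orders the new resource after the organization's trusted-access update, so `depends_on = [aws_organizations_organization.main]` on the new resource would make that ordering explicit. The same commit deletes the per-account trails and CIS CloudWatch metric alarms (the `security-audit` layers under apps-prd, management and network), so detections such as root usage, console login without MFA and IAM/CloudTrail changes now rest entirely on an organization trail and alarms being provisioned from the delegated security account, which this diff does not show; a comment on the new resource naming that replacement layer, e.g. `# Org trail and CIS alarms are managed from the security account (delegated admin)`, would tell the next reader where coverage moved. The enclosing `aws_organizations_organization.main` block starts outside the first hunk.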
@@ -1,86 +0,0 @@
-module "cloudtrail" {
- source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
- namespace = var.project
- stage = var.environment
- name = "cloudtrail-org"
- enable_logging = "true"
- enable_log_file_validation = "true"
- include_global_service_events = "true"
- is_multi_region_trail = "true"
- s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
- cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
- cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
- kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
-}
-
-module "cloudtrail_api_alarms" {
- source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
- log_group_region = var.region
- log_group_name = aws_cloudwatch_log_group.cloudtrail.name
- metric_namespace = var.metric_namespace
- dashboard_enabled = var.create_dashboard
-
- # Uncomment if /notifications SNS is configured and you want to send notifications via slack
- sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
- metrics = local.metrics
-
- # KMS key use for encrypting the Amazon SNS topic.
- kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
-}
-
-#==================================================================#
-# setup cloudwatch logs group in order to receive cloudtrail events
-#==================================================================#
-resource "aws_cloudwatch_log_group" "cloudtrail" {
- name = "${var.project}-${var.environment}-cloudtrail"
- retention_in_days = "14"
- kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_arn
-
- tags = local.tags
-}
-
-#==================================================================#
-# setup role and policy to allow cloudtrail to write to cloudwatch
-#==================================================================#
-resource "aws_iam_role" "cloudtrail_cloudwatch_events" {
- name = "CloudtrailCloudwatchEvents"
- assume_role_policy = data.aws_iam_policy_document.assume_policy.json
-}
-
-data "aws_iam_policy_document" "assume_policy" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role_policy" "cloudtrail_cloudwatch_events_policy" {
- name = "CloudtrailCloudwatchEvents"
- role = aws_iam_role.cloudtrail_cloudwatch_events.id
- policy = data.aws_iam_policy_document.cloudtrail_role_policy.json
-}
-
-data "aws_iam_policy_document" "cloudtrail_role_policy" {
- statement {
- effect = "Allow"
- actions = ["logs:CreateLogStream"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.root.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.root.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-}
diff --git a/management/us-east-1/security-audit/common-variables.tf b/management/us-east-1/security-audit/common-variables.tf
deleted file mode 120000
index 81b884acd..000000000
--- a/management/us-east-1/security-audit/common-variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../../config/common-variables.tf
\ No newline at end of file
diff --git a/management/us-east-1/security-audit/config.tf b/management/us-east-1/security-audit/config.tf
deleted file mode 100644
index c3983dae7..000000000
--- a/management/us-east-1/security-audit/config.tf
+++ /dev/null
@@ -1,72 +0,0 @@
-#=============================#
-# AWS Provider Settings #
-#=============================#
-provider "aws" {
- region = var.region
- profile = var.profile
-}
-
-#=============================#
-# Backend Config (partial) #
-#=============================#
-terraform {
- required_version = "~> 1.2.7"
-
- required_providers {
- aws = "~> 4.10"
- }
-
- backend "s3" {
- key = "root/security-audit/terraform.tfstate"
- }
-}
-
-#=============================#
-# Data sources #
-#=============================#
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-
-data "terraform_remote_state" "keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/security-keys/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "notifications" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/notifications/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_audit" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-audit/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-keys/terraform.tfstate"
- }
-}
diff --git a/management/us-east-1/security-audit/locals.tf b/management/us-east-1/security-audit/locals.tf
deleted file mode 100644
index d0560bd67..000000000
--- a/management/us-east-1/security-audit/locals.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-locals {
-
- region = var.region == null ? data.aws_region.current.name : var.region
-
- alarm_suffix = "${var.environment}-account"
-
- alarm_defaults = {
- period = 300 // 5 min
- threshold = 1
- comparison_operator = "GreaterThanOrEqualToThreshold"
- evaluation_periods = 1
- statistic = "Sum"
- treat_missing_data = "notBreaching"
- }
-
- metrics = {
- for metric in var.metrics : local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix])) : lookup(metric, "metric_name", null) => {
- metric_name = lookup(metric, "metric_name", null)
- filter_pattern = lookup(metric, "filter_pattern", null)
- metric_namespace = var.metric_namespace != null ? var.metric_namespace : lookup(metric, "metric_namespace", null)
- metric_value = lookup(metric, "metric_value", null)
- alarm_name = local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix, "alarm"])) : "${lookup(metric, "metric_name", null)}-alarm"
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", null)
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", null)
- alarm_period = lookup(metric, "alarm_period", local.alarm_defaults["period"])
- alarm_statistic = lookup(metric, "alarm_statistic", null)
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", null)
- alarm_threshold = lookup(metric, "alarm_threshold", local.alarm_defaults["threshold"])
- alarm_description = lookup(metric, "alarm_description", null)
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", local.alarm_defaults["comparison_operator"])
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", local.alarm_defaults["evaluation_periods"])
- alarm_statistic = lookup(metric, "alarm_statistic", local.alarm_defaults["statistic"])
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", local.alarm_defaults["treat_missing_data"])
- }
- }
-
- tags = 
{
- Terraform = "true"
- Environment = var.environment
- }
-}
diff --git a/management/us-east-1/security-audit/metrics.auto.tfvars b/management/us-east-1/security-audit/metrics.auto.tfvars
deleted file mode 100644
index 31d10f0c0..000000000
--- a/management/us-east-1/security-audit/metrics.auto.tfvars
+++ /dev/null
@@ -1,102 +0,0 @@
-metrics = [
- {
- metric_name = "AuthorizationFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthorized API call is made."
- filter_pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- alarm_period = "120"
- alarm_threshold = "10"
- },
- {
- metric_name = "S3BucketActivityEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to S3 to put or delete a Bucket, Bucket Policy or Bucket ACL."
- filter_pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- },
- {
- metric_name = "SecurityGroupEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Security Group."
- filter_pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
- },
- {
- metric_name = "NetworkAclEventCount",
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Network ACL."
- filter_pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- },
- {
- metric_name = "GatewayEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway."
- filter_pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- },
- {
- metric_name = "VpcEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic."
- filter_pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }",
-
- },
- {
- metric_name = "EC2InstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }"
- },
- {
- metric_name = "EC2LargeInstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x-large or greater EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge) || ($.requestParameters.instanceType = *.16xlarge) || ($.requestParameters.instanceType = *.10xlarge) || ($.requestParameters.instanceType = *.12xlarge) || ($.requestParameters.instanceType = *.24xlarge)) }"
- },
- {
- metric_name = "CloudTrailEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a .cloudtrail. trail, or to start or stop logging to a trail."
- filter_pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- },
- {
- metric_name = "ConsoleSignInFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthenticated API call is made to sign into the console."
- filter_pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
- },
- {
- metric_name = "IAMPolicyEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to change an IAM policy."
- filter_pattern = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) ||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- },
- {
- metric_name = "ConsoleSignInWithoutMfaCount"
- metric_value = "1"
- alarm_description = "Alarms when a user logs into the console without MFA."
- filter_pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && $.userIdentity.arn != \"*AWSReservedSSO*\" }"
- },
- {
- metric_name = "RootAccountUsageCount"
- metric_value = "1"
- alarm_description = "Alarms when a root account usage is detected."
- filter_pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
- },
- {
- metric_name = "KMSKeyPendingDeletionErrorCount"
- metric_value = "1"
- alarm_description = "Alarms when a customer created KMS key is pending deletion."
- filter_pattern = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}"
- },
- {
- metric_name = "AWSConfigChangeCount"
- metric_value = "1"
- alarm_description = "Alarms when AWS Config changes."
- filter_pattern = "{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
- },
- {
- metric_name = "RouteTableChangesCount"
- metric_value = "1"
- alarm_description = "Alarms when route table changes are detected."
- filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
- },
-]
-
diff --git a/management/us-east-1/security-audit/variables.tf b/management/us-east-1/security-audit/variables.tf
deleted file mode 100644
index 18780deea..000000000
--- a/management/us-east-1/security-audit/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-#===========================================#
-# Security #
-#===========================================#
-variable "metric_namespace" {
- type = string
- description = "A namespace for grouping all of the metrics together"
- default = "CISBenchmark"
-}
-
-variable "create_dashboard" {
- type = bool
- description = "When true a dashboard that displays the statistics as a line graph will be created in CloudWatch"
- default = false
-}
-
-variable "metrics" {
- type = any
- description = "Metrics definitions"
- default = {}
-}
diff --git a/network/us-east-1/security-audit/.terraform.lock.hcl b/network/us-east-1/security-audit/.terraform.lock.hcl
deleted file mode 100644
index 0153828a1..000000000
--- a/network/us-east-1/security-audit/.terraform.lock.hcl
+++ /dev/null
@@ -1,62 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.36.0" - constraints = ">= 2.0.0, >= 3.0.0, ~> 4.10" - hashes = [ - "h1:22Ha2jCqtHjc2MRsGQZWggDDb61kKgI98I5ddho8rq0=", - "zh:07f96a0f4a7b6c1a0f77e27c10b566fe95d77673eff0f0d55cda2ce736ef0ffa", - "zh:64d60fba58515708f06eb97b310951d1c021f4d7a25c74d82274acb61494a984", - "zh:6dbc3e14521013920228e1e689527d30ce3ff91b3102014dea4a90e94a25dd1b", - "zh:6e3eaf4d2b3a9fd934193202f5b1d2122cacfc0db83602d60933b50445d00457", - "zh:6e6d824b4911df25e90555c06a9330875796ddb14e4ea925ea8683530dcaad78", - "zh:8324c3f45662fb46ab2c194536f4c02e13927e8d08ab69abc610e938ce2742eb", - "zh:83d85aa05832db2ab7ada74f677148b62c155dd269e105945a613068656072db", - "zh:87e6d5c876ad5ac24029fab7b5f187ade00f7d93329d048a192c18b8d317be58", - "zh:886d5dbf8b71bbd7c6fac80e7df998961d1c1cd217e5314d8bcb5c7b7d44418b", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:aca15934b6e3631cbc846a4331e87ed37dfa4209cfd4552caf5ac6120219b2c4", - "zh:bc7b4b30b085f12b463ea13ad3878c6dd8d027520c8c0fd919bd688dfe118b39", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.2.3" - constraints = ">= 1.3.0" - hashes = [ - "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=", - "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", - "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", - "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", - "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", - "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", - "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", - 
"zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", - "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", - "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", - "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.1.1" - constraints = ">= 2.0.0" - hashes = [ - "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=", - "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", - "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", - "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", - "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", - "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", - "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", - "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46", - "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924", - "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b", - "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f", - ] -} diff --git a/network/us-east-1/security-audit/awscloudtrail.tf b/network/us-east-1/security-audit/awscloudtrail.tf deleted file mode 100644 index c88014d06..000000000 --- a/network/us-east-1/security-audit/awscloudtrail.tf +++ /dev/null 
@@ -1,86 +0,0 @@
-module "cloudtrail" {
- source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
- namespace = var.project
- stage = var.environment
- name = "cloudtrail-org"
- enable_logging = true
- enable_log_file_validation = true
- include_global_service_events = true
- is_multi_region_trail = true
- s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
- cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
- cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
- kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
-}
-
-module "cloudtrail_api_alarms" {
- source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
- log_group_region = var.region
- log_group_name = aws_cloudwatch_log_group.cloudtrail.name
- metric_namespace = var.metric_namespace
- dashboard_enabled = var.create_dashboard
-
- # Uncomment if /notifications SNS is configured and you want to send notifications via slack
- sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
- metrics = local.metrics
-
- # KMS key use for encrypting the Amazon SNS topic.
- kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
-}
-
-#==================================================================#
-# setup cloudwatch logs group in order to receive cloudtrail events
-#==================================================================#
-resource "aws_cloudwatch_log_group" "cloudtrail" {
- name = "${var.project}-${var.environment}-cloudtrail"
- retention_in_days = "14"
- kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_arn
-
- tags = local.tags
-}
-
-#==================================================================#
-# setup role and policy to allow cloudtrail to write to cloudwatch
-#==================================================================#
-resource "aws_iam_role" "cloudtrail_cloudwatch_events" {
- name = "CloudtrailCloudwatchEvents"
- assume_role_policy = data.aws_iam_policy_document.assume_policy.json
-}
-
-data "aws_iam_policy_document" "assume_policy" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role_policy" "cloudtrail_cloudwatch_events_policy" {
- name = "CloudtrailCloudwatchEvents"
- role = aws_iam_role.cloudtrail_cloudwatch_events.id
- policy = data.aws_iam_policy_document.cloudtrail_role_policy.json
-}
-
-data "aws_iam_policy_document" "cloudtrail_role_policy" {
- statement {
- effect = "Allow"
- actions = ["logs:CreateLogStream"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.network.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.network.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-}
diff --git a/network/us-east-1/security-audit/common-variables.tf b/network/us-east-1/security-audit/common-variables.tf
deleted file mode 120000
index 81b884acd..000000000
--- a/network/us-east-1/security-audit/common-variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../../config/common-variables.tf
\ No newline at end of file
diff --git a/network/us-east-1/security-audit/config.tf b/network/us-east-1/security-audit/config.tf
deleted file mode 100644
index f63ab06e2..000000000
--- a/network/us-east-1/security-audit/config.tf
+++ /dev/null
@@ -1,75 +0,0 @@
-#=============================#
-# AWS Provider Settings #
-#=============================#
-provider "aws" {
- region = var.region
- profile = var.profile
-}
-
-#=============================#
-# Backend Config (partial) #
-#=============================#
-terraform {
- required_version = "~> 1.2.7"
-
- required_providers {
- aws = "~> 4.10"
- }
-
- backend "s3" {
- key = "network/security-audit/terraform.tfstate"
- }
-}
-
-#=============================#
-# Data sources #
-#=============================#
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-
-#
-# data type from output for notifications
-#
-data "terraform_remote_state" "notifications" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/notifications/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/security-keys/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_audit" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-audit/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-keys/terraform.tfstate"
- }
-}
diff --git a/network/us-east-1/security-audit/locals.tf b/network/us-east-1/security-audit/locals.tf
deleted file mode 100644
index 97a0dd0ad..000000000
--- a/network/us-east-1/security-audit/locals.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-locals {
-
- region = var.region == null ? data.aws_region.current.name : var.region
-
- alarm_suffix = "${var.environment}-account"
-
- alarm_defaults = {
- period = 300 // 5 min
- threshold = 1
- comparison_operator = "GreaterThanOrEqualToThreshold"
- evaluation_periods = 1
- statistic = "Sum"
- treat_missing_data = "notBreaching"
- }
-
- metrics = {
- for metric in var.metrics : local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix])) : lookup(metric, "metric_name", null) => {
- metric_name = lookup(metric, "metric_name", null)
- filter_pattern = lookup(metric, "filter_pattern", null)
- metric_namespace = var.metric_namespace != null ? var.metric_namespace : lookup(metric, "metric_namespace", null)
- metric_value = lookup(metric, "metric_value", null)
- alarm_name = local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix, "alarm"])) : "${lookup(metric, "metric_name", null)}-alarm"
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", null)
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", null)
- alarm_period = lookup(metric, "alarm_period", local.alarm_defaults["period"])
- alarm_statistic = lookup(metric, "alarm_statistic", null)
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", null)
- alarm_threshold = lookup(metric, "alarm_threshold", local.alarm_defaults["threshold"])
- alarm_description = lookup(metric, "alarm_description", null)
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", local.alarm_defaults["comparison_operator"])
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", local.alarm_defaults["evaluation_periods"])
- alarm_statistic = lookup(metric, "alarm_statistic", local.alarm_defaults["statistic"])
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", local.alarm_defaults["treat_missing_data"])
- }
- }
- tags = {
- Terraform = "true"
- Environment = var.environment
- }
-}
diff --git a/network/us-east-1/security-audit/metrics.auto.tfvars b/network/us-east-1/security-audit/metrics.auto.tfvars
deleted file mode 100644
index f949d81e7..000000000
--- a/network/us-east-1/security-audit/metrics.auto.tfvars
+++ /dev/null
@@ -1,102 +0,0 @@
-metrics = [
- {
- metric_name = "AuthorizationFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthorized API call is made."
- filter_pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- alarm_period = "120"
- alarm_threshold = "10"
- },
- {
- metric_name = "S3BucketActivityEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to S3 to put or delete a Bucket, Bucket Policy or Bucket ACL."
- filter_pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- },
- {
- metric_name = "SecurityGroupEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Security Group."
- filter_pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
- },
- {
- metric_name = "NetworkAclEventCount",
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Network ACL."
- filter_pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- },
- {
- metric_name = "GatewayEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway."
- filter_pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- },
- {
- metric_name = "VpcEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic."
- filter_pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }",
-
- },
- {
- metric_name = "EC2InstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }"
- },
- {
- metric_name = "EC2LargeInstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x-large or greater EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge) || ($.requestParameters.instanceType = *.16xlarge) || ($.requestParameters.instanceType = *.10xlarge) || ($.requestParameters.instanceType = *.12xlarge) || ($.requestParameters.instanceType = *.24xlarge)) }"
- },
- {
- metric_name = "CloudTrailEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a .cloudtrail. trail, or to start or stop logging to a trail."
- filter_pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- },
- {
- metric_name = "ConsoleSignInFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthenticated API call is made to sign into the console."
- filter_pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
- },
- {
- metric_name = "IAMPolicyEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to change an IAM policy."
- filter_pattern = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) ||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- },
- {
- metric_name = "ConsoleSignInWithoutMfaCount"
- metric_value = "1"
- alarm_description = "Alarms when a user logs into the console without MFA."
- filter_pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- },
- {
- metric_name = "RootAccountUsageCount"
- metric_value = "1"
- alarm_description = "Alarms when a root account usage is detected."
- filter_pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
- },
- {
- metric_name = "KMSKeyPendingDeletionErrorCount"
- metric_value = "1"
- alarm_description = "Alarms when a customer created KMS key is pending deletion."
- filter_pattern = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}"
- },
- {
- metric_name = "AWSConfigChangeCount"
- metric_value = "1"
- alarm_description = "Alarms when AWS Config changes."
- filter_pattern = "{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
- },
- {
- metric_name = "RouteTableChangesCount"
- metric_value = "1"
- alarm_description = "Alarms when route table changes are detected."
- filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
- },
-]
-
diff --git a/network/us-east-1/security-audit/variables.tf b/network/us-east-1/security-audit/variables.tf
deleted file mode 100644
index ce8d2e65f..000000000
--- a/network/us-east-1/security-audit/variables.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-#===========================================#
-# Security #
-#===========================================#
-variable "metric_namespace" {
- type = string
- description = "A namespace for grouping all of the metrics together"
- default = "CISBenchmark"
-}
-
-variable "create_dashboard" {
- type = bool
- description = "When true a dashboard that displays the statistics as a line graph will be created in CloudWatch"
- default = false
-}
-
-variable "metrics" {
- type = any
- description = "Metrics definitions"
- default = {}
-}
-
-variable "alarm_suffix" {
- type = string
- description = "Alarm name suffix. You can use it to separate different AWS account. Set to `null` to avoid adding a suffix."
- default = null
-}
diff --git a/security/us-east-1/security-audit/awscloudtrail.tf b/security/us-east-1/security-audit/cloudtrail.tf
similarity index 55%
rename from security/us-east-1/security-audit/awscloudtrail.tf
rename to security/us-east-1/security-audit/cloudtrail.tf
index 4c6e65f21..4622a6928 100644
--- a/security/us-east-1/security-audit/awscloudtrail.tf
+++ b/security/us-east-1/security-audit/cloudtrail.tf
@@ -1,60 +1,76 @@ +# +# Create a centralized, multi-region, organizational trail in the Security account. +# IMPORTANT: before you can enable this, you must delegate the administration to +# the Security account from the Management account. +# module "cloudtrail" { - source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1" - namespace = var.project - stage = var.environment - name = "cloudtrail-org" - enable_logging = true - enable_log_file_validation = true + source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.24.0" + name = "${var.project}-${var.environment}-cloudtrail-org" + + # Include global services such as Route 53 or IAM include_global_service_events = true is_multi_region_trail = true + is_organization_trail = true + + # Enable to S3 and CloudWatch Logs (and store log validation files) + enable_logging = true + enable_log_file_validation = true + + # Send event logs to S3 s3_bucket_name = module.cloudtrail_s3_bucket.bucket_id + kms_key_arn = data.terraform_remote_state.keys.outputs.aws_kms_key_arn + + # Enable for API alarms cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*" cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn - kms_key_arn = data.terraform_remote_state.keys.outputs.aws_kms_key_arn - #is_organization_trail = true } +# +# Create an S3 bucket for storing CloudTrail event logs. +# This is typically used for setting a longer retention period than the 90 +# days that CloudTrail provides by default. 
+# module "cloudtrail_s3_bucket" { source = "github.com/binbashar/terraform-aws-cloudtrail-s3-bucket.git?ref=0.26.4" - namespace = var.project - stage = var.environment - name = "cloudtrail-org" + name = "${var.project}-${var.environment}-cloudtrail-org" lifecycle_rule_enabled = var.lifecycle_rule_enabled versioning_enabled = true - # - # NOTE: Had to pass null here because there seems to be an issue with the - # module which is trying to set tags to lifecycle policies - # - lifecycle_tags = null - - # - # NOTE: this actually isn't supported by the module. The issue is reported - # here: https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket/issues/19 - # - # policy = data.aws_iam_policy_document.cloudtrail_s3_bucket.json - acl = "private" - expiration_days = 120 + acl = "private" + expiration_days = 120 + tags = local.tags } +# +# Set up CloudWatch Alarms based on specific CloudTrail events. +# Refer to the file "metrics.auto.tfvars" to view the list of alarms and their specs. 
+# module "cloudtrail_api_alarms" { source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3" + + # The log group whose logs will be used for configuring metric filters and alarms log_group_region = var.region log_group_name = aws_cloudwatch_log_group.cloudtrail.name + + # The custom metrics that will be created via metric filters + metrics = local.metrics + + # The namespace under which the custom metrics will live metric_namespace = var.metric_namespace + + # Whether to enable a custom dashboard using the custom metrics that will be created dashboard_enabled = var.create_dashboard - # Uncomment if /notifications SNS is configured and you want to send notifications via slack - sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec - metrics = local.metrics + # Pass a custom SNS topic that will be hooked to the alarms that the module will create, + # otherwise the module will use its own topic + sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec - # KMS key use for encrypting the Amazon SNS topic. + # A KMS key that will be used for encrypting messages writtent to the SNS topic kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id - } -#==================================================================# -# setup cloudwatch logs group in order to receive cloudtrail events -#==================================================================# +# +# Set up a CloudWatch log group to receive CloudTrail events +# resource "aws_cloudwatch_log_group" "cloudtrail" { name = "${var.project}-${var.environment}-cloudtrail" retention_in_days = "14" 
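Review bot: The trail name and the KMS key policy are now coupled by an exact string: `name = "${var.project}-${var.environment}-cloudtrail-org"` is handed to the cloudtrail module here, while security-keys/kms.tf scopes `kms:EncryptionContext:aws:cloudtrail:arn` to `trail/${var.project}-${var.environment}-cloudtrail-org`. If module 0.24.0 still derives the trail name through its label (namespace and stage were dropped in this hunk), any delimiter or suffix it adds would leave CloudTrail unable to use the key, so the resulting trail name should be checked against that condition value, or both stacks should read it from one shared local. It is also not visible from this diff whether terraform-aws-cloudtrail-s3-bucket 0.26.4 grants the organization-trail write path in the bucket policy, which an organization trail needs in addition to the per-account path. Typo in the comment above `kms_master_key_id`: `writtent` should be `written`.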
@@ -63,9 +79,9 @@ resource "aws_cloudwatch_log_group" "cloudtrail" { tags = local.tags } -#==================================================================# -# setup role and policy to allow cloudtrail to write to cloudwatch -#==================================================================# +# +# Create a role & policy for CloudTrail to write its logs to CloudWatch logs +# resource "aws_iam_role" "cloudtrail_cloudwatch_events" { name = "CloudtrailCloudwatchEvents" assume_role_policy = data.aws_iam_policy_document.assume_policy.json @@ -91,18 +107,16 @@ resource "aws_iam_role_policy" "cloudtrail_cloudwatch_events_policy" { data "aws_iam_policy_document" "cloudtrail_role_policy" { statement { - effect = "Allow" - actions = ["logs:CreateLogStream"] - + effect = "Allow" + actions = [ "logs:CreateLogStream" ] resources = [ "arn:aws:logs:${var.region}:${var.accounts.security.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*", ] } statement { - effect = "Allow" - actions = ["logs:PutLogEvents"] - + effect = "Allow" + actions = [ "logs:PutLogEvents" ] resources = [ "arn:aws:logs:${var.region}:${var.accounts.security.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*", ] diff --git a/security/us-east-1/security-audit/config.tf b/security/us-east-1/security-audit/config.tf index c3147dac8..3e10c1224 100644 --- a/security/us-east-1/security-audit/config.tf +++ b/security/us-east-1/security-audit/config.tf @@ -13,7 +13,7 @@ terraform { required_version = "~> 1.3" required_providers { - aws = "~> 4.10" + aws = "~> 5.0" } backend "s3" { diff --git a/security/us-east-1/security-audit/metrics.auto.tfvars b/security/us-east-1/security-audit/metrics.auto.tfvars index 709a68f85..d6775e10e 100644 --- a/security/us-east-1/security-audit/metrics.auto.tfvars +++ b/security/us-east-1/security-audit/metrics.auto.tfvars 
@@ -99,4 +99,3 @@ metrics = [ filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" }, ] - diff --git a/security/us-east-1/security-keys/config.tf b/security/us-east-1/security-keys/config.tf index d51812d0f..1dd350373 100644 --- a/security/us-east-1/security-keys/config.tf +++ b/security/us-east-1/security-keys/config.tf @@ -10,10 +10,10 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = "~> 1.2.7" + required_version = "~> 1.3" required_providers { - aws = "~> 4.10" + aws = "~> 5.0" } backend "s3" { diff --git a/security/us-east-1/security-keys/kms.tf b/security/us-east-1/security-keys/kms.tf index 2511f2689..ca179b0b9 100644 --- a/security/us-east-1/security-keys/kms.tf +++ b/security/us-east-1/security-keys/kms.tf @@ -16,7 +16,7 @@ module "kms_key" { data "aws_iam_policy_document" "kms" { statement { - sid = "Enable IAM User Permissions" + sid = "Grant full access to the owner account" effect = "Allow" actions = ["kms:*"] resources = ["*"] @@ -28,7 +28,7 @@ data "aws_iam_policy_document" "kms" { } statement { - sid = "Enable CloudTrail Service" + sid = "Grant usage permissions to CloudTrail" effect = "Allow" actions = [ "kms:GenerateDataKey*", 
@@ -47,12 +47,7 @@ data "aws_iam_policy_document" "kms" { test = "StringLike" variable = "kms:EncryptionContext:aws:cloudtrail:arn" values = [ - "arn:aws:cloudtrail:*:${var.accounts.security.id}:trail/*", - "arn:aws:cloudtrail:*:${var.accounts.shared.id}:trail/*", - "arn:aws:cloudtrail:*:${var.accounts.network.id}:trail/*", - "arn:aws:cloudtrail:*:${var.accounts.root.id}:trail/*", - "arn:aws:cloudtrail:*:${var.accounts.apps-devstg.id}:trail/*", - "arn:aws:cloudtrail:*:${var.accounts.apps-prd.id}:trail/*" + "arn:aws:cloudtrail:*:*:trail/${var.project}-${var.environment}-cloudtrail-org" ] } } diff --git a/security/us-east-2/security-audit/config.tf b/security/us-east-2/security-audit/config.tf index cdf014599..0c1b186fd 100644 --- a/security/us-east-2/security-audit/config.tf +++ b/security/us-east-2/security-audit/config.tf @@ -16,7 +16,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 1.0.9" + required_version = ">= 1.3" required_providers { aws = "~> 3.0" diff --git a/security/us-east-2/security-audit/variables.tf b/security/us-east-2/security-audit/variables.tf index 77d6a7ed9..9d9407907 100644 --- a/security/us-east-2/security-audit/variables.tf +++ b/security/us-east-2/security-audit/variables.tf @@ -4,5 +4,5 @@ variable "enable_cloudtrail_bucket_replication" { type = bool description = "Enable CloudTrail bucket replication" - default = true + default = false } diff --git a/shared/us-east-1/security-audit/.terraform.lock.hcl b/shared/us-east-1/security-audit/.terraform.lock.hcl deleted file mode 100644 index 18470e7fa..000000000 --- a/shared/us-east-1/security-audit/.terraform.lock.hcl +++ /dev/null 
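Review bot: The replacement condition value `arn:aws:cloudtrail:*:*:trail/${var.project}-${var.environment}-cloudtrail-org` drops the account restriction the removed lines carried, so a trail of that name in any AWS account now satisfies the encryption-context check. Since the trail is created in the Security account (per the note at the top of cloudtrail.tf), the account can stay pinned without losing the organization-trail use case: `"arn:aws:cloudtrail:*:${var.accounts.security.id}:trail/${var.project}-${var.environment}-cloudtrail-org"`. An `aws:SourceArn` condition on the same statement would additionally tie the grant to that one trail ARN; the statement's principal block is outside this hunk, so I cannot tell whether one is already present.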
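Review bot: Flipping the default of `enable_cloudtrail_bucket_replication` to `false` changes behavior for every deployment that never set the variable explicitly; if the replication resources it gates are already applied in us-east-2, the next apply would presumably remove them. If that is intended, the description should say why, e.g. `description = "Enable CloudTrail bucket replication (disabled by default; set to true only where a replica of the audit logs is required)"`; otherwise keep the default and turn replication off per environment in a tfvars file. The resources this variable controls are not in the diff, so the impact is inferred.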
@@ -1,65 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.46.0" - constraints = ">= 2.0.0, >= 3.0.0, ~> 4.10" - hashes = [ - "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=", - "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2", - "zh:329903acf86ef6072502736dff4c43c2b50f762a958f76aa924e2d74c7fca1e3", - "zh:33db8131fe0ec7e1d9f30bc9f65c2440e9c1f708d681b6062757a351f1df7ce6", - "zh:3a3b010bc393784c16f4b6cdce7f76db93d5efa323fce4920bfea9e9ba6abe44", - "zh:979e2713a5759a7483a065e149e3cb69db9225326fc0457fa3fc3a48aed0c63f", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9efcf0067e16ad53da7504178a05eb2118770b4ae00c193c10ecad4cbfce308e", - "zh:a10655bf1b6376ab7f3e55efadf54dc70f7bd07ca11369557c312095076f9d62", - "zh:b0394dd42cbd2a718a7dd7ae0283f04769aaf8b3d52664e141da59c0171a11ab", - "zh:b958e614c2cf6d9c05a6ad5e94dc5c04b97ebfb84415da068be5a081b5ebbe24", - "zh:ba5069e624210c63ad9e633a8eb0108b21f2322bc4967ba2b82d09168c466888", - "zh:d7dfa597a17186e7f4d741dd7111849f1c0dd6f7ebc983043d8262d2fb37b408", - "zh:e8a641ca2c99f96d64fa2725875e797273984981d3e54772a2823541c44e3cd3", - "zh:f89898b7067c4246293a8007f59f5cfcac7b8dd251d39886c7a53ba596251466", - "zh:fb1e1df1d5cc208e08a850f8e84423bce080f01f5e901791c79df369d3ed52f2", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.2.3" - constraints = ">= 1.3.0" - hashes = [ - "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=", - "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", - "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", - "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", - 
"zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", - "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", - "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", - "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", - "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", - "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", - "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - constraints = ">= 2.0.0" - hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} diff --git a/shared/us-east-1/security-audit/awscloudtrail.tf b/shared/us-east-1/security-audit/awscloudtrail.tf deleted file mode 100644 index 844db634d..000000000 --- a/shared/us-east-1/security-audit/awscloudtrail.tf +++ /dev/null 
@@ -1,87 +0,0 @@
-module "cloudtrail" {
- source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
- namespace = var.project
- stage = var.environment
- name = "cloudtrail-org"
- enable_logging = true
- enable_log_file_validation = true
- include_global_service_events = true
- is_multi_region_trail = true
- s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
- cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
- cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
- kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
-}
-
-module "cloudtrail_api_alarms" {
- source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
-
- log_group_region = var.region
- log_group_name = aws_cloudwatch_log_group.cloudtrail.name
- metric_namespace = var.metric_namespace
- dashboard_enabled = var.create_dashboard
-
- # Uncomment if /notifications SNS is configured and you want to send notifications via slack
- sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
- metrics = local.metrics
-
- # KMS key use for encrypting the Amazon SNS topic.
- kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
-}
-
-#==================================================================#
-# setup cloudwatch logs group in order to receive cloudtrail events
-#==================================================================#
-resource "aws_cloudwatch_log_group" "cloudtrail" {
- name = "${var.project}-${var.environment}-cloudtrail"
- retention_in_days = "14"
- kms_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_arn
-
- tags = local.tags
-}
-
-#==================================================================#
-# setup role and policy to allow cloudtrail to write to cloudwatch
-#==================================================================#
-resource "aws_iam_role" "cloudtrail_cloudwatch_events" {
- name = "CloudtrailCloudwatchEvents"
- assume_role_policy = data.aws_iam_policy_document.assume_policy.json
-}
-
-data "aws_iam_policy_document" "assume_policy" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role_policy" "cloudtrail_cloudwatch_events_policy" {
- name = "CloudtrailCloudwatchEvents"
- role = aws_iam_role.cloudtrail_cloudwatch_events.id
- policy = data.aws_iam_policy_document.cloudtrail_role_policy.json
-}
-
-data "aws_iam_policy_document" "cloudtrail_role_policy" {
- statement {
- effect = "Allow"
- actions = ["logs:CreateLogStream"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.shared.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
-
- resources = [
- "arn:aws:logs:${var.region}:${var.accounts.shared.id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:*",
- ]
- }
-}
diff --git a/shared/us-east-1/security-audit/common-variables.tf b/shared/us-east-1/security-audit/common-variables.tf
deleted file mode 120000
index 81b884acd..000000000
--- a/shared/us-east-1/security-audit/common-variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../../config/common-variables.tf
\ No newline at end of file
diff --git a/shared/us-east-1/security-audit/config.tf b/shared/us-east-1/security-audit/config.tf
deleted file mode 100644
index 4f425662d..000000000
--- a/shared/us-east-1/security-audit/config.tf
+++ /dev/null
@@ -1,75 +0,0 @@
-#=============================#
-# AWS Provider Settings #
-#=============================#
-provider "aws" {
- region = var.region
- profile = var.profile
-}
-
-#=============================#
-# Backend Config (partial) #
-#=============================#
-terraform {
- required_version = "~> 1.2.7"
-
- required_providers {
- aws = "~> 4.10"
- }
-
- backend "s3" {
- key = "shared/security-audit/terraform.tfstate"
- }
-}
-
-#=============================#
-# Data sources #
-#=============================#
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-
-#
-# data type from output for notifications
-#
-data "terraform_remote_state" "notifications" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/notifications/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = var.profile
- bucket = var.bucket
- key = "${var.environment}/security-keys/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_audit" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-audit/terraform.tfstate"
- }
-}
-
-data "terraform_remote_state" "security_keys" {
- backend = "s3"
-
- config = {
- region = var.region
- profile = "${var.project}-security-devops"
- bucket = "${var.project}-security-terraform-backend"
- key = "security/security-keys/terraform.tfstate"
- }
-}
diff --git a/shared/us-east-1/security-audit/locals.tf b/shared/us-east-1/security-audit/locals.tf
deleted file mode 100644
index 97a0dd0ad..000000000
--- a/shared/us-east-1/security-audit/locals.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-locals {
-
- region = var.region == null ? data.aws_region.current.name : var.region
-
- alarm_suffix = "${var.environment}-account"
-
- alarm_defaults = {
- period = 300 // 5 min
- threshold = 1
- comparison_operator = "GreaterThanOrEqualToThreshold"
- evaluation_periods = 1
- statistic = "Sum"
- treat_missing_data = "notBreaching"
- }
-
- metrics = {
- for metric in var.metrics : local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix])) : lookup(metric, "metric_name", null) => {
- metric_name = lookup(metric, "metric_name", null)
- filter_pattern = lookup(metric, "filter_pattern", null)
- metric_namespace = var.metric_namespace != null ? var.metric_namespace : lookup(metric, "metric_namespace", null)
- metric_value = lookup(metric, "metric_value", null)
- alarm_name = local.alarm_suffix != null ? join("-", tolist([lookup(metric, "metric_name", null), local.alarm_suffix, "alarm"])) : "${lookup(metric, "metric_name", null)}-alarm"
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", null)
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", null)
- alarm_period = lookup(metric, "alarm_period", local.alarm_defaults["period"])
- alarm_statistic = lookup(metric, "alarm_statistic", null)
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", null)
- alarm_threshold = lookup(metric, "alarm_threshold", local.alarm_defaults["threshold"])
- alarm_description = lookup(metric, "alarm_description", null)
- alarm_comparison_operator = lookup(metric, "alarm_comparison_operator", local.alarm_defaults["comparison_operator"])
- alarm_evaluation_periods = lookup(metric, "alarm_evaluation_periods", local.alarm_defaults["evaluation_periods"])
- alarm_statistic = lookup(metric, "alarm_statistic", local.alarm_defaults["statistic"])
- alarm_treat_missing_data = lookup(metric, "alarm_treat_missing_data", local.alarm_defaults["treat_missing_data"])
- }
- }
- tags = {
- Terraform = "true"
- Environment = var.environment
- }
-}
diff --git a/shared/us-east-1/security-audit/metrics.auto.tfvars b/shared/us-east-1/security-audit/metrics.auto.tfvars
deleted file mode 100644
index f949d81e7..000000000
--- a/shared/us-east-1/security-audit/metrics.auto.tfvars
+++ /dev/null
@@ -1,102 +0,0 @@
-metrics = [
- {
- metric_name = "AuthorizationFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthorized API call is made."
- filter_pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- alarm_period = "120"
- alarm_threshold = "10"
- },
- {
- metric_name = "S3BucketActivityEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to S3 to put or delete a Bucket, Bucket Policy or Bucket ACL."
- filter_pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- },
- {
- metric_name = "SecurityGroupEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Security Group."
- filter_pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
- },
- {
- metric_name = "NetworkAclEventCount",
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Network ACL."
- filter_pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- },
- {
- metric_name = "GatewayEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway."
- filter_pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- },
- {
- metric_name = "VpcEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic."
- filter_pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }",
-
- },
- {
- metric_name = "EC2InstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }"
- },
- {
- metric_name = "EC2LargeInstanceEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x-large or greater EC2 instance."
- filter_pattern = "{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge) || ($.requestParameters.instanceType = *.16xlarge) || ($.requestParameters.instanceType = *.10xlarge) || ($.requestParameters.instanceType = *.12xlarge) || ($.requestParameters.instanceType = *.24xlarge)) }"
- },
- {
- metric_name = "CloudTrailEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to create, update or delete a .cloudtrail. trail, or to start or stop logging to a trail."
- filter_pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- },
- {
- metric_name = "ConsoleSignInFailureCount"
- metric_value = "1"
- alarm_description = "Alarms when an unauthenticated API call is made to sign into the console."
- filter_pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
- },
- {
- metric_name = "IAMPolicyEventCount"
- metric_value = "1"
- alarm_description = "Alarms when an API call is made to change an IAM policy."
- filter_pattern = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) ||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- },
- {
- metric_name = "ConsoleSignInWithoutMfaCount"
- metric_value = "1"
- alarm_description = "Alarms when a user logs into the console without MFA."
- filter_pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- },
- {
- metric_name = "RootAccountUsageCount"
- metric_value = "1"
- alarm_description = "Alarms when a root account usage is detected."
- filter_pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
- },
- {
- metric_name = "KMSKeyPendingDeletionErrorCount"
- metric_value = "1"
- alarm_description = "Alarms when a customer created KMS key is pending deletion."
- filter_pattern = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}"
- },
- {
- metric_name = "AWSConfigChangeCount"
- metric_value = "1"
- alarm_description = "Alarms when AWS Config changes."
- filter_pattern = "{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
- },
- {
- metric_name = "RouteTableChangesCount"
- metric_value = "1"
- alarm_description = "Alarms when route table changes are detected."
- filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
- },
-]
-
diff --git a/shared/us-east-1/security-audit/variables.tf b/shared/us-east-1/security-audit/variables.tf
deleted file mode 100644
index 001cc9252..000000000
--- a/shared/us-east-1/security-audit/variables.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-#================================#
-# Local variables #
-#================================#
-variable "metric_namespace" {
- type = string
- description = "A namespace for grouping all of the metrics together"
- default = "CISBenchmark"
-}
-
-variable "create_dashboard" {
- type = bool
- description = "When true a dashboard that displays the statistics as a line graph will be created in CloudWatch"
- default = false
-}
-
-variable "metrics" {
- type = any
- description = "Metrics definitions"
- default = {}
-}
-
-variable "alarm_suffix" {
- type = string
- description = "Alarm name suffix. You can use it to separate different AWS account. Set to `null` to avoid adding a suffix."
- default = null
-}