feat: CIS benchmark alerts using Eventbridge

[mglotov]

PR Description

• Added possibility to notify via email about some changes in infrastructure (based on AWS CIS Benchmark, control ID: 4.1-4.15). Disabled by default.

A scheme looks like:

• Added Cloudtrail configuration because some alerts require configured Trail (for example - events from Secrets Manager)
• Wasn't able to use https://github.com/terraform-aws-modules/terraform-aws-s3-bucket to create bucket. The latest available version has political slogan. The latest version without political slogans is v2.14.1. However, it requires an AWS provider version ~> 3.69. We've recently updated aws provider to "4.10.0". That's why I created "raw" terraform resource to describe the s3 bucket configuration.
• Sonarcube and tfsec complain about SNS resource-based policy. However, it has condition + this is a default attached policy when you try to create SNS topic via AWS UI.
• An example of received alerts:

{"version":"0","id":"**************c","detail-type":"AWS API Call via CloudTrail","source":"aws.secretsmanager","account":"********","time":"2022-05-06T06:44:25Z","region":"us-east-1","resources":[],"detail":{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"****:[******](mailto:******)","arn":"arn:aws:sts::******:[assumed-role/******/********](mailto:assumed-role/*******/*********)","accountId":"*********","accessKeyId":"**********","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"**********","arn":"arn:aws:iam::**********:role/*********","accountId":"**********","userName":"********"},"webIdFederationData":{},"attributes":{"creationDate":"2022-05-06T06:11:53Z","mfaAuthenticated":"true"}}},"eventTime":"2022-05-06T06:44:25Z","eventSource":"[secretsmanager.amazonaws.com](http://secretsmanager.amazonaws.com/)","eventName":"PutSecretValue","awsRegion":"us-east-1","sourceIPAddress":"AWS Internal","userAgent":"AWS Internal","requestParameters":{"clientRequestToken":"*********","secretId":"arn:aws:secretsmanager:us-east-1:**********:secret:/***********"},"responseElements":{"arn":"arn:aws:secretsmanager:us-east-1:******:secret:/*********"},"requestID":"********","eventID":"************","readOnly":false,"eventType":"AwsApiCall","managementEvent":true,"recipientAccountId":"********","eventCategory":"Management","sessionCredentialFromConsole":"true"}}

Fixes #281

Type of change

• New feature (non-breaking change which adds functionality)
• Documentation update

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication