Naming, sns, version updates
adenot committed Jul 16, 2024
1 parent 6f7deb6 commit ea59c52
Showing 8 changed files with 104 additions and 81 deletions.
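--- a/_data.tf
+++ b/_data.tf
@@ -1 +1,2 @@
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}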
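--- a/_variables.tf
+++ b/_variables.tf
@@ -27,6 +27,24 @@ variable "sns_topic_name" {
 default = "CISAlarmV2"
 }
 
+variable "chatbot_sns_topic" {
+description = "The arn of the SNS Topic which will be notified when any alarm is performed."
+type = string
+default = ""
+}
+
+# variable "email_sns_topic" {
+# description = "The arn of the SNS Topic which will be notified when any alarm is performed via email."
+# type = string
+# default = ""
+# }
+
+variable "emails" {
+default = []
+type = list(string)
+}
+
+
 variable "alarm_account_ids" {
 default = []
 type = list(string)
@@ -45,3 +63,9 @@ variable "tags" {
 "Terraform" = true
 }
 }
+
+variable "kms_key" {
+default = ""
+type = string
+description = "kms used to encrypt SNS topic"
+}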
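Review bot: Both new string variables default to `""` with no `validation` block, and each empty default is load-bearing elsewhere in this commit: an empty `kms_key` deploys the SNS topic unencrypted, and an empty `chatbot_sns_topic` is passed straight into the CloudFormation stack as the alarm action topic. At minimum the descriptions should say what format is expected and what empty means, e.g. `description = "Key ID, ARN or alias of the KMS key used to encrypt the SNS topic; leave empty to deploy the topic unencrypted"` for `kms_key`, and `emails` has no description at all. The commented-out `email_sns_topic` block should be dropped rather than kept as dead configuration, and the double blank line before `alarm_account_ids` is a leftover of the same edit.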
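--- a/_versions.tf
+++ b/_versions.tf
@@ -3,7 +3,8 @@ terraform {
 
 required_providers {
 aws = {
-source = "hashicorp/aws"
+source = "hashicorp/aws"
+version = ">= 4.0.0"
 }
 random = {
 source = "hashicorp/random"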
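Review bot: The constraint added at `version = ">= 4.0.0"` has no upper bound, so any future major release of the AWS provider is accepted by `terraform init` without a change here, even though a major release may rename or drop arguments this module uses. Pin the range that was actually tested, e.g. `version = ">= 4.0.0, < 6.0.0"`, and give the `random` provider block the same treatment; its body continues past the hunk so I cannot see whether it carries a constraint.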
79 changes: 2 additions & 77 deletions alarms.tf
@@ -1,86 +1,11 @@
# --------------------------------------------------------------------------------------------------
# The SNS topic to which CloudWatch alarms send events.
# --------------------------------------------------------------------------------------------------
resource "aws_sns_topic" "alarms" {
count = var.enabled ? 1 : 0
name = var.sns_topic_name
kms_master_key_id = aws_kms_key.sns[0].id # default key does not allow cloudwatch alarms to publish
tags = var.tags
}

data "aws_iam_policy_document" "kms_policy_sns" {
count = var.enabled ? 1 : 0
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
actions = ["kms:*"]
resources = ["*"]
}
statement {
actions = ["kms:Decrypt", "kms:GenerateDataKey*"]
principals {
type = "Service"
identifiers = ["cloudwatch.amazonaws.com"]
}
resources = ["*"]
sid = "allow-cloudwatch-kms"
}
}

resource "aws_kms_key" "sns" {
count = var.enabled ? 1 : 0
deletion_window_in_days = 7
description = "SNS CMK Encryption Key"
enable_key_rotation = true
policy = data.aws_iam_policy_document.kms_policy_sns[0].json
}

resource "aws_sns_topic_policy" "alarms" {
count = var.enabled ? 1 : 0
arn = aws_sns_topic.alarms[0].arn
policy = data.aws_iam_policy_document.alarms_policy[0].json
}

data "aws_iam_policy_document" "alarms_policy" {
count = var.enabled ? 1 : 0
policy_id = "allow-org-accounts"

statement {
actions = [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
]
condition {
test = "StringEquals"
variable = "AWS:SourceOwner"
values = var.alarm_account_ids
}
principals {
type = "AWS"
identifiers = ["*"]
}
resources = [aws_sns_topic.alarms[0].arn]
sid = "allow-org-accounts"
}
}

resource "random_string" "cloudtrail_alarm_suffix" {
count = var.enabled ? 1 : 0
length = 8
special = false
lower = true
upper = false
numeric = false
}

resource "aws_cloudformation_stack" "cloudtrail_alarm" {

Check failure on line 11 in alarms.tf


GitHub Actions / scan

CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
Expand All @@ -90,6 +15,6 @@ resource "aws_cloudformation_stack" "cloudtrail_alarm" {

parameters = {
CloudTrailLogGroupName = var.cloudtrail_log_group_name
AlarmNotificationTopic = aws_sns_topic.alarms[0].id
AlarmNotificationTopic = var.chatbot_sns_topic # aws_sns_topic.alarms[0].id
}
}
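Review bot: `AlarmNotificationTopic = var.chatbot_sns_topic` in the second hunk hands the stack whatever the caller supplied, and that variable defaults to `""` in this commit, so with default inputs every alarm in the template receives an empty string as its action ARN while the topic the module still creates in sns.tf is no longer wired to anything. Fall back to the module's own topic when no override is given, `AlarmNotificationTopic = var.chatbot_sns_topic != "" ? var.chatbot_sns_topic : aws_sns_topic.alarms[0].arn`, and drop the trailing `# aws_sns_topic.alarms[0].id` rather than leaving the old value as a comment. The scan annotation on the first hunk (CKV_AWS_124) concerns the stack's own event notifications, which is a separate setting from this parameter; the `aws_cloudformation_stack` body between the two hunks is outside my view, so I cannot tell whether `notification_arns` is set there.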
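--- a/cloudtrail-alarms-full.cf.json
+++ b/cloudtrail-alarms-full.cf.json
@@ -31,6 +31,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailSecurityGroupChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Security Group.",
 "MetricName" : "SecurityGroupEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -60,6 +61,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailNetworkAclChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Network ACL.",
 "MetricName" : "NetworkAclEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -89,6 +91,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailGatewayChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Customer or Internet Gateway.",
 "MetricName" : "GatewayEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -118,6 +121,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailVpcChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic.",
 "MetricName" : "VpcEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -147,6 +151,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailEC2InstanceChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance.",
 "MetricName" : "EC2InstanceEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -176,6 +181,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailEC2LargeInstanceChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, terminate, start, stop or reboot a 4x or 8x-large EC2 instance.",
 "MetricName" : "EC2LargeInstanceEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -205,6 +211,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, update or delete a CloudTrail trail, or to start or stop logging to a trail.",
 "MetricName" : "CloudTrailEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -235,6 +242,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailConsoleSignInFailuresV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an unauthenticated API call is made to sign into the console.",
 "MetricName" : "ConsoleSignInFailureCount",
 "Namespace" : "CloudTrailMetrics",
@@ -265,6 +273,7 @@
 "Properties": {
 "AlarmName" : "CloudTrailAuthorizationFailuresV2",
 "AlarmDescription" : "Alarms when an unauthorized API call is made.",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "MetricName" : "AuthorizationFailureCount",
 "Namespace" : "CloudTrailMetrics",
 "ComparisonOperator" : "GreaterThanOrEqualToThreshold",
@@ -294,6 +303,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailIAMPolicyChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to change an IAM policy.",
 "MetricName" : "IAMPolicyEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -323,6 +333,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CloudTrailRouteTableChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Route Table.",
 "MetricName" : "RouteTableEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -352,6 +363,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "CMKChangesV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms each time when a CMK configuration change is made.",
 "MetricName" : "CMKEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -381,6 +393,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "RootAccountUsageAlarmV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Alarms each time when Root Account is used.",
 "MetricName" : "RootAccountUsageEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -412,6 +425,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "AWSConfigChangesAlarmV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Triggered by AWS Config changes.",
 "MetricName" : "ConfigEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -444,6 +458,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "S3BucketConfigChangesAlarmV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Triggered by AWS S3 Bucket config changes.",
 "MetricName" : "S3BucketEventCount",
 "Namespace" : "CloudTrailMetrics",
@@ -477,6 +492,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "ConsoleSignInWithoutMfaAlarmV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Triggered by sign-in requests made without MFA.",
 "MetricName" : "ConsoleSignInWithoutMfaCount",
 "Namespace" : "CloudTrailMetrics",
@@ -510,6 +526,7 @@
 "Type": "AWS::CloudWatch::Alarm",
 "Properties": {
 "AlarmName" : "OrganizationsChangesAlarmV2",
+"AlarmActions": [{"Ref" : "AlarmNotificationTopic"}],
 "AlarmDescription" : "Triggered by AWS Organizations events.",
 "MetricName" : "OrganizationsEvents",
 "Namespace" : "CloudTrailMetrics",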
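Review bot: Every alarm now resolves its action through `{"Ref" : "AlarmNotificationTopic"}`, but nothing visible in the template guards against that parameter being empty, which is exactly what the Terraform side passes by default in this commit (`var.chatbot_sns_topic = ""`); an empty action ARN is likely to be rejected by CloudFormation only when the stack is created or updated, long after `terraform plan`. If the `AlarmNotificationTopic` parameter declaration (outside these hunks) does not already carry an `AllowedPattern` for an SNS topic ARN, add one so the failure is reported at template validation with a clear message. One style point: in the `CloudTrailAuthorizationFailuresV2` hunk the new `AlarmActions` line is placed after `AlarmDescription`, while the other sixteen hunks insert it before; keep the property order consistent so later diffs stay readable.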
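--- a/iam.tf
+++ b/iam.tf
@@ -9,13 +9,13 @@ data "aws_iam_policy_document" "lambda_assume_role" {
 }
 
 resource "aws_iam_role" "iam_for_lambda" {
-name = "iam_for_lambda"
+name = "cloudtrail-cn-role-${data.aws_region.current.name}"
 assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
 tags = var.tags
 }
 
 resource "aws_iam_policy" "lambda_cw" {
-name = "lambda_cw"
+name = "cloudtrail-cn-policy-${data.aws_region.current.name}"
 path = "/"
 description = "IAM policy for logging from a lambda"
 policy = jsonencode({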
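Review bot: The new names hard-code the `cloudtrail-cn-` prefix, so two instances of this module in the same account and region still collide on `aws_iam_role.iam_for_lambda` and `aws_iam_policy.lambda_cw`, even though the region suffix now separates regional deployments; deriving the prefix from an input (a dedicated name-prefix variable, or the existing `var.sns_topic_name`) avoids that. Changing `name` forces replacement of both resources, which is worth stating in the commit message since existing deployments will recreate the role and re-attach it to the function. The scan annotations attached to this section (CKV_AWS_290 and CKV_AWS_355) point at the policy document that follows `policy = jsonencode({` and is outside the hunk; if it grants the CloudWatch Logs write actions on `Resource = "*"`, scope them to the function's log group ARN instead.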
2 changes: 1 addition & 1 deletion main.tf
Expand Up @@ -5,7 +5,7 @@ resource "aws_lambda_function" "lambda" {
handler = "index.handler"
timeout = var.lambda_timeout
source_code_hash = filebase64sha256("${path.module}/lambda.zip")
runtime = "nodejs20.x"
runtime = "nodejs18.x"
tags = var.tags
tracing_config {
mode = "Active"
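Review bot: This page does not show which of the two printed `runtime` lines is the new side; if the new value is `nodejs18.x`, as the print order suggests, the function moves from `nodejs20.x` back to an older Node.js runtime with an earlier Lambda deprecation date, which is the opposite of the "version updates" in the title. If the downgrade is deliberate (for example a dependency in `lambda.zip` that does not run on Node 20), record the reason on the line, `runtime = "nodejs18.x" # pinned: <reason>`, so the next upgrade attempt does not repeat the regression; otherwise keep `nodejs20.x`. The `aws_lambda_function` resource starts outside the hunk.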
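--- a/sns.tf
+++ b/sns.tf
@@ -0,0 +1,55 @@
+# --------------------------------------------------------------------------------------------------
+# The SNS topic to which CloudWatch alarms send events.
+# --------------------------------------------------------------------------------------------------
+resource "aws_sns_topic" "alarms" {
+count = var.enabled ? 1 : 0
+name = var.sns_topic_name
+kms_master_key_id = var.kms_key #aws_kms_key.sns[0].id # default key does not allow cloudwatch alarms to publish
+tags = var.tags
+}
+
+
+resource "aws_sns_topic_policy" "alarms" {
+count = var.enabled ? 1 : 0
+arn = aws_sns_topic.alarms[0].arn
+policy = data.aws_iam_policy_document.alarms_policy[0].json
+}
+
+data "aws_iam_policy_document" "alarms_policy" {
+count = var.enabled ? 1 : 0
+policy_id = "allow-org-accounts"
+
+statement {
+actions = [
+"SNS:GetTopicAttributes",
+"SNS:SetTopicAttributes",
+"SNS:AddPermission",
+"SNS:RemovePermission",
+"SNS:DeleteTopic",
+"SNS:Subscribe",
+"SNS:ListSubscriptionsByTopic",
+"SNS:Publish",
+"SNS:Receive"
+]
+condition {
+test = "StringEquals"
+variable = "AWS:SourceOwner"
+values = var.alarm_account_ids
+}
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+resources = [aws_sns_topic.alarms[0].arn]
+sid = "allow-org-accounts"
+}
+}
+
+
+resource "aws_sns_topic_subscription" "cloudtrail_cutom_alarm_email" {
+#for_each = {for email in var.emails : var.emails => email}
+for_each = toset(var.emails)
+topic_arn = aws_sns_topic.alarms[0].arn
+protocol = "email"
+endpoint = each.value
+}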
