DNXLabs · mvsnogueira-dnx · Aug 26, 2024 · Aug 20, 2024 · Aug 20, 2024 · Aug 21, 2024
diff --git a/_variables.tf b/_variables.tf
@@ -21,17 +21,20 @@ variable "sns_topic_name" {
   default     = "CISAlarmV2"
 }
 
-variable "chatbot_sns_topic" {
+variable "alarm_notification_sns_topic" {
   description = "The arn of the SNS Topic which will be notified when any alarm is performed."
   type        = string
   default     = ""
 }
 
-variable "emails" {
+variable "endpoints" {
   default = []
   type    = list(string)
 }
-
+variable "alarm_protocol" {
+  default = "email"
+  type    = string
+}
 variable "alarm_mode" {
   default     = "light"
   type        = string

diff --git a/alarms.tf → aws-alarms.tf b/alarms.tf → aws-alarms.tf
@@ -7,12 +7,12 @@
  numeric = false
 }

 resource "aws_cloudformation_stack" "cloudtrail_alarm" {
  name          = "cloudtrail-alarm-${random_string.cloudtrail_alarm_suffix.result}"
  template_body = var.alarm_mode == "full" ? file("${path.module}/cloudtrail-alarms-full.cf.json") : file("${path.module}/cloudtrail-alarms-light.cf.yml")
 
   parameters = {
     CloudTrailLogGroupName = var.cloudtrail_log_group_name
-    AlarmNotificationTopic = var.chatbot_sns_topic
+    AlarmNotificationTopic = length(var.alarm_notification_sns_topic) > 0 ? var.alarm_notification_sns_topic : try(aws_sns_topic.alarms[0].arn, "")
   }
 }
diff --git a/event_bridge.tf → aws-event_bridge.tf b/event_bridge.tf → aws-event_bridge.tf
@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_event_rule" "alarm_notification" {
-  count       = length(var.emails) > 0 ? 1 : 0
+  count       = length(var.endpoints) > 0 ? 1 : 0
   name        = "cloudtrail_alarm_custom_notifications"
   description = "Will be notified with a custom message when any alarm is performed"
 
@@ -23,8 +23,8 @@ resource "aws_cloudwatch_event_rule" "alarm_notification" {
 }
 
 resource "aws_cloudwatch_event_target" "lambda_target" {
-  count     = length(var.emails) > 0 ? 1 : 0
+  count     = length(var.endpoints) > 0 ? 1 : 0
   rule      = aws_cloudwatch_event_rule.alarm_notification[0].name
-  target_id = "NotifyLambda"
+  target_id = "lambda_notification"
   arn       = aws_lambda_function.lambda[0].arn
 }
diff --git a/iam.tf → aws-iam.tf b/iam.tf → aws-iam.tf
@@ -1,5 +1,5 @@
 data "aws_iam_policy_document" "lambda_assume_role" {
-  count = length(var.emails) > 0 ? 1 : 0
+  count = length(var.endpoints) > 0 ? 1 : 0
   statement {
     actions = ["sts:AssumeRole"]
     principals {
@@ -10,14 +10,14 @@
 }
 
 resource "aws_iam_role" "iam_for_lambda" {
-  count              = length(var.emails) > 0 ? 1 : 0
+  count              = length(var.endpoints) > 0 ? 1 : 0
   name               = "cloudtrail-cn-role-${data.aws_region.current.name}"
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role[0].json
   tags               = var.tags
 }
 
 resource "aws_iam_policy" "lambda_cw" {
-  count       = length(var.emails) > 0 ? 1 : 0
+  count       = length(var.endpoints) > 0 ? 1 : 0
   name        = "cloudtrail-cn-policy-${data.aws_region.current.name}"
   path        = "/"
   description = "IAM policy for logging from a lambda"
@@ -53,7 +53,7 @@
 }
 
 resource "aws_iam_role_policy_attachment" "lambda_cw" {
-  count      = length(var.emails) > 0 ? 1 : 0
+  count      = length(var.endpoints) > 0 ? 1 : 0
   role       = aws_iam_role.iam_for_lambda[0].name
   policy_arn = aws_iam_policy.lambda_cw[0].arn
 }
diff --git a/main.tf → aws-lambda.tf b/main.tf → aws-lambda.tf
@@ -1,5 +1,5 @@
 resource "aws_lambda_function" "lambda" {
-  count            = length(var.emails) > 0 ? 1 : 0
+  count            = length(var.endpoints) > 0 ? 1 : 0
   filename         = "${path.module}/lambda.zip"
   function_name    = var.lambda_name
   role             = aws_iam_role.iam_for_lambda[0].arn
@@ -21,7 +21,7 @@
 }
 
 resource "aws_lambda_permission" "default" {
-  count         = length(var.emails) > 0 ? 1 : 0
+  count         = length(var.endpoints) > 0 ? 1 : 0
   statement_id  = "AllowExecutionFromEventBridge"
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.lambda[0].function_name
@@ -29,9 +29,10 @@
  source_arn    = aws_cloudwatch_event_rule.alarm_notification[0].arn
 }
 
 resource "aws_cloudwatch_log_group" "alarm_lambda" {
-  count             = length(var.emails) > 0 ? 1 : 0
+  count             = length(var.endpoints) > 0 ? 1 : 0
   name              = "/aws/lambda/${var.lambda_name}"
   retention_in_days = 365
+  kms_key_id        = var.kms_key
   tags              = var.tags
 }
diff --git a/sns.tf → aws-sns.tf b/sns.tf → aws-sns.tf
@@ -1,22 +1,22 @@
 # --------------------------------------------------------------------------------------------------
 # The SNS topic to which CloudWatch alarms send events.
 # --------------------------------------------------------------------------------------------------
 resource "aws_sns_topic" "alarms" {
-  count             = length(var.emails) > 0 ? 1 : 0
+  count             = length(var.endpoints) > 0 ? 1 : 0
   name              = var.sns_topic_name
   kms_master_key_id = var.kms_key #aws_kms_key.sns[0].id # default key does not allow cloudwatch alarms to publish
   tags              = var.tags
 }
 
 
 resource "aws_sns_topic_policy" "alarms" {
-  count  = length(var.emails) > 0 ? 1 : 0
+  count  = length(var.endpoints) > 0 ? 1 : 0
   arn    = aws_sns_topic.alarms[0].arn
   policy = data.aws_iam_policy_document.alarms_policy[0].json
 }
 
 data "aws_iam_policy_document" "alarms_policy" {
-  count     = length(var.emails) > 0 ? 1 : 0
+  count     = length(var.endpoints) > 0 ? 1 : 0
   policy_id = "allow-org-accounts"
 
   statement {
@@ -46,8 +46,8 @@
 }
 
 resource "aws_sns_topic_subscription" "cloudtrail_custom_alarm_email" {
-  for_each  = toset(var.emails)
+  for_each  = toset(var.endpoints)
   topic_arn = aws_sns_topic.alarms[0].arn
-  protocol  = "email"
+  protocol  = var.alarm_protocol
   endpoint  = each.value
 }
diff --git a/cloudtrail-alarms-full.cf.json b/cloudtrail-alarms-full.cf.json
@@ -285,7 +285,7 @@
                 "EvaluationPeriods" : "1",
                 "Period" : "300",
                 "Statistic" : "Sum",
-                "Threshold" : "1"
+                "Threshold" : "5"
 
             }
         },
@@ -483,7 +483,7 @@
           "Type": "AWS::Logs::MetricFilter",
           "Properties": {
               "LogGroupName": { "Ref" : "CloudTrailLogGroupName" },
-              "FilterPattern": "{ $.eventName = ConsoleLogin && $.additionalEventData.MFAUsed = No }",
+              "FilterPattern": "{ $.eventName = ConsoleLogin && $.additionalEventData.MFAUsed = No && $.userIdentity.type = IAMUser && $.responseElements.ConsoleLogin = Success }",
               "MetricTransformations": [
                   {
                       "MetricNamespace": "CloudTrailMetrics",