alarm-baseline

Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 3.50.0 |

Providers

| Name | Version |
|------|---------|
| aws | 3.60.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_metric_filter.aws_config_changes | resource |
| aws_cloudwatch_log_metric_filter.cloudtrail_cfg_changes | resource |
| aws_cloudwatch_log_metric_filter.console_signin_failures | resource |
| aws_cloudwatch_log_metric_filter.disable_or_delete_cmk | resource |
| aws_cloudwatch_log_metric_filter.iam_changes | resource |
| aws_cloudwatch_log_metric_filter.nacl_changes | resource |
| aws_cloudwatch_log_metric_filter.network_gw_changes | resource |
| aws_cloudwatch_log_metric_filter.no_mfa_console_signin | resource |
| aws_cloudwatch_log_metric_filter.organizations_changes | resource |
| aws_cloudwatch_log_metric_filter.root_usage | resource |
| aws_cloudwatch_log_metric_filter.route_table_changes | resource |
| aws_cloudwatch_log_metric_filter.s3_bucket_policy_changes | resource |
| aws_cloudwatch_log_metric_filter.security_group_changes | resource |
| aws_cloudwatch_log_metric_filter.unauthorized_api_calls | resource |
| aws_cloudwatch_log_metric_filter.vpc_changes | resource |
| aws_cloudwatch_metric_alarm.aws_config_changes | resource |
| aws_cloudwatch_metric_alarm.cloudtrail_cfg_changes | resource |
| aws_cloudwatch_metric_alarm.console_signin_failures | resource |
| aws_cloudwatch_metric_alarm.disable_or_delete_cmk | resource |
| aws_cloudwatch_metric_alarm.iam_changes | resource |
| aws_cloudwatch_metric_alarm.nacl_changes | resource |
| aws_cloudwatch_metric_alarm.network_gw_changes | resource |
| aws_cloudwatch_metric_alarm.no_mfa_console_signin | resource |
| aws_cloudwatch_metric_alarm.organizations_changes | resource |
| aws_cloudwatch_metric_alarm.root_usage | resource |
| aws_cloudwatch_metric_alarm.route_table_changes | resource |
| aws_cloudwatch_metric_alarm.s3_bucket_policy_changes | resource |
| aws_cloudwatch_metric_alarm.security_group_changes | resource |
| aws_cloudwatch_metric_alarm.unauthorized_api_calls | resource |
| aws_cloudwatch_metric_alarm.vpc_changes | resource |
| aws_sns_topic.alarms | resource |
| aws_sns_topic_policy.alarms | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.alarms-sns-policy | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| alarm_namespace | The namespace in which all alarms are set up. | string | "CISBenchmark" | no |
| aws_config_changes_enabled | The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| cloudtrail_cfg_changes_enabled | The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| cloudtrail_log_group_name | The name of the CloudWatch Logs group to which CloudTrail events are delivered. | any | n/a | yes |
| console_signin_failures_enabled | The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| disable_or_delete_cmk_enabled | The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool | true | no |
| iam_changes_enabled | The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| nacl_changes_enabled | The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| network_gw_changes_enabled | The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| no_mfa_console_signin_enabled | The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| organizations_changes_enabled | The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| root_usage_enabled | The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| route_table_changes_enabled | The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| s3_bucket_policy_changes_enabled | The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| security_group_changes_enabled | The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| sns_topic_kms_master_key_id | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | any | null | no |
| sns_topic_name | The name of the SNS Topic which will be notified when any alarm is performed. | string | "CISAlarm" | no |
| tags | Specifies object tags key and value. This applies to all resources created by this module. | map | `{ "Terraform": true }` | no |
| unauthorized_api_calls_enabled | The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false. | bool | true | no |
| vpc_changes_enabled | The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false. | bool | true | no |

Outputs

| Name | Description |
|------|-------------|
| alarm_sns_topic | The SNS topic to which CloudWatch Alarms will be sent. |