Merge pull request #18 from confusdcodr/metric-alarms

Add metric filters & alarms. Migrate support user/policy to a IAM group

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.0.3
+current_version = 0.0.4
 commit = True
 message = Bumps version to {new_version}
 tag = False

CHANGELOG.md

@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 0.0.4
+
+**Commit Delta**: [Change from 0.0.3 release](https://github.com/plus3it/tardigrade/compare/0.0.3...0.0.4)
+
+**Released**: 2020.01.08
+
+**Summary**:
+
+*   Add metric filters
+*   Remove unused variables
+*   Add metric alarms
+*   Remove AWSSupportAccess policy from user and add it to a group instead
+
 ### 0.0.3
 
 **Commit Delta**: [Change from 0.0.2 release](https://github.com/plus3it/tardigrade/compare/0.0.2...0.0.3)

tardigrade/roots/aws/baseline/main.tf

@@ -30,40 +30,16 @@ locals {
   create_keystore_bucket   = true
   create_config            = ! local.handsoff
   create_config_rules      = ! local.handsoff
-  create_iam_roles         = true
   create_vpc_endpoints     = false
-  create_saml_provider     = true
   create_inspector         = true
-  create_tgw_attachment    = ! local.handsoff
-
-  # services only in aws partition
-  #   peering connection
-  #   bastion sg
-  #   route53 subzone
-  #   codebuild
-  #   ram resource share
-
-  create_peering_connection        = ! local.handsoff && var.partition == "aws"
-  create_bastion_sg                = ! local.handsoff && var.partition == "aws"
-  create_route53_subzone           = ! local.handsoff && var.partition == "aws"
-  create_route53_query_log         = ! local.handsoff && var.partition == "aws"
-  create_config_authorization      = ! local.handsoff && var.partition == "aws"
-  create_guardduty_member          = ! local.handsoff && var.partition == "aws"
-  create_ram_principal_association = ! local.handsoff && var.partition == "aws"
-  create_resolver_rule_association = ! local.handsoff && var.partition == "aws"
+  create_metric_filter     = true
+  create_metric_alarm      = true
+
   excluded_config_rules = {
     "handsoff"   = []
     "aws"        = []
     "aws-us-gov" = []
   }
-  iam_service_url_suffix = {
-    "aws"        = "amazonaws.com"
-    "aws-us-gov" = "amazonaws.com"
-  }
-  iam_saml_audience = {
-    "aws"        = "https://signin.aws.amazon.com/saml"
-    "aws-us-gov" = "https://signin.amazonaws-us-gov.com/saml"
-  }
 }
 
 locals {
@@ -195,15 +171,9 @@ locals {
   # setup users to be created
   users = [{
     name        = "support-user",
-    policy_arns = [data.aws_iam_policy.this.arn]
   }]
 }
 
-# get ARN for AWSSupportAccess AWS Managed policy
-data "aws_iam_policy" "this" {
-  arn = "arn:${data.aws_partition.this.partition}:iam::${data.aws_partition.this.partition}:policy/AWSSupportAccess"
-}
-
 module "iam_users" {
   source = "git::https://github.com/plus3it/terraform-aws-tardigrade-iam-principals.git?ref=3.0.0"
 
@@ -222,6 +192,33 @@ module "iam_users" {
   template_paths = []
 }
 
+# create support-users group
+resource "aws_iam_group" "this" {
+  name = "support-users"
+}
+
+# add created users to the support-users group
+resource "aws_iam_user_group_membership" "this" {
+  for_each = module.iam_users.users
+
+  user = each.value.name
+
+  groups = [
+    aws_iam_group.this.name
+  ]
+}
+
+# get ARN for AWSSupportAccess AWS Managed policy
+data "aws_iam_policy" "this" {
+  arn = "arn:${data.aws_partition.this.partition}:iam::${data.aws_partition.this.partition}:policy/AWSSupportAccess"
+}
+
+# attached policy to support-users group
+resource "aws_iam_group_policy_attachment" "this" {
+  group      = aws_iam_group.this.name
+  policy_arn = data.aws_iam_policy.this.arn
+}
+
 ##### VPC #####
 module "vpc" {
   source = "github.com/plus3it/terraform-aws-vpc?ref=v2.15.0"
@@ -334,7 +331,7 @@ module "cloudtrail_bucket" {
 }
 
 module "cloudtrail" {
-  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail.git?ref=2.2.2"
+  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail.git?ref=2.2.3"
 
   providers = {
     aws = aws
@@ -418,6 +415,210 @@ module "inspector" {
   tags             = local.tags
 }
 
+##### METRIC FILTERS #####
+locals {
+  # due to limitations in prowlers checking of filter_patterns within metric filters, very long strings
+  # are being used as opposed to heredocs
+  metric_filters = [
+    {
+      name           = "terraform-cis-unauthorized-operations"
+      filter_pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Unauthorized Operations"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-console-login-without-mfa"
+      filter_pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Console Logins w/o MFA"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-root-account-usage"
+      filter_pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Root Account Usage"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-iam-policy-changes"
+      filter_pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)|| ($.eventName=DeleteUserPolicy) ||($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy)|| ($.eventName=PutUserPolicy) ||($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) ||($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) ||($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) ||($.eventName=DetachGroupPolicy)}"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "IAM Policy Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-cloudtrail-configuration-changes"
+      filter_pattern = "{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) ||($.eventName = StartLogging) || ($.eventName = StopLogging)}"
+
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "CloudTrail Configuration Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-console-authentication-failures"
+      filter_pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Console Authentication Failures"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-removing-cmks"
+      filter_pattern = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Disabling/Scheduled Deletion of CMKs"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-s3-bucket-policy-changes"
+      filter_pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) ||($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) ||($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) ||($.eventName = DeleteBucketReplication)) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "S3 Bucket Policy Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-aws-config-configuration-changes"
+      filter_pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) ||($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) ||($.eventName=PutConfigurationRecorder)) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "AWS Config Configuration Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-security-group-changes"
+      filter_pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) ||($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) ||($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Security Group Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-nacl-changes"
+      filter_pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) ||($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) ||($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "NACL Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-network-gateway-changes"
+      filter_pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) ||($.eventName = AttachInternetGateway) ||  ($.eventName = CreateInternetGateway) ||($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Network Gateway Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-route-table-changes"
+      filter_pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) ||($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) ||($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
+
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "Route Table Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    },
+    {
+      name           = "terraform-cis-vpc-changes"
+      filter_pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) ||($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) ||($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) ||($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) ||($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
+      log_group_name = module.cloudtrail.log_group.name
+      metric_transformation = {
+        name          = "VPC Changes"
+        namespace     = "CISBenchmark"
+        value         = 1
+        default_value = 0
+      }
+    }
+  ]
+}
+
+module "metric_filters" {
+  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-cloudwatch-log-metric-filter.git?ref=0.0.0"
+
+  providers = {
+    aws = aws
+  }
+
+  # Member
+  create_metric_filter = local.create_metric_filter
+  metric_filters       = local.metric_filters
+}
+
+##### METRIC ALARMS #####
+locals {
+  alarms = [
+    for metric in module.metric_filters.metric_filters :
+    {
+      alarm_name          = metric.name,
+      comparison_operator = "GreaterThanOrEqualToThreshold",
+      evaluation_periods  = "1",
+      metric_name         = metric.metric_transformation[0].name,
+      namespace           = metric.metric_transformation[0].namespace,
+      period              = "300",
+      statistic           = "Sum",
+      threshold           = "1"
+    }
+  ]
+}
+
+module "metric_alarms" {
+  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-cloudwatch-metric-alarm.git?ref=0.0.0"
+
+  providers = {
+    aws = aws
+  }
+
+  create_metric_alarm = local.create_metric_alarm
+  metric_alarms       = local.alarms
+}
+
 ##### DATA SOURCES #####
 data "aws_caller_identity" "this" {}