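---
AWSTemplateFormatVersion: 2010-09-09
Description: CIS AWS Foundations Benchmark Metric Alarms
#
# One CloudWatch Logs metric filter, one CloudWatch alarm and one saved Logs
# Insights query per CIS (v1.2, section 3) monitoring control, all reading the
# CloudWatch Logs log group that a CloudTrail trail delivers to.
#
# Deployment notes the template cannot enforce:
#   * Metric filters and alarms are regional: deploy this stack in the region
#     that holds the CloudTrail log group, and make sure the trail feeding it is
#     a multi-region (or organization) trail, or activity in other regions never
#     reaches these filters.
#   * The SNS topic must have at least one confirmed subscription; the alarms
#     have no other action.
#   * Every alarm uses Threshold 1 over a single period, so one matching event
#     is enough to notify.
Parameters:
  AlarmNotificationTopicARN:
    Description: ARN of the SNS topic that receives every alarm notification
    Type: String
    # No default on purpose: the former placeholder was not a valid ARN, so a
    # deploy that forgot to set it created alarms whose action could never
    # deliver. The pattern makes such a deploy fail at stack validation instead.
    AllowedPattern: '^arn:aws[a-z-]*:sns:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_.-]+$'
    ConstraintDescription: must be a full SNS topic ARN (arn:<partition>:sns:<region>:<12-digit account>:<topic name>)
  CloudtrailLogGroupName:
    Description: Name (not ARN) of the CloudWatch Logs log group that the CloudTrail trail delivers to
    Type: String
    # No default: AWS::Logs::MetricFilter needs an existing log group, and the
    # former placeholder name would not exist in a fresh account.
    MinLength: 1
    MaxLength: 512
    # Character set accepted by CloudWatch Logs for log group names.
    AllowedPattern: '^[\.\-_/#A-Za-z0-9]+$'
    ConstraintDescription: must be a CloudWatch Logs log group name (letters, digits, and . - _ / #)
Resources:
  #=============================================================================
  # MetricFilter, CloudWatch Alarm and Logs Insights QueryDefinition section
  #=============================================================================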
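# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.1 Ensure a log metric filter and alarm exist
# for unauthorized API calls (Scored)
#
# Counts every CloudTrail record whose errorCode ends in "UnauthorizedOperation"
# (EC2-style denials) or starts with "AccessDenied" (IAM-style denials).
# NOTE(review): later benchmark revisions also exclude $.eventName = HeadBucket
# and $.sourceIPAddress = delivery.logs.amazonaws.com, which produce a steady
# stream of benign denials in many accounts; add those clauses if this alarm
# turns out to be noisy.
# ------------------------------------------------------------------------------
  UnauthorizedApiCallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-Unauthorized Activity Attempt
      AlarmDescription: Alarm if Multiple unauthorized actions or logins attempted
      Namespace: CloudTrailMetrics
      MetricName: UnauthorizedAttemptCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # A period with no matching events is "nothing to report", not a breach.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmNotificationTopicARN
  UnauthorizedApiCallsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudtrailLogGroupName
      # Metric-filter syntax: "*" is a wildcard inside quoted values.
      FilterPattern: |-
        {
          ($.errorCode = "*UnauthorizedOperation") ||
          ($.errorCode = "AccessDenied*")
        }
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: UnauthorizedAttemptCount
          MetricValue: '1'
  UnauthorizedApiCallsQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Unauthorized Activity Attempt
      LogGroupNames:
        - !Ref CloudtrailLogGroupName
      # Logs Insights "==" is an exact string match and has no wildcard, so the
      # previous query ('*UnauthorizedOperation', 'AccessDenied*') could never
      # return a row. Regex "like" reproduces the filter's suffix/prefix match.
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter errorCode like /UnauthorizedOperation$/ or errorCode like /^AccessDenied/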
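# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.2 Ensure a log metric filter and alarm exist
# for Management Console sign-in without MFA (Scored)
#
# The "Success" clause is now in the metric filter as well as in the saved
# query below, so both count the same events: failed sign-ins are already
# covered by the 3.6 alarm and would otherwise be double-reported here.
# NOTE(review): federated (SAML/OIDC) and IAM Identity Center sign-ins record
# MFAUsed = "No" because MFA was enforced at the identity provider, so they
# trip this alarm too; add `($.userIdentity.type = "IAMUser")` to the pattern
# if that noise is unwanted in your environment.
# ------------------------------------------------------------------------------
  NoMfaConsoleLoginsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-Console Signin Without MFA
      AlarmDescription: Alarm if there is a Management Console sign-in without MFA
      Namespace: CloudTrailMetrics
      MetricName: ConsoleSigninWithoutMFA
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # A period with no matching events is "nothing to report", not a breach.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmNotificationTopicARN
  NoMfaConsoleLoginsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudtrailLogGroupName
      FilterPattern: |-
        {
          ($.eventName = "ConsoleLogin") &&
          ($.additionalEventData.MFAUsed != "Yes") &&
          ($.responseElements.ConsoleLogin = "Success")
        }
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: ConsoleSigninWithoutMFA
          MetricValue: '1'
  NoMfaConsoleLoginsQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Console Signin Without MFA
      LogGroupNames:
        - !Ref CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName == 'ConsoleLogin' and responseElements.ConsoleLogin == 'Success' and additionalEventData.MFAUsed != 'Yes'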
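# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 1.1 Avoid the use of the "root" account (Scored)
# CIS AWS Foundations Benchmark - 3.3 Ensure a log metric filter and alarm exist
# for usage of "root" account (Scored)
#
# Counts any API call or console sign-in made directly by the account root
# user. Requests that carry userIdentity.invokedBy (made by an AWS service on
# the account's behalf) and AwsServiceEvent records are excluded so that
# service-generated activity does not masquerade as a human using root.
# ------------------------------------------------------------------------------
  RootAccountLoginsAlarm:
    Type: AWS::CloudWatch::Alarm
    # Ordering only; there is no data dependency on the MFA alarm. Presumably
    # here to pace alarm creation against CloudWatch API limits - TODO confirm.
    DependsOn:
      - NoMfaConsoleLoginsAlarm
    Properties:
      AlarmName: CIS-Root Activity
      AlarmDescription: Alarm if a 'root' user uses the account
      Namespace: CloudTrailMetrics
      MetricName: RootUserEventCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # A period with no matching events is "nothing to report", not a breach.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmNotificationTopicARN
  RootAccountLoginsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudtrailLogGroupName
      FilterPattern: |-
        {
          $.userIdentity.type = "Root" &&
          $.userIdentity.invokedBy NOT EXISTS &&
          $.eventType != "AwsServiceEvent"
        }
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: RootUserEventCount
          MetricValue: '1'
  RootAccountLoginsQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Root Activity
      LogGroupNames:
        - !Ref CloudtrailLogGroupName
      # The invokedBy exclusion was missing from the saved query, so it listed
      # service-initiated root events the alarm itself ignores; ispresent() is
      # the Logs Insights equivalent of the filter's "NOT EXISTS".
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter userIdentity.type == 'Root' and not ispresent(userIdentity.invokedBy) and eventType != 'AwsServiceEvent'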
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.4 Ensure a log metric filter and alarm exist
# for IAM policy changes (Scored)
#
# One metric increment per IAM policy lifecycle event: inline policy put/delete
# on users, groups and roles; managed policy create/delete and version
# create/delete; managed policy attach/detach on users, groups and roles.
# ------------------------------------------------------------------------------
  IAMPolicyChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: IAMPolicyChangeEventCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods (no policy change at all) must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-IAM Policy Changes
      AlarmDescription: Alarm if an IAM policy changes
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  IAMPolicyChangesFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: IAMPolicyChangeEventCount
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName=DeleteGroupPolicy) ||
          ($.eventName=DeleteRolePolicy) ||
          ($.eventName=DeleteUserPolicy) ||
          ($.eventName=PutGroupPolicy) ||
          ($.eventName=PutRolePolicy) ||
          ($.eventName=PutUserPolicy) ||
          ($.eventName=CreatePolicy) ||
          ($.eventName=DeletePolicy) ||
          ($.eventName=CreatePolicyVersion) ||
          ($.eventName=DeletePolicyVersion) ||
          ($.eventName=AttachRolePolicy) ||
          ($.eventName=DetachRolePolicy) ||
          ($.eventName=AttachUserPolicy) ||
          ($.eventName=DetachUserPolicy) ||
          ($.eventName=AttachGroupPolicy) ||
          ($.eventName=DetachGroupPolicy)
        }
  IAMPolicyChangesQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-IAM Policy Changes
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      # Same sixteen event names as the metric filter, for triage in the console.
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['AttachGroupPolicy', 'AttachRolePolicy', 'AttachUserPolicy', 'CreatePolicy', 'CreatePolicyVersion', 'DeleteGroupPolicy', 'DeletePolicy', 'DeletePolicyVersion', 'DeleteRolePolicy', 'DeleteUserPolicy', 'DetachGroupPolicy', 'DetachRolePolicy', 'DetachUserPolicy', 'PutGroupPolicy', 'PutRolePolicy', 'PutUserPolicy']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.5 Ensure a log metric filter and alarm exist
# for CloudTrail configuration changes (Scored)
#
# Any trail create/update/delete or logging start/stop increments the metric.
# StopLogging and DeleteTrail are the interesting ones: they are how an
# attacker blinds every other alarm in this template.
# ------------------------------------------------------------------------------
  CloudtrailConfigChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: CloudtrailConfigChangeEventCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-Cloudtrail Config Changes
      AlarmDescription: Alarm if the configuration for Cloudtrail changes
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  CloudtrailConfigChangesFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: CloudtrailConfigChangeEventCount
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName = CreateTrail) ||
          ($.eventName = UpdateTrail) ||
          ($.eventName = DeleteTrail) ||
          ($.eventName = StartLogging) ||
          ($.eventName = StopLogging)
        }
  CloudtrailConfigChangesQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Cloudtrail Config Changes
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      # Same five event names as the metric filter.
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['CreateTrail', 'DeleteTrail', 'StartLogging', 'StopLogging', 'UpdateTrail']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.6 Ensure a log metric filter and alarm exist
# for AWS Management Console authentication failures (Scored)
#
# Threshold 1 over five minutes is the benchmark minimum: a single mistyped
# password notifies. Raise Threshold (keeping Statistic: Sum) if you only want
# to hear about repeated failures, i.e. credential guessing.
# ------------------------------------------------------------------------------
  FailedConsoleLoginsAlarm:
    Type: AWS::CloudWatch::Alarm
    # Ordering only; no data dependency on the root-activity alarm.
    DependsOn:
      - RootAccountLoginsAlarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: ConsoleLoginFailures
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-Console Login Failures
      AlarmDescription: Alarm if there are AWS Management Console authentication failures
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  FailedConsoleLoginsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: ConsoleLoginFailures
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName = ConsoleLogin) &&
          ($.errorMessage = "Failed authentication")
        }
  FailedConsoleLoginsQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Console Login Failures
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName == 'ConsoleLogin' and errorMessage == 'Failed authentication'
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.7 Ensure a log metric filter and alarm exist
# for disabling or scheduled deletion of customer created CMKs (Scored)
#
# DisableKey and ScheduleKeyDeletion are the two KMS calls that make data
# encrypted under a customer key unreadable; both increment the metric.
# This alarm evaluates on a 60 s period where the others use 300 s; either way
# a single event breaches the threshold, only the evaluation cadence differs.
# ------------------------------------------------------------------------------
  DisabledOrDeletedCmksAlarm:
    Type: AWS::CloudWatch::Alarm
    # Ordering only; no data dependency on the console-failure alarm.
    DependsOn:
      - FailedConsoleLoginsAlarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: KMSCustomerKeyDeletion
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-KMS Key Disabled or Scheduled for Deletion
      AlarmDescription: Alarm if customer created CMKs get disabled or scheduled for deletion
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  DisabledOrDeletedCmksFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: KMSCustomerKeyDeletion
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventSource = kms.amazonaws.com) &&
          (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))
        }
  DisabledOrDeletedCmksQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-KMS Key Disabled or Scheduled for Deletion
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventSource == 'kms.amazonaws.com' and eventName in ['DisableKey', 'ScheduleKeyDeletion']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.8 Ensure a log metric filter and alarm exist
# for S3 bucket policy changes (Scored)
#
# Despite the name this covers bucket ACL, policy, CORS, lifecycle and
# replication puts and deletes, i.e. every bucket-level setting that can
# expose or destroy data.
# ------------------------------------------------------------------------------
  S3BucketPolicyChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: S3BucketPolicyChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-S3 Bucket Policy Changed
      AlarmDescription: Alarm if any S3 bucket policies are changed
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  S3BucketPolicyChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: S3BucketPolicyChanges
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventSource = s3.amazonaws.com) &&
          (($.eventName = PutBucketAcl) ||
          ($.eventName = PutBucketPolicy) ||
          ($.eventName = PutBucketCors) ||
          ($.eventName = PutBucketLifecycle) ||
          ($.eventName = PutBucketReplication) ||
          ($.eventName = DeleteBucketPolicy) ||
          ($.eventName = DeleteBucketCors) ||
          ($.eventName = DeleteBucketLifecycle) ||
          ($.eventName = DeleteBucketReplication))
        }
  S3BucketPolicyChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-S3 Bucket Policy Changed
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventSource = 's3.amazonaws.com' and eventName in ['DeleteBucketCors', 'DeleteBucketLifecycle', 'DeleteBucketPolicy', 'DeleteBucketReplication', 'PutBucketAcl', 'PutBucketCors', 'PutBucketLifecycle', 'PutBucketPolicy', 'PutBucketReplication']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.9 Ensure a log metric filter and alarm exist
# for AWS Config configuration changes (Scored)
#
# Stopping the recorder or replacing the delivery channel silently ends the
# configuration history that Config rules and forensics depend on.
# ------------------------------------------------------------------------------
  AWSConfigConfigurationChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: AWSConfigConfigurationChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-AWS Config Configuration has changed
      AlarmDescription: Alarm if the configuration for AWS Config changes
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  AWSConfigConfigurationChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: AWSConfigConfigurationChanges
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventSource = config.amazonaws.com) &&
          (($.eventName=StopConfigurationRecorder)||
          ($.eventName=DeleteDeliveryChannel)||
          ($.eventName=PutDeliveryChannel)||
          ($.eventName=PutConfigurationRecorder))
        }
  AWSConfigConfigurationChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-AWS Config Configuration has changed
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventSource = 'config.amazonaws.com' and eventName in ['DeleteDeliveryChannel', 'StopConfigurationRecorder', 'PutConfigurationRecorder', 'PutDeliveryChannel']
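# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.10 Ensure a log metric filter and alarm
# exist for security group changes (Scored)
#
# In addition to the six benchmark event names, ModifySecurityGroupRules is
# included: it edits an existing rule in place (CIDR, port range, protocol)
# without emitting Authorize*/Revoke*, so a rule could be widened to 0.0.0.0/0
# while the benchmark-only filter stayed silent.
# ------------------------------------------------------------------------------
  SecurityGroupChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-Security Groups Have Changed
      AlarmDescription: Alarm if there are any changes to security groups
      Namespace: CloudTrailMetrics
      MetricName: SecurityGroupChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # A period with no matching events is "nothing to report", not a breach.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmNotificationTopicARN
  SecurityGroupChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudtrailLogGroupName
      FilterPattern: |-
        {
          ($.eventName = AuthorizeSecurityGroupIngress) ||
          ($.eventName = AuthorizeSecurityGroupEgress) ||
          ($.eventName = RevokeSecurityGroupIngress) ||
          ($.eventName = RevokeSecurityGroupEgress) ||
          ($.eventName = ModifySecurityGroupRules) ||
          ($.eventName = CreateSecurityGroup) ||
          ($.eventName = DeleteSecurityGroup)
        }
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: SecurityGroupChanges
          MetricValue: '1'
  SecurityGroupChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Security Groups Have Changed
      LogGroupNames:
        - !Ref CloudtrailLogGroupName
      # Keep this list identical to the metric filter above.
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['AuthorizeSecurityGroupIngress', 'AuthorizeSecurityGroupEgress', 'CreateSecurityGroup', 'DeleteSecurityGroup', 'ModifySecurityGroupRules', 'RevokeSecurityGroupIngress', 'RevokeSecurityGroupEgress']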
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.11 Ensure a log metric filter and alarm
# exist for changes to Network Access Control Lists (NACL) (Scored)
#
# Creating or deleting a NACL, adding/removing/replacing an entry, or moving a
# subnet to a different NACL all increment the metric.
# ------------------------------------------------------------------------------
  NACLChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: NACLChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-NACLs Have Changed
      AlarmDescription: Alarm if there are any changes to Network ACLs (NACLs)
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  NACLChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: NACLChanges
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName = CreateNetworkAcl) ||
          ($.eventName = CreateNetworkAclEntry) ||
          ($.eventName = DeleteNetworkAcl) ||
          ($.eventName = DeleteNetworkAclEntry) ||
          ($.eventName = ReplaceNetworkAclEntry) ||
          ($.eventName = ReplaceNetworkAclAssociation)
        }
  NACLChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-NACLs Have Changed
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['CreateNetworkAcl', 'CreateNetworkAclEntry', 'DeleteNetworkAcl', 'DeleteNetworkAclEntry', 'ReplaceNetworkAclEntry', 'ReplaceNetworkAclAssociation']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.12 Ensure a log metric filter and alarm
# exist for changes to network gateways (Scored)
#
# Only customer gateways and internet gateways are in the benchmark list and
# therefore in this filter; NAT, VPN, egress-only and transit gateway changes
# are not counted. Extend both lists below if you need them.
# ------------------------------------------------------------------------------
  NetworkGatewayChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: NetworkGatewayChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-Network Gateways Have Changed
      AlarmDescription: Alarm if there are any changes to network gateways
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  NetworkGatewayChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: NetworkGatewayChanges
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName = CreateCustomerGateway) ||
          ($.eventName = DeleteCustomerGateway) ||
          ($.eventName = AttachInternetGateway) ||
          ($.eventName = CreateInternetGateway) ||
          ($.eventName = DeleteInternetGateway) ||
          ($.eventName = DetachInternetGateway)
        }
  NetworkGatewayChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Network Gateways Have Changed
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['AttachInternetGateway', 'CreateCustomerGateway', 'CreateInternetGateway', 'DeleteCustomerGateway', 'DeleteInternetGateway', 'DetachInternetGateway']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.13 Ensure a log metric filter and alarm
# exist for route table changes (Scored)
#
# Route and route-table create/replace/delete plus association changes; a
# redirected default route is a classic traffic-interception step.
# ------------------------------------------------------------------------------
  RouteTableChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: RouteTableChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-Route Tables Have Changed
      AlarmDescription: Alarm if there are any changes to route tables
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  RouteTableChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: RouteTableChanges
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName = CreateRoute) ||
          ($.eventName = CreateRouteTable) ||
          ($.eventName = ReplaceRoute) ||
          ($.eventName = ReplaceRouteTableAssociation) ||
          ($.eventName = DeleteRouteTable) ||
          ($.eventName = DeleteRoute) ||
          ($.eventName = DisassociateRouteTable)
        }
  RouteTableChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-Route Tables Have Changed
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['CreateRoute', 'CreateRouteTable', 'DeleteRoute', 'DeleteRouteTable', 'DisassociateRouteTable', 'ReplaceRoute', 'ReplaceRouteTableAssociation']
# ------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 3.14 Ensure a log metric filter and alarm
# exist for VPC changes (Scored)
#
# VPC create/delete/attribute changes and the full peering lifecycle. The four
# ClassicLink event names are kept for parity with the benchmark; EC2-Classic
# was retired by AWS in 2022, so they are not expected to fire in new accounts.
# ------------------------------------------------------------------------------
  VPCChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: CloudTrailMetrics
      MetricName: VPCChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      # Quiet periods must not raise the alarm.
      TreatMissingData: notBreaching
      AlarmName: CIS-VPC Has Changed
      AlarmDescription: Alarm if there are any changes to any VPCs
      AlarmActions:
        - Ref: AlarmNotificationTopicARN
  VPCChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: CloudtrailLogGroupName
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: VPCChanges
          MetricValue: "1"
      FilterPattern: |-
        {
          ($.eventName = CreateVpc) ||
          ($.eventName = DeleteVpc) ||
          ($.eventName = ModifyVpcAttribute) ||
          ($.eventName = AcceptVpcPeeringConnection) ||
          ($.eventName = CreateVpcPeeringConnection) ||
          ($.eventName = DeleteVpcPeeringConnection) ||
          ($.eventName = RejectVpcPeeringConnection) ||
          ($.eventName = AttachClassicLinkVpc) ||
          ($.eventName = DetachClassicLinkVpc) ||
          ($.eventName = DisableVpcClassicLink) ||
          ($.eventName = EnableVpcClassicLink)
        }
  VPCChangeQuery:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: CIS-Alarms/CIS-VPC Has Changed
      LogGroupNames:
        - Ref: CloudtrailLogGroupName
      QueryString: |-
        fields @timestamp, @message |
        sort @timestamp desc |
        filter eventName in ['AcceptVpcPeeringConnection', 'AttachClassicLinkVpc', 'CreateVpc', 'CreateVpcPeeringConnection', 'DeleteVpc', 'DeleteVpcPeeringConnection', 'DetachClassicLinkVpc', 'DisableVpcClassicLink', 'EnableVpcClassicLink', 'ModifyVpcAttribute', 'RejectVpcPeeringConnection']