{"id":23436889,"url":"https://github.com/lincolnloop/terraform-aws-cloudwatch-alarm-controls","last_synced_at":"2026-01-22T21:07:47.900Z","repository":{"id":186150192,"uuid":"671234925","full_name":"lincolnloop/terraform-aws-cloudwatch-alarm-controls","owner":"lincolnloop","description":"Terraform configuration to enable the recommended Cloudwatch controls https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html","archived":false,"fork":false,"pushed_at":"2024-09-20T21:59:11.000Z","size":8,"stargazers_count":0,"open_issues_count":0,"forks_count":2,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-04-09T18:54:26.863Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lincolnloop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-26T21:20:20.000Z","updated_at":"2024-05-06T14:50:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"d034f41b-026c-4e9f-a447-33563e22ad6e","html_url":"https://github.com/lincolnloop/terraform-aws-cloudwatch-alarm-controls","commit_stats":null,"previous_names":["lincolnloop/terraform-aws-cloudwatch-alarm-controls"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/lincolnloop/terraform-aws-cloudwatch-alarm-controls","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lincolnloop%2Fterraform-aws-cloudwatch-alarm-controls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lincolnloop%2Fterraform-aws-cloudwatch-alarm-controls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lincolnloop%2Fterraform-aws-cloudwatch-alarm-controls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lincolnloop%2Fterraform-aws-cloudwatch-alarm-controls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lincolnloop","download_url":"https://codeload.github.com/lincolnloop/terraform-aws-cloudwatch-alarm-controls/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lincolnloop%2Fterraform-aws-cloudwatch-alarm-controls/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28671331,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T20:48:19.482Z","status":"ssl_error","status_checked_at":"2026-01-22T20:48:14.968Z","response_time":144,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-23T13:34:44.124Z","updated_at":"2026-01-22T21:07:47.885Z","avatar_url":"https://github.com/lincolnloop.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform AWS CloudWatch Alerts\n\nThis module creates the Cloudwatch alerts [recommended by the various Security Hub standards](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html).\n## Usage\n\n```hcl\nmodule \"cloudwatch_alarms\" {\n  source                       = \"github.com/lincolnloop/terraform-aws-cloudwatch-alarm-controls\"\n  alarms                       = var.alarms\n  tags                         = var.tags\n  log_group_name               = \"/cloudtrail\"\n  alarm_action_arns            = [arn::..] \n}\n\n```\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| alarm_action_arns | List of ARNs for the alarm actions (e.g., SNS topic ARNs) | `list(string)` | no | yes |\n| tags | Configuration for resources tags. | `object` | Review next section for default value | yes |\n| alarms | Configuration for CloudWatch alarms. | `object` | Review next section for default value | yes |\n| log_group_name | Name for the CloudWatch log group to use as input for the alarms. | `string` | no | yes |\n\n### Variable `tags`\n\nThis input variable controls the tags that will be added to all the resources.\n```\n  tags = {\n    Application = \"cloudwatch-alarms\"\n  }\n```\n\nDefault value is shown here\n\n### Variable `alarms`\n\nThis input variable controls the Cloudwatch alarm configuration.\n\nDefault value is shown here\n```\n  alarms = {\n    \"Cloudwatch.1-RootAccountUsage\" = {\n      description = \"Cloudwatch.1 - Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\"\n      pattern     = \"{$.userIdentity.type=\\\"Root\\\" \u0026\u0026 $.userIdentity.invokedBy NOT EXISTS \u0026\u0026 $.eventType !=\\\"AwsServiceEvent\\\"}\"\n    }\n    \"Cloudwatch.2-UnauthorizedAPICalls\" = {\n      description = \"Cloudwatch.2 - Ensure a log metric filter and alarm exist for unauthorized API calls \"\n      pattern     = \"{($.errorCode=\\\"*UnauthorizedOperation\\\") || ($.errorCode=\\\"AccessDenied*\\\")}\"\n      threshold   = 5\n    }\n    \"Cloudwatch.3-ConsoleSigninWithoutMFA\" = {\n      description = \"Cloudwatch.3 - Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA \"\n      pattern     = \"{($.eventName=\\\"ConsoleLogin\\\") \u0026\u0026 ($.additionalEventData.MFAUsed !=\\\"Yes\\\") \u0026\u0026 \u0026\u0026 ($.userIdentity.type = \\\"IAMUser\\\") \u0026\u0026 ($.responseElements.ConsoleLogin = \\\"Success\\\")}\"\n    }\n    \"CloudWatch.4-IAMPolicyChanges\" = {\n      description = \"Cloudwatch.4 - Ensure a log metric filter and alarm exist for IAM policy changes\"\n      pattern     = \"{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}\"\n    }\n    \"CloudWatch.5-CloudTrailChanges\" = {\n      description = \"Cloudwatch.5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes\"\n      pattern     = \"{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}\"\n    }\n    \"CloudWatch.6-ConsoleAuthenticationFailure\" = {\n      description = \"Cloudwatch.6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\"\n      pattern     = \"{($.eventName=ConsoleLogin) \u0026\u0026 ($.errorMessage=\\\"Failed authentication\\\")}\"\n      threshold   = 5\n    }\n    \"CloudWatch.7-DisableOrDeleteCMK\" = {\n      description = \"Cloudwatch.7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\"\n      pattern     = \"{($.eventSource=kms.amazonaws.com) \u0026\u0026 (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}\"\n    }\n    \"CloudWatch.8-S3BucketPolicyChanges\" = {\n      description = \"Cloudwatch.8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes\"\n      pattern     = \"{($.eventSource=s3.amazonaws.com) \u0026\u0026 (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}\"\n    }\n    \"CloudWatch.9-AWSConfigChanges\" = {\n      description = \"Cloudwatch.9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes\"\n      pattern     = \"{($.eventSource=config.amazonaws.com) \u0026\u0026 (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}\"\n    }\n    \"CloudWatch.10-SecurityGroupChanges\" = {\n      description = \"Cloudwatch.10 - Ensure a log metric filter and alarm exist for security group changes\"\n      pattern     = \"{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}\"\n    }\n    \"CloudWatch.11-NetworkACLChanges\" = {\n      description = \"Cloudwatch.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\"\n      pattern     = \"{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}\"\n    }\n    \"CloudWatch.12-NetworkGatewayChanges\" = {\n      description = \"Cloudwatch.12 - Ensure a log metric filter and alarm exist for changes to network gateways\"\n      pattern     = \"{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}\"\n    }\n    \"CloudWatch.13-RouteTableChanges\" = {\n      description = \"Cloudwatch.13 - Ensure a log metric filter and alarm exist for route table changes\"\n      pattern     = \"{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}\"\n    }\n    \"CloudWatch.14-VPCChanges\" = {\n      description = \"Cloudwatch.14 – Ensure a log metric filter and alarm exist for VPC changes\"\n      pattern     = \"{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}\"\n    }\n  }\n```\n## Requirements\n\n- Terraform 1.4 or newer\n- AWS Provider 4.67 or newer","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flincolnloop%2Fterraform-aws-cloudwatch-alarm-controls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flincolnloop%2Fterraform-aws-cloudwatch-alarm-controls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flincolnloop%2Fterraform-aws-cloudwatch-alarm-controls/lists"}