https://github.com/rhythmictech/terraform-aws-cis-cloudwatch-monitors
Creates CloudWatch metric filters and alerts as required by the CIS AWS Benchmark
aws cloudwatch terraform terraform-module terraform-modules
- Host: GitHub
- URL: https://github.com/rhythmictech/terraform-aws-cis-cloudwatch-monitors
- Owner: rhythmictech
- License: mit
- Created: 2019-06-02T17:56:07.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-08-13T13:59:21.000Z (over 3 years ago)
- Last Synced: 2023-03-02T22:06:03.396Z (over 1 year ago)
- Topics: aws, cloudwatch, terraform, terraform-module, terraform-modules
- Language: HCL
- Homepage: https://registry.terraform.io/modules/rhythmictech/cloudwatch-monitors/cis
- Size: 37.1 KB
- Stars: 7
- Watchers: 2
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# terraform-aws-cis-cloudwatch-monitors
[![](https://github.com/rhythmictech/terraform-aws-cis-cloudwatch-monitors/workflows/check/badge.svg)](https://github.com/rhythmictech/terraform-aws-cis-cloudwatch-monitors/actions)
Creates CloudWatch metric filters and alerts as required by the CIS AWS Benchmark.
This module assumes that all of your CloudTrail logs (from all regions) are delivered to a single CloudWatch log group, named in `log_group`. If you need to cover additional log groups, instantiate the module once per log group and set a distinct `name_prefix` on each so that their metric filters, metrics and alarms get distinct names.

## Requirements
| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 2.63.0 |

## Providers
| Name | Version |
|------|---------|
| aws | >= 2.63.0 |

## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| log\_group | Name of CloudWatch Log Group to look for CloudTrail alerts in. | `string` | n/a | yes |
| notification\_arn | ARN of SNS topic to route notifications to. | `string` | n/a | yes |
| alarm\_threshold\_aws\_config\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_cloudtrail\_config\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_console\_access\_without\_mfa | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_disable\_or\_delete\_cmk | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_failed\_console\_login | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_iam\_policy\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_nacl\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_network\_gateway\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_root\_access | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_root\_account\_usage | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_route\_table\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_s3\_bucket\_policy\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_security\_group\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_unauthorized\_cloudtrail\_calls | The value against which the specified statistic is compared. | `number` | `1` | no |
| alarm\_threshold\_vpc\_change | The value against which the specified statistic is compared. | `number` | `1` | no |
| core\_alarms\_only | Set to true to only get the core/important alarms | `bool` | `false` | no |
| datapoints\_to\_alarm\_aws\_config\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_cloudtrail\_config\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_console\_access\_without\_mfa | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_disable\_or\_delete\_cmk | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_failed\_console\_login | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_iam\_policy\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_nacl\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_network\_gateway\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_root\_access | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_root\_account\_usage | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_route\_table\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_s3\_bucket\_policy\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_security\_group\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_unauthorized\_cloudtrail\_calls | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| datapoints\_to\_alarm\_vpc\_change | (Optional) The number of datapoints that must be breaching to trigger the alarm. | `number` | `null` | no |
| default\_period | Period (in seconds) over which to look for threshold events. | `number` | `300` | no |
| metric\_namespace | Namespace to define all metrics in. | `string` | `"cis-cloudwatch-metrics"` | no |
| name\_prefix | Prefix for all metric filters, metrics and alarms. This is not required but may be useful if you need to create this module multiple times for different log groups. | `string` | `""` | no |
| tags | Tags to apply to supported resources. | `map(string)` | `{}` | no |

## Outputs
No output.
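The following is an added usage example, not code from the module's own README or repository. It wires the inputs from the table above into two module instances: one for a primary CloudTrail log group and a second, prefixed instance for an additional log group, as the note about `name_prefix` describes. The SNS topic name, the e-mail address, the log group names and the region are assumed values; the module source uses the repository URL given on this page, and delivery of CloudTrail into those log groups is assumed to be configured elsewhere, since the module does not set that up.

```hcl
# Added example, not part of the rhythmictech module. Assumes CloudTrail is
# already delivering logs (all regions) into the two log groups named below.

provider "aws" {
  region = "us-east-1" # assumed region
}

# Single topic that receives every CIS alarm notification (assumed name).
resource "aws_sns_topic" "cis_alerts" {
  name = "cis-cloudwatch-alerts"
}

# Route the notifications somewhere a human reads them (assumed address).
resource "aws_sns_topic_subscription" "cis_alerts_email" {
  topic_arn = aws_sns_topic.cis_alerts.arn
  protocol  = "email"
  endpoint  = "secops@example.com"
}

# Primary instance: the organisation trail, delivered to one log group.
module "cis_monitors" {
  source = "github.com/rhythmictech/terraform-aws-cis-cloudwatch-monitors"

  log_group        = "/aws/cloudtrail/org-trail" # assumed existing log group
  notification_arn = aws_sns_topic.cis_alerts.arn

  # Raise the threshold on the noisiest check: alarm on three failed
  # console logins within the default 300-second period, not on the first.
  alarm_threshold_failed_console_login = 3

  # Keep every other threshold at the module default of 1 so that a single
  # root login, CMK disable or CloudTrail change still pages immediately.
  tags = {
    Owner      = "security"
    Compliance = "cis-aws"
  }
}

# Second instance for a separate log group (for example a trail from another
# account forwarded into this one). The prefix keeps its metric filters,
# metrics and alarms from colliding with the names the first instance creates;
# core_alarms_only trims it to the important alarms only.
module "cis_monitors_partner" {
  source = "github.com/rhythmictech/terraform-aws-cis-cloudwatch-monitors"

  log_group        = "/aws/cloudtrail/partner-trail" # assumed existing log group
  notification_arn = aws_sns_topic.cis_alerts.arn
  name_prefix      = "partner-"
  core_alarms_only = true
  default_period   = 600 # look over 10 minutes instead of the default 5

  tags = {
    Owner      = "security"
    Compliance = "cis-aws"
  }
}
```

Both instances publish to the same topic, so one subscription covers all alarms; if the two log groups should page different teams, give each instance its own `notification_arn`. The `alarm_threshold_*` and `datapoints_to_alarm_*` inputs are the only per-check tuning the module exposes, so reduce false positives by raising the threshold on a specific check rather than by lengthening `default_period`, which applies to every alarm in that instance.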