From 02053501fcaa32130e0f8ea1b53b2d642f9e4a91 Mon Sep 17 00:00:00 2001
From: lza_menace
Date: Fri, 10 Jul 2020 08:21:44 -0700
Subject: [PATCH] adding a whitelist for particular IAM roles
---
 monitoring/cloudtrail-alarms/main.tf | 7 ++++++-
 monitoring/cloudtrail-alarms/variables.tf | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/monitoring/cloudtrail-alarms/main.tf b/monitoring/cloudtrail-alarms/main.tf
index ae99672..0434dc6 100644
--- a/monitoring/cloudtrail-alarms/main.tf
+++ b/monitoring/cloudtrail-alarms/main.tf
@@ -6,6 +6,11 @@ locals {
 metric_namespace = "CISBenchmarks"
 metric_value = "1"
 
+ whitelist_iam_role_string = join(" && ", compact(concat(
+ [],
+ formatlist("$.userIdentity.sessionContext.sessionIssuer.userName != \"%s\"", var.whitelist_iam_roles)
+ ))),
+
 metric_name = [
 "CIS-3.1-AuthorizationFailureCount",
 "CIS-3.8-S3BucketActivityEventCount",
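Review bot: With `var.whitelist_iam_roles` set to an empty list, `whitelist_iam_role_string` evaluates to `""` and the CIS-3.1 entry of `filter_pattern` later in this file renders as `{ (...) && }`, which is not a valid CloudWatch Logs metric filter, so the module fails to apply exactly when an operator tries to turn the exclusion off. Building the entire `&&` clause here, leading operator included, makes the empty case collapse to nothing: `whitelist_iam_role_string = join("", formatlist(" && $.userIdentity.sessionContext.sessionIssuer.userName != \"%s\"", var.whitelist_iam_roles))`, with the filter then interpolating it immediately after the errorCode group, `"{ ($.errorCode = \"*UnauthorizedOperation\" || $.errorCode = \"AccessDenied*\")${local.whitelist_iam_role_string} }"`. The `concat([], …)` and `compact(…)` wrappers are no-ops, since `formatlist` never yields an empty string, and can be dropped. A short comment above the local such as `# Excludes assumed-role sessions whose role name is in var.whitelist_iam_roles from the CIS 3.1 unauthorized-API alarm; matches on role name only, not ARN or account` would record the intent and its limits.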
@@ -27,7 +32,7 @@ locals {
 ]
 
 filter_pattern = [
- "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }",
+ "{ ($.errorCode = \"*UnauthorizedOperation\" || $.errorCode = \"AccessDenied*\") && ${local.whitelist_iam_role_string}}",
 "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }",
 "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
 "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }",
diff --git a/monitoring/cloudtrail-alarms/variables.tf b/monitoring/cloudtrail-alarms/variables.tf
index e61f064..9dbb88a 100644
--- a/monitoring/cloudtrail-alarms/variables.tf
+++ b/monitoring/cloudtrail-alarms/variables.tf
@@ -17,3 +17,13 @@ variable "account_name" {
 variable "login_failures" {
 default = 3
 }
+variable "whitelist_iam_roles" {
+ default = [
+ "MissionCloudHealth",
+ "MissionCloudAware",
+ "security-guardduty-ss-exec",
+ "security-guardduty-ss-admin",
+ "config-recorder-role"
+ ]
+ description = "IAM role names that should not be alerted upon in CIS Benchmark alarms"
+}
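Review bot: The new CIS-3.1 pattern on the `+` line keys its exclusion solely on `$.userIdentity.sessionContext.sessionIssuer.userName`, a property that exists for assumed-role sessions but not for IAM-user or root credentials, and nothing in the hunk establishes how CloudWatch Logs evaluates `!=` against a missing JSON property; if that term is false when the property is absent, every AccessDenied from a non-role principal silently drops out of the metric, which is the case CIS 3.1 most wants caught. Please verify with a test event that lacks `sessionContext` before relying on the filter, and record the outcome on the line, e.g. `# Role exclusion applies to assumed-role sessions only; confirmed that IAM-user/root AccessDenied events still match`. The comparison is also on the bare role name with no account or ARN, so in a multi-account or organization trail a same-named role anywhere, including one an attacker creates, inherits the exemption. For a role that keeps producing AccessDenied the safer remedy is usually to correct its policy rather than blind the alarm.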
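Review bot: The default for `whitelist_iam_roles` bakes five deployment-specific role names into an otherwise generic module, so every consumer silently loses CIS 3.1 alerting for any principal that assumes a role carrying one of these names, and the names are published along with the module. A reusable input should declare its type and default to no exclusions, `type = list(string)` and `default = []`, leaving callers to pass their own list explicitly. The description could also state the matching semantics the filter depends on, e.g. `description = "IAM role names (matched on sessionIssuer.userName only, not ARN/account) whose AccessDenied/UnauthorizedOperation events are excluded from the CIS 3.1 alarm"`.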