
@ -6,6 +6,11 @@ locals {
metric_namespace = "CISBenchmarks"
metric_value = "1"
whitelist_iam_role_string = join(" && ", compact(concat(
[],
formatlist("$.userIdentity.sessionContext.sessionIssuer.userName != \"%s\"", var.whitelist_iam_roles)
)))
metric_name = [
"CIS-3.1-AuthorizationFailureCount",
"CIS-3.8-S3BucketActivityEventCount",
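Review bot: The exclusion key chosen for `whitelist_iam_role_string` is `sessionIssuer.userName`, a bare role name that is not account-qualified, so a same-named role assumed from any other account would be excluded from the CIS 3.1 alarm as well; the same field is absent entirely for IAM-user sessions, and how a `!=` comparison in a CloudWatch Logs filter pattern behaves on a missing JSON field should be confirmed before relying on it. If an account id is available to the module (only `var.account_name` is visible here), a more defensible template is `formatlist("$.userIdentity.sessionContext.sessionIssuer.arn != \"arn:aws:iam::%s:role/%s\"", ...)` keyed on the role ARN. Separately, `concat([], …)` contributes nothing and `compact` only matters if the variable can hold empty strings; `join(" && ", formatlist(...))` alone expresses the same value. The enclosing `locals` block starts before this hunk and continues past it.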
@ -27,7 +32,7 @@ locals {
]
filter_pattern = [
"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }",
"{ ($.errorCode = \"*UnauthorizedOperation\" || $.errorCode = \"AccessDenied*\") && ${local.whitelist_iam_role_string}}",
"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }",
"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }",
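Review bot: The new second pattern hard-codes ` && ` in front of `${local.whitelist_iam_role_string}`, so when `var.whitelist_iam_roles` is empty the local is `""` and the pattern becomes `{ (...) && }`, which CloudWatch will reject when the metric filter is created and would leave the CIS 3.1 alarm unconfigured. Make the conjunction conditional, e.g. `"{ ($.errorCode = \"*UnauthorizedOperation\" || $.errorCode = \"AccessDenied*\")${length(var.whitelist_iam_roles) > 0 ? " && ${local.whitelist_iam_role_string}" : ""} }"`. Worth a comment on this entry as well, since it suppresses every AccessDenied/UnauthorizedOperation event from the listed roles, including ones that would indicate the role itself being abused: `# Excludes roles in var.whitelist_iam_roles entirely; a compromised whitelisted role will not trigger CIS-3.1.` The `filter_pattern` list and the enclosing `locals` block extend beyond this hunk.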

@ -17,3 +17,13 @@ variable "account_name" {
variable "login_failures" {
default = 3
}
variable "whitelist_iam_roles" {
default = [
"MissionCloudHealth",
"MissionCloudAware",
"security-guardduty-ss-exec",
"security-guardduty-ss-admin",
"config-recorder-role"
]
description = "IAM role names that should not be alerted upon in CIS Benchmark alarms"
}
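Review bot: `variable "whitelist_iam_roles"` ships with a default that names five specific roles, so every consumer of this module silently stops alerting on unauthorized API calls from those role names unless they override the variable; for a CIS benchmark control the safe default is no exclusions. Change the default to `default = []` and let each deployment list its own roles explicitly, and add a type constraint so a non-list value fails at plan time rather than inside `formatlist`: `type = list(string)`. The description could also state the consequence plainly, e.g. `description = "IAM role names excluded from the CIS-3.1 unauthorized-API-call alarm; every AccessDenied/UnauthorizedOperation event from these roles is dropped"`.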
