adding a whitelist for particular IAM roles

8 changed files with 16 additions and 93 deletions
--- a/monitoring/cloudtrail-alarms/main.tf
+++ b/monitoring/cloudtrail-alarms/main.tf
@ -6,6 +6,11 @@ locals {
  metric_namespace = "CISBenchmarks"
  metric_value     = "1"

+  whitelist_iam_role_string = join(" && ", compact(concat(
+    [],
+    formatlist("$.userIdentity.sessionContext.sessionIssuer.userName != \"%s\"", var.whitelist_iam_roles)
+  )))
+
  metric_name = [
    "CIS-3.1-AuthorizationFailureCount",
    "CIS-3.8-S3BucketActivityEventCount",
@ -27,7 +32,7 @@ locals {
  ]

  filter_pattern = [
-    "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }",
+    "{ ($.errorCode = \"*UnauthorizedOperation\" || $.errorCode = \"AccessDenied*\") && ${local.whitelist_iam_role_string}}",
    "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }",
    "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
    "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }",
--- a/monitoring/cloudtrail-alarms/variables.tf
+++ b/monitoring/cloudtrail-alarms/variables.tf
@ -17,3 +17,13 @@ variable "account_name" {
 variable "login_failures" {
  default = 3
 }
+variable "whitelist_iam_roles" {
+  default = [
+    "MissionCloudHealth",
+    "MissionCloudAware",
+    "security-guardduty-ss-exec",
+    "security-guardduty-ss-admin",
+    "config-recorder-role"
+  ]
+  description = "IAM role names that should not be alerted upon in CIS Benchmark alarms"
+}
--- a/monitoring/securityhub-notifications/README.md
+++ b/monitoring/securityhub-notifications/README.md
@ -1,35 +0,0 @@
-# securityhub-notifications
-
-This module sets up Cloudwatch Event rules which notify a given SNS topic to inform administrators of any SecurityHub findings.
-
-https://aws.amazon.com/security-hub/
-
-## Usage
-
-```
-module "sns-email-topic" {
-  source = "github.com/lalanza808/tf-modules.git/monitoring/sns-email-topic"
-}
-
-module "securityhub-notification" {
-  source = "github.com/lalanza808/tf-modules.git/monitoring/securityhub-notifications"
-  sns_topic_arn = module.sns-email-topic.topic_arn
-}
-```
-
-## Inputs
-
-You must provide one input, which is the SNS Topic ARN you wish to publish messages to.
-
-* `sns_topic_arn`
-
-You can provide these optional inputs:
-
-* `prefix`
-* `tags`
-
-See all inputs here: [variables.tf](./variables.tf)
-
-## Outputs
-
-None
--- a/monitoring/securityhub-notifications/main.tf
+++ b/monitoring/securityhub-notifications/main.tf
@ -1,25 +0,0 @@
-resource "aws_cloudwatch_event_rule" "health" {
-  name        = "${var.prefix}-aws-securityhub"
-  description = "Capture AWS SecurityHub incidents and notify operations SNS"
-
-  event_pattern = <<PATTERN
-{
-  "source": [
-    "aws.securityhub"
-  ],
-  "detail-type": [
-    "Security Hub Findings - Imported"
-  ]
-}
-PATTERN
-
-  tags = {
-    Terraform = "True"
-  }
-}
-
-resource "aws_cloudwatch_event_target" "sns" {
-  rule      = aws_cloudwatch_event_rule.health.name
-  target_id = "${var.prefix}-aws-securityhub"
-  arn       = var.sns_topic_arn
-}
--- a/monitoring/securityhub-notifications/variables.tf
+++ b/monitoring/securityhub-notifications/variables.tf
@ -1,12 +0,0 @@
-variable "sns_topic_arn" {
-  description = "ARN of the SNS topic to recieve notifications"
-}
-variable "tags" {
-  default     = {}
-  type        = map
-  description = "Optional set of tags to apply to the infrastructure"
-}
-variable "prefix" {
-  default     = "monitoring"
-  description = "String to prefix to all resources"
-}
--- a/security/iam-analyzer/main.tf
+++ b/security/iam-analyzer/main.tf
@ -1,4 +0,0 @@
-resource "aws_accessanalyzer_analyzer" "example" {
-  analyzer_name = var.name
-  tags = var.tags
-}
--- a/security/iam-analyzer/variables.tf
+++ b/security/iam-analyzer/variables.tf
@ -1,9 +0,0 @@
-variable "name" {
-  default = "ctay-iam-analyzer"
-}
-
-variable "tags" {
-  default     = {}
-  type        = map
-  description = "Optional tag mapping to apply to the infrastructure"
-}
--- a/security/securityhub/main.tf
+++ b/security/securityhub/main.tf
@ -1,7 +0,0 @@
-resource "aws_securityhub_account" "main" {}
-
-resource "aws_securityhub_standards_subscription" "cis" {
-  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
-
-  depends_on = [aws_securityhub_account.main]
-}