This repository contains a Terraform module that creates CloudWatch alarms for an AWS account baseline. The alarms implement the monitoring controls of the CIS AWS Foundations Benchmark v1.4.0 as CloudWatch Logs metric filters over a CloudTrail log group (the `cloudtrail_log_group_name` input), and notifications can be sent to email, Slack and/or Microsoft Teams. A minimal usage example:
```hcl
module "account_baseline_alarms" {
  source  = "appvia/alarm-baseline/aws"
  version = "0.0.1"

  notification = {
    email = {
      addresses = ["[email protected]"]
    }
  }

  enable_no_mfa_console_signin = true
}
```
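To see what a few of these alarms actually match, the following added example (not code from the appvia/alarm-baseline/aws module) evaluates the CIS v1.4.0 reference metric-filter patterns for controls 4.1 (unauthorized API calls), 4.2 (console sign-in without MFA) and 4.3 (root usage) against constructed CloudTrail events in plain Python. The `allow_sso` switch applies the SSO variant that CIS documents for 4.2, which is the behaviour the `enable_mfa_console_signin_allow_sso` input is described as providing; that the module uses exactly these patterns is an assumption, so check its source before relying on this to predict what it alarms on. The sample events and account ID are constructed.

```python
"""Evaluate CIS AWS Foundations Benchmark v1.4.0 monitoring filters 4.1-4.3
against CloudTrail events (newline-delimited JSON), mirroring what the
corresponding CloudWatch metric filters would count.

Added example, not part of the appvia/alarm-baseline/aws module. Patterns
are the CIS v1.4.0 reference filter patterns; the module's own may differ.
"""
import fnmatch
import json


def unauthorized_api_call(ev):
    """CIS 4.1: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = ev.get("errorCode", "")
    return fnmatch.fnmatchcase(code, "*UnauthorizedOperation") or fnmatch.fnmatchcase(code, "AccessDenied*")


def console_signin_without_mfa(ev, allow_sso=False):
    """CIS 4.2: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }

    With allow_sso=True the CIS "SSO" variant is applied, which additionally requires
    ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success"),
    so federated/SSO sessions (userIdentity.type = AssumedRole) no longer match.
    Assumption: this is what the module's enable_mfa_console_signin_allow_sso does.
    """
    if ev.get("eventName") != "ConsoleLogin":
        return False
    # ConsoleLogin events always carry additionalEventData.MFAUsed ("Yes"/"No").
    if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return False
    if allow_sso:
        if ev.get("userIdentity", {}).get("type") != "IAMUser":
            return False
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            return False
    return True


def root_usage(ev):
    """CIS 4.3: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }"""
    ident = ev.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident          # root acting via another AWS service is excluded
        and ev.get("eventType") != "AwsServiceEvent"
    )


def evaluate(log_lines, allow_sso=False):
    """Count matching events per alarm. A metric filter emits one data point per
    matching log line; the alarm then fires when the metric's sum reaches its threshold."""
    counts = {"unauthorized_api_calls": 0, "no_mfa_console_signin": 0, "root_usage": 0}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if unauthorized_api_call(ev):
            counts["unauthorized_api_calls"] += 1
        if console_signin_without_mfa(ev, allow_sso=allow_sso):
            counts["no_mfa_console_signin"] += 1
        if root_usage(ev):
            counts["root_usage"] += 1
    return counts


# Constructed sample events (not real CloudTrail output), one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",   # SSO session
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin_abc/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",   # MFA used: no alarm
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "DescribeAlarms", "eventType": "AwsApiCall",       # direct root API use
     "userIdentity": {"type": "Root"}},
    {"eventName": "CreateTrail", "eventType": "AwsApiCall",          # root via a service: excluded
     "userIdentity": {"type": "Root", "invokedBy": "organizations.amazonaws.com"}},
])

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG.splitlines()))
    print(evaluate(SAMPLE_LOG.splitlines(), allow_sso=True))
```

Running it shows the difference the SSO switch makes: with `allow_sso=False` both non-MFA console logins count (two), with `allow_sso=True` only the IAM user's login does (one), because the federated SSO session is an `AssumedRole` identity. That is the trade-off behind `enable_mfa_console_signin_allow_sso`: it removes the noise from SSO sign-ins, where MFA is enforced at the identity provider, at the cost of no longer seeing non-MFA federated sessions in this alarm.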
The module requires the following provider:

| Name | Version |
|---|---|
| aws | ~> 5.0 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| notification | The configuration for how notifications are sent (email, Slack, Microsoft Teams). | `object({...})` (attribute schema not reproduced in this listing; the usage example above shows `email.addresses`) | n/a | yes |
| tags | A map of tags added to all resources. | `map(string)` | n/a | yes |
| accounts_id_to_name | A mapping of account ID to account name, used by the notification Lambda to show a human-readable account name in place of the ID. | `map(string)` | `{}` | no |
| alarm_namespace | The CloudWatch namespace for the alarm metrics. | `string` | `"cis-benchmark"` | no |
| cloudtrail_log_group_name | The name of the CloudWatch log group receiving CloudTrail logs that the metric filters are applied to. The default is the AWS Control Tower log group; set it explicitly in accounts not managed by Control Tower. | `string` | `"aws-controltower/CloudTrailLogs"` | no |
| cloudwatch_log_group_retention | The retention period in days for the CloudWatch log group holding the notification Lambda's logs; `"0"` means the logs never expire. | `string` | `"0"` | no |
| create_sns_topic | Whether to create the SNS topic the alarms publish to. | `bool` | `true` | no |
| enable_administrator_sso_activity | Whether the administrator_sso_activity alarm is enabled. | `bool` | `true` | no |
| enable_aws_config_changes | Whether the aws_config_changes alarm is enabled. | `bool` | `true` | no |
| enable_breakglass_activity | Whether the breakglass_logins alarm is enabled. | `bool` | `true` | no |
| enable_cloudtrail_cfg_changes | Whether the cloudtrail_cfg_changes alarm is enabled. | `bool` | `true` | no |
| enable_console_signin_failures | Whether the console_signin_failures alarm is enabled. | `bool` | `true` | no |
| enable_disable_or_delete_cmk | Whether the disable_or_delete_cmk alarm is enabled. | `bool` | `true` | no |
| enable_iam_changes | Whether the iam_changes alarm is enabled. | `bool` | `true` | no |
| enable_mfa_console_signin_allow_sso | Whether the no_mfa_console_signin alarm ignores console sign-ins made through SSO (federated sessions), so that only sign-ins without MFA by non-SSO identities alarm. | `bool` | `false` | no |
| enable_nacl_changes | Whether the nacl_changes alarm is enabled. | `bool` | `true` | no |
| enable_network_gw_changes | Whether the network_gw_changes alarm is enabled. | `bool` | `true` | no |
| enable_no_mfa_console_signin | Whether the no_mfa_console_signin alarm is enabled. | `bool` | `true` | no |
| enable_organizations_changes | Whether the organizations_changes alarm is enabled. | `bool` | `true` | no |
| enable_root_usage | Whether the root_usage alarm is enabled. | `bool` | `true` | no |
| enable_route_table_changes | Whether the route_table_changes alarm is enabled. | `bool` | `true` | no |
| enable_s3_bucket_policy_changes | Whether the s3_bucket_policy_changes alarm is enabled. | `bool` | `true` | no |
| enable_security_group_changes | Whether the security_group_changes alarm is enabled. | `bool` | `true` | no |
| enable_unauthorized_api_calls | Whether the unauthorized_api_calls alarm is enabled. | `bool` | `true` | no |
| enable_vpc_changes | Whether the vpc_changes alarm is enabled. | `bool` | `true` | no |
| identity_center_role | The name of the role to use when notification links redirect through IAM Identity Center. | `string` | `null` | no |
| identity_center_start_url | The start URL of your IAM Identity Center instance. | `string` | `null` | no |
| sns_topic_name | The name of the SNS topic created for the alarms. | `string` | `"cis-benchmark-alarms"` | no |
Outputs:

| Name | Description |
|---|---|
| sns_topic_arn | The ARN of the SNS topic the alarms publish to. |