From e5df43d9e8d55ce279b9e407d3c3bc52892e095d Mon Sep 17 00:00:00 2001 From: Lawrence Cymbura Date: Fri, 11 Aug 2017 08:44:47 -0400 Subject: [PATCH 1/2] Add meterfilters and alarms for cloudwatch --- architecture/create-benchmark-rules.yaml | 345 ++++++++++++++++++++++- 1 file changed, 344 insertions(+), 1 deletion(-) diff --git a/architecture/create-benchmark-rules.yaml b/architecture/create-benchmark-rules.yaml index 87387ca..1c9120f 100644 --- a/architecture/create-benchmark-rules.yaml +++ b/architecture/create-benchmark-rules.yaml @@ -1720,7 +1720,8 @@ LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName FilterPattern: "{ ($.eventName = \"ConsoleLogin\") && - ($.additionalEventData.MFAUsed != \"Yes\") + ($.additionalEventData.MFAUsed != \"Yes\") && + ($.responseElements.ConsoleLogin != \"Failure\") }" MetricTransformations: - 
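Review bot: The added clause `($.responseElements.ConsoleLogin != \"Failure\")` states the intent as a negation, so whether a ConsoleLogin record with no `responseElements.ConsoleLogin` field still counts as an MFA-less login depends on how the filter engine treats `!=` against a missing field; that is worth confirming, or the intent can be stated positively as `($.responseElements.ConsoleLogin = \"Success\") &&`. The reason for excluding failed sign-ins is not recorded anywhere in the resource; a comment above `FilterPattern` such as `# A failed sign-in never grants MFA-less access, so only successful console logins are counted` would explain it to the next reader. The enclosing metric filter resource starts before this hunk, and the second commit in this series resolves a merge conflict in this same pattern.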
@@ -1921,6 +1922,46 @@ Arn: !GetAtt FunctionToFormatCloudWatchEvent.Arn Id: TargetFunctionV1 + S3BucketPolicyChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventSource = s3.amazonaws.com) && + (($.eventName = PutBucketAcl) || + ($.eventName = PutBucketPolicy) || + ($.eventName = PutBucketCors) || + ($.eventName = PutBucketLifecycle) || + ($.eventName = PutBucketReplication) || + ($.eventName = DeleteBucketPolicy) || + ($.eventName = DeleteBucketCors) || + ($.eventName = DeleteBucketLifecycle) || + ($.eventName = DeleteBucketReplication)) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: S3BucketPolicyChangesMetric + MetricValue: 1 + + S3BucketPolicyChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: S3 Bucket Policy Changes + AlarmDescription: S3 Bucket Policy Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: S3BucketPolicyChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # CIS 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes #================================================== 
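Review bot: `AlarmName: S3 Bucket Policy Changes` is a fixed literal, and alarm names must be unique per account and region, so deploying this template a second time in the same region would fail on alarm creation; the same applies to the AwsConfigChanges, CloudtrailCfgChanges, IamChanges, SecurityGroupChanges, NaclChanges, NetworkGwChanges, RouteTableChanges and VpcChanges alarms added in the following hunks. Deriving the name from the stack, `AlarmName: !Sub "${AWS::StackName}-S3BucketPolicyChanges"`, avoids the collision; if the alarms that already exist earlier in this file use fixed names, matching that convention is the alternative. The custom metric in the `CloudTrailMetrics` namespace is shared the same way, though a duplicate metric filter emitting the same metric only double-counts rather than fails. `SnsTopicForCloudWatchEvents` is assumed to be defined elsewhere in the template.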
@@ -1947,6 +1988,41 @@ Arn: !GetAtt FunctionToFormatCloudWatchEvent.Arn Id: TargetFunctionV1 + AwsConfigChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventSource = config.amazonaws.com) && + (($.eventName=StopConfigurationRecorder) || + ($.eventName=DeleteDeliveryChannel) || + ($.eventName=PutDeliveryChannel) || + ($.eventName=PutConfigurationRecorder)) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: AwsConfigChangesMetric + MetricValue: 1 + + AwsConfigChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: Aws Cfg Changes + AlarmDescription: Aws Cfg Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: AwsConfigChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # KMS Key Use Detection #================================================== 
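Review bot: The comparison spacing in this pattern, `($.eventName=StopConfigurationRecorder)` with no spaces around `=`, differs from the `($.eventName = ...)` form used by every other pattern in this series, and the IAM pattern in a later hunk mixes both forms inside one string (`DeleteGroupPolicy`, `DeleteRolePolicy`, `DeleteUserPolicy` unspaced, the rest spaced). Both forms are accepted by the filter syntax, so this is style only; writing `($.eventName = StopConfigurationRecorder) ||` throughout keeps the patterns uniform and easier to compare against the benchmark text. `AlarmName: Aws Cfg Changes` is also the only abbreviated alarm name; `AWS Config Changes` would match the section heading above it.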
@@ -1992,6 +2068,41 @@ Arn: !GetAtt FunctionToFormatCloudWatchEvent.Arn Id: TargetFunctionV1 + CloudtrailCfgChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName = CreateTrail) || + ($.eventName = UpdateTrail) || + ($.eventName = DeleteTrail) || + ($.eventName = StartLogging) || + ($.eventName = StopLogging) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: CloudtrailCfgChangesMetric + MetricValue: 1 + + CloudtrailCfgChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: Cloudtrail Cfg Changes + AlarmDescription: Cloudtrail Cfg Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: CloudtrailCfgChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # CIS 3.4 Ensure a log metric filter and alarm exist for IAM policy changes #================================================== 
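Review bot: This pattern matches on `$.eventName` alone, whereas the S3 and AWS Config filters earlier in the series qualify with `$.eventSource`; the IAM, security group, NACL, gateway, route table and VPC filters in the later hunks are unqualified in the same way. Bare API names are not unique across services — `CreatePolicy` and `DeletePolicy` in the IAM pattern, for instance, are also API names in services such as AWS IoT and Organizations, so those events would raise the IAM alarm as well. Adding `($.eventSource = cloudtrail.amazonaws.com) &&` here, with the existing OR chain wrapped in parentheses as the S3 pattern does, and the matching service for each of the other filters, scopes every alarm to the service it is meant to watch. It is not visible from this hunk which section comment precedes `CloudtrailCfgChangesMetric`; a heading naming the CloudTrail-configuration control (3.5 in the 1.x benchmark, if that is the revision this file follows) above it would keep the section-to-control mapping explicit like the neighbouring sections.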
@@ -2030,6 +2141,52 @@ Arn: !GetAtt FunctionToFormatCloudWatchEvent.Arn Id: TargetFunctionV1 + IamChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName=DeleteGroupPolicy) || + ($.eventName=DeleteRolePolicy) || + ($.eventName=DeleteUserPolicy) || + ($.eventName = PutGroupPolicy) || + ($.eventName = PutRolePolicy) || + ($.eventName = PutUserPolicy) || + ($.eventName = CreatePolicy) || + ($.eventName = DeletePolicy) || + ($.eventName = CreatePolicyVersion) || + ($.eventName = DeletePolicyVersion) || + ($.eventName = AttachRolePolicy) || + ($.eventName = DetachRolePolicy) || + ($.eventName = AttachUserPolicy) || + ($.eventName = DetachUserPolicy) || + ($.eventName = AttachGroupPolicy) || + ($.eventName = DetachGroupPolicy) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: IamChangesMetric + MetricValue: 1 + + IamChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: IAM Changes + AlarmDescription: IAM Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: IamChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # Billing Change Detection #================================================== 
@@ -2104,6 +2261,42 @@ Arn: !GetAtt FunctionToFormatCloudWatchEvent.Arn Id: TargetFunctionV1 + SecurityGroupChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName = AuthorizeSecurityGroupIngress) || + ($.eventName = AuthorizeSecurityGroupEgress) || + ($.eventName = RevokeSecurityGroupIngress) || + ($.eventName = RevokeSecurityGroupEgress) || + ($.eventName = CreateSecurityGroup) || + ($.eventName = DeleteSecurityGroup) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: SecurityGroupChangesMetric + MetricValue: 1 + + SecurityGroupChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: Security Group Changes + AlarmDescription: Security Group Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: SecurityGroupChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # CIS 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) #================================================== 
@@ -2132,6 +2325,42 @@ Arn: !GetAtt FunctionToFormatCloudWatchEvent.Arn Id: TargetFunctionV1 + NaclChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName = CreateNetworkAcl) || + ($.eventName = CreateNetworkAclEntry) || + ($.eventName = DeleteNetworkAcl) || + ($.eventName = DeleteNetworkAclEntry) || + ($.eventName = ReplaceNetworkAclEntry) || + ($.eventName = ReplaceNetworkAclAssociation) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: NaclChangesMetric + MetricValue: 1 + + NaclChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: NACL Changes + AlarmDescription: NACL Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: NaclChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # CIS 3.12 Ensure a log metric filter and alarm exist for changes to network gateways # CIS 3.13 Ensure a log metric filter and alarm exist for route table changes 
@@ -2204,6 +2433,120 @@ Statistic: Sum Threshold: 1 + NetworkGwChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName = CreateCustomerGateway) || + ($.eventName = DeleteCustomerGateway) || + ($.eventName = AttachInternetGateway) || + ($.eventName = CreateInternetGateway) || + ($.eventName = DeleteInternetGateway) || + ($.eventName = DetachInternetGateway) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: NetworkGwChangesMetric + MetricValue: 1 + + NetworkGwChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: Network GW Changes + AlarmDescription: Network GW Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: NetworkGwChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + + RouteTableChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName = CreateRoute) || + ($.eventName = CreateRouteTable) || + ($.eventName = ReplaceRoute) || + ($.eventName = ReplaceRouteTableAssociation) || + ($.eventName = DeleteRouteTable) || + ($.eventName = DeleteRoute) || + ($.eventName = DisassociateRouteTable) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: RouteTableChangesMetric + MetricValue: 1 + + RouteTableChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: Route Table Changes + AlarmDescription: Route Table Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: 
RouteTableChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + + VpcChangesMetric: + Type: AWS::Logs::MetricFilter + DependsOn: + - ResourceForEvaluateCisBenchmarkingPreconditions + - ResourceForGetCloudTrailCloudWatchLog + Properties: + LogGroupName: !GetAtt ResourceForGetCloudTrailCloudWatchLog.LogName + FilterPattern: '{ + ($.eventName = CreateVpc) || + ($.eventName = DeleteVpc) || + ($.eventName = ModifyVpcAttribute) || + ($.eventName = AcceptVpcPeeringConnection) || + ($.eventName = CreateVpcPeeringConnection) || + ($.eventName = DeleteVpcPeeringConnection) || + ($.eventName = RejectVpcPeeringConnection) || + ($.eventName = AttachClassicLinkVpc) || + ($.eventName = DetachClassicLinkVpc) || + ($.eventName = DisableVpcClassicLink) || + ($.eventName = EnableVpcClassicLink) + }' + MetricTransformations: + - + MetricNamespace: CloudTrailMetrics + MetricName: VpcChangesMetric + MetricValue: 1 + + VpcChangesCloudWatchAlarm: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmName: VPC Changes + AlarmDescription: VPC Changes + AlarmActions: + - !Ref SnsTopicForCloudWatchEvents + MetricName: VpcChangesMetric + Namespace: CloudTrailMetrics + ComparisonOperator: GreaterThanOrEqualToThreshold + EvaluationPeriods: 1 + Period: 60 + Statistic: Sum + Threshold: 1 + #================================================== # CIS 1.3 Ensure credentials unused for 90 days or greater are disabled # CIS 1.4 Ensure access keys are rotated every 90 days or less From 8ebbeb9863a55e6bf31ce6562092ca345fdb0666 Mon Sep 17 00:00:00 2001 From: Lawrence Cymbura Date: Tue, 29 Aug 2017 09:31:04 -0400 Subject: [PATCH 2/2] miss this conflict --- architecture/create-benchmark-rules.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/architecture/create-benchmark-rules.yaml b/architecture/create-benchmark-rules.yaml index e7cfe52..c7b49d0 100644 
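Review bot: Three metric/alarm pairs land in this one hunk and the VPC pair is not covered by any visible section comment — the nearest heading, in the previous hunk's context, names only the network gateway and route table controls, though it may continue outside that hunk. A comment above `VpcChangesMetric` naming the VPC-changes control (3.14 in the 1.x benchmark) would let a reader map each pair to its benchmark item the way the other sections do. The `NetworkGwChangesMetric` block begins in the preceding line of the page, so the hunk as a whole spans two physical lines here.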
--- a/architecture/create-benchmark-rules.yaml +++ b/architecture/create-benchmark-rules.yaml @@ -1723,12 +1723,8 @@ FilterPattern: "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && -<<<<<<< HEAD - ($.responseElements.ConsoleLogin != \"Failure\") -======= ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) ->>>>>>> 1bcaa25e54d8d69558222fc120680c72d3c4804a }" MetricTransformations: -
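Review bot: The old side shows `<<<<<<< HEAD`, `=======` and `>>>>>>>` markers committed inside the FilterPattern string, so the previous revision's template could not have been parsed or deployed; a template validation step in CI (cfn-lint or `aws cloudformation validate-template`) would have rejected that revision before merge. The resolution keeps both clauses, which looks like the right merge: `($.additionalEventData.SamlProviderArn NOT EXISTS)` excludes federated sign-ins, where the MFA decision is taken at the identity provider and `MFAUsed` presumably does not reflect it — worth confirming against the SAML ConsoleLogin records this account actually produces. The metric filter resource starts and ends outside this hunk.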