Create AWS users that only have permission to view CloudWatch logs related to BOD 18-01 scanning
cisagov/bod-18-01-cloudwatch-users
bod-18-01-cloudwatch-users

This is a Terraform project for creating AWS users that only have permission to view CloudWatch logs related to BOD 18-01 scanning.

Pre-requisites

  • Terraform installed on your system.
  • AWS CLI access configured for the appropriate account on your system.
  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
  • User accounts for all users must have been created previously. We recommend using the cisagov/cyhy-users-non-admin repository to create users.

Customizing Your Environment

Create a Terraform variables file for your environment (e.g. production.tfvars), based on the variables listed in Inputs below. Here is a sample of what that file might look like (the variable names match the Inputs table):

aws_region = "us-east-2"

# Users must already exist in the account (see Pre-requisites).
users = ["firstname1.lastname1", "firstname2.lastname2"]

# Keys are the BOD 18-01 scan types, values are the Lambda function names.
bod_lambdas = {
  "pshtt"      = "task_pshtt",
  "trustymail" = "task_trustymail"
}

tags = {
  Team        = "CISA Development Team"
  Application = "BOD 18-01 Scanning"
  Workspace   = "production"
}

Building the Terraform-based infrastructure

  1. Create a Terraform workspace (if you haven't already done so) by running:

     terraform workspace new <workspace_name>

  2. Create a <workspace_name>.tfvars file with all of the required variables and any optional variables desired (see Inputs below for details).
  3. Run the command terraform init.
  4. Create the Terraform infrastructure by running the command:

     terraform apply -var-file=<workspace_name>.tfvars

Tearing down the Terraform-based infrastructure

  1. Select the appropriate Terraform workspace by running terraform workspace select <workspace_name>.
  2. Destroy the Terraform infrastructure in that workspace by running terraform destroy -var-file=<workspace_name>.tfvars.

Requirements

  • terraform ~> 1.1
  • aws ~> 4.9

Providers

  • aws ~> 4.9

Modules

No modules.

Resources

Resources:
  • aws_iam_group.bod_log_watchers
  • aws_iam_group_policy_attachment.bodlambdalogreadaccess_policy_attachment
  • aws_iam_policy.bodlambdalogreadaccess_policy
  • aws_iam_user_group_membership.user

Data sources:
  • aws_caller_identity.current
  • aws_cloudwatch_log_group.bod_lambda_logs
  • aws_iam_policy_document.bodlambdalogreadaccess_policy_doc
  • aws_iam_user.users
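The following is an added illustration, not the project's own code, of how the resources listed above can be wired together so that the resulting group can only read the scan Lambdas' log groups. The resource and variable names follow the Resources and Inputs tables; the policy actions, the /aws/lambda/<function name> log group convention and the workspace-name suffix are assumptions.

```hcl
data "aws_caller_identity" "current" {}

# AWS names a Lambda's log group /aws/lambda/<function name>.
data "aws_cloudwatch_log_group" "bod_lambda_logs" {
  for_each = var.bod_lambdas
  name     = "/aws/lambda/${each.value}"
}

locals {
  # Normalize the ARNs (some provider versions append a trailing ":*").
  log_group_arns = [for lg in data.aws_cloudwatch_log_group.bod_lambda_logs : trimsuffix(lg.arn, ":*")]
}

data "aws_iam_policy_document" "bodlambdalogreadaccess_policy_doc" {
  # Listing log groups is needed for the console and is scoped to this account and region.
  statement {
    actions   = ["logs:DescribeLogGroups"]
    resources = ["arn:aws:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*"]
  }
  # Reading streams and events is limited to the scan Lambdas' log groups only.
  statement {
    actions   = ["logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents"]
    resources = concat(local.log_group_arns, [for a in local.log_group_arns : "${a}:*"])
  }
}

resource "aws_iam_policy" "bodlambdalogreadaccess_policy" {
  name        = "${var.bodlambdalogreadaccess_policy_name}-${terraform.workspace}"
  description = var.bodlambdalogreadaccess_policy_description
  policy      = data.aws_iam_policy_document.bodlambdalogreadaccess_policy_doc.json
}

resource "aws_iam_group" "bod_log_watchers" {
  name = "${var.bod_log_watchers_group_name}-${terraform.workspace}"
}

resource "aws_iam_group_policy_attachment" "bodlambdalogreadaccess_policy_attachment" {
  group      = aws_iam_group.bod_log_watchers.name
  policy_arn = aws_iam_policy.bodlambdalogreadaccess_policy.arn
}

# Users must already exist; the data source fails the plan if one does not.
data "aws_iam_user" "users" {
  for_each  = toset(var.users)
  user_name = each.key
}

resource "aws_iam_user_group_membership" "user" {
  for_each = data.aws_iam_user.users
  user     = each.value.user_name
  groups   = [aws_iam_group.bod_log_watchers.name]
}
```

Because the second statement names only the log groups derived from bod_lambdas, adding a new scan type to that map is the only way to widen what the group can read, which keeps the review of the blast radius in the tfvars file.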

Inputs

  • aws_availability_zone (string, default "a", optional): The AWS availability zone to deploy into (e.g. a, b, c, etc.).
  • aws_region (string, default "us-east-1", optional): The AWS region to deploy into (e.g. us-east-1).
  • bod_lambdas (map(string), required): A map whose keys are the names of the BOD scan types and whose values are the names of the corresponding AWS Lambdas. Example: { "pshtt" = "task_pshtt" }
  • bod_log_watchers_group_name (string, default "bod_log_watchers", optional): The base name of the group to be created for BOD 18-01 Lambda log access users. Note that in production workspaces, '-production' is automatically appended to this group name. In non-production workspaces, '-<workspace_name>' is automatically appended to this group name.
  • bodlambdalogreadaccess_policy_description (string, default "Allows read access to the BOD 18-01 Lambda logs.", optional): The description to associate with the IAM policy that allows read access to the BOD 18-01 Lambda logs.
  • bodlambdalogreadaccess_policy_name (string, default "BODLambdaLogReadAccess", optional): The base name to associate with the IAM policy that allows read access to the BOD 18-01 Lambda logs. Note that in production workspaces, '-production' is automatically appended to this policy name. In non-production workspaces, '-<workspace_name>' is automatically appended to this policy name.
  • tags (map(string), default {}, optional): Tags to apply to all AWS resources created.
  • users (list(string), required): A list of the usernames for the users that should be given access to the BOD 18-01 CloudWatch logs. Example: ["firstname1.lastname1", "firstname2.lastname2"]

Outputs

No outputs.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
