feat: guardduty_member ignore fields, alarm-baseline vars for patterns #326

Open
wants to merge 1 commit into
base: main
33 changes: 15 additions & 18 deletions modules/alarm-baseline/main.tf
Expand Up @@ -43,7 +43,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
count = var.unauthorized_api_calls_enabled ? 1 : 0

name = "UnauthorizedAPICalls"
pattern = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}"
pattern = var.unauthorized_api_calls_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -76,10 +76,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
count = var.no_mfa_console_signin_enabled ? 1 : 0

name = "NoMFAConsoleSignin"
pattern = join(" ", [
"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
])
pattern = var.no_mfa_console_signin_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -112,7 +109,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
count = var.root_usage_enabled ? 1 : 0

name = "RootUsage"
pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
pattern = var.root_usage_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -145,7 +142,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
count = var.iam_changes_enabled ? 1 : 0

name = "IAMChanges"
pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
pattern = var.iam_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -178,7 +175,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
count = var.cloudtrail_cfg_changes_enabled ? 1 : 0

name = "CloudTrailCfgChanges"
pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
pattern = var.cloudtrail_cfg_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -211,7 +208,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
count = var.console_signin_failures_enabled ? 1 : 0

name = "ConsoleSigninFailures"
pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
pattern = var.console_signin_failures_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -244,7 +241,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
count = var.disable_or_delete_cmk_enabled ? 1 : 0

name = "DisableOrDeleteCMK"
pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
pattern = var.disable_or_delete_cmk_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -277,7 +274,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
count = var.s3_bucket_policy_changes_enabled ? 1 : 0

name = "S3BucketPolicyChanges"
pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
pattern = var.s3_bucket_policy_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -310,7 +307,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
count = var.aws_config_changes_enabled ? 1 : 0

name = "AWSConfigChanges"
pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
pattern = var.aws_config_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -343,7 +340,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
count = var.security_group_changes_enabled ? 1 : 0

name = "SecurityGroupChanges"
pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
pattern = var.security_group_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -376,7 +373,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
count = var.nacl_changes_enabled ? 1 : 0

name = "NACLChanges"
pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
pattern = var.nacl_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -409,7 +406,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
count = var.network_gw_changes_enabled ? 1 : 0

name = "NetworkGWChanges"
pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
pattern = var.network_gw_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -442,7 +439,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
count = var.route_table_changes_enabled ? 1 : 0

name = "RouteTableChanges"
pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
pattern = var.route_table_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -475,7 +472,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
count = var.vpc_changes_enabled ? 1 : 0

name = "VPCChanges"
pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
pattern = var.vpc_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
Expand Down Expand Up @@ -508,7 +505,7 @@ resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
count = var.organizations_changes_enabled ? 1 : 0

name = "OrganizationsChanges"
pattern = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
pattern = var.organizations_changes_pattern
log_group_name = var.cloudtrail_log_group_name

metric_transformation {
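Review bot: The `mfa_console_signin_allow_sso` conditional that was built in the NoMFAConsoleSignin filter (the removed `join(...)`) has left main.tf entirely, and a Terraform variable default must be a literal value — it cannot call `join()` or read another variable — so the toggle cannot be re-evaluated from variables.tf and must stay in this resource. I would declare `no_mfa_console_signin_pattern` with `default = null` and keep the conditional here, using the override only when the caller sets it, which also keeps the existing `mfa_console_signin_allow_sso` behaviour intact for current users. The other hunks simply swap a literal for a variable and look fine, though note that a caller can now replace any of these CIS-style filters with a pattern that matches nothing, so the module's alarms are only as strong as the overrides. The filter's `metric_transformation` block and the resource's closing brace are outside the hunk.

```hcl
  # … unchanged: count, name …
  pattern = var.no_mfa_console_signin_pattern != null ? var.no_mfa_console_signin_pattern : join(" ", [
    "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
    var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
  ])
  # … unchanged: log_group_name, metric_transformation …
```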
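--- a/modules/alarm-baseline/variables.tf
+++ b/modules/alarm-baseline/variables.tf
@@ -120,7 +120,100 @@ variable "sns_topic_kms_master_key_id" {
 variable "tags" {
 description = "Specifies object tags key and value. This applies to all resources created by this module."
 type = map(string)
-default = {
+default = {
 "Terraform" = "true"
 }
 }
+
+variable "unauthorized_api_calls_pattern" {
+description = "Pattern for unauthorized api calls"
+type = string
+default = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}"
+}
+
+variable "no_mfa_console_signin_pattern" {
+description = "Pattern for No MFA console signin"
+type = string
+default = join(" ", [
+"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
+var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
+])
+}
+
+variable "root_usage_pattern" {
+description = "Pattern for root usage"
+type = string
+default = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+}
+
+variable "iam_changes_pattern" {
+description = ""
+type = string
+default = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+}
+
+variable "cloudtrail_cfg_changes_pattern" {
+description = "Pattern for CloudTrail config changes"
+type = string
+default = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
+}
+
+variable "console_signin_failures_pattern" {
+description = "Pattern for Console signin failures"
+type = string
+default = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
+}
+
+variable "disable_or_delete_cmk_pattern" {
+description = "Pattern for Disable or Delete cmk"
+type = string
+default = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
+}
+
+variable "s3_bucket_policy_changes_pattern" {
+description = "Pattern for S3 Bucket Policy changes"
+type = string
+default = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
+}
+
+variable "aws_config_changes_pattern" {
+description = "Pattern for AWS Config changes"
+type = string
+default = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
+}
+
+variable "security_group_changes_pattern" {
+description = "Pattern for Security Group changes"
+type = string
+default = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
+}
+
+variable "nacl_changes_pattern" {
+description = "Pattern for NACL changes"
+type = string
+default = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
+}
+
+variable "network_gw_changes_pattern" {
+description = "Pattern for Network GW changes"
+type = string
+default = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
+}
+
+variable "route_table_changes_pattern" {
+description = "Pattern for Route Table changes"
+type = string
+default = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
+}
+
+variable "vpc_changes_pattern" {
+description = "Pattern for VPC changes"
+type = string
+default = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
+}
+
+variable "organizations_changes_pattern" {
+description = "Pattern for Organizations changes"
+type = string
+default = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
+}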
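Review bot: The default of `no_mfa_console_signin_pattern` is a `join(...)` over `var.mfa_console_signin_allow_sso`, but Terraform only accepts literal values as variable defaults — no function calls and no references to other variables — so `terraform validate` will reject this block as written. Use `default = null` here and evaluate the SSO conditional inside the metric filter in main.tf, falling back to the built pattern when the override is null. `iam_changes_pattern` also ships with an empty description; `"Pattern for IAM policy changes"` would match its siblings. Because each of these overrides replaces what appears to be a CIS AWS Foundations Benchmark filter, I would state that in every description, e.g. `"CloudWatch Logs metric filter pattern for unauthorized API calls; overriding it changes what this alarm detects"`, so a caller cannot loosen a control without noticing.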
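--- a/modules/guardduty-baseline/main.tf
+++ b/modules/guardduty-baseline/main.tf
@@ -25,6 +25,12 @@ resource "aws_guardduty_member" "members" {
 disable_email_notification = var.disable_email_notification
 email = var.member_accounts[count.index].email
 invitation_message = var.invitation_message
+# because of https://github.com/hashicorp/terraform-provider-aws/issues/13906#issuecomment-653613521
+lifecycle {
+ignore_changes = [
+email
+]
+}
 }
 
 resource "aws_guardduty_invite_accepter" "master" {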
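Review bot: `ignore_changes = [email]` means a later change to `var.member_accounts[*].email` is silently never applied to an existing member, and the added comment only links an issue without saying why that trade-off is acceptable. I would spell out both the symptom and the consequence, e.g. `# The provider reports a spurious diff on email for already-invited members (hashicorp/terraform-provider-aws#13906); with it ignored, changing a member's email in var.member_accounts requires replacing the member.` The exact symptom is inferred from the linked issue rather than visible here, so confirm it before settling on the wording. The enclosing `aws_guardduty_member` resource begins before this hunk.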