
appvia/terraform-aws-alarm-baseline


Terraform AWS Account Baseline Alarms

This repository contains a Terraform module that creates CloudWatch Logs metric filters and the matching CloudWatch alarms for an AWS account baseline. The alarms follow the monitoring recommendations of the CIS AWS Foundations Benchmark v1.4.0, plus two additions: administrator SSO activity and break-glass activity. Alarm notifications are published to an SNS topic (created by the module unless `create_sns_topic` is false) and can be forwarded to email, Slack and/or Microsoft Teams. The module filters an existing CloudTrail log group, by default the one AWS Control Tower creates (`aws-controltower/CloudTrailLogs`); it does not create the trail or the log group, so CloudTrail must already be delivering to CloudWatch Logs in the account and region where the module is applied, otherwise the filters never see an event and the alarms never fire.

Usage

```hcl
module "account_baseline_alarms" {
  source  = "appvia/alarm-baseline/aws"
  version = "0.0.1"

  notification = {
    email = {
      addresses = ["security@example.com"]
    }
  }

  # Required input: applied to every resource the module creates (example values).
  tags = {
    Environment = "production"
    Owner       = "security"
  }

  enable_no_mfa_console_signin = true
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| notifications | appvia/notifications/aws | 0.1.6 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_metric_filter.admin_sso_activity | resource |
| aws_cloudwatch_log_metric_filter.aws_config_changes | resource |
| aws_cloudwatch_log_metric_filter.breakglass_activity | resource |
| aws_cloudwatch_log_metric_filter.cloudtrail_cfg_changes | resource |
| aws_cloudwatch_log_metric_filter.console_signin_failures | resource |
| aws_cloudwatch_log_metric_filter.disable_or_delete_cmk | resource |
| aws_cloudwatch_log_metric_filter.iam_changes | resource |
| aws_cloudwatch_log_metric_filter.nacl_changes | resource |
| aws_cloudwatch_log_metric_filter.network_gw_changes | resource |
| aws_cloudwatch_log_metric_filter.no_mfa_console_signin | resource |
| aws_cloudwatch_log_metric_filter.organizations_changes | resource |
| aws_cloudwatch_log_metric_filter.root_usage | resource |
| aws_cloudwatch_log_metric_filter.route_table_changes | resource |
| aws_cloudwatch_log_metric_filter.s3_bucket_policy_changes | resource |
| aws_cloudwatch_log_metric_filter.security_group_changes | resource |
| aws_cloudwatch_log_metric_filter.unauthorized_api_calls | resource |
| aws_cloudwatch_log_metric_filter.vpc_changes | resource |
| aws_cloudwatch_metric_alarm.admin_sso_activity | resource |
| aws_cloudwatch_metric_alarm.aws_config_changes | resource |
| aws_cloudwatch_metric_alarm.breakglass_activity | resource |
| aws_cloudwatch_metric_alarm.cloudtrail_cfg_changes | resource |
| aws_cloudwatch_metric_alarm.console_signin_failures | resource |
| aws_cloudwatch_metric_alarm.disable_or_delete_cmk | resource |
| aws_cloudwatch_metric_alarm.iam_changes | resource |
| aws_cloudwatch_metric_alarm.nacl_changes | resource |
| aws_cloudwatch_metric_alarm.network_gw_changes | resource |
| aws_cloudwatch_metric_alarm.no_mfa_console_signin | resource |
| aws_cloudwatch_metric_alarm.organizations_changes | resource |
| aws_cloudwatch_metric_alarm.root_usage | resource |
| aws_cloudwatch_metric_alarm.route_table_changes | resource |
| aws_cloudwatch_metric_alarm.s3_bucket_policy_changes | resource |
| aws_cloudwatch_metric_alarm.security_group_changes | resource |
| aws_cloudwatch_metric_alarm.unauthorized_api_calls | resource |
| aws_cloudwatch_metric_alarm.vpc_changes | resource |
| aws_caller_identity.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| notification | The configuration for how to send notifications. At least one of `email`, `slack` or `teams` should be set, otherwise the alarms have nowhere to deliver. | <pre>object({<br>  email = optional(object({<br>    addresses = list(string)<br>  }), null)<br>  slack = optional(object({<br>    channel     = string<br>    lambda_name = optional(string, "alarms-notifications")<br>    webhook_url = string<br>  }), null)<br>  teams = optional(object({<br>    webhook_url = string<br>  }), null)<br>})</pre> | n/a | yes |
| tags | A map of tags to add to all resources. | `map(string)` | n/a | yes |
| alarm_namespace | The CloudWatch metric namespace the filters publish to and the alarms read from. | `string` | `"cis-benchmark"` | no |
| cloudtrail_log_group_name | The name of the existing CloudTrail log group to attach the metric filters to. | `string` | `"aws-controltower/CloudTrailLogs"` | no |
| create_sns_topic | Whether to create the SNS topic for alarms. | `bool` | `true` | no |
| enable_administrator_sso_activity | Whether the administrator_sso_activity alarm is enabled. | `bool` | `true` | no |
| enable_aws_config_changes | Whether the aws_config_changes alarm is enabled. | `bool` | `true` | no |
| enable_breakglass_activity | Whether the breakglass_activity alarm is enabled. | `bool` | `true` | no |
| enable_cloudtrail_cfg_changes | Whether the cloudtrail_cfg_changes alarm is enabled. | `bool` | `true` | no |
| enable_console_signin_failures | Whether the console_signin_failures alarm is enabled. | `bool` | `true` | no |
| enable_disable_or_delete_cmk | Whether the disable_or_delete_cmk alarm is enabled. | `bool` | `true` | no |
| enable_iam_changes | Whether the iam_changes alarm is enabled. | `bool` | `true` | no |
| enable_mfa_console_signin_allow_sso | Whether the no_mfa_console_signin alarm ignores federated (SSO) console sign-ins, which enforce MFA at the identity provider rather than in IAM and would otherwise trip the alarm. | `bool` | `false` | no |
| enable_nacl_changes | Whether the nacl_changes alarm is enabled. | `bool` | `true` | no |
| enable_network_gw_changes | Whether the network_gw_changes alarm is enabled. | `bool` | `true` | no |
| enable_no_mfa_console_signin | Whether the no_mfa_console_signin alarm is enabled. | `bool` | `true` | no |
| enable_organizations_changes | Whether the organizations_changes alarm is enabled. | `bool` | `true` | no |
| enable_root_usage | Whether the root_usage alarm is enabled. | `bool` | `true` | no |
| enable_route_table_changes | Whether the route_table_changes alarm is enabled. | `bool` | `true` | no |
| enable_s3_bucket_policy_changes | Whether the s3_bucket_policy_changes alarm is enabled. | `bool` | `true` | no |
| enable_security_group_changes | Whether the security_group_changes alarm is enabled. | `bool` | `true` | no |
| enable_unauthorized_api_calls | Whether the unauthorized_api_calls alarm is enabled. | `bool` | `true` | no |
| enable_vpc_changes | Whether the vpc_changes alarm is enabled. | `bool` | `true` | no |
| sns_topic_name | The name of the SNS topic to create for alarms. | `string` | `"cis-benchmark-alarms"` | no |
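Before trusting the alarms in production it is worth checking, against real CloudTrail records from your account, what a CIS-style metric filter actually matches, and in particular why `enable_mfa_console_signin_allow_sso` exists. The following is an added example and not code from the appvia module: each predicate mirrors the CloudWatch Logs filter pattern the CIS AWS Foundations Benchmark recommends for that control (quoted in the comment above it), evaluated in Python over constructed, trimmed CloudTrail records. The module's own filter strings are not reproduced on this page, so compare these against the filters the module deploys rather than assuming they are identical; the alarm threshold of one event per period is the benchmark's recommendation and an assumption about the module.

```python
"""Evaluate three CIS-style CloudTrail metric filters over sample log lines.

Added example, not part of the appvia/terraform-aws-alarm-baseline module.
Patterns quoted in comments are the CIS AWS Foundations Benchmark
recommendations for the named controls; the module's actual filter strings
are an assumption and should be checked in the deployed filters.
"""
import json


def get(event: dict, path: str):
    """Walk a dotted JSON path. None means the field is absent, which is how
    the CloudWatch pattern operator NOT EXISTS is modelled here."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#   && $.eventType != "AwsServiceEvent" }
def root_usage(ev: dict) -> bool:
    return (get(ev, "userIdentity.type") == "Root"
            and get(ev, "userIdentity.invokedBy") is None
            and get(ev, "eventType") != "AwsServiceEvent")


# { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
# Federated (SSO) console sign-ins record MFAUsed as "No" because MFA was
# enforced by the identity provider, not IAM, so the plain pattern alarms on
# every SSO login. The benchmark's SSO-tolerant variant additionally requires
#   ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success")
def no_mfa_console_signin(ev: dict, allow_sso: bool = False) -> bool:
    if get(ev, "eventName") != "ConsoleLogin":
        return False
    if get(ev, "additionalEventData.MFAUsed") == "Yes":
        return False
    if allow_sso:
        return (get(ev, "userIdentity.type") == "IAMUser"
                and get(ev, "responseElements.ConsoleLogin") == "Success")
    return True


# { ($.eventSource = kms.amazonaws.com)
#   && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }
def disable_or_delete_cmk(ev: dict) -> bool:
    return (get(ev, "eventSource") == "kms.amazonaws.com"
            and get(ev, "eventName") in ("DisableKey", "ScheduleKeyDeletion"))


# Alarm name -> matcher taking (event, allow_sso); only one matcher uses the flag.
ALARMS = {
    "root_usage": lambda ev, sso: root_usage(ev),
    "no_mfa_console_signin": no_mfa_console_signin,
    "disable_or_delete_cmk": lambda ev, sso: disable_or_delete_cmk(ev),
}

# Constructed, trimmed CloudTrail records, one JSON document per log line.
SAMPLE_LOG = [json.dumps(e) for e in [
    # root console login with MFA: root_usage only
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # IAM user console login without MFA: no_mfa_console_signin in both modes
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # federated (SSO) console login: matches only when allow_sso is False
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # root credentials used by a service on the account's behalf: not root_usage
    {"eventType": "AwsApiCall", "eventName": "DescribeTrails",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"},
     "eventSource": "cloudtrail.amazonaws.com"},
    # KMS key scheduled for deletion: disable_or_delete_cmk
    {"eventType": "AwsApiCall", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "eventSource": "kms.amazonaws.com"},
    # benign read-only call: nothing
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole"},
     "eventSource": "ec2.amazonaws.com"},
]]


def evaluate(log_lines, allow_sso: bool = False) -> dict:
    """Count matching records per alarm, the way each metric filter would
    increment its metric over a batch of log events."""
    counts = {name: 0 for name in ALARMS}
    for line in log_lines:
        ev = json.loads(line)
        for name, match in ALARMS.items():
            counts[name] += int(match(ev, allow_sso))
    return counts


def fired(counts: dict, threshold: int = 1) -> list:
    """Alarms whose metric reached the threshold within one evaluation period
    (threshold of 1 is the CIS recommendation; the module's value is assumed)."""
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for allow_sso in (False, True):
        counts = evaluate(SAMPLE_LOG, allow_sso)
        print(f"allow_sso={allow_sso}: {counts} -> fires {fired(counts)}")
```

Run with `python3 cis_filters.py` (any file name). With `allow_sso=False` the SSO sign-in counts as a missing-MFA login, which on an account that uses IAM Identity Center turns the alarm into noise; with `allow_sso=True` only the IAM user's password-only login remains. The flip side is that the tolerant variant also stops alerting on federated logins whose identity provider does not enforce MFA, so enabling `enable_mfa_console_signin_allow_sso` should be paired with an MFA requirement at the identity provider. To run this against real data, replace `SAMPLE_LOG` with lines exported from the log group named in `cloudtrail_log_group_name`.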

Outputs

| Name | Description |
|------|-------------|
| sns_topic_arn | The ARN of the SNS topic |