Merge pull request #2 from trussworks/cblkwell-silence-assumed-role-l…

…ogins Adding option to disable assumed-role console login alerts
trussworks · Apr 2, 2020 · 7df2228 · 7df2228
2 parents efae492 + 09112d1
commit 7df2228
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -56,6 +56,7 @@ module "cloudtrail_alarms" {
 | cloudtrail\_cfg\_changes | Toggle Cloudtrail config changes alarm | `bool` | `true` | no |
 | cloudtrail\_log\_group\_name | Cloudwatch log group name for Cloudtrail logs | `string` | `"cloudtrail-events"` | no |
 | console\_signin\_failures | Toggle console signin failures alarm | `bool` | `true` | no |
+| disable\_assumed\_role\_login\_alerts | Toggle to disable assumed role console login alerts - violates CIS Benchmark | `bool` | `false` | no |
 | disable\_or\_delete\_cmk | Toggle disable or delete CMK alarm | `bool` | `true` | no |
 | iam\_changes | Toggle IAM changes alarm | `bool` | `true` | no |
 | nacl\_changes | Toggle network ACL changes alarm | `bool` | `true` | no |

diff --git a/main.tf b/main.tf
@@ -33,8 +33,8 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
   }
 }
 
-resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
-  count = var.no_mfa_console_login ? 1 : 0
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_assumed_role" {
+  count = var.no_mfa_console_login && ! var.disable_assumed_role_login_alerts ? 1 : 0
 
   name           = "NoMFAConsoleSignin"
   pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
@@ -47,13 +47,27 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
   }
 }
 
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_no_assumed_role" {
+  count = var.no_mfa_console_login && var.disable_assumed_role_login_alerts ? 1 : 0
+
+  name           = "NoMFAConsoleSignin"
+  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.arn != \"*assumed-role*\") }"
+  log_group_name = var.cloudtrail_log_group_name
+
+  metric_transformation {
+    name      = "NoMFAConsoleSignin"
+    namespace = var.alarm_namespace
+    value     = "1"
+  }
+}
+
 resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" {
   count = var.no_mfa_console_login ? 1 : 0
 
   alarm_name                = "NoMFAConsoleSignin"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
-  metric_name               = aws_cloudwatch_log_metric_filter.no_mfa_console_signin[0].id
+  metric_name               = var.disable_assumed_role_login_alerts ? aws_cloudwatch_log_metric_filter.no_mfa_console_signin_no_assumed_role[0].id : aws_cloudwatch_log_metric_filter.no_mfa_console_signin_assumed_role[0].id
   namespace                 = var.alarm_namespace
   period                    = "300"
   statistic                 = "Sum"

diff --git a/variables.tf b/variables.tf
@@ -17,6 +17,14 @@ variable "cloudtrail_log_group_name" {
   default     = "cloudtrail-events"
 }
 
+# Behavior Toggles
+
+variable "disable_assumed_role_login_alerts" {
+  description = "Toggle to disable assumed role console login alerts - violates CIS Benchmark"
+  type        = bool
+  default     = false
+}
+
 # Alarm Toggles
 
 variable "aws_config_changes" {