Merge pull request #1 from trussworks/cblkwell-fixed-initial-work

Initial work for cloudtrail alarms module
trussworks · Mar 27, 2020 · efae492 · efae492
2 parents 1ff7ad5 + 543a150
commit efae492
Show file tree

Hide file tree

Showing 7 changed files with 725 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,23 @@
+version: 2
+jobs:
+  validate:
+    docker:
+      - image: trussworks/circleci-docker-primary:4013bb8c2428b3e2755d90a922abb2a6cea37ab4
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+            - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
+      - run:
+          name: Run pre-commit tests
+          command: pre-commit run --all-files --show-diff-on-failure
+      - save_cache:
+          key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
+          paths:
+            - ~/.cache/pre-commit
+
+workflows:
+  version: 2
+  validate:
+    jobs:
+      - validate
diff --git a/.markdownlintrc b/.markdownlintrc
@@ -0,0 +1,8 @@
+{
+  "default": true,
+  "first-header-h1": false,
+  "first-line-h1": false,
+  "line_length": false,
+  "no-multiple-blanks": false,
+  "no-inline-html": false
+}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,23 @@
+repos:
+  - repo: git://github.com/pre-commit/pre-commit-hooks
+    rev: v2.5.0
+    hooks:
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-yaml
+      - id: detect-private-key
+      - id: pretty-format-json
+        args:
+          - --autofix
+      - id: trailing-whitespace
+
+  - repo: git://github.com/igorshubovych/markdownlint-cli
+    rev: v0.22.0
+    hooks:
+      - id: markdownlint
+
+  - repo: git://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.27.0
+    hooks:
+      - id: terraform_docs
+      - id: terraform_fmt
diff --git a/README.md b/README.md
@@ -1,2 +1,76 @@
 # terraform-aws-cloudtrail-alarms
-Provides CIS Benchmark-compliant Cloudwatch alarms for Cloudtrail events.
+
+This module creates a number of Cloudwatch alarms that alert on Cloudtrail
+events; they are meant to provide compliance with the AWS CIS benchmark.
+
+This module uses Cloudtrail logs which have been written to a Cloudwatch
+logs group; this means for organizations with an organization Cloudtrail,
+you only need to put this in the master account.
+
+The following alarms are available in this module; all can be toggled on
+or off, but by default all alarms are active.
+
+* AWS Config changes
+* Cloudtrail config changes
+* Console signin failures
+* Disabling or deleting CMK
+* IAM changes
+* Network ACL changes
+* Network gateway changes
+* No MFA console logins
+* Root account usage
+* Route table changes
+* S3 bucket policy changes
+* Security group changes
+* Unauthorized API calls
+* VPC changes
+
+These alarms were adapted from those in
+<https://github.com/nozaq/terraform-aws-secure-baseline>.
+
+## Usage
+
+```hcl
+module "cloudtrail_alarms" {
+  source         = "trussworks/cloudtrail-alarms/aws"
+  version        = "~> 1.0.0"
+
+  alarm_sns_topic_arn = aws_sns_topic.my_alerts.arn
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| alarm\_namespace | Namespace for generated Cloudwatch alarms | `string` | `"CISBenchmark"` | no |
+| alarm\_sns\_topic\_arn | SNS topic ARN for generated alarms | `string` | n/a | yes |
+| aws\_config\_changes | Toggle AWS Config changes alarm | `bool` | `true` | no |
+| cloudtrail\_cfg\_changes | Toggle Cloudtrail config changes alarm | `bool` | `true` | no |
+| cloudtrail\_log\_group\_name | Cloudwatch log group name for Cloudtrail logs | `string` | `"cloudtrail-events"` | no |
+| console\_signin\_failures | Toggle console signin failures alarm | `bool` | `true` | no |
+| disable\_or\_delete\_cmk | Toggle disable or delete CMK alarm | `bool` | `true` | no |
+| iam\_changes | Toggle IAM changes alarm | `bool` | `true` | no |
+| nacl\_changes | Toggle network ACL changes alarm | `bool` | `true` | no |
+| network\_gw\_changes | Toggle network gateway changes alarm | `bool` | `true` | no |
+| no\_mfa\_console\_login | Toggle no MFA console login alarm | `bool` | `true` | no |
+| root\_usage | Toggle root usage alarm | `bool` | `true` | no |
+| route\_table\_changes | Toggle route table changes alarm | `bool` | `true` | no |
+| s3\_bucket\_policy\_changes | Toggle S3 bucket policy changes alarm | `bool` | `true` | no |
+| security\_group\_changes | Toggle security group changes alarm | `bool` | `true` | no |
+| unauthorized\_api\_calls | Toggle unauthorized api calls alarm | `bool` | `true` | no |
+| vpc\_changes | Toggle VPC changes alarm | `bool` | `true` | no |
+
+## Outputs
+
+No output.
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+