From 8e3bad0f3378c98012bcc570753e99c6c25884e4 Mon Sep 17 00:00:00 2001
From: Serhii Freidin
Date: Thu, 28 Mar 2024 17:02:26 +0200
Subject: [PATCH] feat: guardduty_member ignore fields, alarm-baseline vars for patterns
---
 modules/alarm-baseline/main.tf | 33 +++++-----
 modules/alarm-baseline/variables.tf | 95 ++++++++++++++++++++++++++++-
 modules/guardduty-baseline/main.tf | 6 ++
 3 files changed, 115 insertions(+), 19 deletions(-)
diff --git a/modules/alarm-baseline/main.tf b/modules/alarm-baseline/main.tf
index 2d12e970..6a9e962f 100644
--- a/modules/alarm-baseline/main.tf
+++ b/modules/alarm-baseline/main.tf
@@ -43,7 +43,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
 count = var.unauthorized_api_calls_enabled ? 1 : 0
 name = "UnauthorizedAPICalls"
- pattern = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}"
+ pattern = var.unauthorized_api_calls_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -76,10 +76,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
 count = var.no_mfa_console_signin_enabled ? 1 : 0
 name = "NoMFAConsoleSignin"
- pattern = join(" ", [
- "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
- var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
- ])
+ pattern = var.no_mfa_console_signin_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -112,7 +109,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
 count = var.root_usage_enabled ? 1 : 0
 name = "RootUsage"
- pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+ pattern = var.root_usage_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
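Review bot: The no_mfa_console_signin hunk removes the only consumer of `var.mfa_console_signin_allow_sso`; the SSO-aware suffix it used to compute is moved into a variable default in variables.tf, but Terraform accepts only literal values in a variable `default` (no `join()` call, no `var.` reference), so the toggle cannot survive that move. Keep the conditional expression in main.tf as the fallback and let the new variable win only when the caller sets it, which needs the variable to default to `null`. The remaining pattern hunks in this file (root_usage on this line and iam_changes through organizations_changes on the following lines) are mechanical and consistent, though each now lets a caller replace a baseline detection with an arbitrary or empty filter; a `validation` block on the pattern variables would make that an explicit choice rather than a silent one.
```hcl
resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
  # … unchanged: count, name …
  # Caller override wins; otherwise build the pattern exactly as before, honouring the SSO toggle.
  pattern = var.no_mfa_console_signin_pattern != null ? var.no_mfa_console_signin_pattern : join(" ", [
    "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
    var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
  ])
  # … unchanged: log_group_name, metric_transformation …
```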
@@ -145,7 +142,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
 count = var.iam_changes_enabled ? 1 : 0
 name = "IAMChanges"
- pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+ pattern = var.iam_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -178,7 +175,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
 count = var.cloudtrail_cfg_changes_enabled ? 1 : 0
 name = "CloudTrailCfgChanges"
- pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
+ pattern = var.cloudtrail_cfg_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -211,7 +208,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
 count = var.console_signin_failures_enabled ? 1 : 0
 name = "ConsoleSigninFailures"
- pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
+ pattern = var.console_signin_failures_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -244,7 +241,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
 count = var.disable_or_delete_cmk_enabled ? 1 : 0
 name = "DisableOrDeleteCMK"
- pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
+ pattern = var.disable_or_delete_cmk_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -277,7 +274,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
 count = var.s3_bucket_policy_changes_enabled ? 1 : 0
 name = "S3BucketPolicyChanges"
- pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
+ pattern = var.s3_bucket_policy_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -310,7 +307,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
 count = var.aws_config_changes_enabled ? 1 : 0
 name = "AWSConfigChanges"
- pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
+ pattern = var.aws_config_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -343,7 +340,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
 count = var.security_group_changes_enabled ? 1 : 0
 name = "SecurityGroupChanges"
- pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
+ pattern = var.security_group_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -376,7 +373,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
 count = var.nacl_changes_enabled ? 1 : 0
 name = "NACLChanges"
- pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
+ pattern = var.nacl_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -409,7 +406,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
 count = var.network_gw_changes_enabled ? 1 : 0
 name = "NetworkGWChanges"
- pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
+ pattern = var.network_gw_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -442,7 +439,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
 count = var.route_table_changes_enabled ? 1 : 0
 name = "RouteTableChanges"
- pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
+ pattern = var.route_table_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -475,7 +472,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
 count = var.vpc_changes_enabled ? 1 : 0
 name = "VPCChanges"
- pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
+ pattern = var.vpc_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
@@ -508,7 +505,7 @@ resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
 count = var.organizations_changes_enabled ? 1 : 0
 name = "OrganizationsChanges"
- pattern = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
+ pattern = var.organizations_changes_pattern
 log_group_name = var.cloudtrail_log_group_name
 metric_transformation {
diff --git a/modules/alarm-baseline/variables.tf b/modules/alarm-baseline/variables.tf
index c1c651b6..c003a89e 100644
--- a/modules/alarm-baseline/variables.tf
+++ b/modules/alarm-baseline/variables.tf
@@ -120,7 +120,100 @@ variable "sns_topic_kms_master_key_id" {
 variable "tags" {
 description = "Specifies object tags key and value. This applies to all resources created by this module."
 type = map(string)
- default = {
+ default = {
 "Terraform" = "true"
 }
 }
+
+variable "unauthorized_api_calls_pattern" {
+ description = "Pattern for unauthorized api calls"
+ type = string
+ default = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}"
+}
+
+variable "no_mfa_console_signin_pattern" {
+ description = "Pattern for No MFA console signin"
+ type = string
+ default = join(" ", [
+ "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")",
+ var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}",
+ ])
+}
+
+variable "root_usage_pattern" {
+ description = "Pattern for root usage"
+ type = string
+ default = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+}
+
+variable "iam_changes_pattern" {
+ description = ""
+ type = string
+ default = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+}
+
+variable "cloudtrail_cfg_changes_pattern" {
+ description = "Pattern for CloudTrail config changes"
+ type = string
+ default = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = 
StartLogging) || ($.eventName = StopLogging) }"
+}
+
+variable "console_signin_failures_pattern" {
+ description = "Pattern for Console signin failures"
+ type = string
+ default = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
+}
+
+variable "disable_or_delete_cmk_pattern" {
+ description = "Pattern for Disable or Delete cmk"
+ type = string
+ default = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
+}
+
+variable "s3_bucket_policy_changes_pattern" {
+ description = "Pattern for S3 Bucket Policy changes"
+ type = string
+ default = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
+}
+
+variable "aws_config_changes_pattern" {
+ description = "Pattern for AWS Config changes"
+ type = string
+ default = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
+}
+
+variable "security_group_changes_pattern" {
+ description = "Pattern for Security Group changes"
+ type = string
+ default = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
+}
+
+variable "nacl_changes_pattern" {
+ description = "Pattern for NACL changes"
+ type = string
+ default = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = 
DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
+}
+
+variable "network_gw_changes_pattern" {
+ description = "Pattern for Network GW changes"
+ type = string
+ default = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
+}
+
+variable "route_table_changes_pattern" {
+ description = "Pattern for Route Table changes"
+ type = string
+ default = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
+}
+
+variable "vpc_changes_pattern" {
+ description = "Pattern for VPC changes"
+ type = string
+ default = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
+}
+
+variable "organizations_changes_pattern" {
+ description = "Pattern for Organizations changes"
+ type = string
+ default = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = 
\"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
+}
diff --git a/modules/guardduty-baseline/main.tf b/modules/guardduty-baseline/main.tf
index 1bb6d4df..1d71fa87 100644
--- a/modules/guardduty-baseline/main.tf
+++ b/modules/guardduty-baseline/main.tf
@@ -25,6 +25,12 @@ resource "aws_guardduty_member" "members" {
 disable_email_notification = var.disable_email_notification
 email = var.member_accounts[count.index].email
 invitation_message = var.invitation_message
+ # because of https://github.com/hashicorp/terraform-provider-aws/issues/13906#issuecomment-653613521
+ lifecycle {
+ ignore_changes = [
+ email
+ ]
+ }
 }
 resource "aws_guardduty_invite_accepter" "master" {
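Review bot: `no_mfa_console_signin_pattern` builds its default with `join()` and a reference to `var.mfa_console_signin_allow_sso`, but a Terraform variable `default` must be a literal value, so this block will not pass `terraform validate`. Give it `default = null` and keep the SSO-aware expression in main.tf as the fallback when the variable is unset; otherwise the `mfa_console_signin_allow_sso` toggle is lost. `iam_changes_pattern` is the only new variable with an empty description, e.g. `description = "Pattern for IAM policy changes"`. Because these variables now let a caller replace every baseline alarm's filter, a `validation` block on each that rejects an empty string would stop an override from silently disabling an alarm.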
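Review bot: The comment above the new `lifecycle { ignore_changes = [email] }` only links the provider issue; it should state what is being worked around and the trade-off, because `email = var.member_accounts[count.index].email` two lines up becomes write-once — a later change to a member's email in `var.member_accounts` is no longer applied, so the invitation keeps going to the address stored at creation until the member is recreated. Suggested replacement for the comment: `# Provider issue 13906 (presumably a perpetual diff on email); ignoring it means a changed email in var.member_accounts is NOT applied — recreate the member to change it.` The resource header and its `count` sit outside the hunk.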