Terraform module for creating CloudWatch Alarms for SecurityHub that comply with the CIS AWS Foundations Benchmark v1.2.0 rules, which are:
- 1.1 - Avoid the use of the "root" account, as a by-product of CIS 3.3 remediation
- 3.1 - Ensure a log metric filter and alarm exist for unauthorized API calls
- 3.2 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- 3.3 - Ensure a log metric filter and alarm exist for usage of "root" account
- 3.4 - Ensure a log metric filter and alarm exist for IAM policy changes
- 3.5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- 3.6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- 3.7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- 3.8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes
- 3.9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes
- 3.10 - Ensure a log metric filter and alarm exist for security group changes
- 3.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- 3.12 - Ensure a log metric filter and alarm exist for changes to network gateways
- 3.13 - Ensure a log metric filter and alarm exist for route table changes
- 3.14 - Ensure a log metric filter and alarm exist for VPC changes
Usage:

```hcl
module "securityhub-alarms" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/securityhub-alarms"
}
```
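The following is an added example of how a root configuration would consume the module, not code from the module itself. It tags the module's resources, subscribes a mailbox to the `sns_topic_arn` output so the alarms reach someone, and, for illustration, shows what one of the listed rules (CIS 3.1, unauthorized API calls) looks like when written by hand with the benchmark's documented filter pattern. The e-mail address, tag values and the `cloudtrail_log_group_name` variable are assumptions; the module's own internal resource names and log group are not known from this page.

```hcl
# Added example: consume the module, tag its resources and subscribe to its topic.
module "securityhub-alarms" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/securityhub-alarms"

  tags = {
    owner       = "security-operations" # constructed sample tag
    environment = "production"          # constructed sample tag
  }
}

# Without at least one subscriber the alarms fire into the void; the address is a placeholder.
resource "aws_sns_topic_subscription" "securityhub_alarms_email" {
  topic_arn = module.securityhub-alarms.sns_topic_arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com"
}

# Illustration of one listed rule, CIS 3.1, built by hand. The log group that
# receives the CloudTrail trail is assumed to exist and is passed in by name.
variable "cloudtrail_log_group_name" {
  type        = string
  description = "CloudWatch Logs group fed by the organisation's CloudTrail trail (assumed)"
}

resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
  name           = "UnauthorizedAPICalls"
  log_group_name = var.cloudtrail_log_group_name
  # Filter pattern as published in the CIS AWS Foundations Benchmark for 3.1.
  pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"

  metric_transformation {
    name      = "UnauthorizedAPICalls"
    namespace = "CISBenchmark" # constructed namespace for the example
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
  alarm_name          = "UnauthorizedAPICalls"
  alarm_description   = "CIS 3.1: one or more unauthorized API calls in the last 5 minutes"
  namespace           = "CISBenchmark"
  metric_name         = "UnauthorizedAPICalls"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  # No matching events should read as "nothing happened", not as missing data.
  treat_missing_data = "notBreaching"
  # Reuse the module's topic so every CIS alarm lands in the same place.
  alarm_actions = [module.securityhub-alarms.sns_topic_arn]
}
```

The hand-written filter and alarm are there to show what each bullet in the rule list expands to; the module is meant to create all of them for you, so in a real deployment you would keep only the module block and the subscription. Security Hub's CIS checks require the filter to sit on a log group fed by an active, multi-region CloudTrail trail and the alarm's SNS topic to have at least one subscriber, so confirm both before expecting the controls to report as passed.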
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| tags | Tags to apply to resources | map | {} | no |
Outputs:

| Name | Description | Sensitive |
|---|---|---|
| sns_topic_arn | Security benchmark CloudWatch alarms SNS topic ARN | No |
If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.