This module contains alert definitions to comply with the CIS AWS Foundations Benchmark - AWS Security Hub.
module "cis_alarms" {
source = "makandra/aws-cloudtrail-cis-alarms"
alarm_action_arns = module.sns_topic.topic_arn
log_group_name = "cloud-trail-logs"
}Further examples can be found in the examples directory.
You can add additional rules or overwrite existing rules by passing a map of rules via rule_overrides parameter. There is no deep merge. When adding an object with a key that exist in rules.tf, the whole rule is reset with the parameters set in rule_overrides.
module "cis_alarms" {
source = "../../"
rule_overrides = {
FancyRule = {
pattern = "{$.errorCode = \"Fancy\"}"
description = "My fancy rule"
period = 300
}
}
}| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| aws | ~> 5.0 |
| Name | Version |
|---|---|
| aws | ~> 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_metric_filter.this | resource |
| aws_cloudwatch_metric_alarm.this | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alarm_action_arns | list of arns for alarm actions | list(any) |
n/a | yes |
| alarm_namespace | Namespace where the alarms belong to | string |
"CIS-Benchmark" |
no |
| log_group_name | The log group name where the CloudTrail logs are stored | string |
n/a | yes |
| rule_overrides | override rule settings | map(object({ |
{} |
no |
| Name | Description |
|---|---|
| alarm_arns | n/a |