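// CheckLogGroupCustomerKey flags CloudWatch log groups that do not reference a
// KMS key (AVD-AWS-0017). A log group "passes" as soon as KMSKeyID is non-empty;
// the rule does not validate the key itself (existence, rotation, key policy,
// or whether the key is actually customer-managed) — that is out of scope for a
// config-only scan and should be covered by a KMS rule.
//
// Severity is Low because CloudWatch Logs are encrypted at rest by default;
// the CMK only adds control over rotation and key-policy based access.
var CheckLogGroupCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0017",
		Provider:    providers.AWSProvider,
		Service:     "cloudwatch",
		ShortCode:   "log-group-customer-key",
		Summary:     "CloudWatch log groups should be encrypted using CMK",
		Impact:      "Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.",
		Resolution:  "Enable CMK encryption of CloudWatch Log Groups",
		Explanation: `CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformLogGroupCustomerKeyGoodExamples,
			BadExamples:         terraformLogGroupCustomerKeyBadExamples,
			Links:               terraformLogGroupCustomerKeyLinks,
			RemediationMarkdown: terraformLogGroupCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationLogGroupCustomerKeyGoodExamples,
			BadExamples:         cloudFormationLogGroupCustomerKeyBadExamples,
			Links:               cloudFormationLogGroupCustomerKeyLinks,
			RemediationMarkdown: cloudFormationLogGroupCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// Walk every adapted log group; one failed result per unencrypted group,
	// one passed result per group that names a key.
	func(s *state.State) (results scan.Results) {
		groups := s.AWS.CloudWatch.LogGroups
		for i := range groups {
			// Index into the slice instead of taking the address of the range
			// variable: before Go 1.22 `&group` would yield the same pointer on
			// every iteration, so each passed result would alias one variable.
			group := &groups[i]
			if group.KMSKeyID.IsEmpty() {
				results.Add(
					"Log group is not encrypted.",
					group.KMSKeyID,
				)
				continue
			}
			results.AddPassed(group)
		}
		return
	},
)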
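// CheckRequireOrgChangesAlarm implements CIS AWS Foundations 1.4 control 4.15:
// every multi-region CloudTrail trail that is delivering to a CloudWatch log
// group must have a metric filter matching AWS Organizations API events and an
// alarm bound to that filter.
//
// Scope and limits a reviewer should be aware of:
//   - Trails that are not logging, or whose log group ARN does not resolve in
//     the adapted state, are skipped (not failed); trail configuration itself
//     is covered by the CloudTrail rules.
//   - The filter match is a substring test for the eventSource clause only.
//     A pattern that narrows the match further (e.g. to a single eventName)
//     still satisfies this rule even though it covers fewer changes than the
//     CIS-recommended pattern.
//   - NOTE(review): the alarm lookup keys on the filter's FilterName rather
//     than the metric transformation's metric name — confirm this matches how
//     the adapters populate GetAlarmByMetricName.
var CheckRequireOrgChangesAlarm = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0174",
		Provider:   providers.AWSProvider,
		Service:    "cloudwatch",
		ShortCode:  "require-org-changes-alarm",
		Summary:    "Ensure a log metric filter and alarm exist for organisation changes",
		Impact:     "Lack of observability into critical organisation changes",
		Resolution: "Create an alarm to alert on organisation changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {
				"4.15",
			},
		},
		Explanation: `
Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.
`,
		Links: []string{
			"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// Both the unquoted and quoted spellings of the event-source clause are
		// accepted; whitespace differences are ignored by Contains.
		eventSourcePatterns := []string{
			`$.eventSource = organizations.amazonaws.com`,
			`$.eventSource = "organizations.amazonaws.com"`,
		}

		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
			if logGroup == nil || trail.IsLogging.IsFalse() {
				continue
			}

			// First metric filter on the log group whose pattern mentions the
			// Organizations event source.
			var metricFilter cloudwatch.MetricFilter
			found := false
			for _, filter := range logGroup.MetricFilters {
				for _, pattern := range eventSourcePatterns {
					if filter.FilterPattern.Contains(pattern, types.IgnoreWhitespace) {
						metricFilter, found = filter, true
						break
					}
				}
				if found {
					break
				}
			}
			if !found {
				results.Add("Cloudwatch has no organisation changes log filter", trail)
				continue
			}

			// A filter with no alarm bound to it produces no notification, so it
			// is as good as absent. The message previously read "has organisation
			// changes alarm", i.e. the opposite of the failure being reported.
			if metricAlarm := s.AWS.CloudWatch.GetAlarmByMetricName(metricFilter.FilterName.Value()); metricAlarm == nil {
				results.Add("Cloudwatch has no organisation changes alarm", trail)
				continue
			}

			results.AddPassed(trail)
		}
		return
	},
)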
Source Files ¶
- log_group_customer_key.cf.go
- log_group_customer_key.go
- log_group_customer_key.tf.go
- require_cloudtrail_change_alarm.go
- require_cmk_disabled_alarm.go
- require_config_configuration_change_alarm.go
- require_console_login_failure_alarm.go
- require_iam_policy_change_alarm.go
- require_nacl_change_alarm.go
- require_network_gateway_change_alarm.go
- require_non_mfa_login_alarm.go
- require_org_changes_alarm.go
- require_root_user_usage_alarm.go
- require_route_table_change_alarm.go
- require_s3_bucket_policy_change_alarm.go
- require_security_group_change_alarm.go
- require_unauthorised_api_call_alarm.go
- require_vpc_change_alarm.go