-
Notifications
You must be signed in to change notification settings - Fork 1
/
cloudformation.yml
37 lines (37 loc) · 1.48 KB
/
cloudformation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
AWSTemplateFormatVersion: 2010-09-09
Parameters:
CloudTrailLogGroup:
Type: String
Description: "The CloudWatch log group where CloudTrail writes the logs"
SNSTopic:
Type: String
Description: "The SNS topic to send notifications to"
Resources:
LoginMetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref CloudTrailLogGroup
FilterPattern: '{$.errorCode = "AccessDenied" && ($.userIdentity.type != "AWSAccount" || $.userIdentity.principalId != "")}'
MetricTransformations:
- MetricValue: 1
MetricNamespace: !Sub "${AWS::StackName}"
MetricName: AccessDenieds
AccessDeniedAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
ComparisonOperator: GreaterThanThreshold
EvaluationPeriods: 1
Threshold: 0
Namespace: !Sub "${AWS::StackName}"
MetricName: AccessDenieds
Statistic: Maximum
Period: 60
TreatMissingData: notBreaching
ActionsEnabled: true
AlarmActions:
- !Ref SNSTopic
Outputs:
LogsURL:
Value: !Sub
- "https://${AWS::Region}.console.aws.amazon.com/cloudwatch/home#logsV2:log-groups/log-group/${CloudTrailLogGroupEscaped}/log-events/$3FfilterPattern$3D$257B$2524.errorCode+$253D+$2522AccessDenied$2522+$2526$2526+$2528$2524.userIdentity.type+$2521$253D+$2522AWSAccount$2522+$257C$257C+$2524.userIdentity.principalId+$2521$253D+$2522$2522$2529$257D"
- CloudTrailLogGroupEscaped: !Join [ '$252F', !Split [ '/', !Ref CloudTrailLogGroup ] ]