GRACE Alerting provides basic CloudWatch Event Rules and Log Metric Filters that assist with the monitoring of an AWS environment. Results are dispatched to the provided email address using AWS Simple Notification Service, providing a minimalistic alert monitoring solution.
- Security Compliance
- Supported Alerts
- Repository contents
- Usage
- Terraform Module Inputs
- Terraform Module Outputs
The GRACE Alerting subcomponent provides various levels of coverage for several NIST Special Publication 800-53 (Rev. 4) Security Controls. These security controls are designated for FIPS 199 Moderate Impact Systems. Additional information regarding the implementation method utilized can be found within the GRACE Component Control Coverage Repository.

Component ATO status: draft
Relevant controls:
Control | CSP/AWS | HOST/OS | App/DB | How is it implemented?
---|---|---|---|---
AC-2(g, h) | ╳ | | | Employs the use of CloudWatch Event Rules to continuously monitor for root login events and modifications to the IAM configuration for the system environment. The event information captured from the CloudWatch Event Rules is formatted and passed on to a user-defined email recipient via the Amazon Simple Notification Service (SNS).
AC-2(4) | ╳ | | | A CloudWatch Event Rule is used to continuously monitor for IAM actions related to account creation, modification, enabling, disabling, and removal. The event information captured from this CloudWatch Event Rule is formatted and passed on to a user-defined email recipient via the Amazon Simple Notification Service (SNS).
CM-6(d) | ╳ | | | The use of CloudWatch Event Rules provides partial coverage for the monitoring of system configurations related to the following services and resources: S3 bucket access and permissions, CloudTrail settings, AWS Config settings, and IAM configurations. There are CloudWatch Event Rules available that can also provide monitoring and alerting on compliance status changes to AWS Config Rules and send notifications on any system findings generated by the Amazon GuardDuty service.
Note: The period and threshold are adjustable for all metric alarms.

Metric alarms:

Rule Name | Description
---|---
root_login | Alert when the root user logs in to the environment
console_signin_failures | Alert on console login failures
disable_or_delete_kms_key | Alert when a KMS Key is disabled or scheduled for deletion
console_signin_without_mfa | Alert when a user signs into the AWS Console without using multi-factor authentication
Event rules:

Rule Name | Description
---|---
scp_changes | This event rule is only useful when your account is also the AWS Organization's Master Account. Alert on Attach, Detach, Update, Disable, and Enable Service Control Policies and Types
s3_bucket_changes | Alert on S3 Bucket access and permission related changes
config_compliance_changes | Alert on changes to AWS Config Rule compliance states
cloudtrail_configuration_changes | Alert on changes to CloudTrail Logging Configuration
config_configuration_changes | Alert on destructive changes to AWS Config service configuration
iam_configuration_changes | Alert on changes to AWS IAM configuration
guardduty_findings | Alert on findings provided by GuardDuty
- sns.tf contains the CloudFormation stack declaration for the alerting-topic SNS Topic
- metrics.tf contains all of the declarations for CloudWatch metric filters and alarms
- events.tf contains all of the declarations for CloudWatch event rules and targets
- guardduty.tf contains the AWS GuardDuty detector declaration
- variables.tf contains all configurable variables
- outputs.tf contains all Terraform output variables
Import grace-alerting as a module in the Terraform configuration for the destination AWS environment.
```hcl
module "alerting" {
  source                    = "github.com/GSA/grace-alerting?ref=v0.0.1"
  cloudtrail_log_group_name = "<log_group_name>"
  recipient                 = "<email_address>"
}
```
Name | Description | Type | Default | Required
---|---|---|---|---
cloudtrail_log_group_name | The CloudTrail Log Group name | string | | yes
recipient | The Email Address that should receive alerts | string | | yes
guardduty_enabled | The boolean value indicating whether to enable GuardDuty for the account | bool | true | no
alert_on_root_login | Alert when the root user logs in to the environment | bool | true | no
root_login_period | Duration in seconds to capture events before resetting the count | number | 300 | no
root_login_threshold | Number of captured events required before triggering the alarm | number | 1 | no
alert_on_console_login_failures | Alert on console login failures | bool | true | no
console_login_failures_period | Duration in seconds to capture events before resetting the count | number | 300 | no
console_login_failures_threshold | Number of captured events required before triggering the alarm | number | 5 | no
alert_on_disable_or_delete_kms_key | Alert when a KMS Key is disabled or scheduled for deletion | bool | true | no
disable_or_delete_kms_key_period | Duration in seconds to capture events before resetting the count | number | 300 | no
disable_or_delete_kms_key_threshold | Number of captured events required before triggering the alarm | number | 1 | no
alert_on_console_login_without_mfa | Alert when a user signs into the AWS Console without using multi-factor authentication | bool | true | no
console_login_without_mfa_period | Duration in seconds to capture events before resetting the count | number | 300 | no
console_login_without_mfa_threshold | Number of captured events required before triggering the alarm | number | 1 | no
alert_on_scp_changes | Alert on Attach, Detach, Update, Disable, and Enable Service Control Policies and Types | bool | false | no
alert_on_s3_bucket_changes | Alert on S3 Bucket access and permission related changes | bool | true | no
alert_on_config_compliance_changes | Alert on changes to AWS Config Rule compliance states | bool | true | no
alert_on_cloudtrail_configuration_changes | Alert on changes to CloudTrail Logging Configuration | bool | true | no
alert_on_config_configuration_changes | Alert on destructive changes to AWS Config service configuration | bool | true | no
alert_on_iam_configuration_changes | Alert on changes to AWS IAM configuration | bool | true | no
alert_on_guardduty_findings | Alert on findings provided by GuardDuty | bool | true | no
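To show how the four metric alarms and their `*_period` / `*_threshold` inputs turn CloudTrail records into an alert, the following added Python example (not the module's own Terraform) runs each filter over constructed records and evaluates the fixed window the way a CloudWatch alarm on a Sum statistic does. The filter predicates are an assumption modeled on the CIS AWS Foundations Benchmark metric-filter patterns, and the events and defaults are taken from this README's tables.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail-style records (sample data, not from a real trail).
# Only the fields the filters inspect are populated.
SIGNIN = {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn"}
SAMPLE_EVENTS = [
    {**SIGNIN, "eventTime": "2024-01-01T10:00:00Z", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    # five failed IAM-user sign-ins between 10:01:00 and 10:04:30 (one 5-minute window)
    *[{**SIGNIN, "eventTime": t, "userIdentity": {"type": "IAMUser"}, "errorMessage": "Failed authentication"}
      for t in ("2024-01-01T10:01:00Z", "2024-01-01T10:02:00Z", "2024-01-01T10:03:00Z",
                "2024-01-01T10:04:00Z", "2024-01-01T10:04:30Z")],
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}},
    {**SIGNIN, "eventTime": "2024-01-01T10:09:00Z", "userIdentity": {"type": "IAMUser"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]

def _get(ev, path):
    """Dotted lookup like a CloudWatch filter selector ($.a.b); None when absent."""
    for key in path.split("."):
        ev = ev.get(key) if isinstance(ev, dict) else None
    return ev

# Predicates are an assumption modeled on the CIS AWS Foundations Benchmark
# metric-filter patterns, not copied from the module's metrics.tf.
FILTERS = {
    "root_login": lambda e: _get(e, "userIdentity.type") == "Root"
        and _get(e, "userIdentity.invokedBy") is None and e.get("eventType") != "AwsServiceEvent",
    "console_signin_failures": lambda e: e.get("eventName") == "ConsoleLogin"
        and e.get("errorMessage") == "Failed authentication",
    "disable_or_delete_kms_key": lambda e: e.get("eventSource") == "kms.amazonaws.com"
        and e.get("eventName") in ("DisableKey", "ScheduleKeyDeletion"),
    "console_signin_without_mfa": lambda e: e.get("eventName") == "ConsoleLogin"
        and _get(e, "responseElements.ConsoleLogin") == "Success"
        and _get(e, "additionalEventData.MFAUsed") != "Yes",
}
# Module defaults from the inputs table: (period in seconds, threshold) per rule.
DEFAULTS = {"root_login": (300, 1), "console_signin_failures": (300, 5),
            "disable_or_delete_kms_key": (300, 1), "console_signin_without_mfa": (300, 1)}

def _epoch(ev):
    return int(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())

def window_counts(events, rule, period):
    """Matching events per fixed window of `period` seconds (the alarm's Sum statistic)."""
    return Counter(_epoch(e) // period * period for e in events if FILTERS[rule](e))

def alarm_fires(events, rule, period=None, threshold=None):
    """True when any window reaches the threshold (GreaterThanOrEqualToThreshold)."""
    default_period, default_threshold = DEFAULTS[rule]
    counts = window_counts(events, rule, period or default_period)
    return any(n >= (threshold or default_threshold) for n in counts.values())
```

With the defaults, all four rules fire on the sample; raising `console_login_failures_threshold` to 6 or shrinking its period to 60 seconds keeps the same five failures below the alarm line, which is the tuning trade-off those two inputs expose.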
Name | Description |
---|---|
alerting_topic_arn | The Amazon Resource Name (ARN) identifying the Alerting SNS Topic |
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.