Name, Type, LogGroup, FilterPattern, MetricNameSpace, MetricName, EvalutationPeriods, Period, Statistic, Threshold,AlarmDescription,Paging
RootLogin,CloudTrail,CloudTrail/Logs,{ $.userIdentity.type = Root && $.userIdentity.invokedBy NOT EXISTS && $.eventType != AwsServiceEvent },RootLoginCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that the AWS account root user has performed activity (console sign-in or any API call) that was not made on behalf of an AWS service. Root should never be used for day-to-day work so every hit warrants investigation.,TRUE
AuthenticationWithoutMfa,CloudTrail,CloudTrail/Logs,{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true },NoMFALoginCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that CloudTrail recorded activity from a session whose mfaAuthenticated attribute is not true. Note the filter is not scoped to ConsoleLogin events so it can also fire on API activity from non-MFA sessions; confirm its behaviour on events that carry no sessionContext before paging on it.,TRUE
ExcessiveAuthorizationFailures,CloudTrail,CloudTrail/Logs,{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") },SignInFailureCount,CloudTrailMetrics,1,300,Sum,25,This alarm indicates that there have recently been a high number of console sign in failures.,TRUE
UnauthorizedApiCalls,CloudTrail,CloudTrail/Logs,{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) },UnauthorizedAPICallCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that an authenticated user or system has attempted a call they did not have access to.,TRUE
IamPolicyChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)},IAMPolicyEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has created or deleted an IAM policy or policy version or has attached/detached/put/deleted an inline or managed policy on a user group or role.,TRUE
CloudTrailChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) },CloudTrailEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has created or updated or deleted a CloudTrail trail or has started or stopped logging on one. StopLogging and DeleteTrail are common attacker steps to blind detection.,TRUE
ConfigChanges,CloudTrail,CloudTrail/Logs,{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))},ConfigEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has stopped or reconfigured the AWS Config recorder or changed/deleted its delivery channel.,TRUE
S3BucketPolicyChanges,CloudTrail,CloudTrail/Logs,{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) },S3BucketPolicyEventCount,CloudTrailMetrics,1,300,Sum,1,"This alarm indicates that a privileged user or system has modified an S3 bucket policy, ACL, CORS, lifecycle, or replication configuration.",TRUE
KmsKeyDisabledOrDeleted,CloudTrail,CloudTrail/Logs,{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))},KMSKeyEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has disabled a KMS customer managed key or scheduled it for deletion. Either action can make encrypted data unrecoverable so confirm it was intended.,TRUE
SecurityGroupChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)},SecurityGroupEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has created or deleted a security group or changed its ingress or egress rules.,TRUE
NetworkAclChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) },NetworkAclEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has modified a VPC network access control list or one of its entries or associations.,TRUE
GatewayChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) || ($.eventName = AttachNATGateway) || ($.eventName = CreateNATGateway) || ($.eventName = DeleteNATGateway) || ($.eventName = DetachNATGateway) },GatewayEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has created or deleted or attached or detached a VPC gateway (internet or NAT or customer gateway).,TRUE
RouteTableChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) },RouteTableEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has modified a VPC route table or one of its routes or associations.,TRUE
VpcChanges,CloudTrail,CloudTrail/Logs,{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) },VpcEventCount,CloudTrailMetrics,1,300,Sum,1,This alarm indicates that a privileged user or system has created or deleted or modified a VPC or changed a VPC peering connection or ClassicLink setting.,TRUE