SecurityConfig / CloudWatchConfig

Description

AWS CloudWatch configuration

Example

cloudWatch:
metricSets:
- regions:
- us-east-1
deploymentTargets:
organizationalUnits:
- Root
metrics:
- filterName: MetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
metricNamespace: LogMetrics
metricName: RootAccountUsage
metricValue: "1"
treatMissingData: notBreaching
alarmSets:
- regions:
- us-east-1
deploymentTargets:
organizationalUnits:
- Root
alarms:
- alarmName: CIS-1.1-RootAccountUsage
alarmDescription: Alarm for usage of "root" account
snsAlertLevel: Low
metricName: RootAccountUsage
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
logGroups:
- name: Log1
terminationProtected: true
encryption:
kmsKeyName: key1
deploymentTargets:
accounts:
- Production
- name: Log2
terminationProtected: false
deploymentTargets:
organizationalUnits:
- Infrastructure

Hierarchy

  • CloudWatchConfig

Implements

Constructors

Properties

Constructors

Properties

alarmSets: AlarmSetConfig[] = []

List AWS CloudWatch Alarms configuration

Following example will create CIS-1.1-RootAccountUsage alarm for RootAccountUsage metric with notification level low

Example

alarms:
# CIS 1.1Avoid the use of the "root" account
- alarmName: CIS-1.1-RootAccountUsage
alarmDescription: Alarm for usage of "root" account
snsAlertLevel: Low (Deprecated)
snsTopicName: Alarms
metricName: RootAccountUsage
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
logGroups: undefined | LogGroupsConfig[] = undefined

(OPTIONAL) List CloudWatch Logs configuration

The Following is an example of deploying CloudWatch Logs to multiple regions

Example

  logGroups:
- logGroupName: Log1
terminationProtected: true
encryption:
useLzaManagedKey: true
deploymentTarget:
account: Production
- logGroupName: Log2
terminationProtected: false
deploymentTarget:
organization: Infrastructure
metricSets: MetricSetConfig[] = []

List AWS CloudWatch Metrics configuration

Following example will create metric filter RootAccountMetricFilter for aws-controltower/CloudTrailLogs log group

Example

metrics:
# CIS 1.1Avoid the use of the "root" account
- filterName: RootAccountMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
metricNamespace: LogMetrics
metricName: RootAccount
metricValue: "1"

Generated using TypeDoc