SecurityConfig / CloudWatchConfig

AWS CloudWatch configuration

Example

cloudWatch:
  metricSets:
    - regions:
        - us-east-1
      deploymentTargets:
        organizationalUnits:
          - Root
      metrics:
        - filterName: MetricFilter
          logGroupName: aws-controltower/CloudTrailLogs
          filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
          metricNamespace: LogMetrics
          metricName: RootAccountUsage
          metricValue: "1"
          treatMissingData: notBreaching
  alarmSets:
    - regions:
        - us-east-1
      deploymentTargets:
        organizationalUnits:
          - Root
      alarms:
        - alarmName: CIS-1.1-RootAccountUsage
          alarmDescription: Alarm for usage of "root" account
          snsAlertLevel: Low
          metricName: RootAccountUsage
          namespace: LogMetrics
          comparisonOperator: GreaterThanOrEqualToThreshold
          evaluationPeriods: 1
          period: 300
          statistic: Sum
          threshold: 1
          treatMissingData: notBreaching
  logGroups:
    - logGroupName: Log1
      terminationProtected: true
      encryption:
        kmsKeyName: key1
      deploymentTargets:
        accounts:
          - Production
    - logGroupName: Log2
      terminationProtected: false
      deploymentTargets:
        organizationalUnits:
          - Infrastructure

Hierarchy

  • CloudWatchConfig

Properties

alarmSets: AlarmSetConfig[] = []

List AWS CloudWatch Alarms configuration

The following example creates the CIS-1.1-RootAccountUsage alarm on the RootAccountUsage metric with notification level Low.

Example

alarms:
  # CIS 1.1 Avoid the use of the "root" account
  - alarmName: CIS-1.1-RootAccountUsage
    alarmDescription: Alarm for usage of "root" account
    snsAlertLevel: Low  # deprecated; use snsTopicName instead
    snsTopicName: Alarms
    metricName: RootAccountUsage
    namespace: LogMetrics
    comparisonOperator: GreaterThanOrEqualToThreshold
    evaluationPeriods: 1
    period: 300
    statistic: Sum
    threshold: 1
    treatMissingData: notBreaching

logGroups: undefined | LogGroupsConfig[] = undefined

(OPTIONAL) List CloudWatch Logs configuration

The following is an example of deploying CloudWatch Logs to multiple regions.

Example

logGroups:
  - logGroupName: Log1
    terminationProtected: true
    encryption:
      useLzaManagedKey: true
    deploymentTargets:
      accounts:
        - Production
  - logGroupName: Log2
    terminationProtected: false
    deploymentTargets:
      organizationalUnits:
        - Infrastructure

metricSets: MetricSetConfig[] = []

List AWS CloudWatch Metrics configuration

The following example creates the metric filter RootAccountMetricFilter on the aws-controltower/CloudTrailLogs log group.

Example

metrics:
  # CIS 1.1 Avoid the use of the "root" account
  - filterName: RootAccountMetricFilter
    logGroupName: aws-controltower/CloudTrailLogs
    filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
    metricNamespace: LogMetrics
    metricName: RootAccount
    metricValue: "1"
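To check what the metric filter and alarm above actually detect before deploying them, the following added example (not part of the Landing Zone Accelerator code base or this page) re-implements the filterPattern, the Sum-per-period metric and the alarm evaluation in plain Python and runs them over a handful of constructed CloudTrail records. The event contents, the account ID 111111111111 and the timestamps are made up for the illustration; the period, threshold, evaluationPeriods, comparisonOperator and treatMissingData values are the ones from the alarm example on this page.

```python
"""Offline check of the page's CIS 1.1 root-usage metric filter and alarm.

Added example, not LZA code: models the CloudWatch Logs metric filter
  {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS
   && $.eventType != "AwsServiceEvent"}
and the alarm (Sum over 300 s, >= 1, 1 evaluation period, notBreaching).
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Alarm settings taken from the CloudWatchConfig example on the page.
PERIOD_SECONDS = 300       # period: 300
THRESHOLD = 1              # threshold: 1 (comparisonOperator: GreaterThanOrEqualToThreshold)
EVALUATION_PERIODS = 1     # evaluationPeriods: 1
METRIC_VALUE = 1           # metricValue: "1" (CloudWatch parses the string as a number)

# Constructed CloudTrail records, one JSON document per line, as they would be
# delivered to the aws-controltower/CloudTrailLogs log group. Account ID is a placeholder.
SAMPLE_CLOUDTRAIL_EVENTS = """
{"eventTime": "2024-01-01T00:01:00Z", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}}
{"eventTime": "2024-01-01T00:01:30Z", "eventType": "AwsApiCall", "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
{"eventTime": "2024-01-01T00:02:00Z", "eventType": "AwsApiCall", "eventName": "DescribeStacks", "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}}
{"eventTime": "2024-01-01T00:02:30Z", "eventType": "AwsApiCall", "eventName": "CreateUser", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}}
{"eventTime": "2024-01-01T00:07:00Z", "eventType": "AwsServiceEvent", "eventName": "GenerateDataKey", "userIdentity": {"type": "Root"}}
"""


def parse_events(jsonl):
    """Parse newline-delimited JSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def matches_root_usage_filter(event):
    """Python equivalent of the page's filterPattern.

    NOT EXISTS means the invokedBy key must be absent entirely, so a root
    action performed on root's behalf by a service (invokedBy set) is excluded,
    as are AwsServiceEvent records.
    """
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and event.get("eventType") != "AwsServiceEvent"
    )


def period_start(event_time):
    """Floor an ISO-8601 CloudTrail eventTime to the start of its 300 s period (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % PERIOD_SECONDS


def metric_datapoints(events):
    """Emit METRIC_VALUE per matching event and Sum it per period (statistic: Sum).

    Returns {period_start_epoch: sum}; periods with no matching event get no
    datapoint at all, which is what treatMissingData governs.
    """
    sums = defaultdict(int)
    for event in events:
        if matches_root_usage_filter(event):
            sums[period_start(event["eventTime"])] += METRIC_VALUE
    return dict(sums)


def alarm_state(datapoints, latest_period_start):
    """Evaluate the alarm ending at latest_period_start.

    ALARM only if each of the last EVALUATION_PERIODS periods is >= THRESHOLD.
    A period without a datapoint is treated as not breaching (treatMissingData: notBreaching).
    """
    for i in range(EVALUATION_PERIODS):
        value = datapoints.get(latest_period_start - i * PERIOD_SECONDS)
        if value is None or value < THRESHOLD:
            return "OK"
    return "ALARM"


if __name__ == "__main__":
    events = parse_events(SAMPLE_CLOUDTRAIL_EVENTS)
    for e in events:
        print(e["eventTime"], e["eventName"], "MATCH" if matches_root_usage_filter(e) else "-")
    dp = metric_datapoints(events)
    print("datapoints:", dp)
    for start in sorted(set(period_start(e["eventTime"]) for e in events)):
        print(start, alarm_state(dp, start))
```

Running it shows that only the console login and the CreateUser call count (Sum 2 in the first period, so the alarm fires), while the CloudFormation-invoked root action and the AwsServiceEvent record are filtered out, and the later period with no datapoint stays OK because of notBreaching.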

Generated using TypeDoc