
Commit 396d774

committed
implement organisations change metric/alarm
required by ISO 27001 2022 and SOC 2 under: * AVA-01 * NET-02 * NET-04
1 parent ccb3f45 commit 396d774


1 file changed

+32
-0
lines changed


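--- a/security/cloudtrail.yaml
+++ b/security/cloudtrail.yaml
@@ -43,6 +43,7 @@ Metadata:
 - DisableNetworkGatewayChangeAlarm
 - DisableRouteTableChangeAlarm
 - DisableVpcChangeAlarm
+- DisableOrganizationsChangeAlarm
 - Label:
 default: 'Permission Parameters'
 Parameters:
@@ -143,6 +144,11 @@ Parameters:
 Type: String
 Default: 'false'
 AllowedValues: ['true', 'false']
+DisableOrganizationsChangeAlarm:
+Description: 'Disable AVA-01, NET-02, NET-04 alarms (ISO 27001 2022/SOC 2).'
+Type: String
+Default: 'false'
+AllowedValues: ['true', 'false']
 S3DataEvents:
 Description: 'Record data events of all S3 buckets? (Warning: additional charges apply.)'
 Type: String
@@ -172,6 +178,7 @@ Conditions:
 HasNetworkGatewayChangeAlarm: !And [!Equals [!Ref DisableNetworkGatewayChangeAlarm, 'false'], !Condition HasAlertTopic]
 HasRouteTableChangeAlarm: !And [!Equals [!Ref DisableRouteTableChangeAlarm, 'false'], !Condition HasAlertTopic]
 HasVpcChangeAlarm: !And [!Equals [!Ref DisableVpcChangeAlarm, 'false'], !Condition HasAlertTopic]
+HasOrganizationsChangeAlarm: !And [!Equals [!Ref DisableOrganizationsChangeAlarm, 'false'], !Condition HasAlertTopic]
 Resources:
 TrailBucket:
 Condition: InternalBucket
@@ -643,6 +650,31 @@ Resources:
 AlarmActions:
 - {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
 TreatMissingData: notBreaching
+OrganizationsChangeMetricFilter: # ISO 27001 2022; SOC 2 (AVA-01, NET-02, NET-04)
+Condition: HasOrganizationsChangeAlarm
+Type: 'AWS::Logs::MetricFilter'
+Properties:
+FilterPattern: '{($.eventSource = organizations.amazonaws.com) && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUnit))}'
+LogGroupName: !Ref TrailLogGroup
+MetricTransformations:
+- MetricValue: '1'
+MetricNamespace: !Ref 'AWS::StackName'
+MetricName: 'OrganizationsChangeCount'
+OrganizationsChangeAlarm:
+Condition: HasOrganizationsChangeAlarm
+Type: 'AWS::CloudWatch::Alarm'
+Properties:
+AlarmDescription: 'CloudTrail: changes to Organizations detected'
+Namespace: !Ref 'AWS::StackName'
+MetricName: OrganizationsChangeCount
+Statistic: Sum
+Period: 300
+EvaluationPeriods: 1
+ComparisonOperator: GreaterThanThreshold
+Threshold: 0
+AlarmActions:
+- {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
+TreatMissingData: notBreaching
 Outputs:
 TemplateID:
 Description: 'cloudonaut.io template id.'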
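Review bot: The FilterPattern on new line 657 leaves out several Organizations control-plane actions that a change alarm mapped to AVA-01/NET-02/NET-04 would normally be expected to cover: delegated-administrator changes, trusted-service access changes and account closure are at least as security-relevant as the policy and OU events already listed. Consider extending the pattern with `|| ($.eventName = RegisterDelegatedAdministrator) || ($.eventName = DeregisterDelegatedAdministrator) || ($.eventName = EnableAWSServiceAccess) || ($.eventName = DisableAWSServiceAccess) || ($.eventName = CloseAccount)` (and `CreateOrganization`/`EnableAllFeatures` if the template is meant to catch an organization being bootstrapped). Organizations is a global service whose CloudTrail events are recorded only in the management account, so in a member-account deployment the filter can never match and `TreatMissingData: notBreaching` on line 677 will make that silent; a short comment on OrganizationsChangeMetricFilter saying so, e.g. `# Only fires in the management account; Organizations events are not logged in member accounts`, would save operators from assuming they have coverage they do not. Whether the trail defined earlier in this file captures global-service events is outside the hunk and should be checked. The enclosing Resources and Parameters mappings both begin before their hunks.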
