AWSTemplateFormatVersion: 2010-09-09 Description: Construye alertas para CIS Parameters: CorreoSeguridad: Type: AWS::SSM::Parameter::Value Description: Correo electronico para envio de alertasd Default: /seguridad/correo AccountPrefix: Type: AWS::SSM::Parameter::Value Description: Parametro con la abreviatura del nombre de la cuenta Default: /cuenta/prefijo CloudWatchLogGroup: Type: AWS::SSM::Parameter::Value Description: Nombre del grupo de logs de cloudwatch usado por el trail Default: /seguridad/cloudtrail/cloudwatchlogs LlaveTopicoAlertaCIS: Type: AWS::SSM::Parameter::Value Description: Nombre del grupo de logs de cloudwatch usado por el trail Default: /seguridad/llaves/LlaveTopicoAlertaCIS # ========== # Recursos # ========== Resources: # ================================ # Topico SNS para envio de alertas # ================================ TopicoAlertaCIS: Type: AWS::SNS::Topic Properties: TopicName: !Sub ${AccountPrefix}-sns-alertacis KmsMasterKeyId: !Ref LlaveTopicoAlertaCIS Subscription: - Endpoint: !Ref CorreoSeguridad Protocol: email Tags: - Key: Name Value: TopicoAlertasCIS # ============================================= # Politica del topico SNS para envio de alerta # ============================================= PoliticaTopicoAlertaCIS: Type: AWS::SNS::TopicPolicy Properties: Topics: - !Ref TopicoAlertaCIS PolicyDocument: Version: 2012-10-17 Id: Politica-TopicoAlertaCIS Statement: - Sid: "Permitir publicar alarmas" Effect: Allow Principal: Service: cloudwatch.amazonaws.com Action: sns:Publish Resource: !Ref TopicoAlertaCIS Condition: ArnLike: aws:SourceArn: - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.1-LlamadasAPI-NoAutorizadas" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.2-SesionConsola-NoMFA" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.2-SesionConsola-NoMFA" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.3-Actividad-UsuarioRaiz" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.4-CambiosPoliticasIAM" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.5-CambiosCloudTrail" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.6-SesionConsola-Denegado" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.7-EliminacionDeshabilitacionLlaves" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.8-CambioPoliticasBucketS3" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.9-CambiosAWSConfig" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.10-CambiosSecurityGroups" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.11-CambiosACLRed" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.12-CambiosGatewayRed" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.13-CambiosTablasRuteoVPC" - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:CIS-3.14-CambiosVPC" # =================== # ALARMAS y METRICAS # =================== # =========================================== # CIS 1.1/3.1 - Llamadas API no autorizadas # =========================================== AlarmaCIS31: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.1-LlamadasAPI-NoAutorizadas AlarmDescription: >- Alerta de llamadas API no autorizadas MetricName: LlamadasAPI-NoAutorizadas Namespace: MetricasCIS Statistic: Sum Period: '60' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS31: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: LlamadasAPI-NoAutorizadas # ================================================= # CIS 3.2 - Inicio en sesion de consola AWS sin MFA # ================================================= AlarmaCIS32: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.2-SesionConsola-NoMFA AlarmDescription: >- Alerta de inicio de sesion en consola AWS sin MFA MetricName: SesionConsola-NoMFA Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS32: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName="ConsoleLogin") && ($.additionalEventData.MFAUsed !="Yes")} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: SesionConsola-NoMFA # ============================== # CIS 3.3 - Uso del usuario raiz # ============================== AlarmaCIS33: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.3-Actividad-UsuarioRaiz AlarmDescription: Alerta de actividad con usuario raiz MetricName: Actividad-UsuarioRaiz Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS33: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: Actividad-UsuarioRaiz # ================================== # CIS 3.4 - Cambios en politicas IAM # ================================== AlarmaCIS34: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.4-CambiosPoliticasIAM AlarmDescription: >- Alerta de cambios en politicas de IAM MetricName: CambiosPoliticasIAM Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS34: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosPoliticasIAM # ==================================================== # CIS 3.5 - Cambio en configuracion de AWS CloudTrail # ==================================================== AlarmaCIS35: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.5-CambiosCloudTrail AlarmDescription: Alerta cambios a configuracion CloudTrail MetricName: CambiosCloudTrail Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS35: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosCloudTrail # ============================================= # CIS 3.6 Inicio de sesion en consola denegado # ============================================= AlarmaCIS36: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.6-SesionConsola-Denegado AlarmDescription: >- Alerta de inicio de sesion en consola denegado MetricName: SesionConsola-Denegado Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '3' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS36: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=ConsoleLogin) && ($.errorMessage="Failed authentication")} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: SesionConsola-Denegado # ============================================================== # CIS 3.7 Llaves KMS deshabilitadas o marcadas para eliminacion # ============================================================== AlarmaCIS37: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.7-EliminacionDeshabilitacionLlaves AlarmDescription: >- Alerta de llaves deshabilitadas o marcadas para eliminacion MetricName: EliminacionDeshabilitacionLlaves Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS37: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: EliminacionDeshabilitacionLlaves # ========================================== # CIS 3.8 Cambios en politicas de bucket S3 # ========================================== AlarmaCIS38: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.8-CambioPoliticasBucketS3 AlarmDescription: Alerta de cambios a politicas en buckets s3 MetricName: CambioPoliticasBucketS3 Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS38: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambioPoliticasBucketS3 # =============================================== # CIS 3.9 Cambios en configuracion de AWS Config # =============================================== AlarmaCIS39: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.9-CambiosAWSConfig AlarmDescription: Alerta de cambios a AWS Config MetricName: CambiosAWSConfig Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS39: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosAWSConfig # =================================== # CIS 3.10 Cambios en Security groups # =================================== AlarmaCIS310: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.10-CambiosSecurityGroups AlarmDescription: >- Alerta de cambios a Security Groups MetricName: CambiosSecurityGroups Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS310: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosSecurityGroups # ============================================================================ # CIS 3.11 Cambios en configuracion de lista de control de acceso a red (NACL) # ============================================================================ AlarmaCIS311: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.11-CambiosACLRed AlarmDescription: Alerta de cambios a listas de control de acceso a red MetricName: CambiosACLRed Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS311: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosACLRed # ======================================================== # CIS 3.12 Cambios en puertas de salida (gateways) de red # ======================================================== AlarmaCIS312: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.12-CambiosGatewayRed AlarmDescription: >- Alerta de cambios a Customer o Internet Gateway MetricName: CambiosGatewayRed Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS312: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosGatewayRed # ==================================== # CIS 3.13 Cambios en tablas de ruteo # ==================================== AlarmaCIS313: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.13-CambiosTablasRuteoVPC AlarmDescription: >- Alerta de cambios a tablas de ruteo de VPC MetricName: CambiosTablasRuteoVPC Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS313: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosTablasRuteoVPC # ======================== # CIS 3.14 Cambios en VPC # ======================== AlarmaCIS314: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmName: CIS-3.14-CambiosVPC AlarmDescription: Alerta de cambios en VPC MetricName: CambiosVPC Namespace: MetricasCIS Statistic: Sum Period: '300' EvaluationPeriods: '1' Threshold: '1' ComparisonOperator: GreaterThanOrEqualToThreshold AlarmActions: - Ref: TopicoAlertaCIS TreatMissingData: notBreaching Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "No updates que requieran reemplazar este recurso. Para reemplazar utilizar nuevo nombre" MetricaCIS314: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: Ref: CloudWatchLogGroup FilterPattern: >- {($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)} MetricTransformations: - MetricValue: '1' MetricNamespace: MetricasCIS MetricName: CambiosVPC