AWSTemplateFormatVersion: 2010-09-09 Description: Construye dashboard Cloudwatch de Alertas CIS utilizando Insight rules Parameters: CloudWatchLogGroup: Type: AWS::SSM::Parameter::Value Description: Nombre del grupo de logs de cloudwatch usado por el trail Default: /seguridad/cloudtrail/cloudwatchlogs Resources: # ========================== # Dashboard de alertas CIS # ========================== # =========================================== # CIS 1.1/3.1 - Llamadas API no autorizadas # =========================================== ReglaInsightCIS31: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "AccessDenied", "UnauthorizedOperation" ], "Match": "$.errorCode" } ], "Keys": [ "$.userIdentity.arn", "$.eventName" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.1-LlamadasAPI-NoAutorizadas RuleState: ENABLED # ================================================= # CIS 3.2 - Inicio en sesion de consola AWS sin MFA # ================================================= ReglaInsightCIS32: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "ConsoleLogin" ], "Match": "$.eventName" }, { "NotIn": [ "Yes" ], "Match": "$.additionalEventData.MFAUsed" } ], "Keys": [ "$.userIdentity.userName", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.2-SesionConsola-NoMFA RuleState: ENABLED # ============================== # CIS 3.3 - Uso del usuario raiz # ============================== ReglaInsightCIS33: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "Root" ], "Match": "$.userIdentity.type" }, { "IsPresent": false, "Match": "$.userIdentity.invokedBy" }, { "NotIn": [ "AwsServiceEvent" ], "Match": "$.eventType" } ], "Keys": [ "$.userIdentity.type", "$.eventName" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.3-Actividad-UsuarioRaiz RuleState: ENABLED # ======================================== # CIS34: No compatible con reglas Insights # ======================================== # ==================================================== # CIS 3.5 - Cambio en configuracion de AWS CloudTrail # ==================================================== ReglaInsightCIS35: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.sessionContext.sessionIssuer.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.5-CambiosCloudTrail RuleState: ENABLED # ============================================= # CIS 3.6 Inicio de sesion en consola denegado # ============================================= ReglaInsightCIS36: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "ConsoleLogin" ], "Match": "$.eventName" }, { "In": [ "Failed authentication" ], "Match": "$.errorMessage" } ], "Keys": [ "$.userIdentity.userName", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.6-SesionConsola-Denegado RuleState: ENABLED # ============================================================== # CIS 3.7 Llaves KMS deshabilitadas o marcadas para eliminacion # ============================================================== ReglaInsightCIS37: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "kms.amazonaws.com" ], "Match": "$.eventSource" }, { "In": [ "DisableKey", "ScheduleKeyDeletion" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.7-EliminacionDeshabilitacionLlaves RuleState: ENABLED # ========================================== # CIS 3.8 Cambios en politicas de bucket S3 # ========================================== ReglaInsightCIS38: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "s3.amazonaws.com" ], "Match": "$.eventSource" }, { "In": [ "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle", "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.sessionContext.sessionIssuer.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.8-CambioPoliticasBucketS3 RuleState: ENABLED # =============================================== # CIS 3.9 Cambios en configuracion de AWS Config # =============================================== ReglaInsightCIS39: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "config.amazonaws.com" ], "Match": "$.eventSource" }, { "In": [ "StopConfigurationRecorder", "DeleteDeliveryChannel", "PutDeliveryChannel", "PutConfigurationRecorder" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.9-CambiosAWSConfig RuleState: ENABLED # =================================== # CIS 3.10 Cambios en Security groups # =================================== ReglaInsightCIS310: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.sessionContext.sessionIssuer.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.10-CambiosSecurityGroups RuleState: ENABLED # ============================================================================ # CIS 3.11 Cambios en configuracion de lista de control de acceso a red (NACL) # ============================================================================ ReglaInsightCIS311: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.11-CambiosACLRed RuleState: ENABLED # ======================================================== # CIS 3.12 Cambios en puertas de salida (gateways) de red # ======================================================== ReglaInsightCIS312: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway", "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.12-CambiosGatewayRed RuleState: ENABLED # ==================================== # CIS 3.13 Cambios en tablas de ruteo # ==================================== ReglaInsightCIS313: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "In": [ "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.13-CambiosTablasRuteoVPC RuleState: ENABLED # ======================== # CIS 3.14 Cambios en VPC # ======================== ReglaInsightCIS314: Type: AWS::CloudWatch::InsightRule Properties: RuleBody: !Sub | { "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }, "AggregateOn": "Count", "Contribution": { "Filters": [ { "StartsWith": [ "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection", "RejectVpcPeeringConnection", "AttachClassicLinkVpc", "DetachClassicLinkVpc", "DisableVpcClassicLink", "EnableVpcClassicLink" ], "Match": "$.eventName" } ], "Keys": [ "$.userIdentity.arn", "$.sourceIPAddress" ] }, "LogFormat": "JSON", "LogGroupNames": [ "${CloudWatchLogGroup}" ] } RuleName: CIS-3.14-CambiosVPC RuleState: ENABLED # ==========================# # CloudWatch Dashboard # # ==========================# #-------------------------------------------------------# # Display widgets containing reports from Insight Rules # #-------------------------------------------------------# CISDashboard: Type: AWS::CloudWatch::Dashboard DependsOn: - ReglaInsightCIS31 - ReglaInsightCIS32 - ReglaInsightCIS33 - ReglaInsightCIS35 - ReglaInsightCIS36 - ReglaInsightCIS37 - ReglaInsightCIS38 - ReglaInsightCIS39 - ReglaInsightCIS310 - ReglaInsightCIS311 - ReglaInsightCIS312 - ReglaInsightCIS313 - ReglaInsightCIS314 Properties: DashboardBody: !Sub | { "widgets": [ { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS31.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Llamadas API no autorizadas", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS32.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Sesion en consola sin MFA", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS33.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Actividad de usuario raiz", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS35.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambios en configuracion de CloudTrail", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS36.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Sesion en consola denegado", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS37.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Llave de encripcion eliminada o deshabilitada", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS38.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambio en politica de bucket s3", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS39.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambio en configuracion de AWS Config", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS310.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Ccambio en security groups", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS311.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambio en ACL de red", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS312.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambio en configuracion de gateway de red", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS313.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambio en tablas de ruteo", "legend": { "position": "right" } } }, { "type": "metric", "x": 0, "y": 12, "width": 12, "height": 6, "properties": { "period": 60, "insightRule": { "maxContributorCount": 10, "orderBy": "Sum", "ruleName": "${ReglaInsightCIS314.RuleName}" }, "stacked": false, "view": "timeSeries", "yAxis": { "left": { "showUnits": false }, "right": { "showUnits": false } }, "region": "${AWS::Region}", "title": "Cambio en VPC", "legend": { "position": "right" } } } ] } DashboardName: Dashboard-AlertaCIS Outputs: OutputDashboardURI: Description: Enlace al dashboard CloudWatch de Alerta CIS Value: !Sub 'https://console.aws.amazon.com/cloudwatch/home?region=${AWS::Region}#dashboards:name=${CISDashboard}'