We are using a tool that audits the alarms implemented in our environment as per the CIS Benchmark guide ( https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf).
It matches the exact expressions that are defined in the CIS Benchmark, including parentheses. There are 3 filters in alarms.tf that have a mismatch.
Please change the following filter expressions as per the CIS Benchmark guide.
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
Page 92:
CIS Benchmark Guide: "{ ($.eventName = "ConsoleLogin") &&($ .additionalEventData.MFAUsed != "Yes") }"
alarms.tf: "{ $.eventName = "ConsoleLogin" && $ .additionalEventData.MFAUsed = "No" }"
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
Page 112:
CIS Benchmark Guide: "{($.eventSource = kms.amazonaws.com) && (($ .eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }"
alarms.tf: "{ $.eventSource = kms* && $ .errorMessage = "* is pending deletion."}"
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
Page 120:
CIS Benchmark Guide: "{ ($.eventSource = config.amazonaws.com) &&(($ .eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($ .eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
alarms.tf: "{ $.eventSource = config.amazonaws.com && (($ .eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel) ||($ .eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
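The three metric filters and their alarms written with the CIS guide's own pattern text, as an added example that is not the project's alarms.tf and not from the issue author. Assumptions: the CloudTrail log group name, the SNS topic ARN and the metric namespace are placeholder variables; the "$ ." spacing in the quoted guide text is treated as a PDF line-wrap artifact and written as "$.", while the rest of the spacing and parentheses is kept as quoted, since the audit tool described above compares the expression text exactly. Note that the 3.2 and 3.7 patterns differ from the current alarms.tf in meaning, not only in form: "MFAUsed != "Yes"" also fires when the field is absent, and the kms filter keys on the DisableKey/ScheduleKeyDeletion events rather than on a later error message.

```hcl
# Added example (not the project's alarms.tf): CIS 3.2, 3.7 and 3.9 metric
# filters and alarms using the pattern text quoted from the CIS guide.
# Placeholders: log group name, SNS topic ARN, metric namespace.
# Assumption: "$ ." in the quoted PDF text is a line-wrap artifact, written "$.".

variable "cloudtrail_log_group_name" {
  description = "Placeholder: CloudWatch Logs group that receives CloudTrail events"
  type        = string
}

variable "alarm_sns_topic_arn" {
  description = "Placeholder: SNS topic that receives alarm notifications"
  type        = string
}

locals {
  metric_namespace = "CISBenchmark" # placeholder namespace

  # Filter patterns as given in the CIS guide sections quoted in this issue.
  cis_filter_patterns = {
    "3.2-ConsoleSigninWithoutMFA" = "{ ($.eventName = \"ConsoleLogin\") &&($.additionalEventData.MFAUsed != \"Yes\") }"
    "3.7-DisableOrDeleteCMK"      = "{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }"
    "3.9-AWSConfigChanges"        = "{ ($.eventSource = config.amazonaws.com) &&(($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
  }
}

# One metric filter per CIS control, emitting a count of 1 per matching event.
resource "aws_cloudwatch_log_metric_filter" "cis" {
  for_each = local.cis_filter_patterns

  name           = each.key
  pattern        = each.value
  log_group_name = var.cloudtrail_log_group_name

  metric_transformation {
    name      = each.key
    namespace = local.metric_namespace
    value     = "1"
  }
}

# One alarm per filter: notify when at least one matching event is seen
# in a 5-minute period.
resource "aws_cloudwatch_metric_alarm" "cis" {
  for_each = local.cis_filter_patterns

  alarm_name          = each.key
  namespace           = local.metric_namespace
  metric_name         = each.key
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  alarm_actions       = [var.alarm_sns_topic_arn]

  depends_on = [aws_cloudwatch_log_metric_filter.cis]
}
```

Because the metric filter and the alarm are keyed by the same map, changing a pattern in `local.cis_filter_patterns` updates both resources together, and the pattern string is the single place an audit tool's exact-text comparison has to agree with.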