Hello! I just added a simple `aws_cloudwatch_log_metric_filter` to my application in order to create an alarm when the "FAILED" pattern is found in my log:
```hcl
resource "aws_cloudwatch_log_metric_filter" "this" {
  name           = "events-failed"
  log_group_name = "/aws/events/myappli"
  pattern        = "FAILED"

  metric_transformation {
    name      = "ErrorCount"
    namespace = "MYAPPLI/EventsFailed"
    value     = "1"
  }
}
```
This new resource generates many new findings about non-existing log metric filters and alarms, for example:
```text
CloudWatch Unauthorized Access Alarm Missing, Severity: HIGH, Results: 1
Description: Ensure a log metric filter and alarm exist for unauthorized API calls
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5

	[1]: infrastructure/alarms.tf:1

		001: resource "aws_cloudwatch_log_metric_filter" "this" {
		002:   name           = "events-failed"
		003:   log_group_name = "/aws/events/myappli"
```
```yaml
- 4c18a45b-4ab1-4790-9f83-399ac695f1e5 # CRITICAL Ensure a log metric filter and alarm exist for unauthorized API calls - https://docs.kics.io/latest/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5
- 5b8d7527-de8e-4114-b9dd-9d988f1f418f # MEDIUM Ensure a log metric filter and alarm exist for AWS Config configuration changes - https://docs.kics.io/latest/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f
- 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 # MEDIUM Ensure a log metric filter and alarm exist for changes to NACL - https://docs.kics.io/latest/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0
- 56a585f5-555c-48b2-8395-e64e4740a9cf # MEDIUM Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK - https://docs.kics.io/latest/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf
- 5864d189-ee9a-4009-ac0c-8a582e6b7919 # MEDIUM Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - https://docs.kics.io/latest/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919
- 8b1b1e67-6248-4dca-bbad-93486bb181c0 # MEDIUM Ensure a log metric filter and alarm exist for root acount usage - https://docs.kics.io/latest/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0
- 9d0d4512-1959-43a2-a17f-72360ff06d1b # MEDIUM Ensure a log metric filter and alarm exist for VPC changes - https://docs.kics.io/latest/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b
- 0f6cbf69-41bb-47dc-93f3-3844640bf480 # MEDIUM Ensure a log metric filter and alarm exist for CloudTrail configuration changes - https://docs.kics.io/latest/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480
- 4beaf898-9f8b-4237-89e2-5ffdc7ee6006 # MEDIUM Ensure a log metric filter and alarm exist for security group changes - https://docs.kics.io/latest/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006
- 44ceb4fa-0897-4fd2-b676-30e7a58f2933 # LOW Ensure a log metric filter and alarm exist for management console sign-in without MFA - https://docs.kics.io/latest/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933
- eaaba502-2f94-411a-a3c2-83d63cc1776d # LOW Ensure a log metric filter and alarm exist for IAM policy changes - https://docs.kics.io/latest/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d
- 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e # LOW Ensure a log metric filter and alarm exist for network gateways changes - https://docs.kics.io/latest/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e
- 2285e608-ddbc-47f3-ba54-ce7121e31216 # LOW Ensure a log metric filter and alarm exist for route table changes - https://docs.kics.io/latest/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216
- 38b85c45-e772-4de8-a247-69619ca137b3 # INFO Ensure a log metric filter and alarm exist for AWS organizations changes - https://docs.kics.io/latest/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3
```
The global security of my AWS account is managed by another team in another code repo, so I excluded all these findings.

Is this a normal behaviour? Is there (another) way to avoid all these findings?
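For context on what the HIGH finding above (query 4c18a45b-4ab1-4790-9f83-399ac695f1e5) is looking for, here is an added example of a filter-plus-alarm pair of that kind; it is not from the original post or from the KICS project, and the CloudTrail log group name, the SNS topic and all resource and metric names are assumed placeholders. The filter pattern is the CIS AWS Foundations Benchmark pattern for unauthorized API calls.

```hcl
# Added example, not from the original post. ASSUMED placeholders: the
# CloudTrail log group name, the SNS topic, and all resource/metric names.

resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
  name = "unauthorized-api-calls"
  # ASSUMED: the log group that receives CloudTrail events in this account
  log_group_name = "/aws/cloudtrail/ACCOUNT-TRAIL-PLACEHOLDER"
  # CIS AWS Foundations Benchmark pattern for unauthorized API calls
  pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"

  metric_transformation {
    name      = "UnauthorizedAPICalls"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# ASSUMED: a topic that the security team subscribes to
resource "aws_sns_topic" "security_alarms" {
  name = "security-alarms"
}

# The alarm half of the pair: fire when at least one unauthorized call is
# counted in any 5-minute window, and stay quiet while no data arrives.
resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
  alarm_name          = "unauthorized-api-calls"
  alarm_description   = "Unauthorized API call recorded by CloudTrail"
  metric_name         = "UnauthorizedAPICalls" # must match the filter above
  namespace           = "CISBenchmark"         # must match the filter above
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alarms.arn]
}
```

The query checks for a metric filter with this pattern and an alarm wired to the same metric name and namespace, so both halves have to exist in the scanned code for that single finding to clear.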