249 | 249 | "metrics": [ |
250 | 250 | { |
251 | 251 | "filter-name": "SecurityGroupChangeMetric", |
252 | | - "accounts": ["ALL"], |
| 252 | + "accounts": ["management"], |
253 | 253 | "regions": ["${HOME_REGION}"], |
254 | 254 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
255 | 255 | "filter-pattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }", |
|
259 | 259 | }, |
260 | 260 | { |
261 | 261 | "filter-name": "NetworkAclChangeMetric", |
262 | | - "accounts": ["ALL"], |
| 262 | + "accounts": ["management"], |
263 | 263 | "regions": ["${HOME_REGION}"], |
264 | 264 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
265 | 265 | "filter-pattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)}", |
|
269 | 269 | }, |
270 | 270 | { |
271 | 271 | "filter-name": "GatewayChangeMetric", |
272 | | - "accounts": ["ALL"], |
| 272 | + "accounts": ["management"], |
273 | 273 | "regions": ["${HOME_REGION}"], |
274 | 274 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
275 | 275 | "filter-pattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway)}", |
|
279 | 279 | }, |
280 | 280 | { |
281 | 281 | "filter-name": "VpcChangeMetric", |
282 | | - "accounts": ["ALL"], |
| 282 | + "accounts": ["management"], |
283 | 283 | "regions": ["${HOME_REGION}"], |
284 | 284 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
285 | 285 | "filter-pattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }", |
|
289 | 289 | }, |
290 | 290 | { |
291 | 291 | "filter-name": "Ec2InstanceChangeMetric", |
292 | | - "accounts": ["ALL"], |
| 292 | + "accounts": ["management"], |
293 | 293 | "regions": ["${HOME_REGION}"], |
294 | 294 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
295 | 295 | "filter-pattern": "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances) }", |
|
299 | 299 | }, |
300 | 300 | { |
301 | 301 | "filter-name": "Ec2LargeInstanceChangeMetric", |
302 | | - "accounts": ["ALL"], |
| 302 | + "accounts": ["management"], |
303 | 303 | "regions": ["${HOME_REGION}"], |
304 | 304 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
305 | 305 | "filter-pattern": "{ (($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances)) && (($.requestParameters.instanceType= *.32xlarge) || ($.requestParameters.instanceType= *.24xlarge) || ($.requestParameters.instanceType= *.18xlarge) || ($.requestParameters.instanceType= *.16xlarge) || ($.requestParameters.instanceType= *.12xlarge) || ($.requestParameters.instanceType= *.10xlarge) || ($.requestParameters.instanceType= *.9xlarge) || ($.requestParameters.instanceType= *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }", |
|
309 | 309 | }, |
310 | 310 | { |
311 | 311 | "filter-name": "CloudTrailChangeMetric", |
312 | | - "accounts": ["ALL"], |
| 312 | + "accounts": ["management"], |
313 | 313 | "regions": ["${HOME_REGION}"], |
314 | 314 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
315 | 315 | "filter-pattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail)|| ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName= StopLogging) }", |
|
319 | 319 | }, |
320 | 320 | { |
321 | 321 | "filter-name": "ConsoleSignInFailureMetric", |
322 | | - "accounts": ["ALL"], |
| 322 | + "accounts": ["management"], |
323 | 323 | "regions": ["${HOME_REGION}"], |
324 | 324 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
325 | 325 | "filter-pattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }", |
|
329 | 329 | }, |
330 | 330 | { |
331 | 331 | "filter-name": "AuthorizationFailureMetric", |
332 | | - "accounts": ["ALL"], |
| 332 | + "accounts": ["management"], |
333 | 333 | "regions": ["${HOME_REGION}"], |
334 | 334 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
335 | 335 | "filter-pattern": "{ (($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && ($.userIdentity.principalId != \"*AWSConfig-BucketConfigCheck\")) }", |
|
339 | 339 | }, |
340 | 340 | { |
341 | 341 | "filter-name": "IamPolicyChangesMetric", |
342 | | - "accounts": ["ALL"], |
| 342 | + "accounts": ["management"], |
343 | 343 | "regions": ["${HOME_REGION}"], |
344 | 344 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
345 | 345 | "filter-pattern": "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}", |
|
349 | 349 | }, |
350 | 350 | { |
351 | 351 | "filter-name": "ConsoleSignInWithoutMfaMetric", |
352 | | - "accounts": ["ALL"], |
| 352 | + "accounts": ["management"], |
353 | 353 | "regions": ["${HOME_REGION}"], |
354 | 354 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
355 | 355 | "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}", |
|
359 | 359 | }, |
360 | 360 | { |
361 | 361 | "filter-name": "RootLoginMetric", |
362 | | - "accounts": ["ALL"], |
| 362 | + "accounts": ["management"], |
363 | 363 | "regions": ["${HOME_REGION}"], |
364 | 364 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
365 | 365 | "filter-pattern": "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }", |
|
369 | 369 | }, |
370 | 370 | { |
371 | 371 | "filter-name": "DisableOrDeleteCMKMetric", |
372 | | - "accounts": ["ALL"], |
| 372 | + "accounts": ["management"], |
373 | 373 | "regions": ["${HOME_REGION}"], |
374 | 374 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
375 | 375 | "filter-pattern": "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}", |
|
379 | 379 | }, |
380 | 380 | { |
381 | 381 | "filter-name": "AWSConfigChangesMetric", |
382 | | - "accounts": ["ALL"], |
| 382 | + "accounts": ["management"], |
383 | 383 | "regions": ["${HOME_REGION}"], |
384 | 384 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
385 | 385 | "filter-pattern": "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}", |
|
389 | 389 | }, |
390 | 390 | { |
391 | 391 | "filter-name": "RouteTableChangesMetric", |
392 | | - "accounts": ["ALL"], |
| 392 | + "accounts": ["management"], |
393 | 393 | "regions": ["${HOME_REGION}"], |
394 | 394 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
395 | 395 | "filter-pattern": "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}", |
|
399 | 399 | }, |
400 | 400 | { |
401 | 401 | "filter-name": "S3BucketPolicyChangesMetric", |
402 | | - "accounts": ["ALL"], |
| 402 | + "accounts": ["management"], |
403 | 403 | "regions": ["${HOME_REGION}"], |
404 | 404 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
405 | 405 | "filter-pattern": "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}", |
|
409 | 409 | }, |
410 | 410 | { |
411 | 411 | "filter-name": "SSOAuthUnapprovedIPMetric", |
412 | | - "accounts": ["ALL"], |
| 412 | + "accounts": ["management"], |
413 | 413 | "regions": ["${HOME_REGION}"], |
414 | 414 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
415 | 415 | "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }", |
|
419 | 419 | }, |
420 | 420 | { |
421 | 421 | "filter-name": "IAMAuthUnapprovedIPMetric", |
422 | | - "accounts": ["ALL"], |
| 422 | + "accounts": ["management"], |
423 | 423 | "regions": ["${HOME_REGION}"], |
424 | 424 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
425 | 425 | "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }", |
|
429 | 429 | }, |
430 | 430 | { |
431 | 431 | "filter-name": "UnencryptedFilesystemCreatedMetric", |
432 | | - "accounts": ["ALL"], |
| 432 | + "accounts": ["management"], |
433 | 433 | "regions": ["${HOME_REGION}"], |
434 | 434 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
435 | 435 | "filter-pattern": "{ ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) } ", |
|
439 | 439 | }, |
440 | 440 | { |
441 | 441 | "filter-name": "IgnoreAuthorizationFailureMetric", |
442 | | - "accounts": ["ALL"], |
| 442 | + "accounts": ["management"], |
443 | 443 | "regions": ["${HOME_REGION}"], |
444 | 444 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
445 | 445 | "filter-pattern": "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}", |
|
449 | 449 | }, |
450 | 450 | { |
451 | 451 | "filter-name": "IgnoreConsoleSignInWithoutMfaMetric", |
452 | | - "accounts": ["ALL"], |
| 452 | + "accounts": ["management"], |
453 | 453 | "regions": ["${HOME_REGION}"], |
454 | 454 | "loggroup-name": "aws-controltower/CloudTrailLogs", |
455 | 455 | "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}", |
|
459 | 459 | } |
460 | 460 | ], |
461 | 461 | "alarms": { |
462 | | - "default-accounts": ["ALL"], |
| 462 | + "default-accounts": ["management"], |
463 | 463 | "default-regions": ["${HOME_REGION}"], |
464 | 464 | "default-namespace": "CloudTrailMetrics", |
465 | 465 | "default-statistic": "Sum", |
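Review bot: Every filter in these hunks now deploys only to the management account, so member-account events are covered only because `aws-controltower/CloudTrailLogs` is fed by the organization trail, and the patterns (`RootLoginMetric` at 365, `CloudTrailChangeMetric` at 315, `IamPolicyChangesMetric` at 345) carry no account attribution, so an alarm will fire without saying which account's root signed in or which account's trail was stopped. If the metric-filter schema used here supports CloudWatch metric dimensions, add one keyed on the event's account, e.g. `"dimensions": { "Account": "$.recipientAccountId" }` (exact key name per the schema); otherwise document next to `"default-accounts": ["management"]` that responders must pivot to the log group to find the source account. It is also worth confirming that `${HOME_REGION}` is the region where the Control Tower log group actually lives, and that no member account keeps a local trail whose events are now unmonitored. The `metrics` array begins before the first hunk and the `alarms` object continues past the last one, so the per-filter metric name/value lines between the hunks are not visible here.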
|