feat(core): Creating Metrics and Alarms (#363)

* Creating CloudWatch LogGroup MetricFilters and Alarms (#363)

Author: naveenkoppula

reference-artifacts/master-config-sample-snippets/sample_snippets.json

@@ -16,6 +16,48 @@ Config File Examples:  {Not in sample config file}
           "exclusions": ["def/*"]
         }
       ],
+************************************CloudWatch MetricFilters and Alarms
+    "central-log-services": {
+      "cloudwatch": {
+        "metrics": [{
+            "filter-name": "SecurityGroupChangeMetricTest",
+            "accounts": [
+              "master"
+            ],
+            "regions": [
+              "ca-central-1"
+            ],
+            "loggroup-name": "/PBMMAccel/CloudTrailTest",
+            "filter-pattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }",
+            "metric-namespace": "CloudTrailMetrics",
+            "metric-name": "SecurityGroupEventCountTest",
+            "metric-value": "1",
+            "default-value": 0
+        }],
+        "alarms": {
+          "default-accounts": [
+            "master"
+          ],
+          "default-regions": [
+            "ca-central-1"
+          ],
+          "default-namespace": "CloudTrailMetrics",
+          "default-statistic": "Sum",
+          "default-period": 300,
+          "default-threshold-type": "Static",
+          "default-comparison-operator": "GreaterThanOrEqualToThreshold",
+          "default-threshold": 1,
+          "default-evaluation-periods": 1,
+          "default-treat-missing-data": "notBreaching",
+          "definitions": [{
+              "alarm-name": "AWS-Security-Group-Changed",
+              "metric-name": "SecurityGroupEventCount",
+              "sns-alert-level": "Low",
+              "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Security Group (in any account, any region of your AWS Organization)."
+          }]
+        }
+      }
+    }
 ************************************Additional regions for Amazon CloudWatch Central Logging to S3
     "additional-cwl-regions": {
       "us-east-1": {

src/deployments/cdk/package.json

@@ -57,6 +57,7 @@
     "@aws-cdk/aws-securityhub": "1.46.0",
     "@aws-cdk/aws-sns": "1.46.0",
     "@aws-cdk/aws-ssm": "1.46.0",
+    "@aws-cdk/aws-cloudwatch": "1.46.0",
     "@aws-cdk/core": "1.46.0",
     "@aws-cdk/custom-resources": "1.46.0",
     "@aws-cdk/aws-events": "1.46.0",
@@ -106,6 +107,7 @@
     "@aws-accelerator/custom-resource-guardduty-admin-setup": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-vpc-default-security-group": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-ssm-session-manager-document": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-logs-metric-filter": "workspace:^0.0.1",
     "@types/cfn-response": "^1.0.3",
     "colors": "1.4.0",
     "constructs": "2.0.1",

src/deployments/cdk/src/apps/phase--1.ts

@@ -12,6 +12,8 @@ import * as globalRoles from '../deployments/iam';
  *   - Creating required roles for createSSMDocument custom resource
  *   - Creating required roles for createLogGroup custom resource
  *   - Creating required roles for CWLCentralLoggingSubscriptionFilterRole custom resource
+ *   - Creating required roles for createLogsMetricFilter custom resource
+ *   - Creating required roles for SnsSubscriberLambda custom resource
  */
 export async function deploy({ acceleratorConfig, accountStacks, accounts }: PhaseInput) {
   // creates roles for macie custom resources
@@ -64,4 +66,10 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts }: Pha
     accounts,
     config: acceleratorConfig,
   });
+
+  // Creates role for createLogsMetricFilter custom resource
+  await globalRoles.createLogsMetricFilterRole({
+    accountStacks,
+    accounts,
+  });
 }

src/deployments/cdk/src/apps/phase-2.ts

@@ -289,17 +289,17 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       accounts,
       outputs,
     });
-
-    /**
-     * Creating required SNS Topics in Log accont if baseline is Organizations
-     */
-    await snsDeployment.step1({
-      accountStacks,
-      config: acceleratorConfig,
-      outputs,
-    });
   }
 
+  /**
+   * Creating required SNS Topics in Log accont
+   */
+  await snsDeployment.step1({
+    accountStacks,
+    config: acceleratorConfig,
+    outputs,
+  });
+
   const logBucket = accountBuckets[acceleratorConfig['global-options']['central-log-services'].account];
   await guardDutyDeployment.step3({
     accountStacks,

src/deployments/cdk/src/apps/phase-4.ts

@@ -5,6 +5,7 @@ import { getStackJsonOutput, ResolversOutput, MadRuleOutput } from '@aws-acceler
 import { Route53ResolverRuleSharing } from '../common/r53-resolver-rule-sharing';
 import { PhaseInput } from './shared';
 import * as securityHub from '../deployments/security-hub';
+import * as cloudWatchDeployment from '../deployments/cloud-watch';
 
 type ResolversOutputs = ResolversOutput[];
 
@@ -96,4 +97,14 @@ export async function deploy({ acceleratorConfig, accounts, accountStacks, outpu
     config: acceleratorConfig,
     outputs,
   });
+
+  /**
+   *  CloudWatch Deployment step-1
+   *  Creates CloudWatch Metrics on LogGroups
+   */
+  await cloudWatchDeployment.step1({
+    accountStacks,
+    config: acceleratorConfig,
+    outputs,
+  });
 }

src/deployments/cdk/src/apps/phase-5.ts

@@ -13,6 +13,7 @@ import { RdgwArtifactsOutput } from './phase-4';
 import * as cwlCentralLoggingToS3 from '../deployments/central-services/central-logging-s3';
 import { ArtifactOutputFinder } from '../deployments/artifacts/outputs';
 import { ImageIdOutputFinder } from '@aws-accelerator/common-outputs/src/ami-output';
+import * as cloudWatchDeployment from '../deployments/cloud-watch';
 
 export async function deploy({ acceleratorConfig, accountStacks, accounts, context, outputs }: PhaseInput) {
   const accountNames = acceleratorConfig
@@ -170,4 +171,14 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       });
     }
   }
+
+  /**
+   *  CloudWatch Deployment step-2
+   *  Creates CloudWatch Alarms
+   */
+  await cloudWatchDeployment.step2({
+    accountStacks,
+    config: acceleratorConfig,
+    accounts,
+  });
 }

src/deployments/cdk/src/deployments/cloud-watch/index.ts

@@ -0,0 +1,2 @@
+export * from './step-1';
+export * from './step-2';

src/deployments/cdk/src/deployments/cloud-watch/step-1.ts

@@ -0,0 +1,67 @@
+import * as c from '@aws-accelerator/common-config';
+import { AccountStacks } from '../../common/account-stacks';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
+import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
+import { LogsMetricFilter } from '@aws-accelerator/custom-resource-logs-metric-filter';
+import { createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+export interface CloudWatchStep1Props {
+  accountStacks: AccountStacks;
+  config: c.AcceleratorConfig;
+  outputs: StackOutput[];
+}
+
+export async function step1(props: CloudWatchStep1Props) {
+  const { accountStacks, config, outputs } = props;
+  const globalOptions = config['global-options'];
+  if (!globalOptions.cloudwatch) {
+    console.log(`No Configuration defined for CloudWatch Deployment`);
+    return;
+  }
+  const metricsConfig = globalOptions.cloudwatch.metrics;
+  metricsConfig.forEach((metricConfig, _) => {
+    const accountKeys: string[] = [];
+    const regions: string[] = [];
+    if (metricConfig.accounts && metricConfig.accounts.includes('ALL')) {
+      // TODO Ignore for now implementation will come in phase 2
+    } else {
+      accountKeys.push(...metricConfig.accounts);
+    }
+
+    if (metricConfig.regions && metricConfig.regions.includes('ALL')) {
+      // TODO Ignore for now implementation will come in phase 2
+    } else {
+      regions.push(...metricConfig.regions);
+    }
+    for (const accountKey of accountKeys) {
+      const metricFilterRole = IamRoleOutputFinder.tryFindOneByName({
+        outputs,
+        accountKey,
+        roleKey: 'LogsMetricFilterRole',
+      });
+      if (!metricFilterRole) {
+        console.error(`Role is not created for LogsMetricFilter CustomResource in account: ${accountKey}`);
+        continue;
+      }
+      for (const region of regions) {
+        const accountStack = accountStacks.tryGetOrCreateAccountStack(accountKey, region);
+        if (!accountStack) {
+          console.error(`Cannot find account stack ${accountKey}: ${region}, while deploying CloudWatch Metric Filter`);
+          continue;
+        }
+        new LogsMetricFilter(accountStack, `LogGroupMetricFilter${metricConfig['metric-name']}`, {
+          roleArn: metricFilterRole.roleArn,
+          defaultValue: metricConfig['default-value'],
+          metricValue: metricConfig['metric-value'],
+          filterPattern: metricConfig['filter-pattern'].trim(),
+          metricName: metricConfig['metric-name'],
+          metricNamespace: metricConfig['metric-namespace'],
+          filterName: createName({
+            name: metricConfig['filter-name'],
+            suffixLength: 0,
+          }),
+          logGroupName: metricConfig['loggroup-name'],
+        });
+      }
+    }
+  });
+}

src/deployments/cdk/src/deployments/cloud-watch/step-2.ts

@@ -0,0 +1,69 @@
+import * as c from '@aws-accelerator/common-config';
+import { AccountStacks } from '../../common/account-stacks';
+import * as cdk from '@aws-cdk/core';
+import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
+import { Account, getAccountId } from '@aws-accelerator/common-outputs/src/accounts';
+import { createName, createSnsTopicName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+
+export interface CloudWatchStep2Props {
+  accountStacks: AccountStacks;
+  config: c.AcceleratorConfig;
+  accounts: Account[];
+}
+
+export async function step2(props: CloudWatchStep2Props) {
+  const { accountStacks, config, accounts } = props;
+  const globalOptions = config['global-options'];
+  const centralLogServices = globalOptions['central-log-services'];
+  if (!globalOptions.cloudwatch) {
+    console.log(`No Configuration defined for CloudWatch Deployment`);
+    return;
+  }
+  const alarmsConfig = globalOptions.cloudwatch.alarms;
+  const alarmDefaultDefinition: c.CloudWatchDefaultAlarmDefinition = alarmsConfig;
+  for (const alarmconfig of alarmsConfig.definitions) {
+    const accountKeys: string[] = [];
+    const regions: string[] = [];
+    if (alarmconfig.accounts && alarmconfig.accounts.includes('ALL')) {
+      // TODO Ignore for now implementation will come in phase 2
+    } else {
+      accountKeys.push(...(alarmconfig.accounts || alarmDefaultDefinition['default-accounts']));
+    }
+
+    if (alarmconfig.regions && alarmconfig.regions.includes('ALL')) {
+      // TODO Ignore for now implementation will come in phase 2
+    } else {
+      regions.push(...(alarmconfig.regions || alarmDefaultDefinition['default-regions']));
+    }
+    for (const accountKey of accountKeys) {
+      for (const region of regions) {
+        const accountStack = accountStacks.tryGetOrCreateAccountStack(accountKey, region);
+        if (!accountStack) {
+          console.error(`Cannot find account stack ${accountKey}: ${region}, while deploying CloudWatch Alarm`);
+          continue;
+        }
+        new cloudwatch.CfnAlarm(accountStack, `CloudAlarm${alarmconfig['alarm-name']}`, {
+          alarmDescription: alarmconfig['alarm-description'],
+          alarmName: createName({
+            name: alarmconfig['alarm-name'],
+            suffixLength: 0,
+          }),
+          metricName: alarmconfig['metric-name'],
+          evaluationPeriods: alarmconfig['evaluation-periods'] || alarmDefaultDefinition['default-evaluation-periods'],
+          comparisonOperator:
+            alarmconfig['comparison-operator'] || alarmDefaultDefinition['default-comparison-operator'],
+          namespace: alarmconfig.namespace || alarmDefaultDefinition['default-namespace'],
+          statistic: alarmconfig.statistic || alarmDefaultDefinition['default-statistic'],
+          period: alarmconfig.period || alarmDefaultDefinition['default-period'],
+          treatMissingData: alarmconfig['treat-missing-data'] || alarmDefaultDefinition['default-treat-missing-data'],
+          threshold: alarmconfig.threshold || alarmDefaultDefinition['default-threshold'],
+          alarmActions: [
+            `arn:aws:sns:${cdk.Aws.REGION}:${getAccountId(accounts, centralLogServices.account)}:${createSnsTopicName(
+              alarmconfig['sns-alert-level'],
+            )}`,
+          ],
+        });
+      }
+    }
+  }
+}

src/deployments/cdk/src/deployments/iam/index.ts

@@ -9,4 +9,5 @@ export * from './ssm-document-roles';
 export * from './log-group-role';
 export * from './cwl-central-logging-roles';
 export * from './cwl-add-subscription-filter-role';
+export * from './logs-metric-filter-role';
 export * from './sns-subscriber-lambda-role';