cfn-guardian 0.1.0 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2605c1c68bc60955c63d620536adc746e75db45812783c641ee41a85cfc6693b
-  data.tar.gz: 50882bfd8151cc4cde52a0107509a8a9380bc15d8ab6d3805558f8a9578a928e
+  metadata.gz: 7b64db0c4a4a45a9432c2cf750ac07b2600b54938e080fc24e3a50201144bfaa
+  data.tar.gz: 8e6561a49bd7be8d9185fd64f55e6d3d1842683e325c6c12b6c61ebad1058e43
 SHA512:
-  metadata.gz: 1134950814ca8e006cac4e5b78a6d0d77e2e3a289e85fac71b981f60fafe0c332eb3f84c44cffa28763c9b5bd093f0e6b385fe19962920a895dcd833fbe81dd4
-  data.tar.gz: ee7616c707777d6fcdcc5d199ef2e821f8678464b4a0292b3ccd9fcd1f30785aa22057b59d39f543b36652b51ac529c65c1c25671cd8409d6892cf0d3fbc796e
+  metadata.gz: 4585cdc22260486afe530c5abd07f490d4d71a1a63f435d64e1bdc964ebb175a852b9d45af9b6ada79ee025bde0c7df88c1352ef2fc5bb799f507553186b3377
+  data.tar.gz: eca47bd9aab11dc4888e29aa7a4992512344db581ad06455d4283ec7009d1998a46dcb122191b37d5e300c60a6ee28bf0979a0c6a6c2cfc8281fe785b34ebafe

data/.dockerignore

@@ -0,0 +1 @@
+cfn-guardian-*.gem

data/Dockerfile

@@ -0,0 +1,19 @@
+FROM ruby:2.7-alpine
+
+ARG GUARDIAN_VERSION="0.2.2"
+
+COPY . /src
+
+WORKDIR /src
+
+RUN apk add --no-cache git \
+    && gem build cfn-guardian.gemspec \
+    && gem install cfn-guardian-${GUARDIAN_VERSION}.gem \
+    && rm -rf /src
+    
+RUN addgroup -g 1000 guardian && \
+    adduser -D -u 1000 -G guardian guardian
+
+USER guardian
+
+RUN cfndsl -u 11.5.0

data/Gemfile.lock

@@ -1,10 +1,14 @@
 PATH
   remote: .
   specs:
-    cfn-guardian (0.1.0)
-      aws-sdk-cloudformation (~> 1, < 2)
-      aws-sdk-s3 (~> 1, < 2)
+    cfn-guardian (0.3.1)
+      aws-sdk-cloudformation (~> 1.31, < 2)
+      aws-sdk-cloudwatch (~> 1.28, < 2)
+      aws-sdk-codecommit (~> 1.28, < 2)
+      aws-sdk-codepipeline (~> 1.28, < 2)
+      aws-sdk-s3 (~> 1.60, < 2)
       cfndsl (~> 1.0, < 2)
+      term-ansicolor (~> 1, < 2)
       terminal-table (~> 1, < 2)
       thor (~> 0.20)
 
@@ -12,33 +16,47 @@ GEM
   remote: https://rubygems.org/
   specs:
     aws-eventstream (1.0.3)
-    aws-partitions (1.236.0)
-    aws-sdk-cloudformation (1.26.0)
+    aws-partitions (1.281.0)
+    aws-sdk-cloudformation (1.31.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.76.0)
+    aws-sdk-cloudwatch (1.34.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-codecommit (1.31.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-codepipeline (1.28.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-core (3.91.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.228.0)
+      aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-kms (1.25.0)
+    aws-sdk-kms (1.30.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.53.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-s3 (1.61.0)
+      aws-sdk-core (~> 3, >= 3.83.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
-    cfndsl (1.0.0)
+    cfndsl (1.0.5)
       hana (~> 1.3)
     hana (1.3.5)
     jmespath (1.4.0)
     rake (10.5.0)
+    sync (0.5.0)
+    term-ansicolor (1.7.1)
+      tins (~> 1.0)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
-    unicode-display_width (1.6.0)
+    tins (1.24.1)
+      sync
+    unicode-display_width (1.7.0)
 
 PLATFORMS
   ruby

data/README.md

@@ -5,6 +5,7 @@ CfnGuardian is a AWS monitoring tool with a few capabilities:
 - creates cloudwatch alarms through cloudformation based upon resources defined in a YAML config
 - alerting through SNS using 4 levels of severity [ Critical, Warning, Task, Informational ]  
 - has a standard set of default alarms across many AWS resources
+- creates cloudwatch log metric filters with default alarms
 - creates custom metrics for external checks through lambda functions such as
     - http endpoint availability
     - http status code matching 
@@ -13,6 +14,9 @@ CfnGuardian is a AWS monitoring tool with a few capabilities:
     - ssl expiry
     - sql query
     - nrpe
+    - sftp availability
+    - sftp file download
+    - tls version checking
 
 **Supported AWS Resources**
 
@@ -33,6 +37,7 @@ CfnGuardian is a AWS monitoring tool with a few capabilities:
 - RDS Instances
 - Redshift Cluster
 - SQS Queues
+- LogGroup Metric Filters
 
 ## Installation
 
@@ -44,6 +49,8 @@ gem install cfn-guardian
 
 **compile**
 
+Generates CloudFormation templates from the alarm configuration and output to the out/ directory.
+
 ```bash
 Usage:
   cfn-guardian compile c, --config=CONFIG
@@ -54,13 +61,13 @@ Options:
                                      # Default: true
       [--bucket=BUCKET]              # provide custom bucket name, will create a default bucket if not provided
   r, [--region=REGION]               # set the AWS region
-
-Description:
-  Generates CloudFormation templates from the alarm configuration and output to the out/ directory.
+      [--debug], [--no-debug]        # enable debug logging
 ```
 
 **deploy**
 
+Generates CloudFormation templates from the alarm configuration and output to the out/ directory. Then copies the files to the s3 bucket and deploys the Cloudformation.
+
 ```bash
 Usage:
   cfn-guardian deploy c, --config=CONFIG
@@ -69,58 +76,95 @@ Options:
   c, --config=CONFIG                           # yaml config file
       [--bucket=BUCKET]                        # provide custom bucket name, will create a default bucket if not provided
   r, [--region=REGION]                         # set the AWS region
-  r, [--stack-name=STACK_NAME]                 # set the Cloudformation stack name. Defaults to `guardian`
+  s, [--stack-name=STACK_NAME]                 # set the Cloudformation stack name. Defaults to `guardian`
       [--sns-critical=SNS_CRITICAL]            # sns topic arn for the critical alamrs
       [--sns-warning=SNS_WARNING]              # sns topic arn for the warning alamrs
       [--sns-task=SNS_TASK]                    # sns topic arn for the task alamrs
       [--sns-informational=SNS_INFORMATIONAL]  # sns topic arn for the informational alamrs
-
-Description:
-  Generates CloudFormation templates from the alarm configuration and output to the out/ directory. Then copies the files to the s3 bucket and deploys the cloudformation.
+      [--debug], [--no-debug]                  # enable debug logging
 ```
 
 **show-alarms**
 
+Displays the configured settings for each alarm. Can be filtered by resource group and alarm name. Defaults to show all configured alarms.
+
 ```bash
 Usage:
   cfn-guardian show-alarms c, --config=CONFIG
 
 Options:
-  c, --config=CONFIG        # yaml config file
-  g, [--group=GROUP]        # resource group
-  n, [--name=NAME]          # alarm name
-  r, [--resource=RESOURCE]  # resource id
+  c, --config=CONFIG                 # yaml config file
+  g, [--group=GROUP]                 # resource group
+  a, [--alarm=ALARM]                 # alarm name
+      [--id=ID]                      # resource id
+      [--compare], [--no-compare]    # compare config to deployed alarms
+      [--defaults], [--no-defaults]  # show default alarm and properites
+      [--debug], [--no-debug]        # enable debug logging
+```
+
+**show-history**
+
+Displays the alarm state or config history for the last 7 days. Alarms can be described in 2 different ways:
+
+1. Using the config to describe the alarms and filter via the group, alarm and resource id. 
+2. Supplying a list of alarm names with the `--alarm-names` option.
+
+*NOTE: Options 2 may find alarms not in the guardian stack.*
 
-Description:
-  Displays the configured settings for each alarm. Can be filtered by resource group, resource name and alarm name. Defaults to show all configured alarms.
+```bash
+Usage:
+  cfn-guardian show-history
+
+Options:
+  c, [--config=CONFIG]               # yaml config file
+  g, [--group=GROUP]                 # resource group
+  a, [--alarm=ALARM]                 # alarm name
+      [--alarm-names=one two three]  # CloudWatch alarm name if not providing config
+      [--id=ID]                      # resource id
+  t, [--type=TYPE]                   # filter by alarm state
+                                     # Default: state
+                                     # Possible values: state, config
+      [--debug], [--no-debug]        # enable debug logging
 ```
 
+**show-state**
+
+Displays the current CloudWatch alarm state. Alarms can be described in 3 different ways:
+
+1. Using the config to describe the alarms and filter via the group, alarm and resource id. 
+2. Supplying a list of alarm names with the `--alarm-names` option.
+3. Supplying the alarm name prefix using the `--alarm-prefix` option. For example `--alarm-prefix ECS` will find all the ECSCluster related alarms.
+
+*NOTE: Options 2 and 3 may find alarms not in the guardian stack.*
+
 ```bash
-  ECSCluster
-+--------------------------------------+-----------------------------------+
-|                    ECSContianerInstancesDisconnected                     |
-+--------------------------------------+-----------------------------------+
-| property                             | Value                             |
-+--------------------------------------+-----------------------------------+
-| actions_enabled                      | true                              |
-| alarm_action                         | Critical                          |
-| comparison_operator                  | GreaterThanThreshold              |
-| datapoints_to_alarm                  |                                   |
-| dimensions                           | {:ClusterName=>"MyCluster"}       |
-| enabled                              | true                              |
-| evaluate_low_sample_count_percentile |                                   |
-| evaluation_periods                   | 2                                 |
-| extended_statistic                   |                                   |
-| metric_name                          | ECSContianerInstancesDisconnected |
-| namespace                            | EcsCICheck                        |
-| period                               | 300                               |
-| resource                             | MyCluster                         |
-| resource_name                        | 3ccc504543e67a86f3fa43bb64cf592b  |
-| statistic                            | Maximum                           |
-| threshold                            | 0                                 |
-| treat_missing_data                   |                                   |
-| unit                                 |                                   |
-+--------------------------------------+-----------------------------------+
+Usage:
+  cfn-guardian show-state
+
+Options:
+  c, [--config=CONFIG]               # yaml config file
+  g, [--group=GROUP]                 # resource group
+  a, [--alarm=ALARM]                 # alarm name
+      [--id=ID]                      # resource id
+  s, [--state=STATE]                 # filter by alarm state
+                                     # Possible values: OK, ALARM, INSUFFICIENT_DATA
+      [--alarm-names=one two three]  # CloudWatch alarm name if not providing config
+      [--alarm-prefix=ALARM_PREFIX]  # CloudWatch alarm name prefix if not providing config
+      [--debug], [--no-debug]        # enable debug logging
+```
+
+**show-drift**
+
+Displays any Cloudformation drift detection in the CloudWatch alarms from the deployed stacks.
+
+```bash
+Usage:
+  cfn-guardian show-drift
+
+Options:
+  s, [--stack-name=STACK_NAME]  # set the Cloudformation stack name
+                                # Default: guardian
+      [--debug], [--no-debug]   # enable debug logging
 ```
 
 ## Configuration
@@ -170,11 +214,82 @@ Resources:
 | CloudFrontDistribution      | Id               |
 | SQSQueue                    | Id               |
 
+### Alarm Defaults
+
+To list the default alarms use the `show-alarms` command with the `--defaults` switch.
+The list can be filtered using the `--group ApplicationTargetGroup` and `--alarm TargetResponseTime` optional switches
+
+```sh
+cfn-guardian show-alarms --defaults --group ApplicationTargetGroup --alarm TargetResponseTime
+
++-------------------------+----------------------------------+
+|         ApplicationTargetGroup::TargetResponseTime         |
+| guardian-ApplicationTargetGroup-Default-TargetResponseTime |
++-------------------------+----------------------------------+
+| Property                | Config                           |
++-------------------------+----------------------------------+
+| ResourceId              | Default                          |
+| ResourceHash            | 7a1920d61156abc05a60135aefe8bc67 |
+| Enabled                 | true                             |
+| MetricName              | TargetResponseTime               |
+| Dimensions              |                                  |
+| Threshold               | 5                                |
+| Period                  | 60                               |
+| EvaluationPeriods       | 5                                |
+| ComparisonOperator      | GreaterThanThreshold             |
+| Statistic               | Maximum                          |
+| ActionsEnabled          | true                             |
+| AlarmAction             | Critical                         |
+| TreatMissingData        | notBreaching                     |
++-------------------------+----------------------------------+
+```
+
+### Friendly Resource Names
+
+You can set a friendly name which will replace the resource id in the alarm name.
+The resource id will still be available in the alarm description.
+
+```yaml
+Resources:
+  ApplicationTargetGroup:
+  - Id: target-group-id
+    Loadbalancer: app/application-loadbalancer-id
+    Name: webapp
+```
+
+### Log Group Metric Filters
+
+Metric filters creates the metric filter and a corresponding alarm.
+Cloudwatch NameSpace: `MetricFilters`
+
+AWS [documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) of pattern syntax
+
+```yaml
+Resources:
+  LogGroup:
+  # Log group name
+  - Id: /aws/lambda/myfuntion
+    # List of metric filters
+    MetricFilters:
+    # Name of the cloud watch metric
+    - MetricName: MyFunctionErrors
+      # search pattern, see aws docs for syntax
+      Pattern: error
+      # metric to push to cloudwatch. Optional as it defaults to 1
+      MetricValue: 1
+      
+Templates:
+  LogGroup:
+    # use the MetricName name to override the alarm defaults
+    MyFunctionErrors:
+      Threshold: 10
+```
+
 ### Custom Metric Resources
 
 These are also defined under the resources key but more detail is required and differs per group.
 
-**Http**
+#### Http
 
 Cloudwatch NameSpace: `HttpCheck`
 
@@ -187,6 +302,8 @@ Resources:
     StatusCode: 200
     # enables the SSL check
     Ssl: true
+    # boolean tp request a compressed response
+    Compressed: true
   - Id: https://www.example.com
     StatusCode: 301
   - Id: https://example.com
@@ -194,9 +311,80 @@ Resources:
     Ssl: true
     # enables the body regex check
     BodyRegex: 'helloworld'
+  - Id: http://www.example.com/images/cat.jpg
+    StatusCode: 200
+    # md5 hash of the image
+    BodyRegex: ae49b4246a89efcb5c639f00a013e812
+  - Id: https://api.example.com/user
+    StatusCode: 201
+    # default method is get but can be overridden to support post/put/head etc
+    Method: post
+    # specify headers using "key=value key=value"
+    Headers: content-type=application/json
+    # pass in custom payload for the request
+    Payload: '{"name": "john"}'
 ```
 
-**DomainExpiry**
+#### InternalHttp
+
+Cloudwatch NameSpace: `InternalHttpCheck`
+
+```yaml
+Resources:
+  InternalHttp:
+  # Array of host groups with the uniq identifier of Environment.
+  # This will create a nrpe lambda per group attach to the defined vpc and subnets
+  - Environment: Prod
+    # VPC id for the vpc the EC2 hosts are running in
+    VpcId: vpc-1234
+    # Array of subnets to attach to the lambda function. Supply multiple if you want to be multi AZ. 
+    # Multiple subnets from the same AZ cannot be used!
+    Subnets:
+      - subnet-abcd
+    Hosts:
+    # Array of resources defining the http endpoint with the Id: key
+    # All the same options as Http including ssl check on the internal endpoint
+    - Id: http://api.example.com
+```
+
+#### Port
+
+Cloudwatch NameSpace: `PortCheck`
+
+```yaml
+Resources:
+  Port:
+  # Array of resources defining the endpoint with the Id: key and Port: Int
+  - Id: api.example.com
+    Port: 443
+    # can override the default timeout of 120 seconds
+    Timeout: 60
+```
+
+#### InternalPort
+
+Cloudwatch NameSpace: `InternalPortCheck`
+
+```yaml
+Resources:
+  InternalPort:
+  # Array of host groups with the uniq identifier of Environment.
+  # This will create a nrpe lambda per group attach to the defined vpc and subnets
+  - Environment: Prod
+    # VPC id for the vpc the EC2 hosts are running in
+    VpcId: vpc-1234
+    # Array of subnets to attach to the lambda function. Supply multiple if you want to be multi AZ. 
+    # Multiple subnets from the same AZ cannot be used!
+    Subnets:
+      - subnet-abcd
+    Hosts:
+    # Array of resources defining the endpoint with the Id: key and Port: Int
+    # All the same options as Port
+    - Id: api.example.com
+      Port: 8080
+```
+
+#### DomainExpiry
 
 Cloudwatch NameSpace: `DNS`
 
@@ -207,7 +395,7 @@ Resources:
   - Id: example.com
 ```
 
-**Nrpe**
+#### Nrpe
 
 Cloudwatch NameSpace: `NRPE`
 
@@ -237,7 +425,7 @@ Resources:
         - check_disk
 ```
 
-**Sql**
+#### Sql
 
 Cloudwatch NameSpace: `SQL`
 
@@ -282,6 +470,90 @@ aws secretsmanager create-secret --name MyTestDatabaseSecret \
     --secret-string '{"connectionString":"sql://username:password@mydb:3306/information_schema"}'
 ```
 
+#### SFTP
+
+CloudWatch Namespace: `SftpCheck`
+
+```yaml
+Resources:
+  SFTP:
+    # sftp endpoint, can accept both ip address or dns endpoint
+  - Id: example.com
+    # sftp user to test connection with
+    User: user
+    # optionally set port, defaults to port 22
+    Port: 22
+    # for added security you can use allowed hosts when creating a 
+    # connection to the sftp by supplying the public key of the sftp server.
+    # this removes the security risk for man in the middle attacks.
+    ServerKey: public-server-key
+    # ssm parameter path for the password for the SFTP user. 
+    Password: /ssm/path/password
+    # ssm parameter path for the private key for the SFTP user
+    PrivateKey: /ssm/path/privatekey
+    # ssm parameter path for the password for the private key
+    PrivateKeyPass: /ssm/path/privatekey/password
+    # optionally set a file to check its existence and test the time it takes to get the file
+    File: file.txt
+    # optionally check for a regex match pattern in the body of the file
+    FileRegexMatch: ok
+```
+
+#### InternalSFTP
+
+CloudWatch Namespace: `InternalSftpCheck`
+
+```yaml
+Resources:
+  InternalSFTP:
+  # Array of host groups with the uniq identifier of Environment.
+  # This will create a sql lambda per group attach to the defined vpc and subnets
+  - Environment: Prod
+    # VPC id for the vpc the EC2 hosts are running in
+    VpcId: vpc-1234
+    # Array of subnets to attach to the lambda function. Supply multiple if you want to be multi AZ. 
+    # Multiple subnets from the same AZ cannot be used!
+    Subnets:
+      - subnet-1234
+    Hosts:
+    # Array of sftp hosts with the Id: key defining the host private ip address
+    - Id: example.com
+      User: user
+      Port: 22
+      ServerKey: public-server-key
+      Password: /ssm/path/password
+      PrivateKey: /ssm/path/privatekey
+      PrivateKeyPass: /ssm/path/privatekey/password
+      File: file.txt
+      FileRegexMatch: ok
+```
+
+#### TLS
+
+CloudWatch Namespace: `TLSVersionCheck`
+
+```yaml
+Resources:
+  TLS:
+    # endpoint
+  - Id: example.com
+    # port to check, defaults to 443
+    Port: 443
+    # list of tls versions to validate against
+    # there is a metric for each version with a 0 being no supported and 1 for supported
+    # alarm thresholds will have to be adjusted to suit your checking requirements
+    # defaults to all versions shown below
+    Versions:
+      - SSLv2
+      - SSLv3
+      - TLSv1
+      - TLSv1.1
+      - TLSv1.2
+    # checks and reports the max tls version supported as an int
+    # ['SSLv2 => 1', 'SSLv3 => 2', 'TLSv1 => 3','TLSv1.1 => 4', 'TLSv1.2 => 5']
+    MaxSupported: '1'
+```
+
 ## Alarm Templates
 
 Each resource group has a set of default alarm templates which defines all the cloudwatch alarm options such as Threshold, Statistic, EvaluationPeriods etc. These can be manipulated in a few ways to change the values or create new alarms. 
@@ -399,6 +671,133 @@ Topics:
   Informational: arn:aws:sns:ap-southeast-2:111111111111:Guardian-Informational
 ``` 
 
+## M Out Of N Metric Data Points
+
+This can be good to alert on groups of spikes with in a certain time frame without getting alerts for individual spikes.
+It works by setting the `EvaluationPeriods` as N value and `DatapointsToAlarm` as the M value. 
+The following example will trigger the alarm if 6 out of 10 data points crossed the threshold of 90% CPU utilisation in a 10 minute period.
+
+```yaml
+Templates:
+  Ec2Instance:
+    CPUUtilizationHigh:
+      Threshold: 90
+      Period: 60
+      EvaluationPeriods: 10
+      DatapointsToAlarm: 6
+```
+
+## Composite Alarms
+
+Composite alarms take into account a combination of alarm states and only alarm when all conditions in the rule are met. See AWS (documentation)[https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutCompositeAlarm.html] for rule syntax.
+
+Using the `Composites:` top level key, create the alarm using the following syntax. 
+
+**NOTE:** Each composite alarm cost $0.50/month
+
+```yaml
+Composites:
+  
+  # the key is used as the alarm name
+  AlarmName:
+    # Set the notification SNS topic, defaults to no notifications
+    Action: Informational
+    # Set a meaningful alarm description
+    Description: test
+    # Set the alarm rule by providing the alarm names. See above for rule syntax.
+    # Use the show-state command to get a list of the alarm names.
+    Rule: >-
+      ALARM(guardian-alarm-1)
+      AND
+      ALARM(guardian-alarm-2)
+```
+
+## Maintenance Mode
+
+CloudWatch alarms can be enabled and disabled to allow maintenance periods without getting alert notifications.
+Alarms can be provided to the function the following ways
+
+**Alarm Names**
+
+Alarm names be provided by a space delimited list using the `--alarms` switch.
+
+```bash
+cfn-guardian disable-alarms --group alarm-1 alarm-2
+cfn-guardian enable-alarms --group alarm-1 alarm-2
+```
+
+**Alarm Name Prefix**
+
+Alarm name prefix will find the alarms in the account and region that start with the provided string.
+This can be useful if required to disable all guardian alarms, disable all alarm for a resource group or for a specific resource.
+Alarm names are created using the following convention.
+
+`guardian` - `ResourceGroupName` - `ResourceId` or `FriendlyName` - `AlarmName` 
+
+The following example would disable/enable all alarms for all ECS Services
+
+```bash
+cfn-guardian disable-alarms --alarm-prefix guardian-ECSService
+cfn-guardian enable-alarms --alarm-prefix guardian-ECSService
+```
+
+The following example would disable/enable all alarms for the ECS Service app
+
+```bash
+cfn-guardian disable-alarms --alarm-prefix guardian-ECSService-app
+cfn-guardian enable-alarms --alarm-prefix guardian-ECSService-app
+```
+
+**Maintenance Groups**
+
+Maintenance groups are defined in the `alarms.yaml` config and creates a logical mapping between alarms.
+
+```yaml
+Resources:
+  
+  ApplicationTargetGroup:
+  - Id: app-tg
+    LoadBalancer: public-lb
+    
+  AutoScalingGroup:
+  - Id: ecs-asg
+  
+  ECSCluster:
+  - Id: prod
+  
+  ECSService:
+  - Id: app
+    Cluster: prod
+  
+  Http:
+  - Id: https://myapp.com
+    StatusCode: 200
+
+# Define the top level key
+MaintenaceGroups:
+  
+  # Define the group name
+  AppUpdate:
+    # Define the resource group
+    ECSService:
+      # define the alarms in the resource group
+      UnhealthyTaskCritical:
+      # define the resource id's
+      - Id: app
+      # or the friendly name
+      - Name: app
+    Http:
+      EndpointAvailable:
+      - Id: https://myapp.com
+      EndpointStatusCodeMatch:
+      - Id: https://myapp.com
+```
+
+```bash
+cfn-guardian disable-alarms --group AppUpdate
+cfn-guardian enable-alarms --group AppUpdate
+```
+
 ## Severities
 
 Severties are defined in each alarm sing the `AlarmAction` key. There are 4 options `[ Critical, Warning, Task, Informational ]`