cfn-guardian 0.6.10 → 0.6.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 355680f054f4e9550f1709780e0b3a5d72c8773c0222bb2307621080a76728b2
-  data.tar.gz: 840685a1d7f15409e809e71944c90e433d428123d204e38c37113444c9508d44
+  metadata.gz: bc62d2d0be60b4f28ab5da32207415340db06de99ee00f2a326174903e2d7a8b
+  data.tar.gz: d6bf90ce725692e2396ed0e337a4cd773f3b187402e2d1ab081f219bc1898c85
 SHA512:
-  metadata.gz: 5c8bb52fbeed1bcad2b05776798e5bd21861e08631801e607b6219bb93c5c1e53993355826b9f561aa6099364af09e9e1defa0ddf93f829db325499cc359ba3d
-  data.tar.gz: eff695bda7e0e2e9325f0f7ef332f6e2c7f12a1a32ed8dabfca0a04d7c61a93c5616df8711a7daff6f64bcbbf8b3808b9d01b080334d80c163bcc2712f7431cb
+  metadata.gz: d9b1c3ad0dc61891ca602b2156fbd523cdccc77296d6d959a420e66d2dfbcd449983160f11e8c33b4f4380e56930eacde37f35e0d048935b5aaf969736f2fd9a
+  data.tar.gz: 657b0c5a4eb265e58a36173157b1850a41a6d311d471fe5f9363d18b25420d97126c219057cd22cd6b1a4456140da5abdaa539969e8ce9b6759f54808653876a

data/lib/cfnguardian/compile.rb

@@ -16,6 +16,7 @@ require 'cfnguardian/resources/dynamodb_table'
 require 'cfnguardian/resources/ec2_instance'
 require 'cfnguardian/resources/ecs_cluster'
 require 'cfnguardian/resources/ecs_service'
+require 'cfnguardian/resources/eks_container_insights'
 require 'cfnguardian/resources/elastic_file_system'
 require 'cfnguardian/resources/elasticache_replication_group'
 require 'cfnguardian/resources/elastic_loadbalancer'
@@ -42,9 +43,11 @@ require 'cfnguardian/resources/glue'
 require 'cfnguardian/resources/step_functions'
 require 'cfnguardian/resources/vpn_tunnel'
 require 'cfnguardian/resources/vpn_connection'
+require 'cfnguardian/resources/elastic_search'
 require 'cfnguardian/version'
 require 'cfnguardian/error'
 
+
 module CfnGuardian
   class Compile
     include Logging

data/lib/cfnguardian/config/defaults.yaml

@@ -28,12 +28,20 @@ Resources:
   ECSCluster:
   - Id: Default
   ECSService:
+  - Id: Default
+    Cluster: Default
+  EKSContainerInsightsCluster:
+  - Id: Default
+  EKSContainerInsightsNamespace:
   - Id: Default
     Cluster: Default
   ElasticFileSystem:
   - Id: Default
   ElasticLoadBalancer:
   - Id: Default
+  ElasticSearch:
+  - Id: Default
+  - Domain: Default
   ElastiCacheReplicationGroup:
   - Id: Default
   Http:

data/lib/cfnguardian/models/alarm.rb

@@ -203,7 +203,28 @@ module CfnGuardian
         }
       end
     end
+
+    class EKSContainerInsightsClusterAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'EKSContainerInsightsCluster'
+        @namespace = 'ContainerInsights'
+        @dimensions = { ClusterName: resource['Id'] }
+      end
+    end
     
+    class EKSContainerInsightsNamespaceAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'EKSContainerInsightsNamespace'
+        @namespace = 'ContainerInsights'
+        @dimensions = { 
+          ClusterName: resource['Cluster'],
+          Namespace: resource['Id']
+        }
+      end
+    end
+
     class ElastiCacheReplicationGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
@@ -212,6 +233,21 @@ module CfnGuardian
         @dimensions = { CacheClusterId: resource['Id'] }
       end
     end
+
+    class ElasticSearchAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'ElasticSearch'
+        @namespace = 'AWS/ElasticSearch'
+        @dimensions = { DomainName: resource['Domain'], ClientId: resource['Id']}
+        @comparison_operator = 'GreaterThanThreshold'
+        @threshold = 1
+        @evaluation_periods = 5
+        @treat_missing_data = 'breaching'
+        @period = 60
+        @data_points_to_alarm = 1
+      end
+    end
     
     class ElasticLoadBalancerAlarm < BaseAlarm
       def initialize(resource)

data/lib/cfnguardian/resources/eks_container_insights.rb

@@ -0,0 +1,99 @@
+module CfnGuardian::Resource
+  class EKSContainerInsightsCluster < Base
+
+    def default_alarms
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'NodeCpuUtilisationBase'
+      alarm.metric_name = 'node_cpu_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 75
+      alarm.evaluation_periods = 60
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'NodeCpuUtilisationSpike'
+      alarm.metric_name = 'node_cpu_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 95
+      alarm.evaluation_periods = 5
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'NodeFileSystemUtilisationCrit'
+      alarm.metric_name = 'node_filesystem_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 90
+      alarm.evaluation_periods = 1
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'NodeFileSystemUtilisationWarning'
+      alarm.metric_name = 'node_filesystem_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 75
+      alarm.evaluation_periods = 1
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'NodeMemoryUtilisationBase'
+      alarm.metric_name = 'node_memory_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 80
+      alarm.evaluation_periods = 60
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'NodeMemoryUtilisationSpike'
+      alarm.metric_name = 'node_memory_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 90
+      alarm.evaluation_periods = 5
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsClusterAlarm.new(@resource)
+      alarm.name = 'ClusterFailedNodeCount'
+      alarm.metric_name = 'cluster_failed_node_count'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Minimum'
+      alarm.threshold = 0
+      alarm.evaluation_periods = 1
+      @alarms.push(alarm)
+
+    end
+  end
+
+  class EKSContainerInsightsNamespace < Base
+
+    def default_alarms
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsNamespaceAlarm.new(@resource)
+      alarm.name = 'PodCpuUtilisation'
+      alarm.metric_name = 'pod_cpu_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 90
+      alarm.evaluation_periods = 5
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::EKSContainerInsightsNamespaceAlarm.new(@resource)
+      alarm.name = 'PodMemoryUtilisation'
+      alarm.metric_name = 'pod_memory_utilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 90
+      alarm.evaluation_periods = 5
+      @alarms.push(alarm)
+
+    end
+  end
+end 

data/lib/cfnguardian/resources/elastic_search.rb

@@ -0,0 +1,137 @@
+module CfnGuardian::Resource
+    class ElasticSearch < Base
+
+      def default_alarms    
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'NodeCount'
+        alarm.metric_name = 'Nodes'
+        alarm.threshold = 3
+        alarm.evaluation_periods = 1440 # 24 hours
+        alarm.data_points_to_alarm = 1
+        alarm.comparison_operator = 'LessThanOrEqualToThreshold'
+        alarm.alarm_action = 'Critical'
+        alarm.enabled = false
+        @alarms.push(alarm)
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'JVMMemoryPressureWarning'
+        alarm.metric_name = 'JVMMemoryPressure'
+        alarm.threshold = 72
+        alarm.evaluation_periods = 5
+        alarm.data_points_to_alarm = 3
+        alarm.alarm_action = 'Warning'
+        @alarms.push(alarm)
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'JVMMemoryPressureCrit'
+        alarm.metric_name = 'JVMMemoryPressure'
+        alarm.threshold = 92
+        alarm.evaluation_periods = 5
+        alarm.alarm_action = 'Critical'
+        @alarms.push(alarm)
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'ClusterIndexWritesBlocked'
+        alarm.metric_name = 'ClusterIndexWritesBlocked'
+        alarm.threshold = 1
+        alarm.evaluation_periods = 5
+        alarm.alarm_action = 'Critical'
+        @alarms.push(alarm)  
+        
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'MasterNodeCPUUtilisationWarning'
+        alarm.metric_name = 'MasterCPUUtilization'
+        alarm.threshold = 75
+        alarm.evaluation_periods = 60
+        alarm.alarm_action = 'Warning'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'MasterNodeCPUUtilisationCrit'
+        alarm.metric_name = 'MasterCPUUtilization'
+        alarm.threshold = 95
+        alarm.evaluation_periods = 10
+        alarm.alarm_action = 'Critical'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'FreeStorageSpaceWarning'
+        alarm.metric_name = 'FreeStorageSpace'
+        alarm.threshold = 50000
+        alarm.evaluation_periods = 1
+        alarm.alarm_action = 'Warning'
+        alarm.statistic = 'Minimum'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'FreeStorageSpaceCrit'
+        alarm.metric_name = 'FreeStorageSpace'
+        alarm.threshold = 25000
+        alarm.evaluation_periods = 1
+        alarm.alarm_action = 'Critical'
+        @alarms.push(alarm)  
+       
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'CPUUtilizationWarning'
+        alarm.metric_name = 'CPUUtilization'
+        alarm.threshold = 75
+        alarm.evaluation_periods = 15
+        alarm.data_points_to_alarm = 3
+        alarm.alarm_action = 'Warning'
+        alarm.statistic = 'Average'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'CPUUtilizationCrit'
+        alarm.metric_name = 'CPUUtilization'
+        alarm.threshold = 95
+        alarm.evaluation_periods = 5
+        alarm.data_points_to_alarm = 3
+        alarm.alarm_action = 'Critical'
+        alarm.statistic = 'Average'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'KMSKeyError'
+        alarm.metric_name = 'KMSKeyError'
+        alarm.threshold = 1
+        alarm.evaluation_periods = 1
+        alarm.alarm_action = 'Warning'
+        alarm.statistic = 'Minimum'
+        alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'KMSKeyInaccessible'
+        alarm.metric_name = 'KMSKeyInaccessible'
+        alarm.threshold = 1
+        alarm.evaluation_periods = 1
+        alarm.alarm_action = 'Critical'
+        alarm.statistic = 'Minimum'
+        alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
+        alarm.enabled = false
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'ClusterStatusRed'
+        alarm.metric_name = 'ClusterStatus.red'
+        alarm.threshold = 1
+        alarm.evaluation_periods = 1
+        alarm.alarm_action = 'Critical'
+        alarm.statistic = 'Minimum'
+        alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
+        @alarms.push(alarm)  
+
+        alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
+        alarm.name = 'ClusterStatusYellow'
+        alarm.metric_name = 'ClusterStatus.yellow'
+        alarm.threshold = 1
+        alarm.evaluation_periods = 1
+        alarm.alarm_action = 'Warning'
+        alarm.statistic = 'Minimum'
+        alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
+        @alarms.push(alarm)  
+
+    end
+  end
+end

data/lib/cfnguardian/version.rb

@@ -1,4 +1,4 @@
 module CfnGuardian
-  VERSION = "0.6.10"
+  VERSION = "0.6.11"
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.6.10
+  version: 0.6.11
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-06-25 00:00:00.000000000 Z
+date: 2021-06-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -285,8 +285,10 @@ files:
 - lib/cfnguardian/resources/ec2_instance.rb
 - lib/cfnguardian/resources/ecs_cluster.rb
 - lib/cfnguardian/resources/ecs_service.rb
+- lib/cfnguardian/resources/eks_container_insights.rb
 - lib/cfnguardian/resources/elastic_file_system.rb
 - lib/cfnguardian/resources/elastic_loadbalancer.rb
+- lib/cfnguardian/resources/elastic_search.rb
 - lib/cfnguardian/resources/elasticache_replication_group.rb
 - lib/cfnguardian/resources/glue.rb
 - lib/cfnguardian/resources/http.rb