terrafying-components 2.4.0 → 2.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/terrafying/components/security/trail.rb +34 -19
- data/lib/terrafying/components/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 54e9a54d483122c73e531eb71de1e836da614748c970cbb5c64c75e778466016
|
|
4
|
+
data.tar.gz: e140143b7d45fd6e6252f4a6f0f54471441c9ab55dff377cbc5d0038677ce1c8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 637f8520bb3044ad8997adeabb4479e83bb2bd5135447d7a897f776d87c736c5173183875cb6bbb222febfac316a9c8408b6dd1e4e2555202b3b84e6c181e603
|
|
7
|
+
data.tar.gz: b87a4aabca22ecf942c60bd264b21513615d4b4c478f882b7bae661531c4dd7831fc2b9e5c397130a767b96d6846e917cd0223c925418f0dbc1a6783b0d8a957
|
|
@@ -143,7 +143,7 @@ module Terrafying
|
|
|
143
143
|
policy_arn: log_role_policy["arn"],
|
|
144
144
|
}
|
|
145
145
|
|
|
146
|
-
|
|
146
|
+
data_event_selectors = event_selector(ignore_buckets)
|
|
147
147
|
|
|
148
148
|
resource :aws_cloudtrail, "#{name}", {
|
|
149
149
|
name: "#{name}",
|
|
@@ -158,36 +158,25 @@ module Terrafying
|
|
|
158
158
|
cloud_watch_logs_group_arn: "#{@log_group["arn"]}:*",
|
|
159
159
|
cloud_watch_logs_role_arn: log_role["arn"],
|
|
160
160
|
|
|
161
|
-
|
|
162
|
-
{
|
|
163
|
-
read_write_type: "All",
|
|
164
|
-
include_management_events: true,
|
|
165
|
-
|
|
166
|
-
data_resource: {
|
|
167
|
-
type: "AWS::Lambda::Function",
|
|
168
|
-
values: ["arn:aws:lambda"],
|
|
169
|
-
},
|
|
170
|
-
},
|
|
171
|
-
],
|
|
172
|
-
|
|
173
|
-
}.deep_merge(s3_data_selectors)
|
|
161
|
+
}.deep_merge(data_event_selectors)
|
|
174
162
|
self
|
|
175
163
|
end
|
|
176
164
|
|
|
177
|
-
def
|
|
165
|
+
def event_selector(buckets)
|
|
178
166
|
buckets = Array(buckets)
|
|
179
167
|
|
|
180
|
-
return
|
|
168
|
+
return basic_selector if buckets.empty?
|
|
181
169
|
|
|
182
170
|
{
|
|
183
171
|
advanced_event_selector: [
|
|
184
172
|
ignore_buckets_selectors(buckets),
|
|
185
173
|
management_events_selector,
|
|
174
|
+
lambda_events
|
|
186
175
|
]
|
|
187
176
|
}
|
|
188
177
|
end
|
|
189
178
|
|
|
190
|
-
def
|
|
179
|
+
def basic_selector
|
|
191
180
|
{
|
|
192
181
|
event_selector: [
|
|
193
182
|
{
|
|
@@ -198,6 +187,15 @@ module Terrafying
|
|
|
198
187
|
type: "AWS::S3::Object",
|
|
199
188
|
values: ["arn:aws:s3:::"],
|
|
200
189
|
}
|
|
190
|
+
},
|
|
191
|
+
{
|
|
192
|
+
read_write_type: "All",
|
|
193
|
+
include_management_events: true,
|
|
194
|
+
|
|
195
|
+
data_resource: {
|
|
196
|
+
type: "AWS::Lambda::Function",
|
|
197
|
+
values: ["arn:aws:lambda"],
|
|
198
|
+
},
|
|
201
199
|
}
|
|
202
200
|
]
|
|
203
201
|
}
|
|
@@ -211,7 +209,7 @@ module Terrafying
|
|
|
211
209
|
}
|
|
212
210
|
|
|
213
211
|
{
|
|
214
|
-
name:
|
|
212
|
+
name: 'Log all S3 buckets objects events except these',
|
|
215
213
|
|
|
216
214
|
field_selector: [
|
|
217
215
|
{
|
|
@@ -232,7 +230,7 @@ module Terrafying
|
|
|
232
230
|
|
|
233
231
|
def management_events_selector
|
|
234
232
|
{
|
|
235
|
-
name:
|
|
233
|
+
name: 'Log readOnly and writeOnly management events',
|
|
236
234
|
|
|
237
235
|
field_selector: [
|
|
238
236
|
{
|
|
@@ -243,6 +241,23 @@ module Terrafying
|
|
|
243
241
|
}
|
|
244
242
|
end
|
|
245
243
|
|
|
244
|
+
def lambda_events
|
|
245
|
+
{
|
|
246
|
+
name: 'Log Lambda data events',
|
|
247
|
+
|
|
248
|
+
field_selector: [
|
|
249
|
+
{
|
|
250
|
+
field: 'eventCategory',
|
|
251
|
+
equals: ['Data']
|
|
252
|
+
},
|
|
253
|
+
{
|
|
254
|
+
field: 'resources.type',
|
|
255
|
+
equals: ['AWS::Lambda::Function']
|
|
256
|
+
}
|
|
257
|
+
]
|
|
258
|
+
}
|
|
259
|
+
end
|
|
260
|
+
|
|
246
261
|
def alert!(name:, pattern:, threshold: 1, topic: @topic)
|
|
247
262
|
|
|
248
263
|
ident = "cloudwatch-#{@name}-#{name}"
|