Increase threshold for "unauthorized" metric alarm (#6220, PR #6233)

DataBiosphere · May 9, 2024 · d4f909f · d4f909f
2 parents 6066f81 + c6d3a42
commit d4f909f
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
@@ -24,6 +24,8 @@ class CloudTrailAlarm(NamedTuple):
     name: str
     statistic: str
     filter_pattern: str
+    threshold: int = 1
+    period: int = 5 * 60
 
     @property
     def metric_name(self) -> str:
@@ -41,7 +43,9 @@ def conformance_pack(name: str) -> str:
     # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.1
     CloudTrailAlarm(name='api_unauthorized',
                     statistic='Average',
-                    filter_pattern='{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}'),
+                    filter_pattern='{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}',
+                    threshold=12,
+                    period=24 * 60 * 60),
     # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.2
     CloudTrailAlarm(name='console_no_mfa',
                     statistic='Sum',
@@ -522,10 +526,10 @@ def conformance_pack(name: str) -> str:
                     'namespace': 'LogMetrics',
                     'statistic': a.statistic,
                     'treat_missing_data': 'notBreaching',
-                    'threshold': 1,
+                    'threshold': a.threshold,
                     # The CIS documentation does not specify a period. 5 minutes is
                     # the default value when creating the alarm via the console UI.
-                    'period': 5 * 60,
+                    'period': a.period,
                     'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
                     'ok_actions': ['${aws_sns_topic.monitoring.arn}']
                 }