@wolfeidau
Created January 6, 2017 03:46
Ruby DSL version of the CloudWatch alarms for CloudTrail template
#!/usr/bin/env ruby
require 'bundler/setup'
require 'cloudformation-ruby-dsl/cfntemplate'
require 'cloudformation-ruby-dsl/spotprice'
require 'cloudformation-ruby-dsl/table'
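# Builds a CloudFormation template (rendered by cloudformation-ruby-dsl) that
# turns CloudTrail events already flowing into a CloudWatch Logs log group into
# custom metrics and alarms.
#
# Every row of `watches` below becomes one AWS::Logs::MetricFilter plus one
# AWS::CloudWatch::Alarm. All alarms notify the single SNS topic declared at the
# end of the template, which has one e-mail subscription taken from the `Email`
# parameter.
#
# Fix vs. the hand-expanded original: the EC2LargeInstanceChanges alarm text
# claimed to cover terminate/start/stop/reboot, but its filter only matches
# RunInstances; the description now states what the filter actually matches so
# a responder is not misled during triage.
template do
  value AWSTemplateFormatVersion: '2010-09-09'
  value Description: 'AWS CloudTrail API Activity Alarm Template for CloudWatch Logs'

  parameter 'LogGroupName',
            Type: 'String',
            Default: 'CloudTrail/DefaultLogGroup',
            Description: 'Enter CloudWatch Logs log group name. Default is CloudTrail/DefaultLogGroup'

  parameter 'Email',
            Type: 'String',
            Description: 'Email address to notify when an API activity has triggered an alarm'

  # Every metric filter publishes into this one custom namespace; each alarm
  # finds its metric by namespace + MetricName.
  metric_namespace = 'CloudTrailMetrics'

  # One row per filter/alarm pair.
  #   :name        - logical-id stem; "<name>MetricFilter" and "<name>Alarm"
  #   :metric      - MetricName shared by the filter transformation and the alarm
  #   :filter      - CloudWatch Logs filter-pattern syntax (not a regex); `*`
  #                  is a wildcard inside a quoted or unquoted term
  #   :description - AlarmDescription shown to whoever receives the notification
  #   :alarm_name  - optional; defaults to "CloudTrail<name>"
  #   :threshold   - optional; defaults to '1' (a single matching event)
  #
  # Coverage note: the filters below cover network/EC2 changes, CloudTrail
  # changes, console sign-in failures, authorization failures and IAM *policy*
  # mutations. Nothing in this file matches IAM user/group/role or access-key
  # lifecycle events, root-account sign-ins, or KMS/S3/Config changes; add rows
  # here if those need alarms.
  watches = [
    { name: 'SecurityGroupChanges', metric: 'SecurityGroupEventCount',
      filter: '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }',
      description: 'Alarms when an API call is made to create, update or delete a Security Group.' },
    { name: 'NetworkAclChanges', metric: 'NetworkAclEventCount',
      filter: '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }',
      description: 'Alarms when an API call is made to create, update or delete a Network ACL.' },
    { name: 'GatewayChanges', metric: 'GatewayEventCount',
      filter: '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }',
      description: 'Alarms when an API call is made to create, update or delete a Customer or Internet Gateway.' },
    { name: 'VpcChanges', metric: 'VpcEventCount',
      filter: '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }',
      description: 'Alarms when an API call is made to create, update or delete a VPC, VPC peering connection or VPC connection to classic.' },
    { name: 'EC2InstanceChanges', metric: 'EC2InstanceEventCount',
      filter: '{ ($.eventName = RunInstances) || ($.eventName = RebootInstances) || ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName = TerminateInstances) }',
      description: 'Alarms when an API call is made to create, terminate, start, stop or reboot an EC2 instance.' },
    # Only RunInstances is matched here (unlike the row above), restricted to
    # 4xlarge/8xlarge instance types - a cost / cryptomining tripwire.
    { name: 'EC2LargeInstanceChanges', metric: 'EC2LargeInstanceEventCount',
      filter: '{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }',
      description: 'Alarms when an API call is made to launch a 4x or 8x-large EC2 instance.' },
    # Tampering with the audit trail itself. The original template named this
    # alarm without the "CloudTrail" prefix doubled, so keep that name.
    { name: 'CloudTrailChanges', metric: 'CloudTrailEventCount', alarm_name: 'CloudTrailChanges',
      filter: '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }',
      description: 'Alarms when an API call is made to create, update or delete a CloudTrail trail, or to start or stop logging to a trail.' },
    # Three failed console logins within one 5-minute period; a single failure
    # is treated as noise (typo), hence the higher threshold.
    { name: 'ConsoleSignInFailures', metric: 'ConsoleSignInFailureCount', threshold: '3',
      filter: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
      description: 'Alarms when an unauthenticated API call is made to sign into the console.' },
    # Leading/trailing wildcards catch the service-prefixed variants
    # (e.g. Client.UnauthorizedOperation, AccessDeniedException).
    { name: 'AuthorizationFailures', metric: 'AuthorizationFailureCount',
      filter: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
      description: 'Alarms when an unauthorized API call is made.' },
    { name: 'IAMPolicyChanges', metric: 'IAMPolicyEventCount',
      filter: '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}',
      description: 'Alarms when an API call is made to change an IAM policy.' }
  ].freeze

  # Resources are emitted in table order, filter before alarm, so the rendered
  # template matches the hand-expanded version resource for resource.
  watches.each do |watch|
    resource "#{watch[:name]}MetricFilter", Type: 'AWS::Logs::MetricFilter', Properties: {
      LogGroupName: ref('LogGroupName'),
      FilterPattern: watch[:filter],
      MetricTransformations: [
        {
          MetricNamespace: metric_namespace,
          MetricName: watch[:metric],
          MetricValue: '1' # each matching log event counts as one
        }
      ]
    }

    # Sum of matching events over one 300-second period; fires as soon as the
    # sum reaches the threshold. Values are strings because the original
    # template passed them that way and CloudFormation coerces them.
    resource "#{watch[:name]}Alarm", Type: 'AWS::CloudWatch::Alarm', Properties: {
      AlarmName: watch.fetch(:alarm_name, "CloudTrail#{watch[:name]}"),
      AlarmDescription: watch[:description],
      AlarmActions: [ref('AlarmNotificationTopic')],
      MetricName: watch[:metric],
      Namespace: metric_namespace,
      ComparisonOperator: 'GreaterThanOrEqualToThreshold',
      EvaluationPeriods: '1',
      Period: '300',
      Statistic: 'Sum',
      Threshold: watch.fetch(:threshold, '1')
    }
  end

  # Single notification target for every alarm above.
  # NOTE(review): an e-mail subscription normally has to be confirmed by the
  # recipient before notifications are delivered - verify after deployment.
  resource 'AlarmNotificationTopic', Type: 'AWS::SNS::Topic', Properties: {
    Subscription: [
      {
        Endpoint: ref('Email'),
        Protocol: 'email'
      }
    ]
  }
end.exec!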