def main():
# Do what you would typically do in Python!
cis_document = read_yaml()
# Log Group
log_group = cloudwatch.LogGroup("CISComplianceLogGroup")
# Careful not to create too many resources! xD
for key, value in cis_document['Resources'].items():
if value['Type'] == 'AWS::Logs::MetricFilter':
make_metric_filter(key, log_group.name, value['Properties'])
def enableFlowLoggingToCloudWatchLogs(self, trafficType: Input[str]):
"""
Enable VPC flow logging to CloudWatch Logs, for the specified traffic type
:param self: VPC instance
:param trafficType: The traffic type to log: "ALL", "ACCEPT" or "REJECT"
:return: None
"""
self.flow_logs_role = iam.Role(
f"{self.name}-flow-logs-role",
tags={
**self.base_tags, "Name": f"{self.description} VPC Flow Logs"
},
assume_role_policy=assume_role_policy_for_principal({
"Service":
"vpc-flow-logs.amazonaws.com",
}),
opts=pulumi.ResourceOptions(parent=self.vpc, ))
self.flow_logs_group = cloudwatch.LogGroup(
f"{self.name}-vpc-flow-logs",
tags={
**self.base_tags, "Name": f"{self.description} VPC Flow Logs"
},
opts=pulumi.ResourceOptions(parent=self.vpc, ))
iam.RolePolicy(f"{self.name}-flow-log-policy",
name="vpc-flow-logs",
role=self.flow_logs_role.id,
policy=json.dumps({
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Resource":
"*",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
]
}]
}),
opts=pulumi.ResourceOptions(parent=self.flow_logs_role))
ec2.FlowLog(f"{self.name}-flow-logs",
log_destination=self.flow_logs_group.arn,
iam_role_arn=self.flow_logs_role.arn,
vpc_id=self.vpc.id,
traffic_type=trafficType,
opts=pulumi.ResourceOptions(parent=self.flow_logs_role))
bucket_name = bucket.id
bucket_policy = s3.BucketPolicy(
"bucket-policy",
bucket=bucket_name,
policy=bucket_name.apply(bucket_policy_cloudtrial))
# s3 Block Public access
s3Access = s3.BucketPublicAccessBlock("Block Public access",
block_public_acls=True,
block_public_policy=True,
ignore_public_acls=True,
restrict_public_buckets=True,
bucket=bucket.id)
# Create cloudwatch log
cloudwatch_log = cloudwatch.LogGroup('LogGroup', name='S3BucketActivity')
# add log stream to cloudwatch log
log_stream = cloudwatch.LogStream("CloudWatch_log_stream",
log_group_name=cloudwatch_log.name,
name='818155059458_CloudTrail_eu-west-2')
# configure cloudwatch metrics
cloudwatch_metrics = cloudwatch.LogMetricFilter(
'Metrics',
log_group_name=cloudwatch_log.name,
metric_transformation={
'name': "S3Activity",
'namespace': "S3ActivityEventCount",
'value': "1"
},
## CloudWatch
logins_topic = sns.Topic("myloginstopic")
event_rule = cloudwatch.EventRule("myeventrule",
event_pattern=json.dumps({
"detail-type":
["AWS Console Sign In via CloudTrail"]
}))
event_target = cloudwatch.EventTarget("myeventtarget",
rule=event_rule.name,
target_id="SendToSNS",
arn=logins_topic.arn)
log_group = cloudwatch.LogGroup("myloggroup")
log_metric_filter = cloudwatch.LogMetricFilter(
"mylogmetricfilter",
pattern="",
log_group_name=log_group.name,
metric_transformation=cloudwatch.LogMetricFilterMetricTransformationArgs(
name="EventCount",
namespace="YourNamespace",
value="1",
))
log_stream = cloudwatch.LogStream("mylogstream", log_group_name=log_group.name)
metric_alart = cloudwatch.MetricAlarm(
"mymetricalarm",
ec2.RouteTableAssociation(
f"{APP}-rtb-assoc-app{i}",
route_table_id=rtb_priv.id,
subnet_id=subnets["app"][i]
)
ec2.RouteTableAssociation(
f"{APP}-rtb-assoc-data{i}",
route_table_id=rtb_priv.id,
subnet_id=subnets["data"][i]
)
log_group = cw.LogGroup(
f"{APP}-flowlog-lg",
name=f"/{get_project()}/flowlogs/{_env}",
retention_in_days=30,
tags={
'Name': f"{APP}-flowlog-lg",
'Environment': _env
}
)
cw_info = Output.all(log_group.arn)
policy_doc = cw_info.apply(
lambda info: """{{
"Version": "2012-10-17",
"Statement": [
{{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
example_function = lambda_.Function(
"exampleFunction2",
# code="lambda.zip",
code="lambda_no_deps.zip",
source_code_hash=filebase64sha256("lambda_no_deps.zip"),
handler="handler.lambda_handler",
role=example_role.arn,
runtime="python3.8",
timeout=30,
opts=ResourceOptions(depends_on=[environment]),
**get_environment_function_args(environment),
)
logs = cloudwatch.LogGroup(
"exampleLogGroup",
name=example_function.name.apply(lambda name: f"/aws/lambda/{name}"),
)
# API Gateway
gateway = apigateway.RestApi("exampleApi")
resource = apigateway.Resource(
"exampleResource",
parent_id=gateway.root_resource_id,
path_part="{proxy+}",
rest_api=gateway.id,
)
resources = [resource.id, gateway.root_resource_id]
methods = []