Пример #1
0
def main():
    # Do what you would typically do in Python!
    cis_document = read_yaml()

    # Log Group
    log_group = cloudwatch.LogGroup("CISComplianceLogGroup")

    # Careful not to create too many resources! xD
    for key, value in cis_document['Resources'].items():
        if value['Type'] == 'AWS::Logs::MetricFilter':
            make_metric_filter(key, log_group.name, value['Properties'])
Пример #2
0
    def enableFlowLoggingToCloudWatchLogs(self, trafficType: Input[str]):
        """
        Enable VPC flow logging to CloudWatch Logs, for the specified traffic type
        :param self: VPC instance
        :param trafficType: The traffic type to log: "ALL", "ACCEPT" or "REJECT"
        :return: None
        """
        self.flow_logs_role = iam.Role(
            f"{self.name}-flow-logs-role",
            tags={
                **self.base_tags, "Name": f"{self.description} VPC Flow Logs"
            },
            assume_role_policy=assume_role_policy_for_principal({
                "Service":
                "vpc-flow-logs.amazonaws.com",
            }),
            opts=pulumi.ResourceOptions(parent=self.vpc, ))

        self.flow_logs_group = cloudwatch.LogGroup(
            f"{self.name}-vpc-flow-logs",
            tags={
                **self.base_tags, "Name": f"{self.description} VPC Flow Logs"
            },
            opts=pulumi.ResourceOptions(parent=self.vpc, ))

        iam.RolePolicy(f"{self.name}-flow-log-policy",
                       name="vpc-flow-logs",
                       role=self.flow_logs_role.id,
                       policy=json.dumps({
                           "Version":
                           "2012-10-17",
                           "Statement": [{
                               "Effect":
                               "Allow",
                               "Resource":
                               "*",
                               "Action": [
                                   "logs:CreateLogGroup",
                                   "logs:CreateLogStream",
                                   "logs:PutLogEvents",
                                   "logs:DescribeLogGroups",
                                   "logs:DescribeLogStreams",
                               ]
                           }]
                       }),
                       opts=pulumi.ResourceOptions(parent=self.flow_logs_role))

        ec2.FlowLog(f"{self.name}-flow-logs",
                    log_destination=self.flow_logs_group.arn,
                    iam_role_arn=self.flow_logs_role.arn,
                    vpc_id=self.vpc.id,
                    traffic_type=trafficType,
                    opts=pulumi.ResourceOptions(parent=self.flow_logs_role))
bucket_name = bucket.id
bucket_policy = s3.BucketPolicy(
    "bucket-policy",
    bucket=bucket_name,
    policy=bucket_name.apply(bucket_policy_cloudtrial))

# s3 Block Public access
s3Access = s3.BucketPublicAccessBlock("Block Public access",
                                      block_public_acls=True,
                                      block_public_policy=True,
                                      ignore_public_acls=True,
                                      restrict_public_buckets=True,
                                      bucket=bucket.id)

# Create cloudwatch log
cloudwatch_log = cloudwatch.LogGroup('LogGroup', name='S3BucketActivity')

# add log stream to cloudwatch log
log_stream = cloudwatch.LogStream("CloudWatch_log_stream",
                                  log_group_name=cloudwatch_log.name,
                                  name='818155059458_CloudTrail_eu-west-2')

# configure cloudwatch metrics
cloudwatch_metrics = cloudwatch.LogMetricFilter(
    'Metrics',
    log_group_name=cloudwatch_log.name,
    metric_transformation={
        'name': "S3Activity",
        'namespace': "S3ActivityEventCount",
        'value': "1"
    },
Пример #4
0
## CloudWatch
logins_topic = sns.Topic("myloginstopic")

event_rule = cloudwatch.EventRule("myeventrule",
                                  event_pattern=json.dumps({
                                      "detail-type":
                                      ["AWS Console Sign In via CloudTrail"]
                                  }))

event_target = cloudwatch.EventTarget("myeventtarget",
                                      rule=event_rule.name,
                                      target_id="SendToSNS",
                                      arn=logins_topic.arn)

log_group = cloudwatch.LogGroup("myloggroup")

log_metric_filter = cloudwatch.LogMetricFilter(
    "mylogmetricfilter",
    pattern="",
    log_group_name=log_group.name,
    metric_transformation=cloudwatch.LogMetricFilterMetricTransformationArgs(
        name="EventCount",
        namespace="YourNamespace",
        value="1",
    ))

log_stream = cloudwatch.LogStream("mylogstream", log_group_name=log_group.name)

metric_alart = cloudwatch.MetricAlarm(
    "mymetricalarm",
Пример #5
0
        ec2.RouteTableAssociation(
            f"{APP}-rtb-assoc-app{i}",
            route_table_id=rtb_priv.id,
            subnet_id=subnets["app"][i]
        )
        ec2.RouteTableAssociation(
            f"{APP}-rtb-assoc-data{i}",
            route_table_id=rtb_priv.id,
            subnet_id=subnets["data"][i]
        )

log_group = cw.LogGroup(
    f"{APP}-flowlog-lg",
    name=f"/{get_project()}/flowlogs/{_env}",
    retention_in_days=30,
    tags={
        'Name': f"{APP}-flowlog-lg",
        'Environment': _env
    }
)

cw_info = Output.all(log_group.arn)
policy_doc = cw_info.apply(
    lambda info: """{{
    "Version": "2012-10-17",
    "Statement": [
        {{
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
Пример #6
0
example_function = lambda_.Function(
    "exampleFunction2",
    # code="lambda.zip",
    code="lambda_no_deps.zip",
    source_code_hash=filebase64sha256("lambda_no_deps.zip"),
    handler="handler.lambda_handler",
    role=example_role.arn,
    runtime="python3.8",
    timeout=30,
    opts=ResourceOptions(depends_on=[environment]),
    **get_environment_function_args(environment),
)

logs = cloudwatch.LogGroup(
    "exampleLogGroup",
    name=example_function.name.apply(lambda name: f"/aws/lambda/{name}"),
)

# API Gateway

gateway = apigateway.RestApi("exampleApi")

resource = apigateway.Resource(
    "exampleResource",
    parent_id=gateway.root_resource_id,
    path_part="{proxy+}",
    rest_api=gateway.id,
)

resources = [resource.id, gateway.root_resource_id]
methods = []