cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

feat: audit suspicious events and add alarm #293

Closed patheard closed 1 year ago

patheard commented 1 year ago

Summary

Related

github-actions[bot] commented 1 year ago

Staging: alarms

- ✅ Terraform Init: success
- ✅ Terraform Validate: success
- ✅ Terraform Format: success
- ✅ Terraform Plan: success
- ✅ Conftest: success

Plan: 3 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_cloudwatch_log_metric_filter.url_shortener_api_suspicious` |
| | `aws_cloudwatch_metric_alarm.url_shoretener_api_suspicious` |
| | `aws_cloudwatch_query_definition.api_suspicious` |
| update | `aws_cloudwatch_metric_alarm.url_shoretener_api_warning` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudwatch_log_metric_filter.url_shortener_api_suspicious will be created
  + resource "aws_cloudwatch_log_metric_filter" "url_shortener_api_suspicious" {
      + id             = (known after apply)
      + log_group_name = "/aws/lambda/url-shortener-api"
      + name           = "Suspicious"
      + pattern        = "SUSPICIOUS"

      + metric_transformation {
          + name      = "Suspicious"
          + namespace = "UrlShortener"
          + unit      = "None"
          + value     = "1"
        }
    }

  # aws_cloudwatch_metric_alarm.url_shoretener_api_suspicious will be created
  + resource "aws_cloudwatch_metric_alarm" "url_shoretener_api_suspicious" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:843973686572:cloudwatch-alarms-warning",
        ]
      + alarm_description                     = "Suspicious activity by users of the URL Shortener API lambda function over 5 minutes"
      + alarm_name                            = "URL Shortener API Suspicious"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "Suspicious"
      + namespace                             = "UrlShortener"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:843973686572:cloudwatch-alarms-warning",
        ]
      + period                                = 300
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 5
      + treat_missing_data                    = "notBreaching"
    }

  # aws_cloudwatch_metric_alarm.url_shoretener_api_warning will be updated in-place
  ~ resource "aws_cloudwatch_metric_alarm" "url_shoretener_api_warning" {
        id                                    = "URL Shortener API Warnings"
        tags                                  = {}
      ~ threshold                             = 5 -> 10
        # (17 unchanged attributes hidden)
    }

  # aws_cloudwatch_query_definition.api_suspicious will be created
  + resource "aws_cloudwatch_query_definition" "api_suspicious" {
      + id                  = (known after apply)
      + log_group_names     = [
          + "/aws/lambda/url-shortener-api",
        ]
      + name                = "Suspicious activity API"
      + query_definition_id = (known after apply)
      + query_string        = <<-EOT
            fields @timestamp, @message, @logStream
            | filter @message like /SUSPICIOUS/
            | sort @timestamp desc
            | limit 20
        EOT
    }

Plan: 3 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.url_shortener_api_error"]
WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.url_shortener_api_warning"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shoretener_api_suspicious"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shoretener_api_warning"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.url_shortener_api_error"]
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.cloudwatch_warning"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_cloudwatch_log_group.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_iam_policy.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_iam_role.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_lambda_function.notify_slack"]

26 tests, 16 passed, 10 warnings, 0 failures, 0 exceptions
```
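The plan in the bot comment above wires three things together: a metric filter that counts every Lambda log event matching the term `SUSPICIOUS`, an alarm that goes to ALARM when that count reaches 5 within a 300-second period (with missing data treated as not breaching), and a Logs Insights query for triage. The Python script below is an added example, not code from the url-shortener project or from this PR; it models that chain locally over constructed log lines so the threshold behaviour can be sanity-checked before the Terraform is applied. The constants are copied from the plan. The whole-token matching in `matches_filter` is an assumption about how a single-term CloudWatch filter pattern behaves, and `insights_like` models the query's `like /SUSPICIOUS/` as a plain regex search; both helper names are the example's own.

```python
"""Local model of the CloudWatch metric filter -> alarm -> Insights query chain.

Added example (not part of the url-shortener project). Constants come from the
Terraform plan; the token-matching rule below is an assumption about
CloudWatch single-term filter patterns, not a documented guarantee.
"""
import re
from dataclasses import dataclass

FILTER_PATTERN = "SUSPICIOUS"           # aws_cloudwatch_log_metric_filter.pattern
METRIC_VALUE = 1                        # metric_transformation.value
PERIOD_SECONDS = 300                    # aws_cloudwatch_metric_alarm.period
THRESHOLD = 5                           # threshold, GreaterThanOrEqualToThreshold
QUERY_REGEX = re.compile(r"SUSPICIOUS")  # filter @message like /SUSPICIOUS/


@dataclass(frozen=True)
class LogEvent:
    timestamp: int   # epoch seconds
    message: str


def matches_filter(message: str, term: str = FILTER_PATTERN) -> bool:
    """Single-term filter pattern: case-sensitive match of the term as a whole
    token (assumption: CloudWatch does not match the term inside a longer word)."""
    boundary = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(boundary, message) is not None


def insights_like(message: str) -> bool:
    """`filter @message like /SUSPICIOUS/` is a regex search, so it also hits
    the term inside a longer word; worth knowing when triaging query results."""
    return QUERY_REGEX.search(message) is not None


def metric_datapoints(events, period: int = PERIOD_SECONDS) -> dict:
    """Sum the metric value per period (statistic = Sum). Periods with no
    matching events are absent, which is what CloudWatch sees as missing data."""
    sums: dict = {}
    for ev in events:
        if matches_filter(ev.message):
            bucket = ev.timestamp - (ev.timestamp % period)
            sums[bucket] = sums.get(bucket, 0) + METRIC_VALUE
    return sums


def evaluate_alarm(datapoints: dict, period_start: int,
                   threshold: int = THRESHOLD) -> str:
    """One evaluation period. ALARM when Sum >= threshold; a missing datapoint
    is 'notBreaching', so the alarm reports OK rather than INSUFFICIENT_DATA."""
    if period_start not in datapoints:
        return "OK"
    return "ALARM" if datapoints[period_start] >= threshold else "OK"


# Constructed sample log lines (not real url-shortener output), aligned to a
# period boundary so the bucketing is easy to follow.
BASE = 1_699_999_800   # divisible by 300
SAMPLE_EVENTS = [
    LogEvent(BASE + 1,   "SUSPICIOUS: rate limit exceeded for api key ending 1234"),
    LogEvent(BASE + 30,  "SUSPICIOUS: invalid api key presented"),
    LogEvent(BASE + 60,  "INFO shortened url for authenticated client"),
    LogEvent(BASE + 90,  "SUSPICIOUS: repeated short-url enumeration"),
    LogEvent(BASE + 120, "SUSPICIOUS: blocked disallowed url host"),
    LogEvent(BASE + 150, "WARNING slow dynamodb call"),
    LogEvent(BASE + 200, "SUSPICIOUS: malformed request body"),
    LogEvent(BASE + 310, "SUSPICIOUS: invalid api key presented"),
    LogEvent(BASE + 320, "INFO nothing UNSUSPICIOUS here"),   # substring only
]


def run_demo(events=SAMPLE_EVENTS) -> dict:
    """Evaluate three consecutive periods and return each period's alarm state."""
    points = metric_datapoints(events)
    return {
        start: evaluate_alarm(points, start)
        for start in (BASE, BASE + PERIOD_SECONDS, BASE + 2 * PERIOD_SECONDS)
    }


if __name__ == "__main__":
    for start, state in run_demo().items():
        print(f"period starting {start}: {state}")
```

Running it shows the first period reaching the threshold (five matching events in 300 seconds) and flipping to ALARM, the second period staying OK with a single event, and the third period, which has no datapoint at all, reporting OK because of `treat_missing_data = "notBreaching"`. The last sample line is there to show the difference between the metric filter's term match and the Insights query's regex match under the stated assumption.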