[PRMP 866] Alarm & Alerting for AWS Transfer Family kill switch (#523)

Co-authored-by: Robert Gaskin <[email protected]>

Author: PedroSoaresNHS

infrastructure/lambda-transfer-kill-switch.tf

@@ -1,10 +1,10 @@
-module "transfer_kill_switch_lambda" {
+module "transfer_family_kill_switch_lambda" {
   source  = "./modules/lambda"
-  name    = "TransferKillSwitch"
-  handler = "handlers.transfer_kill_switch_handler.lambda_handler"
+  name    = "TransferFamilyKillSwitch"
+  handler = "handlers.transfer_family_kill_switch_handler.lambda_handler"
 
   iam_role_policy_documents = [
-    aws_iam_policy.transfer_kill_switch.policy,
+    aws_iam_policy.transfer_family_kill_switch.policy,
     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
   ]
 
@@ -22,7 +22,7 @@ module "transfer_kill_switch_lambda" {
   vpc_security_group_ids = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? [data.aws_security_groups.virus_scanner_api.ids[0]] : []
 
   depends_on = [
-    aws_iam_policy.transfer_kill_switch,
+    aws_iam_policy.transfer_family_kill_switch,
     # aws_transfer_server.your_transfer_server,  # if transfer family is ever defined in terraform
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-bulk-staging-store,

infrastructure/policies.tf

@@ -68,8 +68,8 @@ resource "aws_iam_policy" "administrator_permission_restrictions" {
   }
 }
 
-resource "aws_iam_policy" "transfer_kill_switch" {
-  name        = "${terraform.workspace}-transfer-kill-switch"
+resource "aws_iam_policy" "transfer_family_kill_switch" {
+  name        = "${terraform.workspace}-transfer-family-kill-switch"
   description = "Permissions for Transfer kill switch Lambda"
   policy = jsonencode({
     Version = "2012-10-17",
@@ -92,6 +92,19 @@ resource "aws_iam_policy" "transfer_kill_switch" {
           "transfer:ListServers",
         ],
         Resource = "*"
+      },
+      {
+        Sid    = "PublishTransferFamilyKillSwitchMetrics",
+        Effect = "Allow",
+        Action = [
+          "cloudwatch:PutMetricData",
+        ],
+        Resource = "*",
+        Condition = {
+          StringEquals = {
+            "cloudwatch:namespace" = "Custom/TransferFamilyKillSwitch"
+          }
+        }
       }
     ]
   })

infrastructure/transfer_alarms.tf

@@ -0,0 +1,28 @@
+resource "aws_cloudwatch_metric_alarm" "transfer_family_kill_switch_stopped_server" {
+  alarm_name          = "${terraform.workspace}_transfer_family_kill_switch_stopped"
+  namespace           = "Custom/TransferFamilyKillSwitch"
+  metric_name         = "ServerStopped"
+  statistic           = "Sum"
+  period              = 60 #check every 10 mins
+  evaluation_periods  = 1
+  comparison_operator = "GreaterThanThreshold"
+  threshold           = 0
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    Workspace = terraform.workspace
+  }
+
+  alarm_description = "Alarm when the Transfer Family kill switch stops a server in workspace ${terraform.workspace}."
+
+  alarm_actions = [module.sqs_alarm_lambda_topic.arn]
+  ok_actions    = [module.sqs_alarm_lambda_topic.arn]
+
+  tags = {
+    Name         = "${terraform.workspace}_transfer_family_kill_switch_stopped"
+    severity     = "high"
+    alarm_group  = "${terraform.workspace}-transfer-family-kill-switch"
+    alarm_metric = "ServerStopped"
+    is_kpi       = "false"
+  }
+}

infrastructure/variable.tf

@@ -314,9 +314,3 @@ variable "kms_deletion_window" {
   type        = number
   default     = 30
 }
-
-variable "transfer_server_id" {
-  description = "AWS Transfer Family server ID used by the kill switch Lambda (e.g. s-0123456789abcdef0). Leave empty to disable stopping."
-  type        = string
-  default     = ""
-}

infrastructure/virusscanner.tf

@@ -108,19 +108,19 @@ resource "aws_sns_topic_subscription" "proactive_virus_scanning_kill_switch" {
   count     = local.is_production ? 1 : 0
   topic_arn = module.cloud_storage_security[0].proactive_notifications_topic_arn
   protocol  = "lambda"
-  endpoint  = module.transfer_kill_switch_lambda.lambda_arn
+  endpoint  = module.transfer_family_kill_switch_lambda.lambda_arn
 
   filter_policy = jsonencode({
     "notificationType" : ["scanResult"],
     "scanResult" : ["Infected", "Error", "Unscannable", "Suspicious"]
   })
 }
 
-resource "aws_lambda_permission" "allow_sns_invoke_transfer_kill_switch" {
+resource "aws_lambda_permission" "allow_sns_invoke_transfer_family_kill_switch" {
   count         = local.is_production ? 1 : 0
   statement_id  = "AllowExecutionFromVirusScanSNS"
   action        = "lambda:InvokeFunction"
-  function_name = module.transfer_kill_switch_lambda.lambda_arn
+  function_name = module.transfer_family_kill_switch_lambda.lambda_arn
   principal     = "sns.amazonaws.com"
   source_arn    = module.cloud_storage_security[0].proactive_notifications_topic_arn
 }