[PRMP-1358] Pen Test - Alarms without Action (#578)

Author: steph-torres-nhs

infrastructure/alarms.tf

@@ -31,15 +31,15 @@ resource "aws_cloudwatch_metric_alarm" "api_gateway_alarm_5XX" {
   metric_name         = "5XXError"
   period              = 300
   statistic           = "Sum"
-  threshold           = 5
+  threshold           = 0
   treat_missing_data  = "notBreaching"
 
   dimensions = {
     ApiName = aws_api_gateway_rest_api.ndr_doc_store_api.name
     Stage   = var.environment
   }
 
-  alarm_description = "This alarm indicates that at least 5 5XX statuses have occurred on ${aws_api_gateway_rest_api.ndr_doc_store_api.name} within 5 minutes."
+  alarm_description = "This alarm indicates that at least 1 5XX status has occurred on ${aws_api_gateway_rest_api.ndr_doc_store_api.name} within 5 minutes."
   alarm_actions     = [aws_sns_topic.alarm_notifications_topic[0].arn]
 
   tags = {

infrastructure/lambda-access-audit.tf

@@ -23,12 +23,13 @@ module "access-audit-alarm" {
 
 
 module "access-audit-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "access-audit-alarms-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.access-audit-lambda.lambda_arn
-  depends_on            = [module.sns_encryption_key]
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "access-audit-alarms-topic"
+  depends_on             = [module.sns_encryption_key]
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-authoriser.tf

@@ -44,11 +44,12 @@ module "authoriser-alarm" {
 
 
 module "authoriser-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "authoriser-alarms-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.authoriser-lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "authoriser-alarms-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-back-channel-logout.tf

@@ -56,11 +56,12 @@ module "back_channel_logout_alarm" {
 
 
 module "back_channel_logout_alarm_topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "back-channel-logout-alarms-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.back_channel_logout_lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "back-channel-logout-alarms-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-bulk-upload-metadata-processor.tf

@@ -55,11 +55,12 @@ module "bulk-upload-metadata-processor-alarm" {
 }
 
 module "bulk-upload-metadata-processor-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "bulk-upload-metadata-processor-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.bulk-upload-metadata-processor-lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "bulk-upload-metadata-processor-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-bulk-upload-metadata.tf

@@ -39,11 +39,12 @@ module "bulk-upload-metadata-alarm" {
 }
 
 module "bulk-upload-metadata-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "bulk-upload-metadata-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.bulk-upload-metadata-lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "bulk-upload-metadata-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-bulk-upload-report.tf

@@ -60,11 +60,12 @@ module "bulk-upload-report-alarm" {
 }
 
 module "bulk-upload-report-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "bulk-upload-report-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.bulk-upload-report-lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "bulk-upload-report-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-bulk-upload.tf

@@ -96,11 +96,12 @@ module "bulk-upload-alarm" {
 }
 
 module "bulk-upload-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "bulk-upload-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.bulk-upload-lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "bulk-upload-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-create-doc-ref.tf

@@ -11,12 +11,13 @@ module "create_doc_alarm" {
 
 
 module "create_doc_alarm_topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "create_doc-alarms-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.create-doc-ref-lambda.lambda_arn
-  depends_on            = [module.sns_encryption_key]
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "create_doc-alarms-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
+  depends_on             = [module.sns_encryption_key]
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [

infrastructure/lambda-data-collection.tf

@@ -10,11 +10,12 @@ module "data-collection-alarm" {
 }
 
 module "data-collection-alarm-topic" {
-  source                = "./modules/sns"
-  sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "data-collection-topic"
-  topic_protocol        = "lambda"
-  topic_endpoint        = module.data-collection-lambda.lambda_arn
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  topic_name             = "data-collection-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = local.is_sandbox ? [] : nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [