CloudTrail Monitoring with CloudWatch
Setup with Terragrunt and Terraform
While studying AWS, I challenged myself to build the following CloudTrail monitoring setup with Terraform.
Basically, we create a trail that records management events and forwards them to a CloudWatch Logs log group. From that log group we derive metrics for security-relevant events, such as IAM user creation and deletion and security group changes, attach CloudWatch alarms with simple thresholds, and route the alarms to an SNS topic that notifies the user by email.
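As an added illustration of one link in that chain (this is not code from the original post), here is a Terraform metric filter and alarm for IAM user creation and deletion, wired to an SNS email subscription. The log group name, topic name and email address are placeholders for the values the project creates elsewhere.

```hcl
# Placeholder: the CloudWatch Logs group the trail delivers to (created in trail.tf in the project).
variable "cloudtrail_log_group_name" {
  type    = string
  default = "cloudtrail-logs"
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

# Email subscriptions stay "pending confirmation" until the recipient clicks the link AWS sends.
resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = "security-team@example.com" # placeholder address
}

# Count CreateUser / DeleteUser calls in the CloudTrail JSON events.
# Security group events (e.g. AuthorizeSecurityGroupIngress) follow the same shape with a different pattern.
resource "aws_cloudwatch_log_metric_filter" "iam_user_changes" {
  name           = "IAMUserChanges"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.eventSource = \"iam.amazonaws.com\") && (($.eventName = \"CreateUser\") || ($.eventName = \"DeleteUser\")) }"

  metric_transformation {
    name          = "IAMUserChangeCount"
    namespace     = "CloudTrailMetrics"
    value         = "1"
    default_value = 0 # emit 0 when no event matches, so the metric always has data points
  }
}

resource "aws_cloudwatch_metric_alarm" "iam_user_changes" {
  alarm_name          = "IAMUserChanges"
  namespace           = "CloudTrailMetrics"
  metric_name         = "IAMUserChangeCount"
  statistic           = "Sum"
  period              = 300 # seconds; CloudTrail delivery to Logs is itself delayed by minutes
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # quiet periods must not flip the alarm to INSUFFICIENT_DATA
  alarm_description   = "An IAM user was created or deleted"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}
```

With `default_value` and `treat_missing_data` set as above, the alarm returns to OK on its own after a quiet period instead of lingering in INSUFFICIENT_DATA.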
Tooling and directory structure
Because we first create the base AWS resources and then, in a second step, test the alarms by creating and deleting other resources, I use Terragrunt, a Terraform wrapper, to manage this.
The directory structure looks like this:
.
├── cloudtrail-n-cloudwatch
│   ├── cloudwatch.tf
│   ├── provider.tf
│   ├── role.tf
│   ├── s3.tf
│   ├── sns.tf
│   ├── terraform.tfstate
│   ├── terraform.tfstate.backup
│   ├── terragrunt.hcl
│   └── trail.tf
├── security-groups
│   ├── provider.tf
│   ├── sg.tf
│   ├── terraform.tfstate
│   └── terragrunt.hcl
├── terragrunt.hcl
└── users
    ├── iam-user.tf
    ├── provider.tf
    ├── terraform.tfstate
    ├── terraform.tfstate.backup
    └── terragrunt.hcl