notification |
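The configuration for how to send notifications. The Slack and Teams webhook URLs let anyone who holds them post to the channel, so treat them as secrets and keep them out of version control. |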
object({ email = optional(object({ addresses = list(string) }), null) slack = optional(object({ lambda_name = optional(string, "alarms-notifications") webhook_url = string }), null) teams = optional(object({ webhook_url = string }), null) }) |
n/a |
yes |
tags |
A map of tags to add to all resources |
map(string) |
n/a |
yes |
accounts_id_to_name |
A mapping of account ID to account name - used by the notification lambda to map an account ID to a human-readable name |
map(string) |
{} |
no |
alarm_namespace |
The cloudwatch alarm namespace. |
string |
"cis-benchmark" |
no |
cloudtrail_log_group_name |
The name of the CloudTrail log group to filter on. |
string |
"aws-controltower/CloudTrailLogs" |
no |
cloudwatch_log_group_retention |
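The retention period, in days, for the CloudWatch log group that holds the Lambda function logs. With the AWS provider a value of 0 normally means the logs never expire; confirm that the module passes the value through unchanged. |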
string |
"0" |
no |
create_sns_topic |
The boolean flag whether to create the SNS topic for alarms. |
bool |
true |
no |
enable_administrator_sso_activity |
The boolean flag whether the administrator_sso_activity alarm is enabled or not. |
bool |
true |
no |
enable_aws_config_changes |
The boolean flag whether the aws_config_changes alarm is enabled or not. |
bool |
true |
no |
enable_breakglass_activity |
The boolean flag whether the breakglass_logins alarm is enabled or not. |
bool |
true |
no |
enable_cloudtrail_cfg_changes |
The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. |
bool |
true |
no |
enable_console_signin_failures |
The boolean flag whether the console_signin_failures alarm is enabled or not. |
bool |
true |
no |
enable_disable_or_delete_cmk |
The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. |
bool |
true |
no |
enable_iam_changes |
The boolean flag whether the iam_changes alarm is enabled or not. |
bool |
true |
no |
enable_mfa_console_signin_allow_sso |
The boolean flag whether the no_mfa_console_signin alarm ignores console sign-ins that were authenticated through SSO. |
bool |
false |
no |
enable_nacl_changes |
The boolean flag whether the nacl_changes alarm is enabled or not. |
bool |
true |
no |
enable_network_gw_changes |
The boolean flag whether the network_gw_changes alarm is enabled or not. |
bool |
true |
no |
enable_no_mfa_console_signin |
The boolean flag whether the no_mfa_console_signin alarm is enabled or not. |
bool |
true |
no |
enable_organizations_changes |
The boolean flag whether the organizations_changes alarm is enabled or not. |
bool |
true |
no |
enable_root_usage |
The boolean flag whether the root_usage alarm is enabled or not. |
bool |
true |
no |
enable_route_table_changes |
The boolean flag whether the route_table_changes alarm is enabled or not. |
bool |
true |
no |
enable_s3_bucket_policy_changes |
The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. |
bool |
true |
no |
enable_security_group_changes |
The boolean flag whether the security_group_changes alarm is enabled or not. |
bool |
true |
no |
enable_unauthorized_api_calls |
The boolean flag whether the unauthorized_api_calls alarm is enabled or not. |
bool |
true |
no |
enable_vpc_changes |
The boolean flag whether the vpc_changes alarm is enabled or not. |
bool |
true |
no |
identity_center_role |
The name of the role to use when redirecting through Identity Center |
string |
null |
no |
identity_center_start_url |
The start URL of your Identity Center instance |
string |
null |
no |
sns_topic_name |
The name of the SNS topic to create for alarms. |
string |
"cis-benchmark-alarms" |
no |