A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC flow logs to be enabled.

Prerequisites: This Alarm requires VPC Flow Logs to be enabled, with events sent to a CloudWatch Log Group. See Related Items for configuration to enable VPC Flow Logs with CloudWatch logging, or enter the CloudWatch Log Group name under the Metric Filter Configuration section.

Items
3
Size
1.3 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  SnsTopicMetricFilterCloudWatchAlarm:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: alarm-action
  CloudWatchAlarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: cwalarm_rejected_ssh
      AlarmDescription: 'A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC flow logs to be enabled.'
      MetricName: RejectedSSHCount
      Namespace: VPCFlowLogsMetrics
      Statistic: Sum
      Period: '3600'
      EvaluationPeriods: '1'
      Threshold: '10'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - Ref: SnsTopicMetricFilterCloudWatchAlarm
      TreatMissingData: notBreaching
  MetricFilterCloudWatchAlarm:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: ''
      FilterPattern: '[version, account, eni, source, destination, srcport, destport="22", protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]'
      MetricTransformations:
        - MetricValue: '1'
          MetricNamespace: VPCFlowLogsMetrics
          MetricName: RejectedSSHCount
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Action Settings

Metric Filter Settings


Alarm Configuration

* Required field