Overview

A CloudWatch Alarm that triggers when there are rejected SSH connections in a VPC (Default: 10 connections per hour). Requires VPC flow logs to be enabled.

Configuration Templates

Items
2
Size
1.1 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CloudWatchAlarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: cwalarm_rejected_ssh
      AlarmDescription: >-
        A CloudWatch Alarm that triggers when there are rejected SSH connections
        in a VPC (Default: 10 connections per hour). Requires VPC flow logs to
        be enabled.
      MetricName: RejectedSSHCount
      Namespace: VPCFlowLogsMetrics
      Statistic: Sum
      Period: '3600'
      EvaluationPeriods: '1'
      Threshold: '10'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - ''
      TreatMissingData: notBreaching
  MetricFilter:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: ''
      FilterPattern: >-
        [version, account, eni, source, destination, srcport, destport="22",
        protocol="6", packets, bytes, windowstart, windowend, action="REJECT",
        flowlogstatus]
      MetricTransformations:
        - MetricValue: '1'
          MetricNamespace: VPCFlowLogsMetrics
          MetricName: RejectedSSHCount
Parameters: {}
Metadata: {}
Conditions: {}

Actions


Customize Cf Template

Alarm Configuration


Metric Filter Configuration


* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: