PSA-compliant CloudWatch module with mandatory log encryption, automated EC2 alarms, and secure SNS notification channels.
Full auto-generated documentation of inputs, outputs, and resources: TERRAFORM-DOCS.md
This module provides a unified monitoring and logging foundation for AWS environments. It manages CloudWatch Log Groups with mandatory encryption and retention, and creates standard alarms for resource health and performance.
- Encrypted Logging: CloudWatch Log Groups support mandatory SSE-KMS encryption.
- Automated EC2 Alarms: Built-in alarms for CPU and system health for a list of instances.
- Custom Metric Alarms: Flexible support for defining project-specific alarms via a map.
- Secure Notifications: Encrypted SNS topics for alarm delivery with restrictive policies.
- Log Retention: Enforced retention policies to manage log volume and audit compliance.
```hcl
module "monitoring" {
  source = "./terraform-aws-cloudwatch"

  # project_name and environment are the module's two required inputs
  project_name = "myapp"
  environment  = "prod"
  name_prefix  = "myapp-prod"

  enable_application_logs = true
  log_retention_days      = 30
  sns_email_endpoints     = ["devops@example.com"]
}
```

```hcl
module "custom_monitoring" {
  source = "./terraform-aws-cloudwatch"

  # project_name and environment are the module's two required inputs
  project_name = "ecommerce"
  environment  = "prod"
  name_prefix  = "ecommerce"

  custom_metrics = {
    high_4xx_errors = {
      metric_name         = "4xxError"
      namespace           = "AWS/ApiGateway"
      statistic           = "Sum"
      threshold           = 100
      comparison_operator = "GreaterThanThreshold"
      evaluation_periods  = 1
      period              = 60
      description         = "High rate of client errors detected"
      dimensions          = { ApiName = "core-api" }
    }
  }
}
```

- Mandatory Encryption: Log Groups and SNS topics are encrypted at rest using KMS.
- Least Privilege Policy: SNS policies only allow the `cloudwatch.amazonaws.com` service to publish alarms.
- SSL Enforcement: The SNS notification channel enforces HTTPS/SSL for all actions.
- Retention Guardrails: Prevents "infinite" log retention by requiring an explicit window (default 30 days).
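The least-privilege and SSL-enforcement statements described above, written out as an added example (the module's own `sns_topic_policy` source is not shown on this page, so this is not its code). It assumes the `aws_sns_topic.cloudwatch_alarms` and `data.aws_caller_identity.current` names from the resources table.

```hcl
# Added example, not the module's own source: a restrictive policy for the alarm
# topic. Assumes aws_sns_topic.cloudwatch_alarms and data.aws_caller_identity.current.
data "aws_iam_policy_document" "sns_topic_policy" {
  # Only the CloudWatch service may publish, and only alarms from this account.
  statement {
    sid       = "AllowCloudWatchAlarmsPublish"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.cloudwatch_alarms.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
    # Confused-deputy protection: the alarm invoking the action must be ours.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudwatch:*:${data.aws_caller_identity.current.account_id}:alarm:*"]
    }
  }

  # Reject any request to the topic that does not arrive over TLS, whoever sends it.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["sns:*"]
    resources = [aws_sns_topic.cloudwatch_alarms.arn]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_sns_topic_policy" "allow_cloudwatch" {
  arn    = aws_sns_topic.cloudwatch_alarms.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}
```

The `aws:SourceAccount` condition refuses alarm actions coming from any other account; relax it only for a topic that is deliberately shared cross-account.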
This module implements the following PSA compliance features (referencing 01-Strukturierte_PSA_Anforderungen_Allgemein.pdf):
- Req 3.66-05 (Logging): Centralized and mandatory logging for all managed applications.
- Req 3.50-01 (Encryption): KMS integration for all stored log data.
- Req 3.37-04 (Protocolling): Logging of security-relevant events via custom metric filters (configurable).
- Req 9 (Audit Logging): All alarm state changes are recorded and notify authorized endpoints.
- Verify that the metric is actually being emitted to CloudWatch.
- Check if the dimensions in your `custom_metrics` configuration match the emitted metric exactly.
- Verify the email addresses in `sns_email_endpoints` have confirmed their subscription.
- Ensure the SNS topic encryption key allows CloudWatch to access it.
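The last troubleshooting point, shown as an added example that is not part of the module: a customer-managed KMS key whose policy lets CloudWatch alarms encrypt messages for the topic, passed to the module through `sns_kms_key_id`. The key and data source names in the root module are assumed.

```hcl
# Added example: customer-managed key for the alarm topic whose policy admits the
# CloudWatch service. Without the second statement the alarm action fails and the
# failure is visible only in the alarm's history, not on the topic. Names assumed.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sns_cmk_policy" {
  # Key administration stays with the account so the key cannot be orphaned.
  statement {
    sid       = "EnableRootAccountAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch generates a data key when publishing and decrypts on delivery.
  statement {
    sid       = "AllowCloudWatchAlarmsUseOfKey"
    effect    = "Allow"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns_alarms" {
  description         = "CMK for encrypted CloudWatch alarm notifications"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_cmk_policy.json
}

module "monitoring" {
  source              = "./terraform-aws-cloudwatch"
  project_name        = "myapp"
  environment         = "prod"
  sns_kms_key_id      = aws_kms_key.sns_alarms.key_id
  sns_email_endpoints = ["devops@example.com"]
}
```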
| Name | Version |
|---|---|
| terraform | >=1.3 |
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.application_logs | resource |
| aws_cloudwatch_metric_alarm.custom | resource |
| aws_cloudwatch_metric_alarm.ec2_high_cpu | resource |
| aws_cloudwatch_metric_alarm.ec2_low_cpu | resource |
| aws_sns_topic.cloudwatch_alarms | resource |
| aws_sns_topic_policy.allow_cloudwatch | resource |
| aws_sns_topic_subscription.email | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.sns_topic_policy | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alarm_datapoints_to_alarm | Number of datapoints that must be breaching to trigger the alarm | number | 2 | no |
| alarm_evaluation_periods | Number of periods over which data is compared to the threshold | number | 2 | no |
| alarm_period | Period in seconds over which the statistic is applied | number | 300 | no |
| custom_metrics | Custom CloudWatch metrics to create alarms for | map(object({ | {} | no |
| ec2_high_cpu_threshold | CPU utilization threshold for high CPU alarm (percentage) | number | 80 | no |
| ec2_instance_ids | List of EC2 instance IDs to monitor | list(string) | [] | no |
| ec2_low_cpu_threshold | CPU utilization threshold for low CPU alarm (percentage) | number | 10 | no |
| enable_application_logs | Enable application log group creation | bool | true | no |
| enable_detailed_monitoring | Enable detailed monitoring for EC2 instances | bool | false | no |
| enable_sns_encryption | Enable encryption for SNS topic | bool | true | no |
| environment | Environment (e.g., prod, dev, test) | string | n/a | yes |
| log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string | "" | no |
| log_retention_days | Number of days to retain logs in CloudWatch | number | 30 | no |
| name_prefix | Prefix for resource names (if not provided, will use project-environment pattern) | string | "" | no |
| project_name | Name of the project | string | n/a | yes |
| sns_email_endpoints | List of email addresses to subscribe to SNS topic | list(string) | [] | no |
| sns_kms_key_id | KMS key ID for SNS topic encryption (if enable_sns_encryption=true) | string | "alias/aws/sns" | no |
| tags | Additional tags for all resources | map(string) | {} | no |
| Name | Description |
|---|---|
| alarm_arns | Map of CloudWatch alarm names to their ARNs |
| cpu_alarm_ids | The IDs of the CPU alarms created |
| custom_alarm_ids | The IDs of the custom alarms created |
| log_group_arn | The ARN of the CloudWatch Log Group |
| log_group_name | The name of the CloudWatch Log Group |
| low_cpu_alarm_ids | The IDs of the low CPU alarms created |
| sns_subscription_arns | Map of SNS email subscription endpoints to their ARNs |
| sns_topic_arn | The ARN of the SNS topic used for alarms |