template.yaml

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Description: SAM-BinaryAlert

Metadata:
  AWS::ServerlessRepo::Application:
    Name: SAM-BinaryAlert
    Description: |-
      SAM-BinaryAlert wraps BinaryAlert for deployment with SAR or SAM CLI. (BinaryAlert uses cool Terraform)
      BinaryAlert is a serverless, real-time framework for detecting malicious files. (http://www.binaryalert.io/)
    Author: Keisuke Konishi
    SpdxLicenseId: Apache-2.0
    ReadmeUrl: docs/README4SAR.md
    LicenseUrl: LICENSE
    Labels: [Serverless, Anti-malware, s3, Lambda, Apache2, MadeInJapan]
    SemanticVersion: 0.2.1-snapshot
    HomePageUrl: https://github.com/komikoni/sam-binaryalert#readme
    SourceCodeUrl: https://github.com/komikoni/sam-binaryalert.git

Parameters:
  # terraform.tfvars mapping
  NamePrefix: # name_prefix
    Description: (Require) Prefix used in all resource names (required for uniqueness). E.g. "company_team"
    Type: String
    MinLength: 3
    MaxLength: 50
    AllowedPattern: ^[a-z][a-z0-9_]+$

  S3LogBucket: # s3_log_bucket
    Description: (Option) Pre-existing bucket in which to store S3 access logs. If not specified, one will be created.
    Type: String
    Default: ""

  S3LogPrefix: # s3_log_prefix
    Description: (Option) Log files will be stored in S3 with this prefix.
    Type: String
    Default: "s3-access-logs/"

  S3LogExpirationDays: # s3_log_expiration_days
    Description: (Option) Access logs expire after this many days. Has no effect if using pre-existing bucket for logs.
    Type: Number
    Default: 90

  LambdaLogRetentionDays: # lambda_log_retention_days
    Description: (Option) How long to retain Lambda function logs.
    Type: Number
    Default: 14

  TaggedName: # tagged_name
    Description: |
      (Option) =Advanced Configuration=
      Tags make it easier to organize resources, view grouped billing information, etc.
      All supported resources (Dyanmo, KMS, Lambda, S3, SQS) are tagged with
      Name = [YOUR_VALUE_BELOW]
    Type: String
    Default: BinaryAlert

  MetricAlarmSnsTopicArn: # metric_alarm_sns_topic_arn
    Description: |
      (Option) =Alarms=
      Use an existing SNS topic for metric alarms (instead of creating one automatically).
      ex) arn:aws:sns:ap-northeast-1:999999999999:Topic_Name-0123456789
    # ConstraintDescription: Malformed input-Parameter MyParameter must match pattern ^arn:(aws[a-zA-Z-]*)?:sns:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1}:\d{12}:[a-zA-Z0-9-_]{1,256}$
    # AllowedPattern: ^arn:(aws[a-zA-Z-]*)?:sns:[a-z]{2}-[a-z]+-\d{1}:\d{12}:[a-zA-Z0-9-_]{1,256}$
    Type: String
    Default: ""

  ExpectedAnalysisFrequencySeconds: # expected_analysis_frequency_minutes  Minutes => Seconds
    Description: (Option) Alarm if no binaries are analyzed for this amount of time.
    Type: Number
    Default: 1800 # 30Minutes * 60

  DynamoReadCapacity: # dynamo_read_capacity
    Description: |
      (Option) =DynamoDB=
      Provisioned read/write capacity for the Dynamo table which stores match results.
      Capacity is (very roughly) maximum number of operations per second. See Dynamo documentation.
      Since there will likely be very few matches, these numbers can be quite low.
    Type: Number
    Default: 10

  DynamoWriteCapacity: # dynamo_write_capacity
    Description: (Option)
    Type: Number
    Default: 5

  LambdaAnalyzeMemoryMb: # lambda_analyze_memory_mb
    Description: (Option) Memory, time, and concurrency limits for the analyzer function. (128MB - 3008MB Step 64MB)
    Type: Number
    MinValue: 128
    MaxValue: 3008
    AllowedValues:
      [
        128,
        192,
        256,
        320,
        384,
        448,
        512,
        576,
        640,
        704,
        768,
        832,
        896,
        960,
        1024,
        1088,
        1152,
        1216,
        1280,
        1344,
        1408,
        1472,
        1536,
        1600,
        1664,
        1728,
        1792,
        1856,
        1920,
        1984,
        2048,
        2112,
        2176,
        2240,
        2304,
        2368,
        2432,
        2496,
        2560,
        2624,
        2688,
        2752,
        2816,
        2880,
        2944,
        3008,
      ]
    Default: 1024

  LambdaAnalyzeTimeoutSec: # lambda_analyze_timeout_sec
    Description: "(Option) "
    Type: Number
    Default: 300

  LambdaAnalyzeTimeoutSecPlus2Sec: # lambda_analyze_timeout_sec +2 Sec
    Description: "(Option) "
    Type: Number
    Default: 302

  LambdaAnalyzeConcurrencyLimit: # lambda_analyze_concurrency_limit
    Description: "(Option) "
    Type: Number
    Default: 100

  ExternalS3BucketResources: # external_s3_bucket_resources
    Description: |
      (Option) If using BinaryAlert to scan existing S3 buckets, add the S3 and KMS resource ARNs here (separater is "," No spaces before or after the comma)
      ex) arn:aws:s3:::bucket-name1/*,arn:aws:s3:::bucket-name2/*
    # CommaDelimitedList is not used because the merge of the array will cause a syntax error in the policy document and validation cannot be performed.
    Type: String
    Default: ""

  ExternalKmsKeyResources: # external_kms_key_resources
    Description: |
      (Option)  If using BinaryAlert to scan existing S3 buckets, add the S3 and KMS resource ARNs here (separater is "," No spaces before or after the comma)
      ex) arn:aws:kms:ap-northeast-1:999999999999:key/xxxxx,arn:aws:kms:ap-northeast-1:111122223333:alias/ExampleAlias
    # CommaDelimitedList is not used because the merge of the array will cause a syntax error in the policy document and validation cannot be performed.
    Type: String
    Default: ""

  EnableNegativeMatchAlerts: # enable_negative_match_alerts
    Description: (Option) =SNS= Create a separate SNS topic which reports files that do NOT match any YARA rules. (true or false)
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "false"

  AnalyzeQueueBatchSize: # analyze_queue_batch_size
    Description: (Option) =SQS= Maximum number of messages that will be received by each invocation of the respective function.
    Type: Number
    Default: 10

  AnalyzeQueueRetentionSecs: # analyze_queue_retention_secs
    Description: (Option) Messages in the queue will be retained and retried for the specified duration until expiring.
    Type: Number
    Default: 86400

  AnalyzeQueueRetentionSecs75Percent: # analyze_queue_retention_secs * 0.75
    Description: (Option) AnalyzeQueueRetentionSecs * 0.75
    Type: Number
    Default: 64800

  EnableCarbonBlackDownloader: # enable_carbon_black_downloader
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "false"
    Description: Optional CarbonBlack Downloader
  CarbonBlackUrl: # carbon_black_url
    Description: URL of the CarbonBlack server.
    Type: String
    Default: ""
  CarbonBlackTimeout: # carbon_black_timeout
    Description: |
      Timeout to use for Carbon Black API client.
      The client default is 60, so set to something lower if desired.
    Type: Number
    Default: 60
  EncryptedCarbonBlackApiToken: # encrypted_carbon_black_api_token
    Description: The encrypted CarbonBlack API token will automatically be generated and saved here.
    Type: String
    Default: ""
  LambdaDownloadMemoryMb: # lambda_download_memory_mb
    Description: Memory, time, and concurrency limits for the downloader function.
    Type: Number
    MinValue: 128
    MaxValue: 3008
    AllowedValues:
      [
        128,
        192,
        256,
        320,
        384,
        448,
        512,
        576,
        640,
        704,
        768,
        832,
        896,
        960,
        1024,
        1088,
        1152,
        1216,
        1280,
        1344,
        1408,
        1472,
        1536,
        1600,
        1664,
        1728,
        1792,
        1856,
        1920,
        1984,
        2048,
        2112,
        2176,
        2240,
        2304,
        2368,
        2432,
        2496,
        2560,
        2624,
        2688,
        2752,
        2816,
        2880,
        2944,
        3008,
      ]
    Default: 256
  LambdaDownloadTimeoutSec: # lambda_download_timeout_sec
    Description: ""
    Type: Number
    Default: 300
  LambdaDownloadConcurrencyLimit: # lambda_download_concurrency_limit
    Description: ""
    Type: Number
    Default: 100
  DownloadQueueBatchSize: # download_queue_batch_size
    Description: =SQS=
    Type: Number
    Default: 1
  DownloadQueueRetentionSecs: # download_queue_retention_secs
    Description: ""
    Type: Number
    Default: 86400
  DownloadQueueRetentionSecs75Percent: # download_queue_retention_secs * 0.75
    Description: (Option) DownloadQueueRetentionSecs * 0.75
    Type: Number
    Default: 64800
  DownloadQueueMaxReceives: # download_queue_max_receives
    Description: |
      If an SQS message is not deleted (successfully processed) after the max number of receive
      attempts, the message is delivered to the SQS dead-letter queue.
      Retries are common due to race-conditions with binaries landing on the Carbon Black server
    Type: Number
    Default: 100

  ##### The following parameters are not supported.
  #
  # ObjectsPerRetroMessage: # objects_per_retro_message
  #   Description: During a retroactive scan, number of S3 objects to pack into a single SQS message.
  #   Type: Number
  #   Default: 4
  # ForceDestroy: # force_destroy
  #   Description: |
  #     =S3=
  #     WARNING: If force destroy is enabled, all objects in the S3 bucket(s) will be deleted during
  #   Type: String
  #   AllowedValues:
  #     - "true"
  #     - "false"
  #   Default: "true"

Conditions:
  EmptyS3LogBucketCondition: !Equals [!Ref S3LogBucket, ""]
  EmptyMetricAlarmSnsTopicArnCondition:
    !Equals [!Ref MetricAlarmSnsTopicArn, ""]
  EnableNegativeMatchAlertsCondition:
    !Equals [!Ref EnableNegativeMatchAlerts, "true"]
  EmptyExternalS3BucketResourcesCondition:
    !Equals [!Ref ExternalS3BucketResources, ""]
  EmptyExternalKmsKeyResourcesCondition:
    !Equals [!Ref ExternalKmsKeyResources, ""]
  EnableCarbonBlackDownloaderCondition:
    !Equals [!Ref EnableCarbonBlackDownloader, "true"]

Resources:
  S3BucketBinaryalertBinaries: # s3.tf resource aws_s3_bucket binaryalert_binaries
    Type: AWS::S3::Bucket
    DependsOn:
      - SQSQueuePolicyAnalyzer # The queue policy must be created before we can configure the S3 notification.
    Properties:
      BucketName: !Join
        - ""
        - - !Join [".", !Split ["_", !Ref NamePrefix]] # replace "_" to "."
          - .binaryalert-binaries.
          - !Ref AWS::Region
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName: !If
          - EmptyS3LogBucketCondition
          - !Ref S3BucketBinaryalertLog
          - !Ref S3LogBucket
        LogFilePrefix: !Ref S3LogPrefix
      LifecycleConfiguration:
        Rules:
          - Id: delete_old_versions
            Status: Enabled
            NoncurrentVersionExpirationInDays: 1
            # https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/132
            # ExpiredObjectDeleteMarker: true
          - Id: delete_old_inventory
            Status: Enabled
            ExpirationInDays: 7
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt KMSKeySseS3.Arn
      InventoryConfigurations:
        - Destination:
            # BucketArn: !Sub arn:aws:s3:::${NamePrefix}.binaryalert-binaries.${AWS::Region} # self reference
            BucketArn: !Join
              - ""
              - - "arn:aws:s3:::"
                - !Join [".", !Split ["_", !Ref NamePrefix]] # replace "_" to "."
                - .binaryalert-binaries.
                - !Ref AWS::Region
            Format: CSV
            Prefix: inventory
          Enabled: true
          Id: EntireBucketDaily
          IncludedObjectVersions: Current
          ScheduleFrequency: Daily
      NotificationConfiguration:
        QueueConfigurations:
          - Event: s3:ObjectCreated:*
            Queue: !GetAtt SQSQueueAnalyzer.Arn
      VersioningConfiguration:
        Status: Enabled

  S3BucketPolicyBinaryalertBinaries: # s3.tf resource aws_s3_bucket_policy allow_inventory
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketBinaryalertBinaries
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AllowSelfInventory
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub ${S3BucketBinaryalertBinaries.Arn}/inventory/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !GetAtt S3BucketBinaryalertBinaries.Arn
          - Sid: ForceSSLOnlyAccess
            Effect: Deny
            Principal:
              AWS: "*"
            Action: s3:*
            Resource:
              - !GetAtt S3BucketBinaryalertBinaries.Arn
              - !Sub ${S3BucketBinaryalertBinaries.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: false

  S3BucketBinaryalertLog: # s3.tf resource aws_s3_bucket binaryalert_log_bucket
    Type: AWS::S3::Bucket
    Condition: EmptyS3LogBucketCondition
    Properties:
      # BucketName: !Sub ${S3BucketBinaryalertBinaries}.access-logs
      BucketName: !Join
        - ""
        - - !Join [".", !Split ["_", !Ref NamePrefix]] # replace "_" to "."
          - .binaryalert-binaries.
          - !Ref AWS::Region
          - .access-logs
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      AccessControl: LogDeliveryWrite
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: log_expiration
            Status: Enabled
            Transitions:
              - TransitionInDays: 30
                StorageClass: STANDARD_IA
            ExpirationInDays: !Ref S3LogExpirationDays
            NoncurrentVersionExpirationInDays: 1
      LoggingConfiguration:
        LogFilePrefix: self/
      VersioningConfiguration:
        Status: Enabled

  S3BucketPolicyBinaryalertLog: # s3.tf resource aws_s3_bucket_policy force_ssl_only_access
    Type: AWS::S3::BucketPolicy
    Condition: EmptyS3LogBucketCondition
    Properties:
      Bucket: !Ref S3BucketBinaryalertLog
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ForceSSLOnlyAccess
            Effect: Deny
            Principal:
              AWS: "*"
            Action: s3:*
            Resource:
              - !GetAtt S3BucketBinaryalertLog.Arn
              - !Sub ${S3BucketBinaryalertLog.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: false

  SQSQueueAnalyzer: # sqs.tf resource aws_sqs_queue analyzer_queue
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub ${NamePrefix}_binaryalert_analyzer_queue
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      KmsMasterKeyId: !GetAtt KMSKeySseSqs.Arn
      MessageRetentionPeriod: !Ref AnalyzeQueueRetentionSecs
      VisibilityTimeout: !Ref LambdaAnalyzeTimeoutSecPlus2Sec

  SQSQueuePolicyAnalyzer: # sqs.tf resource aws_sqs_queue_policy analyzer_queue_policy
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SQSQueueAnalyzer
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AllowBinaryAlertBucketToNotifySQS
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - sqs:SendMessage
            Resource: !GetAtt SQSQueueAnalyzer.Arn
            Condition:
              ArnEquals:
                # aws:SourceArn: !Sub arn:aws:s3:::${S3BucketBinaryalertBinaries} # circular reference
                aws:SourceArn: !Join
                  - ""
                  - - "arn:aws:s3:::"
                    - !Join [".", !Split ["_", !Ref NamePrefix]] # replace "_" to "."
                    - .binaryalert-binaries.
                    - !Ref AWS::Region

  LambdaFunctionAnalyzer: # lambda.tf module binaryalert_analyzer
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: makefile
    # DependOn: IAMPolicy # Not Work https://github.com/awslabs/serverless-application-model/issues/68
    Properties:
      Description: Analyze a binary with a set of YARA rules
      FunctionName: !Sub ${NamePrefix}_binaryalert_analyzer
      Tags:
        Name: !Ref TaggedName
      CodeUri: binaryalert/
      Handler: lambda_functions.analyzer.main.analyze_lambda_handler
      Runtime: python3.7
      MemorySize: !Ref LambdaAnalyzeMemoryMb
      Timeout: !Ref LambdaAnalyzeTimeoutSec
      ReservedConcurrentExecutions: !Ref LambdaAnalyzeConcurrencyLimit
      # Role: !GetAtt IAMRole.Arn
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - SQSPollerPolicy:
            QueueName: !GetAtt SQSQueueAnalyzer.QueueName
        - DynamoDBCrudPolicy:
            TableName: DynamoDBTableYaraMatches
        - Statement:
          - Sid: QueryAndUpdateDynamo
            Effect: Allow
            Action:
              - dynamodb:UpdateItem
              - dynamodb:Query
              - dynamodb:PutItem
            Resource: !GetAtt DynamoDBTableYaraMatches.Arn
          - Sid: DecryptSSE
            Effect: Allow
            Action:
              - kms:Decrypt
              - kms:Describe*
            Resource: !If
              - EmptyExternalKmsKeyResourcesCondition
              - - !GetAtt KMSKeySseSqs.Arn
                - !GetAtt KMSKeySseS3.Arn
              - !Split
                - ","
                - !Join
                  - ","
                  - - !GetAtt KMSKeySseSqs.Arn
                    - !GetAtt KMSKeySseS3.Arn
                    - !Ref ExternalKmsKeyResources
          - Sid: GetFromS3Bucket
            Effect: Allow
            Action:
              - s3:GetObject*
              - s3:HeadObject
            Resource: !If
              - EmptyExternalS3BucketResourcesCondition
              - !Sub ${S3BucketBinaryalertBinaries.Arn}/*
              - !Split
                - ","
                - !Join
                  - ","
                  - - !Sub ${S3BucketBinaryalertBinaries.Arn}/*
                    - !Ref ExternalS3BucketResources
          - Sid: PublishAlertsToSNS
            Effect: Allow
            Action: sns:Publish
            Resource:
              - !Ref SNSTopicYaraMatchAlerts
              - !If
                - EnableNegativeMatchAlertsCondition
                - !Ref SNSTopicNoYaraMatchAlerts
                - !Ref AWS::NoValue

      AutoPublishAlias: Production
      Events:
        AppEvent:
          Type: SQS
          Properties:
            BatchSize: !Ref AnalyzeQueueBatchSize
            Queue: !GetAtt SQSQueueAnalyzer.Arn
            Enabled: true
      Environment:
        Variables:
          YARA_ALERTS_SNS_TOPIC_ARN: !Ref SNSTopicYaraMatchAlerts
          YARA_MATCHES_DYNAMO_TABLE_NAME: !Ref DynamoDBTableYaraMatches
          NO_MATCHES_SNS_TOPIC_ARN: !If
            - EnableNegativeMatchAlertsCondition
            - !Ref SNSTopicNoYaraMatchAlerts
            - ""
  CloudWatchLogsLogGroupLambdaAnalyzer: # main.tf resource aws_cloudwatch_log_group lambda_log_group
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${LambdaFunctionAnalyzer}
      RetentionInDays: !Ref LambdaLogRetentionDays

  CloudWatchAlarmLambdaAnalyzerErrors: # main.tf resource aws_cloudwatch_metric_alarm lambda_errors
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ${LambdaFunctionAnalyzer}_errors
      AlarmDescription: !Sub ${LambdaFunctionAnalyzer} has a high error rate. Check the CloudWatch logs.
      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn
      MetricName: Errors
      Namespace: AWS/Lambda
      Statistic: Sum
      Dimensions:
        - Name: FunctionName
          Value: !Ref LambdaFunctionAnalyzer
        - Name: Resource
          Value: !Sub ${LambdaFunctionAnalyzer}:Production
      Period: 300
      EvaluationPeriods: 1
      Threshold: 10
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: missing

  DynamoDBTableYaraMatches: # dynamo.tf resource aws_dynamodb_table binaryalert_yara_matches
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub ${NamePrefix}_binaryalert_matches
      KeySchema:
        - AttributeName: SHA256
          KeyType: HASH
        - AttributeName: AnalyzerVersion
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: !Ref DynamoReadCapacity
        WriteCapacityUnits: !Ref DynamoWriteCapacity
      AttributeDefinitions:
        - AttributeName: AnalyzerVersion
          AttributeType: N
        - AttributeName: SHA256
          AttributeType: S
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
      Tags:
        - Key: Name
          Value: !Ref TaggedName

  SNSTopicYaraMatchAlerts: # sns.tf resource aws_sns_topic yara_match_alerts
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: YARA match alerts will be published to this SNS topic.
      TopicName: !Sub ${NamePrefix}_binaryalert_yara_match_alerts

  SNSTopicPolicyYaraMatchAlerts:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SNSTopicYaraMatchAlerts
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - SNS:GetTopicAttributes
              - SNS:SetTopicAttributes
              - SNS:AddPermission
              - SNS:RemovePermission
              - SNS:DeleteTopic
              - SNS:Subscribe
              - SNS:ListSubscriptionsByTopic
              - SNS:Publish
              - SNS:Receive
            Resource: !Ref SNSTopicYaraMatchAlerts
            Condition:
              StringEquals:
                AWS:SourceOwner: !Sub ${AWS::AccountId}

  SNSTopicNoYaraMatchAlerts: # sns.tf resource aws_sns_topic no_yara_match
    Type: AWS::SNS::Topic
    Condition: EnableNegativeMatchAlertsCondition
    Properties:
      DisplayName: If a file does NOT match any YARA rules, notify this SNS topic.
      TopicName: !Sub ${NamePrefix}_binaryalert_no_yara_match

  SNSTopicPolicyNoYaraMatchAlerts:
    Type: AWS::SNS::TopicPolicy
    Condition: EnableNegativeMatchAlertsCondition
    Properties:
      Topics:
        - !Ref SNSTopicNoYaraMatchAlerts
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - SNS:GetTopicAttributes
              - SNS:SetTopicAttributes
              - SNS:AddPermission
              - SNS:RemovePermission
              - SNS:DeleteTopic
              - SNS:Subscribe
              - SNS:ListSubscriptionsByTopic
              - SNS:Publish
              - SNS:Receive
            Resource: !Ref SNSTopicNoYaraMatchAlerts
            Condition:
              StringEquals:
                AWS:SourceOwner: !Sub ${AWS::AccountId}

  SNSTopicMetricAlarms: # sns.tf resource aws_sns_topic metric_alarms
    Type: AWS::SNS::Topic
    Condition: EmptyMetricAlarmSnsTopicArnCondition
    Properties:
      DisplayName: CloudWatch metric alarms notify this SNS topic (created only if an existing one is not specified)
      TopicName: !Sub ${NamePrefix}_binaryalert_metric_alarms

  SNSTopicPolicyMetricAlarms:
    Type: AWS::SNS::TopicPolicy
    Condition: EmptyMetricAlarmSnsTopicArnCondition
    Properties:
      Topics:
        - !Ref SNSTopicMetricAlarms
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - SNS:GetTopicAttributes
              - SNS:SetTopicAttributes
              - SNS:AddPermission
              - SNS:RemovePermission
              - SNS:DeleteTopic
              - SNS:Subscribe
              - SNS:ListSubscriptionsByTopic
              - SNS:Publish
              - SNS:Receive
            Resource: !Ref SNSTopicMetricAlarms
            Condition:
              StringEquals:
                AWS:SourceOwner: !Sub ${AWS::AccountId}

  # IAMRole: # main.tf resource aws_iam_role role
  #   Type: AWS::IAM::Role
  #   Properties:
  #     Path: /
  #     # RoleName: !Sub ${NamePrefix}_binaryalert_analyzer_role # Only works with CAPABILITY_IAM
  #     AssumeRolePolicyDocument:
  #       Version: 2012-10-17
  #       Statement:
  #         - Sid: AllowLambdaToAssumeRole
  #           Effect: Allow
  #           Principal:
  #             Service: lambda.amazonaws.com
  #           Action: sts:AssumeRole
  #     ManagedPolicyArns:
  #       - arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole # add
  #       - !Ref IAMManagedPolicy

  # IAMManagedPolicy: # lambda_iam.tf resource aws_iam_policy base_policy
  #   Type: AWS::IAM::ManagedPolicy
  #   Properties:
  #     # ManagedPolicyName: !Sub ${NamePrefix}_binaryalert_base_policy # Only works with CAPABILITY_IAM
  #     Path: /
  #     PolicyDocument:
  #       Version: 2012-10-17
  #       Statement:
  #         - Sid: EnableLogsAndMetrics
  #           Effect: Allow
  #           Action:
  #             - logs:PutLogEvents
  #             - logs:CreateLogStream
  #             - logs:CreateLogGroup
  #             - cloudwatch:PutMetricData
  #           Resource: "*"

  # IAMPolicy: # lambda_iam.tf resource aws_iam_role_policy binaryalert_analyzer_policy
  #   Type: AWS::IAM::Policy
  #   Properties:
  #     PolicyName: !Sub ${LambdaFunctionAnalyzer}_policy
  #     Roles:
  #       - !Ref IAMRole
  #     PolicyDocument:
  #       Version: 2012-10-17
  #       Statement:
  #         - Sid: QueryAndUpdateDynamo
  #           Effect: Allow
  #           Action:
  #             - dynamodb:UpdateItem
  #             - dynamodb:Query
  #             - dynamodb:PutItem
  #           Resource: !GetAtt DynamoDBTableYaraMatches.Arn
  #         - Sid: DecryptSSE
  #           Effect: Allow
  #           Action:
  #             - kms:Decrypt
  #             - kms:Describe*
  #           Resource: !If
  #             - EmptyExternalKmsKeyResourcesCondition
  #             - - !GetAtt KMSKeySseSqs.Arn
  #               - !GetAtt KMSKeySseS3.Arn
  #             - !Split
  #               - ","
  #               - !Join
  #                 - ","
  #                 - - !GetAtt KMSKeySseSqs.Arn
  #                   - !GetAtt KMSKeySseS3.Arn
  #                   - !Ref ExternalKmsKeyResources
  #         - Sid: GetFromS3Bucket
  #           Effect: Allow
  #           Action:
  #             - s3:GetObject*
  #             - s3:HeadObject
  #           Resource: !If
  #             - EmptyExternalS3BucketResourcesCondition
  #             - !Sub ${S3BucketBinaryalertBinaries.Arn}/*
  #             - !Split
  #               - ","
  #               - !Join
  #                 - ","
  #                 - - !Sub ${S3BucketBinaryalertBinaries.Arn}/*
  #                   - !Ref ExternalS3BucketResources
  #         - Sid: PublishAlertsToSNS
  #           Effect: Allow
  #           Action: sns:Publish
  #           Resource:
  #             - !Ref SNSTopicYaraMatchAlerts
  #             - !If
  #               - EnableNegativeMatchAlertsCondition
  #               - !Ref SNSTopicNoYaraMatchAlerts
  #               - !Ref AWS::NoValue
  #         - Sid: ProcessSQSMessages
  #           Effect: Allow
  #           Action:
  #             - sqs:ReceiveMessage
  #             - sqs:GetQueueAttributes
  #             - sqs:DeleteMessage
  #             - sqs:ChangeMessageVisibility
  #           Resource: !GetAtt SQSQueueAnalyzer.Arn

  KMSKeySseS3: # kms.tf resource aws_kms_key sse_s3
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      Description: BinaryAlert Server-Side Encryption - S3
      EnableKeyRotation: true
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowS3ToUseKey
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Resource: "*"

  KMSAliasSseS3: # kms.tf resource aws_kms_alias sse_s3_alias
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/${NamePrefix}_binaryalert_sse_s3
      TargetKeyId: !Ref KMSKeySseS3

  KMSKeySseSqs: # kms.tf resource aws_kms_key sse_sqs
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      Description: BinaryAlert Server-Side Encryption - SQS
      EnableKeyRotation: true
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowS3ToUseKey
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Resource: "*"

  KMSAliasSseSqs: # kms.tf resource aws_kms_alias sse_sqs_alias
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/${NamePrefix}_binaryalert_sse_sqs
      TargetKeyId: !Ref KMSKeySseSqs

  CloudWatchAlarmNoAnalyzedBinaries: # cloudwatch_metric_alarm.tf resource aws_cloudwatch_metric_alarm analyzed_binaries
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ${LambdaFunctionAnalyzer}_no_analyzed_binaries
      AlarmDescription: !Sub |
        ${LambdaFunctionAnalyzer} is not analyzing any binaries!
          - If any BinaryAlert Lambda function was recently deployed, roll it back via the AWS console.
          - Binaries may not be arriving in the S3 bucket.

      Namespace: BinaryAlert
      MetricName: AnalyzedBinaries
      Statistic: Sum
      ComparisonOperator: LessThanOrEqualToThreshold
      Threshold: 0
      Period: !Ref ExpectedAnalysisFrequencySeconds
      EvaluationPeriods: 1

      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

      InsufficientDataActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

  CloudWatchAlarmAnalyzerSqsAge: # cloudwatch_metric_alarm.tf resource aws_cloudwatch_metric_alarm analyzer_sqs_age
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ${SQSQueueAnalyzer.QueueName}_old_age
      AlarmDescription: !Sub |
        The queue ${SQSQueueAnalyzer.QueueName} is not being processed quickly enough:
        messages are reaching 75% of the queue retention and may be expired soon.
          - Consider increasing the lambda_analyze_concurrency_limit to process more events
          - Consider raising the retention period for this queue

      Namespace: AWS/SQS
      MetricName: ApproximateAgeOfOldestMessage
      Statistic: Minimum
      Dimensions:
        - Name: QueueName
          Value: !GetAtt SQSQueueAnalyzer.QueueName
      ComparisonOperator: GreaterThanThreshold
      Threshold: !Ref AnalyzeQueueRetentionSecs75Percent
      Period: 60
      EvaluationPeriods: 10
      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn
      InsufficientDataActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

  CloudWatchAlarmYaraRules: # cloudwatch_metric_alarm.tf resource aws_cloudwatch_metric_alarm yara_rules
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ${LambdaFunctionAnalyzer}_too_few_yara_rules
      AlarmDescription: |
        The number of YARA rules in BinaryAlert is surprisingly low.
        Check if a recent deploy accidentally removed most YARA rules.

      Namespace: BinaryAlert
      MetricName: YaraRules
      Statistic: Maximum
      ComparisonOperator: LessThanThreshold
      Threshold: 5
      Period: 300
      EvaluationPeriods: 1
      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

  CloudWatchAlarmDynamoThrottles: # cloudwatch_metric_alarm.tf resource aws_cloudwatch_metric_alarm dynamo_throttles
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ${DynamoDBTableYaraMatches}_throttles
      AlarmDescription: |
        Read or write requests to the BinaryAlert DynamoDB table are being throttled.
          - Check the ReadThrottleEvents and WriteThrottleEvents Dynamo metrics to understand which
            operation is causing throttles.
          - If there was a recent deploy with new YARA rules, there may be more matches than Dynamo has been
            provisioned to handle. In this case, rollback the analyzer in the AWS Console and fix the rules.
          - If this is normal/expected behavior, increase the dynamo_read_capacity in the BinaryAlet config.

      Namespace: AWS/DynamoDB
      MetricName: ThrottledRequests
      Statistic: Sum
      Dimensions:
        - Name: TableName
          Value: !Ref DynamoDBTableYaraMatches
      ComparisonOperator: GreaterThanThreshold
      Threshold: 0
      Period: 60
      EvaluationPeriods: 1
      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

  KMSKeyCarbonBlackCredentials: # kms.tf resource aws_kms_key carbon_black_credentials
    Type: AWS::KMS::Key
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      Enabled: true
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      Description: Encrypts CarbonBlack credentials for the BinaryAlert downloader.
      KeyUsage: ENCRYPT_DECRYPT
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  KMSAliasCarbonBlackCredentials: # kms.tf resource aws_kms_alias encrypt_credentials_alias
    Type: AWS::KMS::Alias
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      AliasName: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/${NamePrefix}_binaryalert_carbonblack_credentials
      TargetKeyId: !Ref KMSKeyCarbonBlackCredentials

  # IAMRole2: # main.tf resource aws_iam_role role
  #   Type: AWS::IAM::Role
  #   Condition: EnableCarbonBlackDownloaderCondition
  #   Properties:
  #     Path: /
  #     # RoleName: !Sub "${NamePrefix}_binaryalert_downloader_role"  # Only works with CAPABILITY_IAM
  #     AssumeRolePolicyDocument:
  #       Version: 2012-10-17
  #       Statement:
  #         - Sid: AllowLambdaToAssumeRole
  #           Effect: Allow
  #           Principal:
  #             Service: lambda.amazonaws.com
  #           Action: sts:AssumeRole
  #     ManagedPolicyArns:
  #       - arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole
  #       - !Ref IAMManagedPolicy

  # IAMPolicy2: # lambda_iam.tf resource aws_iam_role_policy binaryalert_downloader_policy
  #   Type: AWS::IAM::Policy
  #   Condition: EnableCarbonBlackDownloaderCondition
  #   Properties:
  #     PolicyName: !Sub ${LambdaFunctionDownloader}_policy
  #     Roles:
  #       - !Ref IAMRole2
  #     PolicyDocument:
  #       Version: 2012-10-17
  #       Statement:
  #         - Sid: AllowSSE
  #           Effect: Allow
  #           Action:
  #             - kms:GenerateDataKey
  #             - kms:Decrypt
  #           Resource:
  #             - - !GetAtt KMSKeySseSqs.Arn
  #               - !GetAtt KMSKeySseS3.Arn
  #         - Sid: DecryptCarbonBlackCredentials
  #           Effect: Allow
  #           Action: kms:Decrypt
  #           Resource: !GetAtt KMSKeyCarbonBlackCredentials.Arn
  #         - Sid: UploadToBinaryAlertBucket
  #           Effect: Allow
  #           Action: s3:PutObject
  #           Resource: !Sub ${S3BucketBinaryalertBinaries.Arn}/*
  #         - Sid: ProcessSQSMessages
  #           Effect: Allow
  #           Action:
  #             - sqs:ReceiveMessage
  #             - sqs:GetQueueAttributes
  #             - sqs:DeleteMessage
  #             - sqs:ChangeMessageVisibility
  #           Resource: !GetAtt SQSQueueDownloader.Arn

  LambdaFunctionDownloader: # lambda.tf module binaryalert_downloader
    Type: AWS::Serverless::Function
    Condition: EnableCarbonBlackDownloaderCondition
    # DependOn: # Not Work https://github.com/awslabs/serverless-application-model/issues/68
    #   - IAMPolicy2
    #   - SQSQueueDownloader
    Properties:
      Description: Copies binaries from CarbonBlack into the BinaryAlert S3 bucket
      FunctionName: !Sub ${NamePrefix}_binaryalert_downloader
      Tags:
        Name: !Ref TaggedName
      CodeUri: binaryalert/lambda_functions/downloader
      Handler: lambda_functions.downloader.main.download_lambda_handler
      Runtime: python3.7
      MemorySize: !Ref LambdaDownloadMemoryMb
      Timeout: !Ref LambdaDownloadTimeoutSec
      ReservedConcurrentExecutions: !Ref LambdaDownloadConcurrencyLimit
      # Role: !GetAtt IAMRole2.Arn
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - SQSPollerPolicy:
            QueueName: !GetAtt SQSQueueDownloader.QueueName
        - KMSDecryptPolicy:
            KeyId: !Ref KMSKeyCarbonBlackCredentials
        - S3WritePolicy:
            BucketName: !Ref S3BucketBinaryalertBinaries
        - Statement:
            - Sid: AllowSSE
              Effect: Allow
              Action:
                - kms:GenerateDataKey
                - kms:Decrypt
              Resource:
                - !GetAtt KMSKeySseSqs.Arn
                - !GetAtt KMSKeySseS3.Arn
      AutoPublishAlias: Production
      Events:
        AppEvent:
          Type: SQS
          Properties:
            BatchSize: !Ref DownloadQueueBatchSize
            Queue: !GetAtt SQSQueueDownloader.Arn
            Enabled: true
      Environment:
        Variables:
          TARGET_S3_BUCKET: !Ref S3BucketPolicyBinaryalertBinaries
          CARBON_BLACK_URL: !Ref CarbonBlackUrl
          CARBON_BLACK_TIMEOUT: !Ref CarbonBlackTimeout
          ENCRYPTED_CARBON_BLACK_API_TOKEN: !Ref EncryptedCarbonBlackApiToken

  LogsLogGroupLambdaDownloader: # main.tf resource aws_cloudwatch_log_group lambda_log_group
    Type: AWS::Logs::LogGroup
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      LogGroupName: !Sub /aws/lambda/${LambdaFunctionDownloader}
      RetentionInDays: !Ref LambdaLogRetentionDays

  SQSQueueDownloader: # sqs.tf resource aws_sqs_queue downloader_queue
    Type: AWS::SQS::Queue
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      QueueName: !Sub ${NamePrefix}_binaryalert_downloader_queue
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      KmsMasterKeyId: !GetAtt KMSKeySseSqs.Arn
      MessageRetentionPeriod: !Ref DownloadQueueRetentionSecs
      VisibilityTimeout: !Ref LambdaAnalyzeTimeoutSecPlus2Sec
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt SQSQueueDeadLetter.Arn
        maxReceiveCount: !Ref DownloadQueueMaxReceives

  SQSQueueDeadLetter: # sqs.tf resource aws_sqs_queue dead_letter_queue
    Type: AWS::SQS::Queue
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      QueueName: !Sub ${NamePrefix}_binaryalert_sqs_dead_letter_queue
      Tags:
        - Key: Name
          Value: !Ref TaggedName
      KmsMasterKeyId: !GetAtt KMSKeySseSqs.Arn
      MessageRetentionPeriod: 1209600

  CloudWatchAlarmLambdaDownloaderErrors: # main.tf resource aws_cloudwatch_metric_alarm lambda_errors
    Type: AWS::CloudWatch::Alarm
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      AlarmName: !Sub ${LambdaFunctionDownloader}_errors
      AlarmDescription: !Sub ${LambdaFunctionDownloader} has a high error rate. Check the CloudWatch logs.
      Namespace: AWS/Lambda
      MetricName: Errors
      Statistic: Sum
      Dimensions:
        - Name: FunctionName
          Value: !Ref LambdaFunctionDownloader
        - Name: Resource
          Value: !Sub ${LambdaFunctionDownloader}:Production
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 500
      Period: 300
      EvaluationPeriods: 1
      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

  CloudWatchAlarmDownloaderSqsAge: # cloudwatch_metric_alarm.tf resource aws_cloudwatch_metric_alarm downloader_sqs_age
    Type: AWS::CloudWatch::Alarm
    Condition: EnableCarbonBlackDownloaderCondition
    Properties:
      AlarmName: !Sub ${LambdaFunctionDownloader}_queue_old_age
      AlarmDescription: !Sub |
        The queue ${LambdaFunctionDownloader}_queue is not being processed quickly enough:
        messages are reaching 75% of the queue retention and may be expired soon.
          - Consider increasing the lambda_download_concurrency_limit to process more events
          - Consider raising the retention period for this queue
      Namespace: AWS/SQS
      MetricName: ApproximateAgeOfOldestMessage
      Statistic: Minimum
      Dimensions:
        - Name: QueueName
          Value: !Sub ${LambdaFunctionDownloader}_queue
      ComparisonOperator: GreaterThanThreshold
      Threshold: !Ref DownloadQueueRetentionSecs75Percent
      Period: 60
      EvaluationPeriods: 10
      AlarmActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn
      InsufficientDataActions:
        - !If
          - EmptyMetricAlarmSnsTopicArnCondition
          - !Ref SNSTopicMetricAlarms
          - !Ref MetricAlarmSnsTopicArn

  CloudWatchDashboard: # cloudwatch_dashboard.tf resource aws_cloudwatch_dashboard binaryalert
    Type: AWS::CloudWatch::Dashboard
    Properties:
      DashboardName: !Sub ${NamePrefix}_BinaryAlert # add NamePrefix_
      DashboardBody: !Sub
        - >-
          {
            "widgets": [
              ${s3_bucket_stats},     ${yara_rules},
              ${analyzed_binaries},   ${sns_publications},
              ${sqs_analyzer},        ${sqs_analyzer_age},
              ${downloader_section}
              ${lambda_invocations},  ${max_lambda_duration},
              ${lambda_errors},       ${lambda_throttles},
              ${s3_download_latency}, ${log_bytes}
            ]
          }
        - s3_bucket_stats: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "height": 3,
              "properties": {
                "title": "S3: ${S3BucketBinaryalertBinaries}",
                "region": "${AWS::Region}",
                "stat": "Average",
                "period": 86400,
                "view": "singleValue",
                "metrics": [
                  [
                    "AWS/S3", "NumberOfObjects",
                    "BucketName", "${S3BucketBinaryalertBinaries}",
                    "StorageType", "AllStorageTypes"
                  ],
                  [".", "BucketSizeBytes", ".", ".", ".", "StandardStorage"]
                ]
              }
            }
          yara_rules: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "height": 3,
              "properties": {
                "title": "YARA Rules",
                "region": "${AWS::Region}",
                "stat": "Average",
                "period": 60,
                "view": "singleValue",
                "metrics": [
                  ["BinaryAlert", "YaraRules", {"label": "YARA Rules"}]
                ]
              }
            }
          analyzed_binaries: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "Analyzed Binaries",
                "region": "${AWS::Region}",
                "stat": "Sum",
                "metrics": [
                  ["BinaryAlert", "AnalyzedBinaries"],
                  [".", "MatchedBinaries"]
                ]
              }
            }
          sns_publications: !Sub
            - >-
              {
                "type": "metric",
                "width": 12,
                "properties": {
                  "title": "SNS Publications",
                  "region": "${AWS::Region}",
                  "stat": "Sum",
                  "metrics": [
                    [
                      "AWS/SNS", "NumberOfMessagesPublished",
                      "TopicName", "${SNSTopicYaraMatchAlerts.TopicName}",
                      {"label": "YARA Match Alerts"}
                    ],
                    [".", ".", ".", "${AlarmTargetTopicName}", {"label": "Metric Alarms"}]
                  ]
                }
              }
            - AlarmTargetTopicName: !If
                - EmptyMetricAlarmSnsTopicArnCondition
                - !GetAtt SNSTopicMetricAlarms.TopicName
                - !Select [5, !Split [":", !Ref MetricAlarmSnsTopicArn]]
          sqs_analyzer: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "SQS: ${SQSQueueAnalyzer.QueueName}",
                "region": "${AWS::Region}",
                "stat": "Sum",
                "metrics": [
                  ["AWS/SQS", "NumberOfMessagesSent", "QueueName", "${SQSQueueAnalyzer.QueueName}"],
                  [".", "NumberOfMessagesReceived", ".", "."],
                  [".", "ApproximateNumberOfMessagesVisible", ".", ".", {"stat": "Average"}]
                ]
              }
            }
          sqs_analyzer_age: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "Analyzer SQS - Age Of Oldest Message",
                "region": "${AWS::Region}",
                "stat": "Average",
                "metrics": [
                  [
                    "AWS/SQS", "ApproximateAgeOfOldestMessage",
                    "QueueName", "${SQSQueueAnalyzer.QueueName}"
                  ]
                ],
                "annotations": {
                  "horizontal": [
                    {
                      "label": "Max",
                      "value": ${AnalyzeQueueRetentionSecs}
                    },
                    {
                      "label": "Alarm",
                      "value": ${AnalyzeQueueRetentionSecs75Percent}
                    }
                  ]
                }
              }
            }
          lambda_invocations: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "Lambda Invocations",
                "region": "${AWS::Region}",
                "stat": "Sum",
                "metrics": [
                  [
                    "AWS/Lambda", "Invocations",
                    "FunctionName", "${LambdaFunctionAnalyzer}",
                    {"label": "Analyzer"}
                  ]
                ]
              }
            }
          max_lambda_duration: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "Maximum Lambda Duration",
                "region": "${AWS::Region}",
                "stat": "Maximum",
                "metrics": [
                  [
                    "AWS/Lambda", "Duration",
                    "FunctionName", "${LambdaFunctionAnalyzer}",
                    {"label": "Analyzer"}
                  ]
                ],
                "annotations": {
                  "horizontal": [
                    {
                      "label": "Max",
                      "value": 300000
                    }
                  ]
                }
              }
            }
          lambda_errors: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "Lambda Errors",
                "region": "${AWS::Region}",
                "stat": "Sum",
                "metrics": [
                  [
                    "AWS/Lambda", "Errors",
                    "FunctionName", "${LambdaFunctionAnalyzer}",
                    {"label": "Analyzer"}
                  ]
                ]
              }
            }
          lambda_throttles: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "Lambda Throttles",
                "region": "${AWS::Region}",
                "stat": "Sum",
                "metrics": [
                  [
                    "AWS/Lambda", "Throttles",
                    "FunctionName", "${LambdaFunctionAnalyzer}",
                    {"label": "Analyzer"}
                  ]
                ]
              }
            }
          s3_download_latency: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "S3 Download Latency",
                "region": "${AWS::Region}",
                "metrics": [
                  ["BinaryAlert", "S3DownloadLatency", {"label": "Minimum", "stat": "Minimum"}],
                  [".", ".", {"label": "Average", "stat": "Average"}],
                  [".", ".", {"label": "Maximum", "stat": "Maximum"}]
                ]
              }
            }
          log_bytes: !Sub >-
            {
              "type": "metric",
              "width": 12,
              "properties": {
                "title": "BinaryAlert Logs",
                "region": "${AWS::Region}",
                "stacked": true,
                "stat": "Sum",
                "metrics": [
                  [
                    "AWS/Logs", "IncomingBytes",
                    "LogGroupName", "/aws/lambda/${LambdaFunctionAnalyzer}",
                    {"label": "Analyzer"}
                  ]
                ]
              }
            }
          downloader_section: !If
            - EnableCarbonBlackDownloaderCondition
            - !Sub
              - ${sqs_downloader}, ${sqs_downloader_age},
              - sqs_downloader: !Sub >-
                  {
                    "type": "metric",
                    "width": 12,
                    "properties": {
                      "title": "SQS: ${SQSQueueDownloader.QueueName}",
                      "region": "${AWS::Region}",
                      "stat": "Sum",
                      "metrics": [
                        ["AWS/SQS", "NumberOfMessagesSent", "QueueName", "${SQSQueueDownloader.QueueName}"],
                        [".", "NumberOfMessagesReceived", ".", "."],
                        [".", "ApproximateNumberOfMessagesVisible", ".", ".", {"stat": "Average"}]
                      ]
                    }
                  }
                sqs_downloader_age: !Sub >-
                  {
                    "type": "metric",
                    "width": 12,
                    "properties": {
                      "title": "Downloader SQS - Age Of Oldest Message",
                      "region": "${AWS::Region}",
                      "stat": "Average",
                      "metrics": [
                        [
                          "AWS/SQS", "ApproximateAgeOfOldestMessage",
                          "QueueName", "${SQSQueueDownloader.QueueName}"
                        ]
                      ],
                      "annotations": {
                        "horizontal": [
                          {
                            "label": "Max",
                            "value": ${DownloadQueueRetentionSecs}
                          },
                          {
                            "label": "Alarm",
                            "value": ${DownloadQueueRetentionSecs75Percent}
                          }
                        ]
                      }
                    }
                  }
            - ""

Outputs:
  CloudWatchDashboardUrl:
    Description: CloudWatch dashboard for BinaryAlert
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/cloudwatch/home?region=${AWS::Region}#dashboards:name=${CloudWatchDashboard}
  TerraformTfvars:
    Description: terraform.tfvars for BinaryAlert
    Value: !Sub |
      aws_account_id="${AWS::AccountId}"
      aws_region="${AWS::Region}"
      name_prefix="${NamePrefix}"
      enable_carbon_black_downloader=${EnableCarbonBlackDownloader}
      carbon_black_url="${CarbonBlackUrl}"
      carbon_black_timeout=${CarbonBlackTimeout}
      encrypted_carbon_black_api_token="${EncryptedCarbonBlackApiToken}"
      s3_log_bucket="${S3LogBucket}"
      s3_log_prefix="${S3LogPrefix}"
      s3_log_expiration_days=${S3LogExpirationDays}
      lambda_log_retention_days=${LambdaLogRetentionDays}
      tagged_name="${TaggedName}"
      metric_alarm_sns_topic_arn="${MetricAlarmSnsTopicArn}"
      expected_analysis_frequency_minutes=${ExpectedAnalysisFrequencySeconds} / 60 
      dynamo_read_capacity=${DynamoReadCapacity}
      dynamo_write_capacity=${DynamoWriteCapacity}
      lambda_analyze_memory_mb=${LambdaAnalyzeMemoryMb}
      lambda_analyze_timeout_sec=${LambdaAnalyzeTimeoutSec}
      lambda_analyze_concurrency_limit=${LambdaAnalyzeConcurrencyLimit}
      lambda_download_memory_mb=${LambdaDownloadMemoryMb}
      lambda_download_timeout_sec=${LambdaDownloadTimeoutSec}
      lambda_download_concurrency_limit=${LambdaDownloadConcurrencyLimit}
      force_destroy=true
      external_s3_bucket_resources=[${ExternalS3BucketResources}]
      external_kms_key_resources=[${ExternalKmsKeyResources}]
      enable_negative_match_alerts=${EnableNegativeMatchAlerts}
      analyze_queue_batch_size=${AnalyzeQueueBatchSize}
      download_queue_batch_size=${DownloadQueueBatchSize}
      analyze_queue_retention_secs=${AnalyzeQueueRetentionSecs}
      download_queue_retention_secs=${DownloadQueueRetentionSecs}
      objects_per_retro_message=4
      download_queue_max_receives=${DownloadQueueMaxReceives}