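Day 9: CloudWatch Security Filters

CloudTrail records API calls. CloudWatch makes them actionable. Here's a quick setup for the most critical security detection -- catching someone disabling your security controls:

# Metric filter that turns AWS Config tampering events in the CloudTrail log
# group into a countable metric. The alarm below fires on that metric.
#
# Prerequisite (not shown here): a CloudTrail trail must deliver management
# events to this log group, otherwise the pattern never matches and the
# alarm stays silently green.
resource "aws_cloudwatch_log_metric_filter" "config_tampering" {
  name           = "aws-config-changes"
  log_group_name = "/aws/cloudtrail/security"

  # This is the CIS AWS Foundations "AWS Config configuration changes" filter.
  # Stop/Delete alone is not enough: PutConfigurationRecorder can narrow the
  # recorded resource types and PutDeliveryChannel can redirect where
  # snapshots go, both of which blind Config without stopping it. All four
  # event names are needed for the detection to match the benchmark.
  pattern = <<PATTERN
{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) || ($.eventName = PutConfigurationRecorder)) }
PATTERN

  metric_transformation {
    name      = "ConfigTamperingCount"
    namespace = "Security/CIS"
    # Each matching CloudTrail event adds one to the count; the alarm sums
    # these per period.
    value = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "config_tampering" {
  alarm_name          = "CRITICAL-ConfigTampering"
  namespace           = "Security/CIS"
  metric_name         = "ConfigTamperingCount"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security.…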