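def rule(event):
    """Alert on IAM entity creation that bypasses CloudFormation or an approved admin role.

    Args:
        event: A CloudTrail event, read with ``.get`` and ``deep_get``.

    Returns:
        True when a successful event listed in IAM_ENTITY_CREATION_EVENTS was not
        invoked by CloudFormation, or was invoked by CloudFormation under a
        session-issuer ARN that matches none of IAM_ADMIN_ROLE_PATTERNS and is
        not listed in IAM_ADMIN_ROLES. False otherwise.
    """
    # Check if this event is in scope
    if (
        not aws_cloudtrail_success(event)
        or event.get("eventName") not in IAM_ENTITY_CREATION_EVENTS
    ):
        return False

    # All IAM changes MUST go through CloudFormation
    if deep_get(event, "userIdentity", "invokedBy") != "cloudformation.amazonaws.com":
        return True

    # Resolve the issuing role once. Default to "" so a missing ARN cannot raise
    # TypeError inside the regex search and is simply treated as "not approved".
    issuer_arn = deep_get(
        event, "userIdentity", "sessionContext", "sessionIssuer", "arn", default=""
    )

    # Only approved IAM Roles can make IAM Changes. re.search is unanchored,
    # exactly like the findall check it replaces; a pattern that must match the
    # whole ARN has to carry its own anchors.
    if any(re.search(pattern, issuer_arn) for pattern in IAM_ADMIN_ROLE_PATTERNS):
        return False

    return issuer_arn not in IAM_ADMIN_ROLES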
def rule(event):
    """Flag successful IAM API calls whose name starts with any prefix in IAM_CHANGE_ACTIONS.

    Returns:
        True only for a successful event from ``iam.amazonaws.com`` whose
        eventName begins with one of the IAM_CHANGE_ACTIONS prefixes.
    """
    # Cheap filters first: the prefix scan below is the comparatively
    # expensive step and is skipped for failed or non-IAM events.
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventSource") != "iam.amazonaws.com":
        return False

    event_name = event.get("eventName", "")
    return any(event_name.startswith(prefix) for prefix in IAM_CHANGE_ACTIONS)
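def rule(event):
    """Alert on security-group changes in production accounts made outside the approved path.

    A successful event named in SG_CHANGE_EVENTS against an account in
    PROD_ACCOUNT_IDS fires unless BOTH the user agent matches
    ALLOWED_USER_AGENTS and the caller ARN contains one of ALLOWED_ROLE_NAMES.

    Returns:
        True when the change should be alerted on, False otherwise.
    """
    if not aws_cloudtrail_success(event):
        return False
    # SG_CHANGE_EVENTS is a mapping; membership tests its keys directly.
    if event.get("eventName") not in SG_CHANGE_EVENTS:
        return False
    if event.get("recipientAccountId") not in PROD_ACCOUNT_IDS:
        return False

    # Validate the deployment mechanism (Console, CloudFormation, or Terraform)
    if not pattern_match_list(event.get("userAgent"), ALLOWED_USER_AGENTS):
        return True

    # Validate the IAM Role used is in our acceptable list. Default the ARN to ""
    # so a missing userIdentity cannot raise TypeError in the substring test and
    # is treated as not approved (the alert fires).
    caller_arn = deep_get(event, "userIdentity", "arn", default="")
    return not any(role in caller_arn for role in ALLOWED_ROLE_NAMES)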
def rule(event):
    """Flag a successful CreateNetworkAclEntry that allows inbound traffic from 0.0.0.0/0.

    Returns:
        True when the new NACL rule is an ingress ``allow`` for ``0.0.0.0/0``.
    """
    # Only check successful actions creating a new Network ACL entry
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") != "CreateNetworkAclEntry":
        return False

    # Check if this new NACL entry is allowing traffic from anywhere
    world_cidr = deep_get(event, "requestParameters", "cidrBlock") == "0.0.0.0/0"
    allows = deep_get(event, "requestParameters", "ruleAction") == "allow"
    inbound = deep_get(event, "requestParameters", "egress") is False
    return world_cidr and allows and inbound
def rule(event):
    """Flag a successful AssumeRole by an IAM or federated user into a blocklisted role.

    Returns:
        True when ``requestParameters.roleArn`` is in ASSUME_ROLE_BLOCKLIST.
    """
    # Only considering successful AssumeRole action
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") != "AssumeRole":
        return False

    # Only considering user actions (service-to-service role chaining is ignored)
    identity_type = deep_get(event, "userIdentity", "type")
    if identity_type not in ("IAMUser", "FederatedUser"):
        return False

    target_role = deep_get(event, "requestParameters", "roleArn")
    return target_role in ASSUME_ROLE_BLOCKLIST
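def rule(event):
    """Flag successful resource-policy writes that make the resource internet accessible.

    Extracts the policy document from the request parameters of the supported
    API calls (S3, ECR, Elasticsearch, KMS, Glacier, SNS/SQS, Secrets Manager)
    and hands it to ``policy_is_internet_accessible``.

    Returns:
        True when a policy was found and ``policy_is_internet_accessible`` reports
        it as open to the internet; False for failed events, events without
        request parameters, unsupported event names, or events carrying no policy.

    Raises:
        json.JSONDecodeError: if a string-valued policy is not valid JSON.
    """
    if not aws_cloudtrail_success(event):
        return False

    parameters = event.get("requestParameters", {})
    # Ignore events that are missing request params
    if not parameters:
        return False

    # .get rather than event["eventName"] so an event without a name is skipped
    # instead of raising KeyError, consistent with the other rules.
    event_name = event.get("eventName")

    # S3: bucketPolicy is handed over as-is, with no JSON decoding step.
    if event_name == "PutBucketPolicy":
        return policy_is_internet_accessible(parameters.get("bucketPolicy"))

    policy = _extract_policy(event_name, parameters)
    if not policy:
        return False

    # Most services deliver the policy as a JSON string. Accept an already-parsed
    # document as well so a dict-valued parameter does not raise TypeError in
    # json.loads.
    if isinstance(policy, str):
        policy = json.loads(policy)
    return policy_is_internet_accessible(policy)


def _extract_policy(event_name, parameters):
    """Return the policy document for a supported non-S3 event name, or {} if none."""
    # ECR
    if event_name == "SetRepositoryPolicy":
        return parameters.get("policyText", {})
    # Elasticsearch
    if event_name in ("CreateElasticsearchDomain", "UpdateElasticsearchDomainConfig"):
        return parameters.get("accessPolicies", {})
    # KMS
    if event_name in ("CreateKey", "PutKeyPolicy"):
        return parameters.get("policy", {})
    # S3 Glacier
    if event_name == "SetVaultAccessPolicy":
        return deep_get(parameters, "policy", "policy", default={})
    # SNS & SQS
    if event_name in ("SetQueueAttributes", "CreateTopic"):
        return deep_get(parameters, "attributes", "Policy", default={})
    # SNS: only the Policy attribute is of interest
    if event_name == "SetTopicAttributes" and parameters.get("attributeName", "") == "Policy":
        return parameters.get("attributeValue", {})
    # SecretsManager
    if event_name == "PutResourcePolicy":
        return parameters.get("resourcePolicy", {})
    return {}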
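def rule(event):
    """Flag a successful ModifyImageAttribute that grants launch permission to the "all" group.

    Returns:
        True when any entry added under ``launchPermission.add.items`` names
        the ``all`` group (i.e. the AMI is being made public).
    """
    # Only check successful ModifyImageAttribute events
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") != "ModifyImageAttribute":
        return False

    added_perms = deep_get(
        event, "requestParameters", "launchPermission", "add", "items", default=[]
    )
    # Skip non-dict items instead of raising AttributeError on .get, matching
    # the guard used by the snapshot-sharing rule.
    return any(
        isinstance(item, dict) and item.get("group") == "all" for item in added_perms
    )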
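def rule(event):
    """Flag successful security-configuration changes unless the caller is allow-listed.

    ALLOW_LIST entries pair a ``userName`` glob with an ``eventName`` glob; a
    session issuer and event that both match one entry suppress the alert.
    ``UpdateDetector`` fires only when it disables the detector
    (``requestParameters.enable`` is false); any other event fires when it is
    listed in SECURITY_CONFIG_ACTIONS.

    Returns:
        True when the change should be alerted on, False otherwise.
    """
    if not aws_cloudtrail_success(event):
        return False

    # Default both names to "" so a missing value cannot raise TypeError inside
    # fnmatch; "" only matches an empty or "*"-style glob.
    event_name = event.get("eventName") or ""
    issuer_user = deep_get(
        event, "userIdentity", "sessionContext", "sessionIssuer", "userName", default=""
    )

    for entry in ALLOW_LIST:
        if fnmatch(issuer_user, entry["userName"]) and fnmatch(event_name, entry["eventName"]):
            return False

    if event_name == "UpdateDetector":
        # Disabling the detector is the interesting case; enabling it is not.
        return not deep_get(event, "requestParameters", "enable", default=True)

    return event_name in SECURITY_CONFIG_ACTIONS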
def rule(event):
    """Flag successful events that share an EC2 or RDS snapshot with the "all" group (public).

    Returns:
        True for a ``ModifySnapshotAttribute`` adding a CREATE_VOLUME_PERMISSION
        for group ``all``, or a ``ModifyDBClusterSnapshotAttribute`` whose
        ``valuesToAdd`` contains ``all``; False otherwise.
    """
    if not aws_cloudtrail_success(event):
        return False

    event_name = event.get("eventName")

    # EC2 Volume snapshot made public
    if event_name == "ModifySnapshotAttribute":
        parameters = event.get("requestParameters", {})
        if parameters.get("attributeType") != "CREATE_VOLUME_PERMISSION":
            return False
        added = deep_get(parameters, "createVolumePermission", "add", "items", default=[])
        # Entries that are not mappings are skipped rather than inspected
        return any(
            isinstance(entry, (Mapping, dict)) and entry.get("group") == "all"
            for entry in added
        )

    # RDS snapshot made public
    if event_name == "ModifyDBClusterSnapshotAttribute":
        values_to_add = deep_get(event, "requestParameters", "valuesToAdd", default=[])
        return "all" in values_to_add

    return False
def rule(event):
    """Flag successful CloudTrail create/update events (names in CLOUDTRAIL_CREATE_UPDATE)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CLOUDTRAIL_CREATE_UPDATE
def rule(event):
    """Flag successful, directly-issued root-user activity not covered by EVENT_ALLOW_LIST.

    Returns:
        True when the caller type is ``Root``, the call succeeded, it was not
        invoked by another AWS service (``invokedBy`` absent and eventType not
        ``AwsServiceEvent``) and the event name is not in EVENT_ALLOW_LIST.
    """
    if deep_get(event, "userIdentity", "type") != "Root":
        return False
    if not aws_cloudtrail_success(event):
        return False
    # Ignore actions an AWS service performed on root's behalf
    if deep_get(event, "userIdentity", "invokedBy") is not None:
        return False
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return event.get("eventName") not in EVENT_ALLOW_LIST
def rule(event):
    """Flag successful AWS Config disable/delete events (names in CONFIG_SERVICE_DISABLE_DELETE_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CONFIG_SERVICE_DISABLE_DELETE_EVENTS
def rule(event):
    """Flag successful KMS events that can lead to key loss (names in KMS_LOSS_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in KMS_LOSS_EVENTS
def rule(event):
    """Flag successful S3 bucket-policy changes (names in S3_POLICY_CHANGE_EVENTS)."""
    # Name check first, then the success check, as in the original ordering
    if event.get("eventName") not in S3_POLICY_CHANGE_EVENTS:
        return False
    return aws_cloudtrail_success(event)
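def rule(event):
    """Flag successful DeleteBucket* calls.

    Captures DeleteBucket, DeleteBucketPolicy, DeleteBucketWebsite and any
    other event whose name starts with ``DeleteBucket``.

    Returns:
        True when the event name has that prefix and the call succeeded.
    """
    # Fall back to "" so an event without eventName is not flagged, instead of
    # raising AttributeError on None.startswith.
    event_name = event.get("eventName") or ""
    return event_name.startswith("DeleteBucket") and aws_cloudtrail_success(event)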
def rule(event):
    """Flag successful events whose name is listed in UPDATE_EVENTS."""
    # Name check first, then the success check, as in the original ordering
    if event.get("eventName") not in UPDATE_EVENTS:
        return False
    return aws_cloudtrail_success(event)
def rule(event):
    """Flag successful EC2 gateway modifications (names in EC2_GATEWAY_MODIFIED_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in EC2_GATEWAY_MODIFIED_EVENTS
def rule(event):
    """Flag successful AWS Config creation events (names in CONFIG_SERVICE_CREATE_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CONFIG_SERVICE_CREATE_EVENTS
def rule(event):
    """Flag successful CloudTrail stop/delete events (names in CLOUDTRAIL_STOP_DELETE)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CLOUDTRAIL_STOP_DELETE