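def rule(event):
    """Alert on IAM entity creation that bypasses the approved deployment path.

    Returns True for a successful CloudTrail event whose eventName is in
    IAM_ENTITY_CREATION_EVENTS and that was either not invoked through
    CloudFormation, or was invoked through CloudFormation by a session-issuer
    role whose ARN matches none of IAM_ADMIN_ROLE_PATTERNS and is not listed
    in IAM_ADMIN_ROLES. Every other event returns False.
    """
    # Check if this event is in scope
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") not in IAM_ENTITY_CREATION_EVENTS:
        return False

    # All IAM changes MUST go through CloudFormation
    if deep_get(event, "userIdentity", "invokedBy") != "cloudformation.amazonaws.com":
        return True

    # Resolve the issuing role ARN once. Default to "" so an event without a
    # session issuer is treated as "not an approved role" (and alerts) instead
    # of raising TypeError inside the regex search.
    issuer_arn = deep_get(
        event, "userIdentity", "sessionContext", "sessionIssuer", "arn", default=""
    )

    # Only approved IAM Roles can make IAM Changes: a match against any
    # admin-role pattern means the change is permitted.
    if any(re.search(pattern, issuer_arn) for pattern in IAM_ADMIN_ROLE_PATTERNS):
        return False

    return issuer_arn not in IAM_ADMIN_ROLES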
def rule(event):
    """Alert on successful IAM API calls whose eventName begins with any prefix in IAM_CHANGE_ACTIONS."""
    # Only check IAM events, as the next check is relatively computationally
    # expensive and can often be skipped
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventSource") != "iam.amazonaws.com":
        return False

    event_name = event.get("eventName", "")
    for action in IAM_CHANGE_ACTIONS:
        if event_name.startswith(action):
            return True
    return False
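def rule(event):
    """Alert on security-group changes in production accounts made outside the
    approved deployment path.

    Fires when a successful CloudTrail event whose eventName is a key of
    SG_CHANGE_EVENTS lands in one of PROD_ACCOUNT_IDS and the change was NOT
    made by both an allowed user agent (pattern_match_list against
    ALLOWED_USER_AGENTS) and an identity whose ARN contains one of
    ALLOWED_ROLE_NAMES. Returns False otherwise.
    """
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") not in SG_CHANGE_EVENTS:
        return False
    if event.get("recipientAccountId") not in PROD_ACCOUNT_IDS:
        return False

    # Validate the deployment mechanism (Console, CloudFormation, or Terraform)
    if not pattern_match_list(event.get("userAgent"), ALLOWED_USER_AGENTS):
        return True

    # Validate the IAM Role used is in our acceptable list. Default the ARN to
    # "" so an event without a userIdentity ARN fails the role check instead of
    # raising TypeError on `role in None`. Note this is a substring match, not
    # an exact ARN comparison.
    identity_arn = deep_get(event, "userIdentity", "arn", default="")
    return not any(role in identity_arn for role in ALLOWED_ROLE_NAMES)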
def rule(event):
    """Alert when a new Network ACL entry allows inbound traffic from anywhere (0.0.0.0/0)."""
    # Only check successful actions creating a new Network ACL entry
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") != "CreateNetworkAclEntry":
        return False

    # Check if this new NACL entry is allowing traffic from anywhere
    cidr_is_any = deep_get(event, "requestParameters", "cidrBlock") == "0.0.0.0/0"
    action_is_allow = deep_get(event, "requestParameters", "ruleAction") == "allow"
    # egress must be exactly False (an inbound rule), not merely missing
    is_ingress = deep_get(event, "requestParameters", "egress") is False
    return cidr_is_any and action_is_allow and is_ingress
def rule(event):
    """Alert when an IAM or federated user successfully assumes a role listed in ASSUME_ROLE_BLOCKLIST."""
    # Only considering successful AssumeRole action
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") != "AssumeRole":
        return False

    # Only considering user actions
    identity_type = deep_get(event, "userIdentity", "type")
    if identity_type != "IAMUser" and identity_type != "FederatedUser":
        return False

    requested_role = deep_get(event, "requestParameters", "roleArn")
    return requested_role in ASSUME_ROLE_BLOCKLIST
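def rule(event):
    """Alert when a resource policy is set that grants internet access.

    Pulls the policy document out of the request parameters for the supported
    policy-setting events (S3, ECR, Elasticsearch, KMS, S3 Glacier, SNS, SQS,
    SecretsManager) and hands it to policy_is_internet_accessible. Returns
    False for unsuccessful events, events without request parameters, and
    events that carry no policy.

    Raises:
        json.JSONDecodeError: if a string policy document is not valid JSON.
    """
    if not aws_cloudtrail_success(event):
        return False

    parameters = event.get("requestParameters", {})
    # Ignore events that are missing request params
    if not parameters:
        return False

    # .get rather than [] so an event without eventName is out of scope
    # instead of raising KeyError
    event_name = event.get("eventName")

    # S3: bucketPolicy is handed over without JSON decoding, unlike the
    # string policies of the other services below
    if event_name == "PutBucketPolicy":
        return policy_is_internet_accessible(parameters.get("bucketPolicy"))

    policy = _extract_policy(event_name, parameters)
    if not policy:
        return False

    # The other services carry the policy as a JSON string; tolerate an
    # already-parsed document rather than failing in json.loads on a dict.
    if isinstance(policy, str):
        policy = json.loads(policy)
    return policy_is_internet_accessible(policy)


def _extract_policy(event_name, parameters):
    """Return the raw policy document for *event_name* from *parameters*, or {} when none applies."""
    # ECR
    if event_name == "SetRepositoryPolicy":
        return parameters.get("policyText", {})

    # Elasticsearch
    if event_name in ("CreateElasticsearchDomain", "UpdateElasticsearchDomainConfig"):
        return parameters.get("accessPolicies", {})

    # KMS
    if event_name in ("CreateKey", "PutKeyPolicy"):
        return parameters.get("policy", {})

    # S3 Glacier
    if event_name == "SetVaultAccessPolicy":
        return deep_get(parameters, "policy", "policy", default={})

    # SNS & SQS
    if event_name in ("SetQueueAttributes", "CreateTopic"):
        return deep_get(parameters, "attributes", "Policy", default={})

    # SNS: only the Policy attribute is of interest
    if event_name == "SetTopicAttributes" and parameters.get("attributeName", "") == "Policy":
        return parameters.get("attributeValue", {})

    # SecretsManager
    if event_name == "PutResourcePolicy":
        return parameters.get("resourcePolicy", {})

    return {}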
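def rule(event):
    """Alert when an AMI is shared with all AWS accounts (made public).

    Fires on a successful ModifyImageAttribute event whose
    requestParameters.launchPermission.add.items contains an entry with
    group == "all". Returns False otherwise.
    """
    # Only check successful ModifyImageAttribute events
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") != "ModifyImageAttribute":
        return False

    added_perms = deep_get(
        event, "requestParameters", "launchPermission", "add", "items", default=[]
    )

    # Skip entries that are not dicts instead of raising AttributeError on .get
    return any(
        isinstance(item, dict) and item.get("group") == "all"
        for item in added_perms
    )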
def rule(event):
    """Alert on security-configuration changes (SECURITY_CONFIG_ACTIONS) or a GuardDuty detector being disabled.

    An event is suppressed when the session issuer's userName and the
    eventName both match the glob patterns of one entry in ALLOW_LIST.
    """
    if not aws_cloudtrail_success(event):
        return False

    event_name = event.get("eventName")
    issuer_name = deep_get(
        event, "userIdentity", "sessionContext", "sessionIssuer", "userName", default=""
    )

    # Suppress allow-listed (userName, eventName) glob pairs
    for entry in ALLOW_LIST:
        if fnmatch(issuer_name, entry["userName"]) and fnmatch(event_name, entry["eventName"]):
            return False

    # UpdateDetector only matters when it turns the detector off
    if event_name == "UpdateDetector":
        return not deep_get(event, "requestParameters", "enable", default=True)

    return event_name in SECURITY_CONFIG_ACTIONS
def rule(event):
    """Alert when an EC2 volume snapshot or an RDS cluster snapshot is shared publicly."""
    if not aws_cloudtrail_success(event):
        return False

    event_name = event.get("eventName")

    # EC2 Volume snapshot made public
    if event_name == "ModifySnapshotAttribute":
        parameters = event.get("requestParameters", {})
        if parameters.get("attributeType") != "CREATE_VOLUME_PERMISSION":
            return False
        items = deep_get(parameters, "createVolumePermission", "add", "items", default=[])
        # Non-mapping entries are skipped rather than failing on .get
        return any(
            isinstance(item, (Mapping, dict)) and item.get("group") == "all"
            for item in items
        )

    # RDS snapshot made public
    if event_name == "ModifyDBClusterSnapshotAttribute":
        values_to_add = deep_get(event, "requestParameters", "valuesToAdd", default=[])
        return "all" in values_to_add

    return False
def rule(event):
    """Alert on successful CloudTrail trail create/update events (CLOUDTRAIL_CREATE_UPDATE)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CLOUDTRAIL_CREATE_UPDATE
def rule(event):
    """Alert on successful, directly-initiated root-account activity outside EVENT_ALLOW_LIST."""
    if deep_get(event, "userIdentity", "type") != "Root":
        return False
    if not aws_cloudtrail_success(event):
        return False
    # Skip calls made by an AWS service on root's behalf
    if deep_get(event, "userIdentity", "invokedBy") is not None:
        return False
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return event.get("eventName") not in EVENT_ALLOW_LIST
def rule(event):
    """Alert on successful Config service disable/delete events (CONFIG_SERVICE_DISABLE_DELETE_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CONFIG_SERVICE_DISABLE_DELETE_EVENTS
def rule(event):
    """Alert on successful KMS events that can lead to key loss (KMS_LOSS_EVENTS)."""
    is_success = aws_cloudtrail_success(event)
    return is_success and event.get("eventName") in KMS_LOSS_EVENTS
def rule(event):
    """Alert on successful S3 bucket policy change events (S3_POLICY_CHANGE_EVENTS)."""
    if event.get("eventName") not in S3_POLICY_CHANGE_EVENTS:
        return False
    return aws_cloudtrail_success(event)
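def rule(event):
    """Alert on successful S3 bucket deletion events.

    Captures DeleteBucket, DeleteBucketPolicy and DeleteBucketWebsite (any
    eventName starting with "DeleteBucket").
    """
    # Default to "" so an event without eventName is simply out of scope
    # rather than raising AttributeError on None.startswith
    event_name = event.get("eventName", "")
    return event_name.startswith("DeleteBucket") and aws_cloudtrail_success(event)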
def rule(event):
    """Alert on successful events whose eventName is listed in UPDATE_EVENTS."""
    if event.get("eventName") not in UPDATE_EVENTS:
        return False
    return aws_cloudtrail_success(event)
def rule(event):
    """Alert on successful EC2 gateway modification events (EC2_GATEWAY_MODIFIED_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in EC2_GATEWAY_MODIFIED_EVENTS
def rule(event):
    """Alert on successful Config service creation events (CONFIG_SERVICE_CREATE_EVENTS)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CONFIG_SERVICE_CREATE_EVENTS
def rule(event):
    """Alert on successful CloudTrail stop/delete events (CLOUDTRAIL_STOP_DELETE)."""
    if not aws_cloudtrail_success(event):
        return False
    return event.get("eventName") in CLOUDTRAIL_STOP_DELETE