new: added policy ecc-aws-077-sign_in_without_mfa_alarm_exist
anna-shcherbak committed Dec 12, 2023
1 parent caffecf commit 3477e96
Showing 19 changed files with 357 additions and 51 deletions.

This file was deleted.

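--- a/policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml
+++ b/policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml
@@ -0,0 +1,22 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+- name: ecc-aws-077-sign_in_without_mfa_alarm_exist
+comment: '010016012500'
+description: |
+Log metric filter and alarm do not exist for Management Console sign-in without MFA
+resource: aws.account
+filters:
+- type: check-cloudtrail
+multi-region: true
+running: true
+include-management-events: true
+log-metric-filter-pattern:
+type: value
+op: regex
+value: '{ ?\(? ?\$\.eventName ?= ?\"ConsoleLogin\" ?\)? ?&& ?\(? ?\$\.additionalEventData.MFAUsed ?[!]= ?\"Yes\" ?\)?( ?&& ?\(? ?\$\.userIdentity\.type ?= ?\"IAMUser\" ?\)? ?&& ?\(? ?\$.responseElements\.ConsoleLogin ?= ?\"Success\" ?\)?)? ?}'
+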
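Review bot: In the `log-metric-filter-pattern` regex on the last line, the dots in `\$\.additionalEventData.MFAUsed` and `\$.responseElements\.ConsoleLogin` are left unescaped while every neighbouring path separator is escaped, so those two positions match any character and the check is slightly looser than the literal JSON paths the rest of the pattern spells out. Consider `\$\.additionalEventData\.MFAUsed` and `\$\.responseElements\.ConsoleLogin` for consistency. The trailing group `( ?&& ?... ?\)?)?` makes the `IAMUser` and `Success` clauses optional, so a filter that alarms on every `ConsoleLogin` without MFA also satisfies the policy; if that is intended, a comment above `log-metric-filter-pattern` such as `# IAMUser/Success clauses are optional: a broader filter still counts as compliant` would spare the next reader re-deriving it. Indentation is flattened in the rendered view, so nesting under `filters` cannot be verified here.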
21 changes: 8 additions & 13 deletions terraform/ecc-aws-077-sign_in_without_mfa_alarm_exist/green/sns.tf
Expand Up @@ -2,17 +2,12 @@ resource "aws_sns_topic" "this" {
name = "077-sns-green"
}

resource "null_resource" "this" {
provisioner "local-exec" {
command = join(" ", [
"aws sns subscribe",
"--topic-arn ${aws_sns_topic.this.arn}",
"--protocol email",
"--notification-endpoint ${var.test-email}",
"--profile ${var.profile}",
"--region ${var.default-region}"

]
)
}
resource "aws_sqs_queue" "this" {
name = "077-sqs-green"
}

resource "aws_sns_topic_subscription" "this" {
topic_arn = aws_sns_topic.this.arn
protocol = "sqs"
endpoint = aws_sqs_queue.this.arn
}
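Review bot: The new `aws_sqs_queue` resource has no queue policy granting `sns.amazonaws.com` the `sqs:SendMessage` action, so unless one is defined outside this hunk the `aws_sns_topic_subscription` is created and confirmed but the topic cannot actually deliver alarm notifications into the queue, and the subscription count alone will not reveal that. The same change is made in `red1/sns.tf` (the hunk ending at its `aws_sns_topic_subscription`), so the policy is needed there as well. Scoping the policy to this topic via `aws:SourceArn` closes the gap without letting any other principal write to the queue.
```hcl
resource "aws_sqs_queue" "this" {
  name = "077-sqs-green"
}

# Allow only this account's SNS topic to deliver into the queue.
resource "aws_sqs_queue_policy" "this" {
  queue_url = aws_sqs_queue.this.id
  policy    = data.aws_iam_policy_document.sqs.json
}

data "aws_iam_policy_document" "sqs" {
  statement {
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.this.arn]
    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.this.arn]
    }
  }
}

# … unchanged: aws_sns_topic_subscription …
```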
Expand Up @@ -11,6 +11,12 @@ resource "aws_cloudtrail" "this" {
aws_s3_bucket.this,
aws_s3_bucket_policy.this
]
advanced_event_selector {
field_selector {
field = "eventCategory"
equals = ["Management"]
}
}
}

resource "aws_s3_bucket" "this" {
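Review bot: The added `advanced_event_selector` sits inside `resource "aws_cloudtrail" "this"`, whose opening line and remaining arguments are outside this hunk; as far as I recall the AWS provider treats `advanced_event_selector` and `event_selector` as mutually exclusive, so if the resource still carries an `event_selector` block above, the plan will fail rather than merge the two. Selecting only `eventCategory` equal to `Management` records management events of both read and write type, which is what the policy's `include-management-events: true` check looks for. A one-line comment above the block, such as `# management events only; exercised by the ecc-aws-077 check-cloudtrail filter`, would tie the selector to its purpose for whoever maintains the fixture next.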
Expand Up @@ -4,17 +4,16 @@
{
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:GetEventSelectors",
"sns:GetTopicAttributes",
"sns:ListTopics",
"cloudwatch:DescribeAlarms",
"logs:DescribeMetricFilters",
"logs:DescribeLogGroups",
"iam:ListAccountAliases"
"cloudwatch:DescribeAlarmsForMetric",
"sns:GetTopicAttributes"
],
"Resource": "*"
}
]
}
}
21 changes: 8 additions & 13 deletions terraform/ecc-aws-077-sign_in_without_mfa_alarm_exist/red1/sns.tf
Expand Up @@ -2,17 +2,12 @@ resource "aws_sns_topic" "this" {
name = "077-sns-red1"
}

resource "null_resource" "this" {
provisioner "local-exec" {
command = join(" ", [
"aws sns subscribe",
"--topic-arn ${aws_sns_topic.this.arn}",
"--protocol email",
"--notification-endpoint ${var.test-email}",
"--profile ${var.profile}",
"--region ${var.default-region}"

]
)
}
resource "aws_sqs_queue" "this" {
name = "077-sqs-red1"
}

resource "aws_sns_topic_subscription" "this" {
topic_arn = aws_sns_topic.this.arn
protocol = "sqs"
endpoint = aws_sqs_queue.this.arn
}
@@ -0,0 +1,22 @@
{
"status_code": 200,
"data": {
"trailList": [
{
"Name": "c7n-077-cloudtrail-green",
"S3BucketName": "077-bucket-1608649-green",
"IncludeGlobalServiceEvents": true,
"IsMultiRegionTrail": true,
"HomeRegion": "us-east-1",
"TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-077-cloudtrail-green",
"LogFileValidationEnabled": false,
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:077_log_group_green:*",
"CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/077_role_green",
"HasCustomEventSelectors": true,
"HasInsightSelectors": false,
"IsOrganizationTrail": false
}
],
"ResponseMetadata": {}
}
}
@@ -0,0 +1,19 @@
{
"status_code": 200,
"data": {
"TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-077-cloudtrail-green",
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"Field": "eventCategory",
"Equals": [
"Management"
]
}
]
}
],
"ResponseMetadata": {}
}
}
@@ -0,0 +1,43 @@
{
"status_code": 200,
"data": {
"IsLogging": true,
"LatestDeliveryTime": {
"__class__": "datetime",
"year": 2023,
"month": 12,
"day": 12,
"hour": 16,
"minute": 3,
"second": 21,
"microsecond": 764000
},
"StartLoggingTime": {
"__class__": "datetime",
"year": 2023,
"month": 12,
"day": 12,
"hour": 15,
"minute": 9,
"second": 5,
"microsecond": 694000
},
"LatestCloudWatchLogsDeliveryTime": {
"__class__": "datetime",
"year": 2023,
"month": 12,
"day": 12,
"hour": 16,
"minute": 4,
"second": 32,
"microsecond": 266000
},
"LatestDeliveryAttemptTime": "2023-12-12T14:03:21Z",
"LatestNotificationAttemptTime": "",
"LatestNotificationAttemptSucceeded": "",
"LatestDeliveryAttemptSucceeded": "2023-12-12T14:03:21Z",
"TimeLoggingStarted": "2023-12-12T13:09:05Z",
"TimeLoggingStopped": "",
"ResponseMetadata": {}
}
}
@@ -0,0 +1,10 @@
{
"status_code": 200,
"data": {
"AccountAliases": [
"test"
],
"IsTruncated": false,
"ResponseMetadata": {}
}
}
@@ -0,0 +1,22 @@
{
"status_code": 200,
"data": {
"metricFilters": [
{
"filterName": "077_Console_Sign_in_without_MFA_green",
"filterPattern": "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\")}",
"metricTransformations": [
{
"metricName": "077_Console_Sign_in_without_MFA_green",
"metricNamespace": "Console_Sign_in_without_MFA",
"metricValue": "1",
"unit": "None"
}
],
"creationTime": 1702386538672,
"logGroupName": "077_log_group_green"
}
],
"ResponseMetadata": {}
}
}
@@ -0,0 +1,59 @@
{
"status_code": 200,
"data": {
"MetricAlarms": [
{
"AlarmName": "077_Console_Sign_in_without_MFA_green",
"AlarmArn": "arn:aws:cloudwatch:us-east-1:644160558196:alarm:077_Console_Sign_in_without_MFA_green",
"AlarmConfigurationUpdatedTimestamp": {
"__class__": "datetime",
"year": 2023,
"month": 12,
"day": 12,
"hour": 13,
"minute": 8,
"second": 59,
"microsecond": 894000
},
"ActionsEnabled": true,
"OKActions": [],
"AlarmActions": [
"arn:aws:sns:us-east-1:644160558196:077-sns-green"
],
"InsufficientDataActions": [],
"StateValue": "INSUFFICIENT_DATA",
"StateReason": "Unchecked: Initial alarm creation",
"StateUpdatedTimestamp": {
"__class__": "datetime",
"year": 2023,
"month": 12,
"day": 12,
"hour": 13,
"minute": 8,
"second": 59,
"microsecond": 894000
},
"MetricName": "077_Console_Sign_in_without_MFA_green",
"Namespace": "Console_Sign_in_without_MFA",
"Statistic": "Sum",
"Dimensions": [],
"Period": 300,
"EvaluationPeriods": 1,
"Threshold": 1.0,
"ComparisonOperator": "GreaterThanOrEqualToThreshold",
"TreatMissingData": "missing",
"StateTransitionedTimestamp": {
"__class__": "datetime",
"year": 2023,
"month": 12,
"day": 12,
"hour": 13,
"minute": 8,
"second": 59,
"microsecond": 894000
}
}
],
"ResponseMetadata": {}
}
}
@@ -0,0 +1,21 @@
{
"status_code": 200,
"data": {
"Attributes": {
"Policy": "{\"Version\":\"2008-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\"],\"Resource\":\"arn:aws:sns:us-east-1:644160558196:077-sns-green\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"644160558196\"}}}]}",
"LambdaSuccessFeedbackSampleRate": "0",
"Owner": "644160558196",
"SubscriptionsPending": "0",
"TopicArn": "arn:aws:sns:us-east-1:644160558196:077-sns-green",
"EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false,\"defaultRequestPolicy\":{\"headerContentType\":\"text/plain; charset=UTF-8\"}}}",
"FirehoseSuccessFeedbackSampleRate": "0",
"SubscriptionsConfirmed": "1",
"SQSSuccessFeedbackSampleRate": "0",
"HTTPSuccessFeedbackSampleRate": "0",
"ApplicationSuccessFeedbackSampleRate": "0",
"DisplayName": "",
"SubscriptionsDeleted": "0"
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,22 @@
{
"status_code": 200,
"data": {
"trailList": [
{
"Name": "c7n-077-cloudtrail-red1",
"S3BucketName": "077-bucket-416900-red1",
"IncludeGlobalServiceEvents": true,
"IsMultiRegionTrail": false,
"HomeRegion": "us-east-1",
"TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-077-cloudtrail-red1",
"LogFileValidationEnabled": false,
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:077_log_group_red1:*",
"CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/077_role_red1",
"HasCustomEventSelectors": false,
"HasInsightSelectors": false,
"IsOrganizationTrail": false
}
],
"ResponseMetadata": {}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"status_code": 200,
"data": {
"TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-077-cloudtrail-red1",
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"Field": "eventCategory",
"Equals": [
"Management"
]
}
]
}
],
"ResponseMetadata": {}
}
}
