CW and SCP tweaks (#600)
- add KMS SCP protection
- add IAM IP CW Event
- fix CW Event IP ranges and MFA example
Brian969 authored Feb 5, 2021
1 parent f13b7c0 commit 6d6e0d2
Showing 5 changed files with 73 additions and 9 deletions.
20 changes: 18 additions & 2 deletions reference-artifacts/SAMPLE_CONFIGS/config.example.json
Expand Up @@ -281,7 +281,7 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "ConsoleSignInWithoutMfaCount",
"metric-value": "1"
Expand Down Expand Up @@ -341,11 +341,21 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "SSOAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "IAMAuthUnapprovedIPMetric",
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "IAMAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "UnencryptedFilesystemCreatedMetric",
"accounts": ["master"],
Expand Down Expand Up @@ -472,6 +482,12 @@
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
},
{
"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
"metric-name": "IAMAuthUnapprovedIPCount",
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
},
{
"alarm-name": "AWS-Unencrypted-Filesystem-Created",
"metric-name": "UnencryptedFilesystemCreatedCount",
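Review bot: The new IAMAuthUnapprovedIPMetric filter pins `$.userIdentity.type=IAMUser`, and the SSO filter above it is limited to `$.eventSource=sso.amazonaws.com`, so a root-account console sign-in from outside the approved range (CloudTrail records it with a `userIdentity.type` of `Root`) matches neither pattern and raises no alarm unless a separate root-activity alarm exists elsewhere in the file. If that coverage is intended here, widening the type test to `(($.userIdentity.type = \"IAMUser\") || ($.userIdentity.type = \"Root\"))` closes the gap. As a point of style, the new pattern uses bare literals (`ConsoleLogin`, `IAMUser`) while the ConsoleSignInWithoutMfa pattern two hunks up quotes its strings; quoting consistently avoids depending on the filter parser's tolerance for unquoted values. The hard-coded `10.10.10.*` is a sample value, and the reference documentation should say that deployers replace it with their approved ranges and that additional ranges are added as further `&&`-joined `!=` terms, since `||`-joining them matches every address. The same three hunks repeat in config.lite-example.json, config.ultralite-example.json and the third file section, whose header is not shown, and this note applies to all of them.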
20 changes: 18 additions & 2 deletions reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
Expand Up @@ -281,7 +281,7 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "ConsoleSignInWithoutMfaCount",
"metric-value": "1"
Expand Down Expand Up @@ -341,11 +341,21 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "SSOAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "IAMAuthUnapprovedIPMetric",
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "IAMAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "UnencryptedFilesystemCreatedMetric",
"accounts": ["master"],
Expand Down Expand Up @@ -472,6 +482,12 @@
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
},
{
"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
"metric-name": "IAMAuthUnapprovedIPCount",
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
},
{
"alarm-name": "AWS-Unencrypted-Filesystem-Created",
"metric-name": "UnencryptedFilesystemCreatedCount",
Expand Up @@ -285,7 +285,7 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "ConsoleSignInWithoutMfaCount",
"metric-value": "1"
Expand Down Expand Up @@ -345,11 +345,21 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "SSOAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "IAMAuthUnapprovedIPMetric",
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "IAMAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "UnencryptedFilesystemCreatedMetric",
"accounts": ["master"],
Expand Down Expand Up @@ -476,6 +486,12 @@
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
},
{
"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
"metric-name": "IAMAuthUnapprovedIPCount",
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
},
{
"alarm-name": "AWS-Unencrypted-Filesystem-Created",
"metric-name": "UnencryptedFilesystemCreatedCount",
20 changes: 18 additions & 2 deletions reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
Expand Up @@ -260,7 +260,7 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "ConsoleSignInWithoutMfaCount",
"metric-value": "1"
Expand Down Expand Up @@ -320,11 +320,21 @@
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "SSOAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "IAMAuthUnapprovedIPMetric",
"accounts": ["master"],
"regions": ["ca-central-1"],
"loggroup-name": "/PBMMAccel/CloudTrail",
"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
"metric-namespace": "CloudTrailMetrics",
"metric-name": "IAMAuthUnapprovedIPCount",
"metric-value": "1"
},
{
"filter-name": "UnencryptedFilesystemCreatedMetric",
"accounts": ["master"],
Expand Down Expand Up @@ -451,6 +461,12 @@
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
},
{
"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
"metric-name": "IAMAuthUnapprovedIPCount",
"sns-alert-level": "High",
"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
},
{
"alarm-name": "AWS-Unencrypted-Filesystem-Created",
"metric-name": "UnencryptedFilesystemCreatedCount",
2 changes: 1 addition & 1 deletion reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
Expand Up @@ -103,7 +103,7 @@
},
{
"Effect": "Deny",
"Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy"],
"Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"],
"Resource": "arn:aws:kms:::alias/PBMMAccel*",
"Condition": {
"ArnNotLike": {
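Review bot: The added `kms:ScheduleKeyDeletion` is authorized against the key resource rather than the alias, so with `"Resource": "arn:aws:kms:::alias/PBMMAccel*"` on the following line the new action (like the existing `kms:DisableKey`, `kms:ImportKeyMaterial` and `kms:PutKeyPolicy`) is unlikely to be denied for any real request, because an alias-scoped ARN only matches alias operations; please verify against the KMS action/resource table before relying on this guardrail. To protect the keys themselves, scope the statement to `"Resource": "arn:aws:kms:*:*:key/*"` and select the accelerator keys through the alias condition key, e.g. `"ForAnyValue:StringLike": { "kms:ResourceAliases": "alias/PBMMAccel*" }` inside the existing `Condition`. The alias ARN as written also has empty region and account fields, whereas KMS alias ARNs carry both, which may need checking as well. The statement's `Condition` block continues past the end of the hunk.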
