From 6d6e0d24a5dede2a1668a3e9df76b2b252a7454d Mon Sep 17 00:00:00 2001
From: Brian969 <56414362+Brian969@users.noreply.github.com>
Date: Thu, 4 Feb 2021 22:53:11 -0500
Subject: [PATCH] CW and SCP tweaks (#600)

- add KMS SCP protection
- add IAM IP CW Event
- fix CW Event IP ranges and MFA example
---
 .../SAMPLE_CONFIGS/config.example.json | 20 +++++++++++++++++--
 .../SAMPLE_CONFIGS/config.lite-example.json | 20 +++++++++++++++++--
 .../config.multi-region-example.json | 20 +++++++++++++++++--
 .../config.ultralite-example.json | 20 +++++++++++++++++--
 .../SCPs/PBMMAccel-Guardrails-Part2.json | 2 +-
 5 files changed, 73 insertions(+), 9 deletions(-)

diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.example.json b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
index 91b86a07a..cddba03e1 100644
--- a/reference-artifacts/SAMPLE_CONFIGS/config.example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
@@ -281,7 +281,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+ "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
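Review bot: The new `($.userIdentity.type != \"AssumedRole\")` term keeps role sessions out of `ConsoleSignInWithoutMfaCount`, but the pattern still has no outcome check, so failed sign-in attempts (CloudTrail ConsoleLogin events carry `responseElements.ConsoleLogin` as `Success` or `Failure`, and `additionalEventData.MFAUsed` on both) are counted alongside successful ones. If the metric is meant to track actual non-MFA sessions, append `&& ($.responseElements.ConsoleLogin = \"Success\")`, which is also the shape of the widely used CIS Foundations filter for this control; if counting attempts is intended, the alarm description should say so. Root and `FederatedUser` sign-ins remain in scope, which looks deliberate. A minor style point: this pattern quotes its literals while the new IAM pattern in the next hunk writes `ConsoleLogin` and `IAMUser` unquoted — both parse, but one convention per file reads better. The enclosing metric-filter object (its `filter-name` line) starts outside the hunk; the same comment applies to the identical hunks in config.lite-example.json, config.multi-region-example.json and config.ultralite-example.json.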
@@ -341,11 +341,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+ "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+ {
+ "filter-name": "IAMAuthUnapprovedIPMetric",
+ "accounts": ["master"],
+ "regions": ["ca-central-1"],
+ "loggroup-name": "/PBMMAccel/CloudTrail",
+ "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+ "metric-namespace": "CloudTrailMetrics",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "metric-value": "1"
+ },
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -472,6 +482,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+ {
+ "alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "sns-alert-level": "High",
+ "alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+ },
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
index 90cf5dabe..2e5a01ea0 100644
--- a/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
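Review bot: The rewritten SSO pattern and the new `IAMAuthUnapprovedIPMetric` pattern each allow exactly one range, `10.10.10.*`, and nothing in the sample tells a deployer how to add a second one; the removed `||` form shows why that matters, since `(ip != A) || (ip != B)` is true for every address (any address fails at least one of the two comparisons) and so fired on every SSO authentication. The correct multi-range form is a conjunction of negations, `&& ($.sourceIPAddress != 10.10.10.*) && ($.sourceIPAddress != <second-approved-range>)`, and because the sample JSON cannot carry a comment, I would record that rule next to the sample configs in the documentation that accompanies them. The new IAM filter is restricted to `$.userIdentity.type=IAMUser`, so a root console login from an unapproved address is not counted by it; that is fine if root sign-ins are alarmed elsewhere in this config, which I cannot see from the hunk. The same applies to the matching hunks in config.lite-example.json, config.multi-region-example.json and config.ultralite-example.json.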
@@ -281,7 +281,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+ "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -341,11 +341,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+ "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+ {
+ "filter-name": "IAMAuthUnapprovedIPMetric",
+ "accounts": ["master"],
+ "regions": ["ca-central-1"],
+ "loggroup-name": "/PBMMAccel/CloudTrail",
+ "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+ "metric-namespace": "CloudTrailMetrics",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "metric-value": "1"
+ },
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -472,6 +482,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+ {
+ "alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "sns-alert-level": "High",
+ "alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+ },
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
index 22f4e3d1f..74ce82266 100644
--- a/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
@@ -285,7 +285,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+ "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -345,11 +345,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+ "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+ {
+ "filter-name": "IAMAuthUnapprovedIPMetric",
+ "accounts": ["master"],
+ "regions": ["ca-central-1"],
+ "loggroup-name": "/PBMMAccel/CloudTrail",
+ "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+ "metric-namespace": "CloudTrailMetrics",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "metric-value": "1"
+ },
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -476,6 +486,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+ {
+ "alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "sns-alert-level": "High",
+ "alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+ },
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
index c1b5d6ef5..e8f288ca1 100644
--- a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
@@ -260,7 +260,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+ "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -320,11 +320,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
- "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+ "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+ {
+ "filter-name": "IAMAuthUnapprovedIPMetric",
+ "accounts": ["master"],
+ "regions": ["ca-central-1"],
+ "loggroup-name": "/PBMMAccel/CloudTrail",
+ "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+ "metric-namespace": "CloudTrailMetrics",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "metric-value": "1"
+ },
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -451,6 +461,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+ {
+ "alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+ "metric-name": "IAMAuthUnapprovedIPCount",
+ "sns-alert-level": "High",
+ "alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+ },
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
index bfbb23729..e412d5821 100644
--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
@@ -103,7 +103,7 @@
 },
 {
 "Effect": "Deny",
- "Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy"],
+ "Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"],
 "Resource": "arn:aws:kms:::alias/PBMMAccel*",
 "Condition": {
 "ArnNotLike": {
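Review bot: The added `kms:ScheduleKeyDeletion` is authorized against the key ARN (`arn:aws:kms:<region>:<account>:key/<key-id>`), as are the `kms:DisableKey`, `kms:ImportKeyMaterial` and `kms:PutKeyPolicy` actions already in this statement, so a Deny whose only Resource is the alias ARN `arn:aws:kms:::alias/PBMMAccel*` does not match those calls and the protection the commit message describes is not enforced for them; only `kms:DeleteAlias` and `kms:UpdateAlias` are resource-matched by an alias ARN. Denying the key-level actions for keys reachable through a PBMMAccel alias needs a second statement scoped to key ARNs and conditioned on `kms:ResourceAliases` (a multi-valued key, hence `ForAnyValue:`), carrying over the same `ArnNotLike` principal exemption, whose block continues outside the hunk. Separately, I believe IAM compares the empty region and account fields of `arn:aws:kms:::alias/...` literally rather than as wildcards, so `arn:aws:kms:*:*:alias/PBMMAccel*` is the form that matches real alias ARNs; worth confirming in the policy simulator before relying on either statement. In the sketch below the `ArnNotLike` value is a placeholder to be copied from the existing statement.

```json
{
  "Effect": "Deny",
  "Action": ["kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"],
  "Resource": "arn:aws:kms:*:*:key/*",
  "Condition": {
    "ForAnyValue:StringLike": { "kms:ResourceAliases": "alias/PBMMAccel*" },
    "ArnNotLike": { "aws:PrincipalARN": "<PLACEHOLDER: same exempt principal ARN(s) as the existing statement>" }
  }
}
```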