-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #25 from cloudgraphdev/feature/CG-1109
feat: Included 3.x rules for aws cis 1.4.0
- Loading branch information
Showing
18 changed files
with
1,740 additions
and
38 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| // AWS CIS 1.2.0 Rule equivalent 2.1 | ||
| export default { | ||
| id: 'aws-cis-1.4.0-3.1', | ||
| title: 'AWS CIS 3.1 Ensure CloudTrail is enabled in all regions', | ||
| description: `AWS CloudTrail is a web service that records AWS API calls for your account and delivers | ||
| log files to you. The recorded information includes the identity of the API caller, the time of | ||
| the API call, the source IP address of the API caller, the request parameters, and the | ||
| response elements returned by the AWS service. CloudTrail provides a history of AWS API | ||
| calls for an account, including API calls made via the Management Console, SDKs, command | ||
| line tools, and higher-level AWS services (such as CloudFormation).`, | ||
| audit: `Perform the following to determine if CloudTrail is enabled for all regions: | ||
| Via the management Console | ||
| 1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail | ||
| 2. Click on *Trails* on the left navigation pane | ||
| - You will be presented with a list of trails across all regions | ||
| 3. Ensure at least one Trail has *All* specified in the *Region* column | ||
| 4. Click on a trail via the link in the *Name* column | ||
| 5. Ensure *Logging* is set to *ON* | ||
| 6. Ensure *Apply trail to all regions* is set to *Yes* | ||
| 7. In section *Management Events* ensure *Read/Write Events* set to *ALL* | ||
| Via CLI | ||
| aws cloudtrail describe-trails | ||
| Ensure *IsMultiRegionTrail* is set to *true* | ||
| aws cloudtrail get-trail-status --name <trailname shown in describe-trails> | ||
| Ensure *IsLogging* is set to *true* | ||
| aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> | ||
| Ensure there is at least one Event Selector for a Trail with *IncludeManagementEvents* set to *true* and *ReadWriteType* set to *All*`, | ||
| rationale: `The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally, | ||
| - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected | ||
| - ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services | ||
| - for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account`, | ||
| remediation: `Perform the following to enable global (Multi-region) CloudTrail logging: | ||
| Via the management Console | ||
| 1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail | ||
| 2. Click on *Trails* on the left navigation pane | ||
| 3. Click *Get Started Now*, if presented | ||
| - Click *Add new trail* | ||
| - Enter a trail name in the *Trail* name box | ||
| - Set the *Apply trail to all regions* option to Yes | ||
| - Specify an S3 bucket name in the *S3 bucket* box | ||
| - Click *Create* | ||
| 4. If 1 or more trails already exist, select the target trail to enable for global logging | ||
| 5. Click the edit icon (pencil) next to *Apply trail to all regions* , Click *Yes* and Click *Save*. | ||
| 6. Click the edit icon (pencil) next to *Management Events* click All for setting Read/Write Events and Click *Save*. | ||
| Via CLI | ||
| aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail | ||
| aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail | ||
| Note: Creating CloudTrail via CLI without providing any overriding options configures *Management Events* to set *All* type of *Read/Writes* by default.`, | ||
| references: [ | ||
| 'CCE-78913-1', | ||
| 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events', | ||
| 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events', | ||
| 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events', | ||
| ], | ||
| gql: `{ | ||
| queryawsAccount { | ||
| id | ||
| __typename | ||
| cloudtrail { | ||
| isMultiRegionTrail | ||
| status { | ||
| isLogging | ||
| } | ||
| eventSelectors { | ||
| readWriteType | ||
| includeManagementEvents | ||
| } | ||
| } | ||
| } | ||
| }`, | ||
| resource: 'queryawsAccount[*]', | ||
| severity: 'medium', | ||
| conditions: { | ||
| path: '@.cloudtrail', | ||
| array_any: { | ||
| and: [ | ||
| { | ||
| path: '[*].isMultiRegionTrail', | ||
| equal: 'Yes', | ||
| }, | ||
| { | ||
| path: '[*].status.isLogging', | ||
| equal: true, | ||
| }, | ||
| { | ||
| path: '[*].eventSelectors', | ||
| array_any: { | ||
| and: [ | ||
| { path: '[*].readWriteType', equal: 'All' }, | ||
| { | ||
| path: '[*].includeManagementEvents', | ||
| equal: true, | ||
| }, | ||
| ], | ||
| }, | ||
| }, | ||
| ], | ||
| }, | ||
| }, | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| // NIST 800-53 rev4 Rule equivalent 6.13 | ||
| export default { | ||
| id: 'aws-cis-1.4.0-3.10', | ||
| title: 'AWS CIS 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket', | ||
|
|
||
| description: 'S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don\'t log data events and so it is recommended to enable Object-level logging for S3 buckets.', | ||
|
|
||
| audit: `**From Console:** | ||
| 1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ | ||
| 2. In the left navigation panel, click *buckets* and then click on the S3 Bucket Name that you want to examine. | ||
| 3. Click *Properties* tab to see in detail bucket configuration. | ||
| 4. If the current status for *Object-level* logging is set to Disabled, then object-level logging of write events for the selected s3 bucket is not set. | ||
| 5. Repeat steps 2 to 4 to verify object level logging status of other S3 buckets. | ||
| **From Command Line:** | ||
| 1. Run *list-trails* command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: | ||
| aws cloudtrail list-trails --region <region-name> --query Trails[*].Name | ||
| 2. The command output will be a list of the requested trail names. | ||
| 3. Run *get-event-selectors* command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3bucket resources: | ||
| aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[] | ||
| 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. | ||
| 5. If the *get-event-selectors* command returns an empty array '[]', the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. | ||
| 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. | ||
| 7. Change the AWS region by updating the *--region* command parameter and perform the audit process for other regions.`, | ||
|
|
||
| rationale: 'Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.', | ||
|
|
||
| remediation: `**From Console:** | ||
| 1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ | ||
| 2. In the left navigation panel, click *buckets* and then click on the S3 Bucket Name that you want to examine. | ||
| 3. Click *Properties* tab to see in detail bucket configuration. | ||
| 4. Click on the *Object-level* logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link https://console.aws.amazon.com/cloudtrail/ | ||
| 5. Once the Cloudtrail is selected, check the *Write* event checkbox, so that *object-level* logging for Write events is enabled. | ||
| 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets. | ||
| **From Command Line:** | ||
| 1. To enable *object-level* data events logging for S3 buckets within your AWS account, run *put-event-selectors* command using the name of the trail that you want to reconfigure as identifier: | ||
| aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]' | ||
| 2. The command output will be *object-level* event trail configuration. | ||
| 3. If you want to enable it for all buckets at once then change Values parameter to *["arn:aws:s3"]* in command given above. | ||
| 4. Repeat step 1 for each s3 bucket to update *object-level* logging of write events. | ||
| 5. Change the AWS region by updating the *--region* command parameter and perform the process for other regions.`, | ||
|
|
||
| references: ['https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html'], | ||
| gql: `{ | ||
| queryawsAccount { | ||
| id | ||
| __typename | ||
| cloudtrail { | ||
| eventSelectors { | ||
| readWriteType | ||
| dataResources { | ||
| type | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }`, | ||
| resource: 'queryawsAccount[*]', | ||
| severity: 'high', | ||
| conditions: { | ||
| path: '@.cloudtrail', | ||
| array_any: { | ||
| path: '[*].eventSelectors', | ||
| array_any: { | ||
| and: [ | ||
| { | ||
| path: '[*].includeManagementEvents', | ||
| equal: true, | ||
| }, | ||
| { | ||
| path: '[*].readWriteType', | ||
| in: ['WriteOnly', 'All'], | ||
| }, | ||
| { | ||
| path: '[*].dataResources', | ||
| isEmpty: false, | ||
| }, | ||
| ], | ||
| }, | ||
| } | ||
| }, | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| // NIST 800-53 rev4 Rule equivalent 6.12 | ||
| export default { | ||
| id: 'aws-cis-1.4.0-3.11', | ||
| title: 'AWS CIS 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket', | ||
|
|
||
| description: 'S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don\'t log data events and so it is recommended to enable Object-level logging for S3 buckets.', | ||
|
|
||
| audit: `**From Console:** | ||
| 1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ | ||
| 2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine. | ||
| 3. Click *Properties* tab to see in detail bucket configuration. | ||
| 4. If the current status for *Object-level* logging is set to *Disabled*, then object-level logging of read events for the selected s3 bucket is not set. | ||
| 5. If the current status for *Object-level* logging is set to *Enabled*, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. | ||
| 6. Repeat steps 2 to 5 to verify *object-level* logging for *read* events of your other S3 buckets. | ||
| **From Command Line:** | ||
| 1. Run *describe-trails* command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: | ||
| aws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name | ||
| 2. The command output will be table of the requested trail names. | ||
| 3. Run *get-event-selectors* command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: | ||
| aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[] | ||
| 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. | ||
| 5. If the *get-event-selectors* command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. | ||
| 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. | ||
| 7. Change the AWS region by updating the *--region* command parameter and perform the audit process for other regions.`, | ||
|
|
||
| rationale: 'Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.', | ||
|
|
||
| remediation: `**From Console:** | ||
| 1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ | ||
| 2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine. | ||
| 3. Click *Properties* tab to see in detail bucket configuration. | ||
| 4. Click on the *Object-level* logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link https://console.aws.amazon.com/cloudtrail/ | ||
| 5. Once the Cloudtrail is selected, check the Read event checkbox, so that *object-level* logging for *Read* events is enabled. | ||
| 6. Repeat steps 2 to 5 to enable *object-level* logging of read events for other S3 buckets. | ||
| **From Command Line:** | ||
| 1. To enable object-level data events logging for S3 buckets within your AWS account, run put-event-selectors command using the name of the trail that you want to reconfigure as identifier: | ||
| aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]' | ||
| 2. The command output will be *object-level* event trail configuration. | ||
| 3. If you want to enable it for all buckets at ones then change Values parameter to *["arn:aws:s3"]* in command given above. | ||
| 4. Repeat step 1 for each s3 bucket to update *object-level* logging of read events. | ||
| 5. Change the AWS region by updating the *--region* command parameter and perform the process for other regions.`, | ||
|
|
||
| references: ['https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html'], | ||
| gql: `{ | ||
| queryawsAccount { | ||
| id | ||
| __typename | ||
| cloudtrail { | ||
| eventSelectors { | ||
| readWriteType | ||
| dataResources { | ||
| type | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }`, | ||
| resource: 'queryawsAccount[*]', | ||
| severity: 'high', | ||
| conditions: { | ||
| path: '@.cloudtrail', | ||
| array_any: { | ||
| path: '[*].eventSelectors', | ||
| array_any: { | ||
| and: [ | ||
| { | ||
| path: '[*].includeManagementEvents', | ||
| equal: true, | ||
| }, | ||
| { | ||
| path: '[*].readWriteType', | ||
| in: ['ReadOnly', 'All'], | ||
| }, | ||
| { | ||
| path: '[*].dataResources', | ||
| isEmpty: false, | ||
| }, | ||
| ], | ||
| }, | ||
| } | ||
| }, | ||
| } |
Oops, something went wrong.