feat: Included 7.x rules for aws nist 800-53 rev4
m-pizarro committed Apr 26, 2022
1 parent ca64ba2 commit bfc130c
Showing 16 changed files with 3,172 additions and 30 deletions.
73 changes: 43 additions & 30 deletions src/aws/nist-800-53-rev4/README.md
@@ -56,33 +56,46 @@ Policy Pack based on the [800-53 Rev. 4](https://csrc.nist.gov/publications/deta

## Available Ruleset

| Rule | Description |
| ------------ | -------------------------------------------------------------------------------------------------------- |
| AWS NIS 1.1 | IAM role trust policies should not allow all principals to assume the role |
| AWS NIS 1.2 | IAM roles attached to instance profiles should not allow broad list actions on S3 buckets |
| AWS NIS 1.3 | S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files |
| AWS NIS 2.1 | Auto Scaling groups should span two or more availability zones |
| AWS NIS 2.2 | ELBv1 load balancer cross zone load balancing should be enabled |
| AWS NIS 2.3 | RDS Aurora cluster multi-AZ should be enabled |
| AWS NIS 2.4 | Require Multi Availability Zones turned on for RDS Instances |
| AWS NIS 2.5 | S3 bucket replication (cross-region or same-region) should be enabled |
| AWS NIS 3.1 | CloudTrail log files should be encrypted with customer managed KMS keys |
| AWS NIS 3.2 | CloudWatch log groups should be encrypted with customer managed KMS keys |
| AWS NIS 3.3 | DynamoDB tables should be encrypted with AWS or customer managed KMS keys |
| AWS NIS 3.4 | EBS volume encryption should be enabled |
| AWS NIS 3.5 | RDS instances should be encrypted |
| AWS NIS 3.6 | S3 bucket server-side encryption should be enabled |
| AWS NIS 3.7 | SQS queue server-side encryption should be enabled with KMS keys |
| AWS NIS 4.1 | CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only |
| AWS NIS 4.2 | CloudFront viewer protocol policy should be set to https-only or redirect-to-https |
| AWS NIS 4.3 | ElastiCache transport encryption should be enabled |
| AWS NIS 4.4 | ELBv1 listener protocol should not be set to http |
| AWS NIS 4.5 | S3 bucket policies should only allow requests that use HTTPS |
| AWS NIS 4.6 | SNS subscriptions should deny access via HTTP |
| AWS NIS 6.1 | CloudFront access logging should be enabled |
| AWS NIS 6.4 | CloudTrail should have at least one CloudTrail trail set to a multi-region trail |
| AWS NIS 6.6 | CloudTrail trails should be configured to log management events |
| AWS NIS 6.8 | Exactly one CloudTrail trail should monitor global services |
| AWS NIS 6.9 | Load balancer access logging should be enabled |
| AWS NIS 6.12 | S3 bucket object-level logging for read events should be enabled |
| AWS NIS 6.13 | S3 bucket object-level logging for write events should be enabled |
| Rule | Description |
| ------------- | ---------------------------------------------------------------------------------------------------------------- |
| AWS NIST 1.1 | IAM role trust policies should not allow all principals to assume the role |
| AWS NIST 1.2 | IAM roles attached to instance profiles should not allow broad list actions on S3 buckets |
| AWS NIST 1.3 | S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files |
| AWS NIST 2.1 | Auto Scaling groups should span two or more availability zones |
| AWS NIST 2.2 | ELBv1 load balancer cross zone load balancing should be enabled |
| AWS NIST 2.3 | RDS Aurora cluster multi-AZ should be enabled |
| AWS NIST 2.4 | Require Multi Availability Zones turned on for RDS Instances |
| AWS NIST 2.5 | S3 bucket replication (cross-region or same-region) should be enabled |
| AWS NIST 3.1 | CloudTrail log files should be encrypted with customer managed KMS keys |
| AWS NIST 3.2 | CloudWatch log groups should be encrypted with customer managed KMS keys |
| AWS NIST 3.3 | DynamoDB tables should be encrypted with AWS or customer managed KMS keys |
| AWS NIST 3.4 | EBS volume encryption should be enabled |
| AWS NIST 3.5 | RDS instances should be encrypted |
| AWS NIST 3.6 | S3 bucket server-side encryption should be enabled |
| AWS NIST 3.7 | SQS queue server-side encryption should be enabled with KMS keys |
| AWS NIST 4.1 | CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only |
| AWS NIST 4.2 | CloudFront viewer protocol policy should be set to https-only or redirect-to-https |
| AWS NIST 4.3 | ElastiCache transport encryption should be enabled |
| AWS NIST 4.4 | ELBv1 listener protocol should not be set to http |
| AWS NIST 4.5 | S3 bucket policies should only allow requests that use HTTPS |
| AWS NIST 4.6 | SNS subscriptions should deny access via HTTP |
| AWS NIST 6.1 | CloudFront access logging should be enabled |
| AWS NIST 6.4 | CloudTrail should have at least one CloudTrail trail set to a multi-region trail |
| AWS NIST 6.6 | CloudTrail trails should be configured to log management events |
| AWS NIST 6.8 | Exactly one CloudTrail trail should monitor global services |
| AWS NIST 6.9 | Load balancer access logging should be enabled |
| AWS NIST 6.12 | S3 bucket object-level logging for read events should be enabled |
| AWS NIST 6.13 | S3 bucket object-level logging for write events should be enabled |
| AWS NIST 7.1 | Alarm for denied connections in CloudFront logs should be configured |
| AWS NIST 7.3 | CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account |
| AWS NIST 7.3 | CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured |
| AWS NIST 7.4 | CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured |
| AWS NIST 7.5 | CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured |
| AWS NIST 7.7 | CloudWatch log metric filter and alarm for IAM policy changes should be configured |
| AWS NIST 7.8 | CloudWatch log metric filter and alarm for Management Console authentication failures should be configured |
| AWS NIST 7.9 | CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured |
| AWS NIST 7.10 | CloudWatch log metric filter and alarm for unauthorized API calls should be configured |
| AWS NIST 7.11 | CloudWatch log metric filter and alarm for usage of root account should be configured |
| AWS NIST 7.12 | CloudWatch log metric filter and alarm for VPC changes should be configured |
| AWS NIST 7.13 | CloudWatch log metric filter and alarm for VPC route table changes should be configured |
| AWS NIST 7.14 | CloudWatch log metric filter and alarm for VPC security group changes should be configured |
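Review bot: two rows in the new 7.x block carry the same identifier, `AWS NIST 7.3` (the "AWS Organizations changes" row and the "changes to VPC NACLs" row), while 7.2 and 7.6 do not appear at all; one of the two is presumably mis-numbered, so check which id the corresponding rule file sets in its `id` field and make the table agree with it, since the rule id is what readers and tooling key on. The rename of every row from `AWS NIS` to `AWS NIST` is the right fix for the old typo.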
62 changes: 62 additions & 0 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-7.1.ts
@@ -0,0 +1,62 @@
export default {
id: 'aws-nist-800-53-rev4-7.1',
title: 'AWS NIST 7.1 Alarm for denied connections in CloudFront logs should be configured',

description: 'Alarms should be configured to alert users to denied connections to CloudFront distributions so users can investigate anomalous traffic.',

audit: '',

rationale: '',

remediation: `**Console Remediation Steps**
- Navigate to [CloudFront](https://console.aws.amazon.com/cloudfront).
- Under Reports & analytics, select Alarms.
- Click Create Alarm.
- In the Metric drop-down, select 4xx Error Rate.
- In the Distribution drop-down, select your distribution.
- In the Name of alarm field, provide a name for your alarm.
- Determine if you wish to send a notification to an SNS topic and select the topic in the drop down menu.
- Use the Whenever Sum of Requests drop down and text box to set your threshold.
- Use the For at least text box and consecutive period(s) of drop-down to set your period.
- Click Create Alarm.
- Note you may also use [CloudWatch](https://console.aws.amazon.com/cloudwatch) to create alarms.
**CLI Remediation Steps**
Create a CloudWatch alarm to trigger on HTTP 4xx error codes to alert when client behavior is outside your expectations.
aws cloudwatch put-metric-alarm --alarm-name <name> --evaluation-periods <number-of-samples> --comparison-operator <comparison-operator> --metric-name 4xxErrorRate --namespace "AWS/CloudFront" --period <evaluated-every-x> --threshold <your-expectation> --statistic <aggregated-by> --unit <unit-of-measure>
Similarly, create a CloudWatch alarm to trigger on HTTP 5xx error codes when your system internal errors are outside your expectations.
aws cloudwatch put-metric-alarm --alarm-name <name> --evaluation-periods <number-of-samples> --comparison-operator <comparison-operator> --metric-name 5xxErrorRate --namespace "AWS/CloudFront" --period <evaluated-every-x> --threshold <your-expectation> --statistic <aggregated-by> --unit <unit-of-measure>`,

references: [
'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html',
'https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/put-metric-alarm.html',
],
gql: `{
queryawsCloudfront {
id
arn
accountId
__typename
cloudwatches {
metric
}
}
}`,
resource: 'queryawsCloudfront[*]',
severity: 'medium',
conditions: {
jq: '.cloudwatches | map(select(.metric == "4xxErrorRate" or .metric == "5xxErrorRate")) | { "twoOrMore" : (length >= 2) }',
path: '@',
and: [
{
path: '@.twoOrMore',
equal: true,
},
],
}
}
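Review bot: the `jq` condition `map(select(.metric == "4xxErrorRate" or .metric == "5xxErrorRate")) | { "twoOrMore" : (length >= 2) }` counts matching alarms instead of checking that each metric is covered, so a distribution with two 4xxErrorRate alarms and no 5xxErrorRate alarm passes even though the remediation text asks for one alarm on each metric; `{ "both": (any(.[]; .metric == "4xxErrorRate") and any(.[]; .metric == "5xxErrorRate")) }` with the condition path changed to `@.both` expresses the stated intent. Also `audit` and `rationale` are empty strings here while the other rule files in this commit fill them in; the audit should at least say to list the distribution's CloudWatch alarms and confirm both metrics are present, and the rationale can restate the description's point about investigating anomalous traffic.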
176 changes: 176 additions & 0 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-7.10.ts
@@ -0,0 +1,176 @@
// AWS CIS 1.2.0 Rule equivalent 3.1
export default {
id: 'aws-nist-800-53-rev4-7.10',
title: 'AWS NIST 7.10 CloudWatch log metric filter and alarm for unauthorized API calls should be configured',

description: `Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to
CloudWatch Logs and establishing corresponding metric filters and alarms. It is
recommended that a metric filter and alarm be established for unauthorized API calls.`,

audit: `Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:
1. Identify the log group name configured for use with active multi-region CloudTrail:
- List all CloudTrails: *aws cloudtrail describe-trails*
- Identify Multi region Cloudtrails: *Trails with "IsMultiRegionTrail" set to true*
- From value associated with CloudWatchLogsLogGroupArn note *<cloudtrail_log_group_name>*
Example: for CloudWatchLogsLogGroupArn that looks like *arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name>* would be *NewGroup*
- Ensure Identified Multi region CloudTrail is active
*aws cloudtrail get-trail-status --name <Name_of_a_Multi-region_CloudTrail>* ensure *IsLogging* is set to *TRUE*
- Ensure identified Multi-region Cloudtrail captures all Management Events
*aws cloudtrail get-event-selectors --trail-name <trailname_shown_in_describe-trails>*
Ensure there is at least one Event Selector for a Trail with *IncludeManagementEvents* set to *true* and *ReadWriteType* set to *All*
2. Get a list of all associated metric filters for this *<cloudtrail_log_group_name>*:
aws logs describe-metric-filters --log-group-name "<cloudtrail_log_group_name>"
3. Ensure the output from the above command contains the following:
"filterPattern": "{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"
4. Note the *<unauthorized_api_calls_metric>* value associated with the filterPattern found in step 3.
5. Get a list of CloudWatch alarms and filter on the *<unauthorized_api_calls_metric>* captured in step 4.
aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== "<unauthorized_api_calls_metric>"]'
6. Note the *AlarmActions* value - this will provide the SNS topic ARN value.
7. Ensure there is at least one active subscriber to the SNS topic
aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
at least one subscription should have "SubscriptionArn" with valid aws ARN.
Example of valid "SubscriptionArn": "arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>"`,

rationale: 'Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.',

remediation: `Perform the following to setup the metric filter, alarm, SNS topic, and subscription:
1. Create a metric filter based on the filter pattern provided which checks for unauthorized API calls and the *<cloudtrail_log_group_name>* taken from audit step 1.
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> -- filter-name "<unauthorized_api_calls_metric>" --metric-transformations metricName= "<unauthorized_api_calls_metric>",metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify
aws sns create-topic --name <sns_topic_name>
**Note** : you can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> -- notification-endpoint <sns_subscription_endpoints>
**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2
aws cloudwatch put-metric-alarm --alarm-name "<unauthorized_api_calls_alarm>" --metric-name "<unauthorized_api_calls_metric>" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 -- namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>`,
references: [
'https://aws.amazon.com/sns/',
'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html',
'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html',
'https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html',
],
gql: `{
queryawsAccount {
id
__typename
cloudtrail {
isMultiRegionTrail
status {
isLogging
}
eventSelectors {
id
readWriteType
includeManagementEvents
}
cloudwatchLog {
arn
metricFilters {
id
filterName
filterPattern
metricTransformations {
metricName
}
}
cloudwatch {
metric
arn
actions
sns {
arn
subscriptions {
arn
}
}
}
}
}
}
}`,
resource: 'queryawsAccount[*]',
severity: 'medium',
conditions: {
path: '@.cloudtrail',
array_any: {
and: [
{
path: '[*].isMultiRegionTrail',
equal: 'Yes',
},
{
path: '[*].status.isLogging',
equal: true,
},
{
path: '[*].eventSelectors',
array_any: {
and: [
{ path: '[*].readWriteType', equal: 'All' },
{
path: '[*].includeManagementEvents',
equal: true,
},
],
},
},
{
path: '[*].cloudwatchLog',
jq: '[.[].metricFilters[] + .[].cloudwatch[] | select(.metricTransformations[].metricName == .metric)]',
array_any: {
and: [
{
path: '[*].filterPattern',
match: /(\$.errorCode)\s*=\s*"UnauthorizedOperation"/,
},
{
path: '[*].filterPattern',
match: /(\$.errorCode)\s*=\s*"AccessDenied"/,
},
{
path: '[*].sns',
array_any: {
path: '[*].subscriptions',
array_any: {
path: '[*].arn',
match: /^arn:aws:.*$/,
},
},
},
],
},
},
],
},
},
}
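Review bot: the two `match` regexes on `filterPattern`, `/(\$.errorCode)\s*=\s*"UnauthorizedOperation"/` and `/(\$.errorCode)\s*=\s*"AccessDenied"/`, require the bare quoted literals, but the filter pattern this rule itself prescribes in `audit` step 3 and `remediation` step 1 is `{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }`, with a leading `*` on one value and a trailing `*` on the other; a log group configured exactly as instructed therefore fails the check. Allow the wildcards (for example `"\*?UnauthorizedOperation"` and `"AccessDenied\*?"`) or match the value without the surrounding quotes. Separately, the CLI commands in the remediation text carry stray spaces inside flags copied from the benchmark PDF (`-- filter-name`, `metricName= "`, `-- notification-endpoint`, `-- namespace`), which break the commands as written; they should read `--filter-name`, `metricName="`, `--notification-endpoint` and `--namespace`.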