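<dashboard version="1.1" theme="light">
  <!--
    k9 Security - AWS Access Review

    Daily review of the k9 Security access-analysis exports ingested into the
    k9_security index (principal-access-summaries, principals,
    resource-access-summaries and resources CSVs).

    Conventions applied to every panel:

    * Account filtering uses the |s token filter plus string concatenation,
        like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
      instead of splicing $aws_account_id$ into the middle of a quoted
      like-pattern. Dashboard tokens can be supplied from the URL
      (?form.aws_account_id=...), so an unfiltered value containing a double
      quote could close the pattern and append further SPL. The search still
      runs as the viewing user, so this is hardening against a crafted link
      changing what a panel reports, not a privilege boundary.
    * "All Accounts" sets the token to the empty string, which produces the
      prefix arn:aws:iam::% and therefore matches every account.
    * sort is always written as "sort 0 ...": without the 0, sort silently
      keeps only the first 10,000 results, a limit the KMS and S3
      access-summary panels can exceed in a large estate.
    * Per-day counts use dc() inside timechart. The earlier pattern
      (dedup before timechart) kept each principal in only one arbitrary
      day, so every other day in a multi-day range was under-counted.
  -->
  <label>k9 Security - AWS Access Review</label>
  <fieldset submitButton="false">
    <input type="time" token="timeRange" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Account choices are taken from the account segment (split index 4)
         of every principal ARN seen in the last week. This list is
         deliberately independent of the time picker so the dropdown stays
         populated even when reviewing a narrow window. -->
    <input type="dropdown" token="aws_account_id" searchWhenChanged="true">
      <label>AWS Account</label>
      <!-- Both label and value must name a field returned by the search. -->
      <fieldForLabel>aws_account_id</fieldForLabel>
      <fieldForValue>aws_account_id</fieldForValue>
      <search>
        <query>index="k9_security" source="*_principal-access-summaries.*.csv"
| eval fields=split(principal_arn, ":")
| eval aws_account_id=mvindex(fields, 4)
| dedup aws_account_id
| sort 0 aws_account_id
| table aws_account_id</query>
        <earliest>-1w@w</earliest>
        <latest>now</latest>
      </search>
      <choice value="">All Accounts</choice>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Count of IAM Administrators</title>
        <!-- Distinct principals per day that k9 rates as able to administer
             IAM resources. No source filter: any k9 export row carrying
             service_name=IAM and administer-resource counts. -->
        <search>
          <query>index="k9_security" service_name=IAM access_capability="administer-resource"
| where like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
| timechart span=1d dc(principal_arn)</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>IAM Administrators</title>
        <!-- One row per administrator principal; dedup runs before sort so
             the sort only has to order the reduced set. -->
        <search>
          <query>index="k9_security" service_name=IAM access_capability="administer-resource"
| where like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
| dedup principal_arn
| sort 0 principal_arn
| table principal_arn</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Count of Unused IAM Principals</title>
        <!-- "Unused" means the principals export carries no last-used
             timestamp. An empty CSV cell is normally ingested as a missing
             field (isnull); the empty-string test covers ingestion paths
             that keep the field with no value. -->
        <search>
          <query>index="k9_security" source="*principals.*.csv"
| where like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
| where isnull('principal_last_used') OR 'principal_last_used'=""
| timechart span=1d dc(principal_arn)</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Unused IAM Principals</title>
        <!-- Same selection as the count above, listed one row per principal
             in a stable order so successive daily reviews are comparable. -->
        <search>
          <query>index="k9_security" source="*principals.*.csv"
| where like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
| where isnull('principal_last_used') OR 'principal_last_used'=""
| dedup principal_arn
| sort 0 principal_arn
| table principal_arn</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>KMS Encryption Key Access</title>
        <!-- Every (key, capability, principal) combination from the
             resource-access summaries. resource_arn="*" drops rows that have
             no key ARN at all. -->
        <search>
          <query>index="k9_security" source="*resource-access-summaries.*.csv" service_name=KMS resource_arn="*"
| where like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
| dedup resource_name, resource_arn, access_capability, principal_name
| sort 0 resource_name, resource_arn, access_capability, principal_name
| table resource_name, resource_arn, access_capability, principal_name</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="totalsRow">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>S3 Bucket Access by Confidentiality</title>
        <!-- Joins bucket access rows to the resources export to pick up the
             confidentiality tag. The join is an inner join, so buckets with
             no resources row, and then buckets with no tag value, are
             excluded: untagged buckets are a review gap this panel does not
             surface. The join subsearch is subject to Splunk's subsearch
             result and runtime limits, so a very large resources export can
             be silently truncated; a lookup table is the scalable
             alternative. A commented-out, environment-specific bucket-name
             filter that used to sit after the source filter has been
             removed; add an input rather than hard-coding a prefix here. -->
        <search>
          <query>index="k9_security" source="*resource-access-summaries.*.csv" service_name="S3" resource_arn="*"
| where like(principal_arn, "arn:aws:iam::" . $aws_account_id|s$ . "%")
| join type=inner resource_arn
    [ search index="k9_security" source="*_resources.*.csv" resource_type="S3Bucket"
      | fields resource_arn, resource_tag_confidentiality ]
| where isnotnull(resource_tag_confidentiality)
| dedup resource_name, resource_arn, access_capability, principal_name
| sort 0 resource_name, resource_arn, resource_tag_confidentiality, access_capability, principal_name
| table resource_name, resource_tag_confidentiality, access_capability, principal_name</query>
          <earliest>$timeRange.earliest$</earliest>
          <latest>$timeRange.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="totalsRow">true</option>
      </table>
    </panel>
  </row>
</dashboard>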