
Commit 6d6e0d2

authored
CW and SCP tweaks (#600)
- add KMS SCP protection
- add IAM IP CW Event
- fix CW Event IP ranges and MFA example
1 parent f13b7c0 commit 6d6e0d2


5 files changed

+73
-9
lines changed


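--- a/reference-artifacts/SAMPLE_CONFIGS/config.example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
@@ -281,7 +281,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -341,11 +341,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+{
+"filter-name": "IAMAuthUnapprovedIPMetric",
+"accounts": ["master"],
+"regions": ["ca-central-1"],
+"loggroup-name": "/PBMMAccel/CloudTrail",
+"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+"metric-namespace": "CloudTrailMetrics",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"metric-value": "1"
+},
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -472,6 +482,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+{
+"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"sns-alert-level": "High",
+"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+},
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",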
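Review bot: The new IAMAuthUnapprovedIPMetric pattern at new line 354 matches only `$.userIdentity.type=IAMUser`, so a Root console login from outside the approved range is not counted by this metric or the new AWS-IAM-Authentication-From-Unapproved-IP alarm; unless a separate root-login filter exists outside this hunk, a sibling filter for `Root` (or a second clause) would close that gap. On the SSO pattern at new line 344 the old `||` chain already collapsed to `!= 10.10.10.*` (any address outside that block satisfied at least one term), so if 10.10.* and 10.* were meant to be approved as well they must be added as further `&& ($.sourceIPAddress != ...)` terms, never joined with `||`. The new `!= \"AssumedRole\"` clause at new line 284 suppresses no-MFA alerts for federated and switched-role logins, which only holds if MFA is enforced at the identity provider; since these sample configs cannot carry comments, that assumption and the placeholder nature of `10.10.10.*` are worth stating in the accompanying documentation. The identical hunks in config.lite-example.json, config.multi-region-example.json and config.ultralite-example.json have the same points.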

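--- a/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
@@ -281,7 +281,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -341,11 +341,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+{
+"filter-name": "IAMAuthUnapprovedIPMetric",
+"accounts": ["master"],
+"regions": ["ca-central-1"],
+"loggroup-name": "/PBMMAccel/CloudTrail",
+"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+"metric-namespace": "CloudTrailMetrics",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"metric-value": "1"
+},
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -472,6 +482,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+{
+"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"sns-alert-level": "High",
+"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+},
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",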

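--- a/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
@@ -285,7 +285,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -345,11 +345,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+{
+"filter-name": "IAMAuthUnapprovedIPMetric",
+"accounts": ["master"],
+"regions": ["ca-central-1"],
+"loggroup-name": "/PBMMAccel/CloudTrail",
+"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+"metric-namespace": "CloudTrailMetrics",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"metric-value": "1"
+},
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -476,6 +486,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+{
+"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"sns-alert-level": "High",
+"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+},
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",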

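--- a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
@@ -260,7 +260,7 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}",
+"filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "ConsoleSignInWithoutMfaCount",
 "metric-value": "1"
@@ -320,11 +320,21 @@
 "accounts": ["master"],
 "regions": ["ca-central-1"],
 "loggroup-name": "/PBMMAccel/CloudTrail",
-"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && (($.sourceIPAddress != 10.10.10.*) || ($.sourceIPAddress != 10.10.*) || ($.sourceIPAddress != 10.*))}",
+"filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
 "metric-namespace": "CloudTrailMetrics",
 "metric-name": "SSOAuthUnapprovedIPCount",
 "metric-value": "1"
 },
+{
+"filter-name": "IAMAuthUnapprovedIPMetric",
+"accounts": ["master"],
+"regions": ["ca-central-1"],
+"loggroup-name": "/PBMMAccel/CloudTrail",
+"filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+"metric-namespace": "CloudTrailMetrics",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"metric-value": "1"
+},
 {
 "filter-name": "UnencryptedFilesystemCreatedMetric",
 "accounts": ["master"],
@@ -451,6 +461,12 @@
 "sns-alert-level": "High",
 "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range."
 },
+{
+"alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP",
+"metric-name": "IAMAuthUnapprovedIPCount",
+"sns-alert-level": "High",
+"alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range."
+},
 {
 "alarm-name": "AWS-Unencrypted-Filesystem-Created",
 "metric-name": "UnencryptedFilesystemCreatedCount",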

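--- a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
+++ b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Part2.json
@@ -103,7 +103,7 @@
 },
 {
 "Effect": "Deny",
-"Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy"],
+"Action": ["kms:DeleteAlias", "kms:UpdateAlias", "kms:DisableKey", "kms:ImportKeyMaterial", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"],
 "Resource": "arn:aws:kms:::alias/PBMMAccel*",
 "Condition": {
 "ArnNotLike": {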
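Review bot: `kms:ScheduleKeyDeletion`, added on new line 106, is authorized against the key ARN (`arn:aws:kms:<region>:<account>:key/<key-id>`), not against an alias, so a Deny whose Resource is `arn:aws:kms:::alias/PBMMAccel*` is unlikely to ever match that call and the new guardrail may be a no-op. As far as I can tell the same applies to the existing DisableKey, ImportKeyMaterial and PutKeyPolicy entries; only DeleteAlias and UpdateAlias actually target an alias resource. To protect the keys behind those aliases, scope the statement with `"Resource": "*"` and a condition such as `"ForAnyValue:StringLike": { "kms:ResourceAliases": "alias/PBMMAccel*" }`, then confirm with the IAM policy simulator against a test key in a sandbox OU before rollout. Separately, I believe IAM treats the empty region and account fields in that ARN literally rather than as wildcards, which is worth verifying against a real regional alias ARN. The statement's Condition block continues past the end of the hunk.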
