From a83f53ff6d988af6b9e248ec912aab314ecbcd84 Mon Sep 17 00:00:00 2001
From: x <x@airbnb.com>
Date: Tue, 24 Oct 2017 14:49:11 -0700
Subject: [PATCH] sync s3 bucket acl changes
---
 .../cloudtrail/cloudtrail_put_bucket_acl.py | 11 +-
 .../cloudtrail/cloudtrail_put_bucket_acl.json | 280 +++++++-----------
 2 files changed, 111 insertions(+), 180 deletions(-)
diff --git a/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py b/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
index e826450ca..ea9b6b9b8 100644
--- a/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
+++ b/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
@@ -22,12 +22,13 @@ def cloudtrail_put_bucket_acl(rec):
 (c) if not, remove the bucket ACL and investigate access logs
 """
 if rec['detail']['eventName'] != 'PutBucketAcl':
+ # check the event type early to avoid unnecessary performance impact
 return False
 elif rec['detail']['requestParameters'] is None:
- # `requestParameters` can be defined with a value of null
+ # requestParameters can be defined with a value of null
 return False
- insecure_acl_list = {
+ denied_acls = {
 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
 'http://acs.amazonaws.com/groups/global/AllUsers'
 }
@@ -38,11 +39,11 @@ def cloudtrail_put_bucket_acl(rec):
 return False
 grants = access_control_policy['AccessControlList']['Grant']
- insecure_buckets = []
+ bad_bucket_permissions = []
 for grant in grants:
 grantee = grant.get('Grantee', [])
 if 'URI' in grantee:
- insecure_buckets.append(grantee['URI'] in insecure_acl_list)
+ bad_bucket_permissions.append(grantee['URI'] in denied_acls)
- return any(insecure_buckets)
+ return any(bad_bucket_permissions)
diff --git a/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json b/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json
index df1422869..4c99a20cd 100644
--- a/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json
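Review bot: The added comment `# check the event type early to avoid unnecessary performance impact` sits inside the `if` body, directly above `return False`, so it reads as a remark on the return rather than on the test it is meant to explain; it belongs on the line above `if rec['detail']['eventName'] != 'PutBucketAcl':`. The performance claim is also not something the hunk supports, and a comment stating intent would age better: `# only PutBucketAcl events carry an AccessControlPolicy worth inspecting`. The function's signature and the start of its docstring are outside the hunk.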
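Review bot: `bad_bucket_permissions` holds one boolean per grant whose grantee carries a URI, not permissions, so the renamed list still misdescribes its contents; since it is consumed only by `any()`, a generator states the rule directly and drops the temporary: `return any(grant.get('Grantee', {}).get('URI') in denied_acls for grant in grants)` (the test fixtures in this commit show `Grantee` as an object, which is what the `{}` default assumes). That also removes the `[]` default in `grant.get('Grantee', [])`, which only works because `'URI' in []` happens to be False. Worth recording in a comment above the loop is that the check deliberately ignores `Permission`, so any grant to AllUsers or AuthenticatedUsers, including READ_ACP, raises the alert; without it a later maintainer may narrow the match. The enclosing function starts outside the hunk, as does the `access_control_policy` lookup whose failure branch the first context line `return False` belongs to.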
+++ b/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json 
@@ -3,285 +3,215 @@ { "data": { "account": 12345, - "region": "...", - "detail-type": "...", - "source": "...", - "version": "...", - "time": "...", - "id": "12345", - "resources": { - "test": "..." - }, "detail": { - "eventVersion": "...", - "userIdentity": { - "type": "...", - "principalId": "...", - "arn": "...", - "accountId": "12345", - "userName": "...", - "sessionContext": { - "attributes": { - "mfaAuthenticated": "true", - "creationDate": "..." - } - }, - "invokedBy": "..." - }, - "eventTime": "...", - "eventSource": "...", + "awsRegion": "us-east-1", + "eventID": "...", "eventName": "PutBucketAcl", - "awsRegion": "...", - "sourceIPAddress": "...", - "userAgent": "...", + "eventSource": "s3.amazonaws.com", + "eventTime": "...", + "eventType": "...", + "eventVersion": "...", + "recipientAccountId": "12345", + "requestID": "...", "requestParameters": { - "bucketName": "...", "AccessControlPolicy": { "AccessControlList": { "Grant": [ { "Grantee": { - "xsi:type": "CanonicalUser", "DisplayName": "...", + "ID": "...", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "ID": "..." + "xsi:type": "CanonicalUser" }, "Permission": "FULL_CONTROL" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/global/AllUsers" + "xsi:type": "Group" }, "Permission": "READ" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/global/AllUsers" + "xsi:type": "Group" }, "Permission": "READ_ACP" - } - ] - }, - "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", - "Owner": { - "DisplayName": "...", - "ID": "..." 
- } - }, - "acl": [ - "" - ] - }, - "responseElements": null, - "requestID": "...", - "eventID": "...", - "eventType": "AwsApiCall", - "recipientAccountId": "12345" - } - }, - "description": "An AWS S3 bucket with 'AllUsers' permission(s) will create an alert.", - "log": "cloudwatch:events", - "source": "prefix_cluster1_stream_alert_kinesis", - "service": "kinesis", - "trigger_rules": ["cloudtrail_put_bucket_acl"] - }, - { - "data": { - "account": 12345, - "region": "...", - "detail-type": "...", - "source": "...", - "version": "...", - "time": "...", - "id": "12345", - "resources": { - "test": "..." - }, - "detail": { - "eventVersion": "...", - "userIdentity": { - "type": "...", - "principalId": "...", - "arn": "...", - "accountId": "12345", - "userName": "...", - "sessionContext": { - "attributes": { - "mfaAuthenticated": "true", - "creationDate": "..." - } - }, - "invokedBy": "..." - }, - "eventTime": "...", - "eventSource": "...", - "eventName": "PutBucketAcl", - "awsRegion": "...", - "sourceIPAddress": "...", - "userAgent": "...", - "requestParameters": { - "bucketName": "...", - "AccessControlPolicy": { - "AccessControlList": { - "Grant": [ - { - "Grantee": { - "xsi:type": "CanonicalUser", - "DisplayName": "...", - "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "ID": "..." 
- }, - "Permission": "FULL_CONTROL" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AllUsers", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + "xsi:type": "Group" }, "Permission": "READ" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/global/AllUsers", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + "xsi:type": "Group" }, "Permission": "READ_ACP" } ] }, - "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "Owner": { "DisplayName": "...", "ID": "..." - } + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" }, "acl": [ "" - ] + ], + "bucketName": "..." }, "responseElements": null, - "requestID": "...", - "eventID": "...", - "eventType": "AwsApiCall", - "recipientAccountId": "12345" - } + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accountId": "12345", + "arn": "...", + "invokedBy": "...", + "principalId": "...", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" + } + }, + "type": "IAMUser", + "userName": "..." + } + }, + "detail-type": "...", + "id": "12345", + "region": "us-east-1", + "resources": { + "test": "..." + }, + "source": "...", + "time": "...", + "version": "..." 
}, - "description": "An AWS S3 bucket with 'AuthenticatedUsers' permission(s) will create an alert.", + "description": "Modifying an S3 bucket to have a bucket ACL of AllUsers or AuthenticatedUsers should create an alert.", "log": "cloudwatch:events", - "source": "prefix_cluster1_stream_alert_kinesis", "service": "kinesis", - "trigger_rules": ["cloudtrail_put_bucket_acl"] + "source": "prefix_cluster1_stream_alert_kinesis", + "trigger_rules": [ + "cloudtrail_put_bucket_acl" + ] }, { "data": { "account": 12345, - "region": "...", - "detail-type": "...", - "source": "...", - "version": "...", - "time": "...", - "id": "12345", - "resources": { - "test": "..." - }, "detail": { - "eventVersion": "...", - "userIdentity": { - "type": "...", - "principalId": "...", - "arn": "...", - "accountId": "12345", - "userName": "...", - "sessionContext": { - "attributes": { - "mfaAuthenticated": "true", - "creationDate": "..." - } - }, - "invokedBy": "..." - }, - "eventTime": "...", - "eventSource": "...", + "awsRegion": "us-east-1", + "eventID": "...", "eventName": "PutBucketAcl", - "awsRegion": "...", - "sourceIPAddress": "...", - "userAgent": "...", + "eventSource": "...", + "eventTime": "...", + "eventType": "...", + "eventVersion": "...", + "recipientAccountId": "12345", + "requestID": "...", "requestParameters": { - "bucketName": "...", "AccessControlPolicy": { "AccessControlList": { "Grant": [ { "Grantee": { - "xsi:type": "CanonicalUser", "DisplayName": "...", + "ID": "...", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "ID": "..." 
+ "xsi:type": "CanonicalUser" }, "Permission": "FULL_CONTROL" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery" + "xsi:type": "Group" }, "Permission": "READ" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery" + "xsi:type": "Group" }, "Permission": "READ_ACP" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery" + "xsi:type": "Group" }, "Permission": "READ" }, { "Grantee": { - "xsi:type": "Group", + "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", - "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery" + "xsi:type": "Group" }, "Permission": "READ_ACP" } ] }, - "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "Owner": { "DisplayName": "...", "ID": "..." - } + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" }, "acl": [ "" - ] + ], + "bucketName": "..." }, "responseElements": null, - "requestID": "...", - "eventID": "...", - "eventType": "AwsApiCall", - "recipientAccountId": "12345" - } + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accountId": "12345", + "arn": "...", + "invokedBy": "...", + "principalId": "...", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" + } + }, + "type": "IAMUser", + "userName": "..." + } + }, + "detail-type": "...", + "id": "12345", + "region": "us-east-1", + "resources": { + "test": "..." + }, + "source": "...", + "time": "...", + "version": "..." 
}, - "description": "An AWS PutBucketAcl call without 'AuthenticatedUsers' & 'AllUsers' will not create an alert.", + "description": "Modifying an S3 bucket ACL without use of AllUsers or AuthenticatedUsers should not create an alert.", "log": "cloudwatch:events", - "source": "prefix_cluster1_stream_alert_kinesis", "service": "kinesis", - "trigger_rules": [] + "source": "prefix_cluster1_stream_alert_kinesis", + "trigger_rules": [ + ] } ] }