From a83f53ff6d988af6b9e248ec912aab314ecbcd84 Mon Sep 17 00:00:00 2001
From: x <x@airbnb.com>
Date: Tue, 24 Oct 2017 14:49:11 -0700
Subject: [PATCH] sync s3 bucket acl changes

---
 .../cloudtrail/cloudtrail_put_bucket_acl.py   |  11 +-
 .../cloudtrail/cloudtrail_put_bucket_acl.json | 280 +++++++-----------
 2 files changed, 111 insertions(+), 180 deletions(-)

diff --git a/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py b/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
index e826450ca..ea9b6b9b8 100644
--- a/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
+++ b/rules/community/cloudtrail/cloudtrail_put_bucket_acl.py
@@ -22,12 +22,13 @@ def cloudtrail_put_bucket_acl(rec):
                   (c) if not, remove the bucket ACL and investigate access logs
     """
     if rec['detail']['eventName'] != 'PutBucketAcl':
+        # check the event type early to avoid unnecessary performance impact
         return False
     elif rec['detail']['requestParameters'] is None:
-        # `requestParameters` can be defined with a value of null
+        # requestParameters can be defined with a value of null
         return False
 
-    insecure_acl_list = {
+    denied_acls = {
         'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
         'http://acs.amazonaws.com/groups/global/AllUsers'
     }
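Review bot: The comment added under `if rec['detail']['eventName'] != 'PutBucketAcl':` sits inside the branch, next to `return False`, so it reads as an explanation of the return rather than of why this check comes first; place it above the `if` instead, e.g. `# Filter on eventName first: it is the cheapest check and rejects most records`. The rename to `denied_acls` is also slightly misleading, since the set holds grantee group URIs rather than ACLs; `denied_grantee_uris` would describe the contents exactly. The function `cloudtrail_put_bucket_acl` starts before this hunk, and the lines that derive `access_control_policy` from `requestParameters` fall between the two hunks, so they are not reviewed here.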
@@ -38,11 +39,11 @@ def cloudtrail_put_bucket_acl(rec):
         return False
 
     grants = access_control_policy['AccessControlList']['Grant']
-    insecure_buckets = []
+    bad_bucket_permissions = []
 
     for grant in grants:
         grantee = grant.get('Grantee', [])
         if 'URI' in grantee:
-            insecure_buckets.append(grantee['URI'] in insecure_acl_list)
+            bad_bucket_permissions.append(grantee['URI'] in denied_acls)
 
-    return any(insecure_buckets)
+    return any(bad_bucket_permissions)
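Review bot: Collecting booleans into `bad_bucket_permissions` and then calling `any()` evaluates every grant even after a match is found; a generator lets `any()` stop at the first denied grantee and removes the temporary list, e.g. `return any(grant.get('Grantee', {}).get('URI') in denied_acls for grant in grants)`, which yields the same result when `Grantee` is absent (`None` is not in the set). Separately, the loop assumes `grants` is a list of dicts; if a record ever carried `Grant` as a single object instead of a list, iterating it would yield key strings and `grant.get` would raise rather than return False — I cannot confirm the shape from this hunk, so a guard such as `if isinstance(grants, dict): grants = [grants]` is worth considering only if the upstream format allows it. The `grants` lookup itself starts from `access_control_policy`, which is assigned outside this hunk.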
diff --git a/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json b/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json
index df1422869..4c99a20cd 100644
--- a/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json
+++ b/tests/integration/rules/cloudtrail/cloudtrail_put_bucket_acl.json
@@ -3,285 +3,215 @@
     {
       "data": {
         "account": 12345,
-        "region": "...",
-        "detail-type": "...",
-        "source": "...",
-        "version": "...",
-        "time": "...",
-        "id": "12345",
-        "resources": {
-          "test": "..."
-        },
         "detail": {
-          "eventVersion": "...",
-          "userIdentity": {
-            "type": "...",
-            "principalId": "...",
-            "arn": "...",
-            "accountId": "12345",
-            "userName": "...",
-            "sessionContext": {
-              "attributes": {
-                "mfaAuthenticated": "true",
-                "creationDate": "..."
-              }
-            },
-            "invokedBy": "..."
-          },
-          "eventTime": "...",
-          "eventSource": "...",
+          "awsRegion": "us-east-1",
+          "eventID": "...",
           "eventName": "PutBucketAcl",
-          "awsRegion": "...",
-          "sourceIPAddress": "...",
-          "userAgent": "...",
+          "eventSource": "s3.amazonaws.com",
+          "eventTime": "...",
+          "eventType": "...",
+          "eventVersion": "...",
+          "recipientAccountId": "12345",
+          "requestID": "...",
           "requestParameters": {
-            "bucketName": "...",
             "AccessControlPolicy": {
               "AccessControlList": {
                 "Grant": [
                   {
                     "Grantee": {
-                      "xsi:type": "CanonicalUser",
                       "DisplayName": "...",
+                      "ID": "...",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "ID": "..."
+                      "xsi:type": "CanonicalUser"
                     },
                     "Permission": "FULL_CONTROL"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ_ACP"
-                  }
-                ]
-              },
-              "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
-              "Owner": {
-                "DisplayName": "...",
-                "ID": "..."
-              }
-            },
-            "acl": [
-              ""
-            ]
-          },
-          "responseElements": null,
-          "requestID": "...",
-          "eventID": "...",
-          "eventType": "AwsApiCall",
-          "recipientAccountId": "12345"
-        }
-      },
-      "description": "An AWS S3 bucket with 'AllUsers' permission(s) will create an alert.",
-      "log": "cloudwatch:events",
-      "source": "prefix_cluster1_stream_alert_kinesis",
-      "service": "kinesis",
-      "trigger_rules": ["cloudtrail_put_bucket_acl"]
-    },
-    {
-      "data": {
-        "account": 12345,
-        "region": "...",
-        "detail-type": "...",
-        "source": "...",
-        "version": "...",
-        "time": "...",
-        "id": "12345",
-        "resources": {
-          "test": "..."
-        },
-        "detail": {
-          "eventVersion": "...",
-          "userIdentity": {
-            "type": "...",
-            "principalId": "...",
-            "arn": "...",
-            "accountId": "12345",
-            "userName": "...",
-            "sessionContext": {
-              "attributes": {
-                "mfaAuthenticated": "true",
-                "creationDate": "..."
-              }
-            },
-            "invokedBy": "..."
-          },
-          "eventTime": "...",
-          "eventSource": "...",
-          "eventName": "PutBucketAcl",
-          "awsRegion": "...",
-          "sourceIPAddress": "...",
-          "userAgent": "...",
-          "requestParameters": {
-            "bucketName": "...",
-            "AccessControlPolicy": {
-              "AccessControlList": {
-                "Grant": [
-                  {
-                    "Grantee": {
-                      "xsi:type": "CanonicalUser",
-                      "DisplayName": "...",
-                      "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "ID": "..."
-                    },
-                    "Permission": "FULL_CONTROL"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ_ACP"
                   }
                 ]
               },
-              "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
               "Owner": {
                 "DisplayName": "...",
                 "ID": "..."
-              }
+              },
+              "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"
             },
             "acl": [
               ""
-            ]
+            ],
+            "bucketName": "..."
           },
           "responseElements": null,
-          "requestID": "...",
-          "eventID": "...",
-          "eventType": "AwsApiCall",
-          "recipientAccountId": "12345"
-        }
+          "sourceIPAddress": "...",
+          "userAgent": "...",
+          "userIdentity": {
+            "accountId": "12345",
+            "arn": "...",
+            "invokedBy": "...",
+            "principalId": "...",
+            "sessionContext": {
+              "attributes": {
+                "creationDate": "...",
+                "mfaAuthenticated": "true"
+              }
+            },
+            "type": "IAMUser",
+            "userName": "..."
+          }
+        },
+        "detail-type": "...",
+        "id": "12345",
+        "region": "us-east-1",
+        "resources": {
+          "test": "..."
+        },
+        "source": "...",
+        "time": "...",
+        "version": "..."
       },
-      "description": "An AWS S3 bucket with 'AuthenticatedUsers' permission(s) will create an alert.",
+      "description": "Modifying an S3 bucket to have a bucket ACL of AllUsers or AuthenticatedUsers should create an alert.",
       "log": "cloudwatch:events",
-      "source": "prefix_cluster1_stream_alert_kinesis",
       "service": "kinesis",
-      "trigger_rules": ["cloudtrail_put_bucket_acl"]
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "trigger_rules": [
+        "cloudtrail_put_bucket_acl"
+      ]
     },
     {
       "data": {
         "account": 12345,
-        "region": "...",
-        "detail-type": "...",
-        "source": "...",
-        "version": "...",
-        "time": "...",
-        "id": "12345",
-        "resources": {
-          "test": "..."
-        },
         "detail": {
-          "eventVersion": "...",
-          "userIdentity": {
-            "type": "...",
-            "principalId": "...",
-            "arn": "...",
-            "accountId": "12345",
-            "userName": "...",
-            "sessionContext": {
-              "attributes": {
-                "mfaAuthenticated": "true",
-                "creationDate": "..."
-              }
-            },
-            "invokedBy": "..."
-          },
-          "eventTime": "...",
-          "eventSource": "...",
+          "awsRegion": "us-east-1",
+          "eventID": "...",
           "eventName": "PutBucketAcl",
-          "awsRegion": "...",
-          "sourceIPAddress": "...",
-          "userAgent": "...",
+          "eventSource": "...",
+          "eventTime": "...",
+          "eventType": "...",
+          "eventVersion": "...",
+          "recipientAccountId": "12345",
+          "requestID": "...",
           "requestParameters": {
-            "bucketName": "...",
             "AccessControlPolicy": {
               "AccessControlList": {
                 "Grant": [
                   {
                     "Grantee": {
-                      "xsi:type": "CanonicalUser",
                       "DisplayName": "...",
+                      "ID": "...",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "ID": "..."
+                      "xsi:type": "CanonicalUser"
                     },
                     "Permission": "FULL_CONTROL"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ_ACP"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ"
                   },
                   {
                     "Grantee": {
-                      "xsi:type": "Group",
+                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
                       "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
-                      "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
+                      "xsi:type": "Group"
                     },
                     "Permission": "READ_ACP"
                   }
                 ]
               },
-              "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
               "Owner": {
                 "DisplayName": "...",
                 "ID": "..."
-              }
+              },
+              "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"
             },
             "acl": [
               ""
-            ]
+            ],
+            "bucketName": "..."
           },
           "responseElements": null,
-          "requestID": "...",
-          "eventID": "...",
-          "eventType": "AwsApiCall",
-          "recipientAccountId": "12345"
-        }
+          "sourceIPAddress": "...",
+          "userAgent": "...",
+          "userIdentity": {
+            "accountId": "12345",
+            "arn": "...",
+            "invokedBy": "...",
+            "principalId": "...",
+            "sessionContext": {
+              "attributes": {
+                "creationDate": "...",
+                "mfaAuthenticated": "true"
+              }
+            },
+            "type": "IAMUser",
+            "userName": "..."
+          }
+        },
+        "detail-type": "...",
+        "id": "12345",
+        "region": "us-east-1",
+        "resources": {
+          "test": "..."
+        },
+        "source": "...",
+        "time": "...",
+        "version": "..."
       },
-      "description": "An AWS PutBucketAcl call without 'AuthenticatedUsers' & 'AllUsers' will not create an alert.",
+      "description": "Modifying an S3 bucket ACL without use of AllUsers or AuthenticatedUsers should not create an alert.",
       "log": "cloudwatch:events",
-      "source": "prefix_cluster1_stream_alert_kinesis",
       "service": "kinesis",
-      "trigger_rules": []
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "trigger_rules": [
+      ]
     }
   ]
 }
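Review bot: The two positive fixtures (one with only `AllUsers` grants, one with only `AuthenticatedUsers` grants) are merged into a single record whose grants list contains both URIs, so a regression in the rule that matched only one of the two group URIs would still pass this test. Keep one triggering record per denied URI, and consider a record where the group grant is the sole non-owner grant, so each membership is exercised independently. The new negative case with only `s3/LogDelivery` grants is a good addition and should stay as is.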