Merge pull request #49 from rstalets/main

Documentation & Terraform Fix

Author: kmcquade

docs/risks/ebs.md

@@ -70,6 +70,15 @@ After an EBS Snapshot is made public, an attacker can then:
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='ec2.amazonaws.com' and (eventName='ModifySnapshotAttribute' and requestParameters.attributeType='CREATE_VOLUME_PERMISSION') 
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [Sharing an Unencrypted Snapshot using the Console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-unencrypted-snapshot)

docs/risks/ec2-amis.md

@@ -63,6 +63,15 @@ After an EC2 AMI is made public, an attacker can then:
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='ec2.amazonaws.com' and (eventName='ModifyImageAttribute' and requestParameters.attributeType='launchPermission') 
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 - [aws ec2 modify-image-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html)

docs/risks/ecr.md

@@ -80,6 +80,22 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='ecr.amazonaws.com' and (eventName='SetRepositoryPolicy' or eventName='DeleteRepositoryPolicy' 
+or eventName='PutRegistryPolicy' or eventName='DeleteRegistryPolicy') 
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='ecr.amazonaws.com' and (eventName='SetRepositoryPolicy' and responseElements.policyText like 'Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [set-repository-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/set-repository-policy.html)

docs/risks/elasticfilesystem.md

@@ -94,6 +94,21 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='elasticfilesystem.amazonaws.com' and eventName='PutFileSystemPolicy'
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='elasticfilesystem.amazonaws.com' and (eventName='PutFileSystemPolicy' and requestParameters.policy like 'Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [put-filesystem-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/put-file-system-policy.html)

docs/risks/elasticsearch.md

@@ -43,6 +43,15 @@ However, if **Public Access** _is_ necessary, follow the steps below to remediat
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='es.amazonaws.com' and eventName='UpdateElasticsearchDomainConfig'
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [ElasticSearch Resource-based Policies](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html#es-ac-types-resource)

docs/risks/glacier.md

@@ -54,6 +54,21 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='glacier.amazonaws.com' and eventName='SetVaultAccessPolicy'
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='glacier.amazonaws.com' and (eventName='SetVaultAccessPolicy' and requestParameters.policy.policy like 'Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [set-vault-access-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glacier/set-vault-access-policy.html)

docs/risks/iam.md

@@ -163,6 +163,16 @@ aws sts get-caller-identity
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='iam.amazonaws.com' and eventName='UpdateAssumeRolePolicy'
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
-* [update-assume-role-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html)
+* [update-assume-role-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html)
+* [Learn more about IAM cross-account trust](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html)

docs/risks/kms.md

@@ -59,6 +59,21 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='kms.amazonaws.com' and eventName='PutKeyPolicy'
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='kms.amazonaws.com' and (eventName='PutKeyPolicy' and requestParameters.policy like 'Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [put-key-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/put-key-policy.html)

docs/risks/lambda-functions.md

@@ -91,6 +91,21 @@ aws lambda invoke --function-name $VICTIM_LAMBDA
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='lambda.amazonaws.com' and eventName like 'AddPermission'
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
+| filter eventSource='lambda.amazonaws.com' and (eventName like 'AddPermission' and requestParameters.statementId='Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [aws lambda add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html)

docs/risks/rds-snapshots.md

@@ -57,11 +57,20 @@ After the RDS snapshot is public or shared with the rogue user account, an attac
   - [rds:DescribeDbClusterSnapshots](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusterSnapshots.html): _Grants permission to return information about DB cluster snapshots._
   - [rds:DescribeDbSnapshotAttributes](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBSnapshotAttributes.html): _Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot. This includes information on which AWS Accounts have access to the snapshot._
   - [rds:DescribeDbSnapshots](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBSnapshots.html): _Grants permission to return information about DB snapshots_
-  - [rds:ModifyDbSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html): _Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot. This includes the ability to share snapshots with other AWS Accounts._
-  - [rds:ModifyDbClusterSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBClusterSnapshotAttribute.html): _Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot. This includes the ability to share snapshots with other AWS Accounts._
+  - [rds:ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html): _Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot. This includes the ability to share snapshots with other AWS Accounts._
+  - [rds:ModifyDBClusterSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBClusterSnapshotAttribute.html): _Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot. This includes the ability to share snapshots with other AWS Accounts._
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='rds.amazonaws.com' AND (eventName='ModifyDBSnapshotAttribute' or eventName='ModifyDBClusterSnapshotAttribute' and requestParameters.attributeName='restore')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 - [aws rds modify-db-cluster-snapshot-attribute](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-cluster-snapshot-attribute.html)

docs/risks/s3.md

@@ -48,6 +48,22 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='s3.amazonaws.com' AND eventName='PutBucketPolicy'
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='s3.amazonaws.com' AND (eventName='PutBucketPolicy' and @message like 'Endgame')
+```
+(More specific queries related to the policy contents do not work due to how CWL parses the requestParameters object on these calls)
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 - [aws s3api put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html)

docs/risks/secretsmanager.md

@@ -90,6 +90,21 @@ aws secretsmanager get-secret-value --secret-id $VICTIM_RESOURCE
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='secretsmanager.amazonaws.com' AND (eventName='PutResourcePolicy' or eventName='DeleteResourcePolicy')
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='secretsmanager.amazonaws.com' AND (eventName='PutResourcePolicy' and requestParameters.resourcePolicy like 'Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [aws secretsmanager get-resource-policy](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-resource-policy.html)

docs/risks/ses.md

@@ -74,6 +74,21 @@ The policy below allows the Evil Principal (`arn:aws:iam::999988887777:user/evil
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='ses.amazonaws.com' AND (eventName='PutIdentityPolicy' or eventName='DeleteIdentityPolicy')
+```
+
+The following query detects policy modifications which include the default IOC string:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='ses.amazonaws.com' AND (eventName='PutIdentityPolicy' and requestParameters.policyName='Endgame')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [put-identity-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ses/put-identity-policy.html)

docs/risks/sns.md

@@ -89,6 +89,15 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='ses.amazonaws.com' AND (eventName='PutIdentityPolicy' or eventName='DeleteIdentityPolicy')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/add-permission.html)

docs/risks/sqs.md

@@ -54,6 +54,15 @@ TODO
 
 Also, consider using [Cloudsplaining](https://github.com/salesforce/cloudsplaining/#cloudsplaining) to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report [here](https://opensource.salesforce.com/cloudsplaining/)
 
+## Basic Detection
+The following CloudWatch Log Insights query will include exposure actions taken by endgame:
+```
+fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
+| filter eventSource='sqs.amazonaws.com' AND (eventName='AddPermission' or eventName='RemovePermission')
+```
+
+This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.
+
 ## References
 
 * [aws sqs add-permission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html)