
     1  package cloudwatch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  	"github.com/khulnasoft-lab/defsec/pkg/types"
    12  )
    13  
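// requireCloudTrailChangeAlarm implements CIS AWS Foundations 1.2 §3.5 / 1.4 §4.5:
// every multi-region trail that is actively logging to a known CloudWatch log
// group must have a metric filter matching the CloudTrail configuration-change
// events (CreateTrail, UpdateTrail, DeleteTrail, StartLogging, StopLogging) and
// an alarm wired to that filter's metric name. A trail that is not logging, or
// whose log group is not present in the scanned state, is skipped rather than
// failed here.
var requireCloudTrailChangeAlarm = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0151",
		Provider:   providers.AWSProvider,
		Service:    "cloudwatch",
		ShortCode:  "require-cloud-trail-change-alarm",
		Summary:    "Ensure a log metric filter and alarm exist for CloudTrail configuration changes",
		Impact:     "CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.",
		Resolution: "Create an alarm to alert on CloudTrail configuration changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {
				"3.5",
			},
			framework.CIS_AWS_1_4: {
				"4.5",
			},
		},
		Explanation: `You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
                                                                              
CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
		},
		Terraform:      &scan.EngineMetadata{},
		CloudFormation: &scan.EngineMetadata{},
		Severity:       severity.Low,
	},
	// check walks each multi-region trail and records a failure on the trail
	// when either the configuration-change metric filter or its alarm is
	// missing; trails with both are recorded as passed.
	func(s *state.State) (results scan.Results) {
		// Filter pattern recommended by CIS for CloudTrail configuration changes.
		// Compared with whitespace ignored so formatting differences in the
		// user's filter do not cause a false failure.
		const cloudTrailChangePattern = `{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}`

		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
			// Nothing to evaluate: no log group delivery or the trail is off.
			// Whether a trail must log to CloudWatch at all is a separate rule.
			if logGroup == nil || trail.IsLogging.IsFalse() {
				continue
			}

			var (
				metricFilter cloudwatch.MetricFilter
				found        bool
			)
			for _, filter := range logGroup.MetricFilters {
				if filter.FilterPattern.Contains(cloudTrailChangePattern, types.IgnoreWhitespace) {
					metricFilter = filter
					found = true
					break
				}
			}

			// Messages name the actual control being checked (CloudTrail
			// configuration changes), not the IAM policy-change control.
			if !found {
				results.Add("Cloudtrail has no CloudTrail configuration change log filter", trail)
				continue
			}

			// An alarm is located by the filter's metric name; a filter with no
			// alarm bound to it still leaves the change unalerted.
			if metricAlarm := s.AWS.CloudWatch.GetAlarmByMetricName(metricFilter.FilterName.Value()); metricAlarm == nil {
				results.Add("Cloudtrail has no CloudTrail configuration change alarm", trail)
				continue
			}

			results.AddPassed(trail)
		}

		return results
	},
)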