package cloudwatch

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// iamPolicyChangeFilterPattern is the CloudWatch Logs metric filter pattern a
// log group must carry for its trail to count as monitored for IAM policy
// changes (CIS AWS 1.2 control 3.4 / CIS AWS 1.4 control 4.4).
//
// The configured pattern is compared with types.IgnoreWhitespace, so layout
// differences do not matter. It is a substring check, though: the clause
// order must match, so a semantically equivalent pattern that lists the same
// eventNames in a different order is not recognised and the trail is reported
// as unmonitored.
const iamPolicyChangeFilterPattern = `{($.eventName=DeleteGroupPolicy) ||
	($.eventName=DeleteRolePolicy) ||
	($.eventName=DeleteUserPolicy) ||
	($.eventName=PutGroupPolicy) ||
	($.eventName=PutRolePolicy) ||
	($.eventName=PutUserPolicy) ||
	($.eventName=CreatePolicy) ||
	($.eventName=DeletePolicy) ||
	($.eventName=CreatePolicyVersion) ||
	($.eventName=DeletePolicyVersion) ||
	($.eventName=AttachRolePolicy) ||
	($.eventName=DetachRolePolicy) ||
	($.eventName=AttachUserPolicy) ||
	($.eventName=DetachUserPolicy) ||
	($.eventName=AttachGroupPolicy) ||
	($.eventName=DetachGroupPolicy)}`

// findIAMPolicyChangeFilter returns the first of filters whose pattern
// contains iamPolicyChangeFilterPattern (ignoring whitespace), and whether
// such a filter exists. On false the returned filter is the zero value.
func findIAMPolicyChangeFilter(filters []cloudwatch.MetricFilter) (cloudwatch.MetricFilter, bool) {
	for _, candidate := range filters {
		if candidate.FilterPattern.Contains(iamPolicyChangeFilterPattern, types.IgnoreWhitespace) {
			return candidate, true
		}
	}
	var none cloudwatch.MetricFilter
	return none, false
}

// requireIAMPolicyChangeAlarm checks that every multi-region CloudTrail trail
// that delivers to a CloudWatch Logs log group has a metric filter for IAM
// policy changes and an alarm wired to that filter.
var requireIAMPolicyChangeAlarm = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0150",
		Provider:    providers.AWSProvider,
		Service:     "cloudwatch",
		ShortCode:   "require-iam-policy-change-alarm",
		Summary:     "Ensure a log metric filter and alarm exist for IAM policy changes",
		Impact:      "IAM Policy changes could lead to excessive permissions and may have been performed maliciously.",
		Resolution:  "Create an alarm to alert on IAM Policy changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {
				"3.4",
			},
			framework.CIS_AWS_1_4: {
				"4.4",
			},
		},
		Explanation: ` You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes made to IAM policies. 
Monitoring these changes helps ensure that authentication and authorization controls remain intact.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
		},
		Terraform:      &scan.EngineMetadata{},
		CloudFormation: &scan.EngineMetadata{},
		Severity:       severity.Low,
	},
	// The check walks only multi-region trails; single-region trails are not
	// evaluated by this rule at all.
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			group := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())

			// A trail that resolves to no known log group, or whose logging
			// is explicitly off, yields neither a failure nor a pass here:
			// there is nothing to evaluate against. Whether the trail should
			// be logging is left to other rules.
			if group == nil || trail.IsLogging.IsFalse() {
				continue
			}

			filter, ok := findIAMPolicyChangeFilter(group.MetricFilters)
			if !ok {
				results.Add("Cloudtrail has no IAM policy change log filter", trail)
				continue
			}

			// NOTE(review): the alarm is looked up by the *filter's* name. A
			// filter whose metric transformation publishes under a different
			// metric name would therefore be reported as unalarmed — confirm
			// against the adapter that FilterName is what it populates here.
			if alarm := s.AWS.CloudWatch.GetAlarmByMetricName(filter.FilterName.Value()); alarm == nil {
				results.Add("Cloudtrail has no IAM Policy change alarm", trail)
				continue
			}

			results.AddPassed(trail)
		}

		return
	},
)