github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_non_mfa_login_alarm.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_non_mfa_login_alarm.go (about)

     1  package cloudwatch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  	"github.com/khulnasoft-lab/defsec/pkg/types"
    12  )
    13  
    14  var requireNonMFALoginAlarm = rules.Register(
    15  	scan.Rule{
    16  		AVDID:      "AVD-AWS-0148",
    17  		Provider:   providers.AWSProvider,
    18  		Service:    "cloudwatch",
    19  		ShortCode:  "require-non-mfa-login-alarm",
    20  		Summary:    "Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA",
    21  		Impact:     "Not alerting on logins with no MFA allows the risk to go un-notified.",
    22  		Resolution: "Create an alarm to alert on non MFA logins",
    23  		Frameworks: map[framework.Framework][]string{
    24  			framework.CIS_AWS_1_2: {
    25  				"3.2",
    26  			},
    27  			framework.CIS_AWS_1_4: {
    28  				"4.2",
    29  			},
    30  		},
    31  		Explanation: `You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
    32                                                                                
    33    CIS recommends that you create a metric filter and alarm console logins that  aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.`,
    34  		Links: []string{
    35  			"https://aws.amazon.com/iam/features/mfa/",
    36  		},
    37  		Terraform:      &scan.EngineMetadata{},
    38  		CloudFormation: &scan.EngineMetadata{},
    39  		Severity:       severity.Low,
    40  	},
    41  	func(s *state.State) (results scan.Results) {
    42  
    43  		multiRegionTrails := s.AWS.CloudTrail.MultiRegionTrails()
    44  		for _, trail := range multiRegionTrails {
    45  			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
    46  			if logGroup == nil || trail.IsLogging.IsFalse() {
    47  				continue
    48  			}
    49  
    50  			var metricFilter cloudwatch.MetricFilter
    51  			var found bool
    52  			for _, filter := range logGroup.MetricFilters {
    53  				if filter.FilterPattern.Contains(`($.eventName = "ConsoleLogin") && 
    54  ($.additionalEventData.MFAUsed != "Yes") && 
    55  ($.userIdentity.type=="IAMUser") && 
    56  ($.responseElements.ConsoleLogin == "Success")`, types.IgnoreWhitespace) {
    57  					metricFilter = filter
    58  					found = true
    59  					break
    60  				}
    61  			}
    62  
    63  			if !found {
    64  				results.Add("Cloudtrail has no non-MFA login log filter", trail)
    65  				continue
    66  			}
    67  
    68  			if metricAlarm := s.AWS.CloudWatch.GetAlarmByMetricName(metricFilter.FilterName.Value()); metricAlarm == nil {
    69  				results.Add("Cloudtrail has no non-MFA login alarm", trail)
    70  				continue
    71  			}
    72  
    73  			results.AddPassed(trail)
    74  		}
    75  
    76  		return
    77  	},
    78  )