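package cloudwatch

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// orgChangesFilterPatterns lists the filter-pattern fragments that identify a
// CloudWatch metric filter for AWS Organizations events. Both the bare and the
// quoted form of the event source are accepted; matching ignores whitespace.
var orgChangesFilterPatterns = []string{
	`$.eventSource = organizations.amazonaws.com`,
	`$.eventSource = "organizations.amazonaws.com"`,
}

// CheckRequireOrgChangesAlarm implements CIS AWS 1.4 control 4.15: every
// multi-region CloudTrail trail that is logging into a known CloudWatch log group
// must have a metric filter for AWS Organizations events and an alarm on that
// filter's metric. A trail fails when either the filter or the alarm is missing.
var CheckRequireOrgChangesAlarm = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0174",
		Provider:   providers.AWSProvider,
		Service:    "cloudwatch",
		ShortCode:  "require-org-changes-alarm",
		Summary:    "Ensure a log metric filter and alarm exist for organisation changes",
		Impact:     "Lack of observability into critical organisation changes",
		Resolution: "Create an alarm to alert on organisation changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {
				"4.15",
			},
		},
		Explanation: `
Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or
intentional modifications that may lead to unauthorized access or other security breaches.
This monitoring technique helps you to ensure that any unexpected changes performed
within your AWS Organizations can be investigated and any unwanted changes can be
rolled back.
`,
		Links: []string{
			"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
			// Trails that are not logging, or whose log group is not present in the
			// scanned state, are out of scope for this control: they are neither
			// failed nor passed (unchanged from the original behaviour).
			if logGroup == nil || trail.IsLogging.IsFalse() {
				continue
			}

			metricFilter, found := findOrgChangesFilter(logGroup.MetricFilters)
			if !found {
				results.Add("Cloudwatch has no organisation changes log filter", trail)
				continue
			}

			// The alarm lookup is keyed on the filter's name; this assumes the
			// adapter records the filter name as the metric name — confirm there.
			// This branch is the *missing* alarm case, so the finding says "no".
			if alarm := s.AWS.CloudWatch.GetAlarmByMetricName(metricFilter.FilterName.Value()); alarm == nil {
				results.Add("Cloudwatch has no organisation changes alarm", trail)
				continue
			}

			results.AddPassed(trail)
		}
		return
	},
)

// findOrgChangesFilter returns the first metric filter whose pattern contains one
// of orgChangesFilterPatterns (whitespace-insensitive) and true, or a zero
// MetricFilter and false when none matches. This is a substring test: a pattern
// that mentions the Organizations event source inside a larger, narrower
// expression is also accepted, so the check is deliberately permissive.
func findOrgChangesFilter(filters []cloudwatch.MetricFilter) (cloudwatch.MetricFilter, bool) {
	for _, filter := range filters {
		for _, pattern := range orgChangesFilterPatterns {
			if filter.FilterPattern.Contains(pattern, types.IgnoreWhitespace) {
				return filter, true
			}
		}
	}
	return cloudwatch.MetricFilter{}, false
}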