github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_root_user_usage_alarm.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_root_user_usage_alarm.go (about)

     1  package cloudwatch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  	"github.com/khulnasoft-lab/defsec/pkg/types"
    12  )
    13  
    14  var requireRootUserUsageAlarm = rules.Register(
    15  	scan.Rule{
    16  		AVDID:      "AVD-AWS-0149",
    17  		Provider:   providers.AWSProvider,
    18  		Service:    "cloudwatch",
    19  		ShortCode:  "require-root-user-usage-alarm",
    20  		Summary:    "Ensure a log metric filter and alarm exist for usage of root user",
    21  		Impact:     "The root user has significant permissions and should not be used for day to day tasks.",
    22  		Resolution: "Create an alarm to alert on root user login",
    23  		Frameworks: map[framework.Framework][]string{
    24  			framework.CIS_AWS_1_2: {
    25  				"3.3",
    26  			},
    27  			framework.CIS_AWS_1_4: {
    28  				"4.3",
    29  			},
    30  		},
    31  		Explanation: ` You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
    32                                                                                
    33  CIS recommends that you create a metric filter and alarm for root user login attempts. Monitoring for root user logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.`,
    34  		Links: []string{
    35  			"https://aws.amazon.com/iam/features/mfa/",
    36  		},
    37  		Terraform:      &scan.EngineMetadata{},
    38  		CloudFormation: &scan.EngineMetadata{},
    39  		Severity:       severity.Low,
    40  	},
    41  	func(s *state.State) (results scan.Results) {
    42  
    43  		multiRegionTrails := s.AWS.CloudTrail.MultiRegionTrails()
    44  		for _, trail := range multiRegionTrails {
    45  			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
    46  			if logGroup == nil || trail.IsLogging.IsFalse() {
    47  				continue
    48  			}
    49  
    50  			var metricFilter cloudwatch.MetricFilter
    51  			var found bool
    52  			for _, filter := range logGroup.MetricFilters {
    53  				if filter.FilterPattern.Contains(`$.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && &.eventType != "AwsServiceEvent"`, types.IgnoreWhitespace) {
    54  					metricFilter = filter
    55  					found = true
    56  					break
    57  				}
    58  			}
    59  
    60  			if !found {
    61  				results.Add("Cloudtrail has no root user usage log filter", trail)
    62  				continue
    63  			}
    64  
    65  			if metricAlarm := s.AWS.CloudWatch.GetAlarmByMetricName(metricFilter.FilterName.Value()); metricAlarm == nil {
    66  				results.Add("Cloudtrail has no root user usage alarm", trail)
    67  				continue
    68  			}
    69  
    70  			results.AddPassed(trail)
    71  		}
    72  
    73  		return
    74  	},
    75  )