github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_s3_bucket_policy_change_alarm.go (about)

     1  package cloudwatch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  	"github.com/khulnasoft-lab/defsec/pkg/types"
    12  )
    13  
// requireS3BucketPolicyChangeAlarm implements CIS AWS 1.2 §3.8 / 1.4 §4.8: every
// multi-region CloudTrail trail that ships to CloudWatch Logs must have a metric
// filter for S3 bucket policy/ACL/CORS/lifecycle/replication changes, and an
// alarm wired to that filter's metric.
var requireS3BucketPolicyChangeAlarm = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0154",
		Provider:   providers.AWSProvider,
		Service:    "cloudwatch",
		ShortCode:  "require-s3-bucket-policy-change-alarm",
		Summary:    "Ensure a log metric filter and alarm exist for S3 bucket policy changes",
		Impact:     "Misconfigured policies on S3 buckets could lead to data leakage, without alerting visibility of this is reduced.",
		Resolution: "Create an alarm to alert on S3 Bucket policy changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {
				"3.8",
			},
			framework.CIS_AWS_1_4: {
				"4.8",
			},
		},
		Explanation: `You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
                                                                                
CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
		},
		Terraform:      &scan.EngineMetadata{},
		CloudFormation: &scan.EngineMetadata{},
		Severity:       severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// The CIS-prescribed filter pattern. Matching is a substring test with
		// whitespace ignored, so a filter that lists the same eventNames in a
		// different order (or uses a different eventSource spelling) is reported
		// as missing even though it is semantically equivalent.
		const s3PolicyChangePattern = `{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || 
					($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || 
					($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) ||
					 ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}`

		// findS3PolicyChangeFilter returns the first metric filter whose pattern
		// contains the CIS pattern, or nil when the log group has none.
		findS3PolicyChangeFilter := func(filters []cloudwatch.MetricFilter) *cloudwatch.MetricFilter {
			for i := range filters {
				if filters[i].FilterPattern.Contains(s3PolicyChangePattern, types.IgnoreWhitespace) {
					return &filters[i]
				}
			}
			return nil
		}

		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			// A trail with no resolvable CloudWatch Logs group, or one that is
			// not logging, is skipped without any result — it produces no events
			// for a filter to match, and the trail-level rules presumably flag
			// those conditions themselves (verify; this rule stays silent).
			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
			if logGroup == nil {
				continue
			}
			if trail.IsLogging.IsFalse() {
				continue
			}

			filter := findS3PolicyChangeFilter(logGroup.MetricFilters)
			if filter == nil {
				results.Add("Cloudtrail has no S3 bucket policy change log filter", trail)
				continue
			}

			// NOTE(review): the alarm is located by the *filter's name*, so the
			// model must carry the filter name as the alarm's metric name; an alarm
			// keyed on a separately named metric transformation would not be found
			// here — confirm against the Terraform/CloudFormation adapters. Only the
			// alarm's existence is checked; whether it has any actions/subscribers
			// (also required by CIS 4.8) is not verified by this rule.
			if s.AWS.CloudWatch.GetAlarmByMetricName(filter.FilterName.Value()) == nil {
				results.Add("Cloudtrail has no S3 bucket policy change alarm", trail)
				continue
			}

			results.AddPassed(trail)
		}

		return results
	},
)