github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_unauthorised_api_call_alarm.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_unauthorised_api_call_alarm.go (about)

     1  package cloudwatch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
     8  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     9  	"github.com/khulnasoft-lab/defsec/pkg/severity"
    10  	"github.com/khulnasoft-lab/defsec/pkg/state"
    11  	"github.com/khulnasoft-lab/defsec/pkg/types"
    12  )
    13  
    14  var requireUnauthorizedApiCallAlarm = rules.Register(
    15  	scan.Rule{
    16  		AVDID:      "AVD-AWS-0147",
    17  		Provider:   providers.AWSProvider,
    18  		Service:    "cloudwatch",
    19  		ShortCode:  "require-unauthorised-api-call-alarm",
    20  		Summary:    "Ensure a log metric filter and alarm exist for unauthorized API calls",
    21  		Impact:     "Unauthorized API Calls may be attempted without being notified. CloudTrail logs these actions but without the alarm you aren't actively notified.",
    22  		Resolution: "Create an alarm to alert on unauthorized API calls",
    23  		Frameworks: map[framework.Framework][]string{
    24  			framework.CIS_AWS_1_2: {
    25  				"3.1",
    26  			},
    27  			framework.CIS_AWS_1_4: {
    28  				"4.1",
    29  			},
    30  		},
    31  		Explanation: `You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.
    32  
    33  CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.`,
    34  		Links: []string{
    35  			"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html",
    36  		},
    37  		Terraform:      &scan.EngineMetadata{},
    38  		CloudFormation: &scan.EngineMetadata{},
    39  		Severity:       severity.Low,
    40  	},
    41  	func(s *state.State) (results scan.Results) {
    42  
    43  		multiRegionTrails := s.AWS.CloudTrail.MultiRegionTrails()
    44  		for _, trail := range multiRegionTrails {
    45  			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
    46  			if logGroup == nil || trail.IsLogging.IsFalse() {
    47  				continue
    48  			}
    49  
    50  			var metricFilter cloudwatch.MetricFilter
    51  			var found bool
    52  			for _, filter := range logGroup.MetricFilters {
    53  				if filter.FilterPattern.Contains(`($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")`, types.IgnoreWhitespace) {
    54  					metricFilter = filter
    55  					found = true
    56  					break
    57  				}
    58  			}
    59  
    60  			if !found {
    61  				results.Add("Cloudtrail has no unauthorized API log filter", trail)
    62  				continue
    63  			}
    64  
    65  			if metricAlarm := s.AWS.CloudWatch.GetAlarmByMetricName(metricFilter.FilterName.Value()); metricAlarm == nil {
    66  				results.Add("Cloudtrail has no unauthorized API alarm", trail)
    67  				continue
    68  			}
    69  
    70  			results.AddPassed(trail)
    71  		}
    72  
    73  		return
    74  	},
    75  )