Merge pull request #1140 from jack1902/rules/aws_config
[rules] Added AWS Config Compliance and Remediation Rules
Showing
4 changed files
with
284 additions
and
3 deletions.
@@ -0,0 +1,47 @@ | ||
"""Alert on AWS Config""" | ||
from rules.matchers.matchers import AwsConfigMatcher | ||
from streamalert.shared.rule import rule | ||
|
||
|
||
# Populate this list to alert on specific Config Rules, otherwise all rules will be in-scope | ||
# Also consider the use of Lookup-Tables | ||
RULES_TO_ALERT_ON = [] | ||
|
||
|
||
@rule(logs=["cloudtrail:events"], matchers=[AwsConfigMatcher.is_config_compliance]) | ||
def config_compliance(record): | ||
""" | ||
author: jack (jack1902) | ||
description: Alert on AWS Config Complaince Change events of NON_COMPLIANT | ||
testing: From the Config page (https://console.aws.amazon.com/config/home) | ||
ensure recording is turned on. And you have a basic rule you can | ||
trigger as compliant or non-compliant. | ||
""" | ||
|
||
non_compliance_present = any( | ||
evaluation["complianceType"] == "NON_COMPLIANT" | ||
for evaluation in record["requestParameters"]["evaluations"] | ||
) | ||
|
||
if RULES_TO_ALERT_ON: | ||
# Alert on specific rule names. Useful when some Config Rules are just TOO noisy. | ||
rule_name = record["additionalEventData"]["configRuleName"] | ||
result = rule_name in RULES_TO_ALERT_ON and non_compliance_present | ||
else: | ||
# Alert on ALL config rules regardless of their name | ||
result = non_compliance_present | ||
|
||
return result | ||
|
||
|
||
@rule(logs=["cloudtrail:events"], matchers=[AwsConfigMatcher.is_auto_remediation]) | ||
def config_auto_remediation(_): | ||
""" | ||
author: jack (jack1902) | ||
description: Alert on AWS Config Auto Remediation | ||
testing: From the Config page (https://console.aws.amazon.com/config/home) | ||
ensure recording is turned on. And you have a basic rule you can | ||
trigger as compliant or non-compliant. Then trigger the remediation | ||
either manually or have it done automatically. | ||
""" | ||
return True |
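Review bot: config_compliance indexes `record["requestParameters"]["evaluations"]` and `record["additionalEventData"]["configRuleName"]` directly, so a PutEvaluations record missing either key raises inside the rule instead of returning False, and a call with `"testMode": true` (a field the new fixture carries) is treated like a real evaluation even though test-mode PutEvaluations calls are not recorded by Config. Whether AwsConfigMatcher.is_config_compliance already guards the record shape is not visible in this hunk, so I'd make the rule tolerant itself: read the sub-dicts with .get, drop test-mode calls, and short-circuit when nothing is NON_COMPLIANT, as below. The docstring line `description: Alert on AWS Config Complaince Change events` also misspells "Compliance", and RULES_TO_ALERT_ON could be a set since it is only used for membership.
```python
@rule(logs=["cloudtrail:events"], matchers=[AwsConfigMatcher.is_config_compliance])
def config_compliance(record):
    # … unchanged: docstring …
    params = record.get("requestParameters") or {}
    if params.get("testMode"):
        # Test-mode PutEvaluations calls are not recorded by Config; don't alert on them
        return False

    non_compliance_present = any(
        evaluation.get("complianceType") == "NON_COMPLIANT"
        for evaluation in params.get("evaluations") or []
    )
    if not non_compliance_present:
        return False

    if RULES_TO_ALERT_ON:
        # Alert on specific rule names. Useful when some Config Rules are just TOO noisy.
        rule_name = (record.get("additionalEventData") or {}).get("configRuleName")
        return rule_name in RULES_TO_ALERT_ON

    # Alert on ALL config rules regardless of their name
    return True
```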
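--- a/tests/integration/rules/cloudtrail/cloudtrail_aws_config.json
+++ b/tests/integration/rules/cloudtrail/cloudtrail_aws_config.json
@@ -0,0 +1,199 @@
+[
+{
+"data": {
+"Records": [
+{
+"additionalEventData": {
+"configRuleArn": "...",
+"configRuleInputParameters": "{}",
+"configRuleName": "s3-bucket-logging-enabled",
+"notificationJobType": "SCHEDULED_NOTIFICATION"
+},
+"awsRegion": "...",
+"eventID": "...",
+"eventName": "PutEvaluations",
+"eventSource": "config.amazonaws.com",
+"eventTime": "...",
+"eventType": "AwsApiCall",
+"eventVersion": "1.05",
+"recipientAccountId": "...",
+"requestID": "...",
+"requestParameters": {
+"evaluations": [
+{
+"complianceResourceId": "BUCKET_ONE",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "NON_COMPLIANT",
+"orderingTimestamp": "..."
+},
+{
+"complianceResourceId": "BUCKET_TWO",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "COMPLIANT",
+"orderingTimestamp": "..."
+}
+],
+"resultToken": "...",
+"testMode": false
+},
+"responseElements": null,
+"sourceIPAddress": "...",
+"userAgent": "...",
+"userIdentity": {
+"accessKeyId": "...",
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"sessionContext": {
+"attributes": {
+"creationDate": "..."
+},
+"sessionIssuer": {
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"type": "Role",
+"userName": "..."
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}
+]
+},
+"description": "Triggers an alert caused by a config compliance change of NON_COMPLIANT",
+"log": "cloudtrail:events",
+"service": "s3",
+"source": "prefix.cluster.sample.bucket",
+"trigger_rules": [
+"config_compliance"
+]
+},
+{
+"data": {
+"Records": [
+{
+"additionalEventData": {
+"configRuleArn": "...",
+"configRuleInputParameters": "{}",
+"configRuleName": "s3-bucket-logging-enabled",
+"notificationJobType": "SCHEDULED_NOTIFICATION"
+},
+"awsRegion": "...",
+"eventID": "...",
+"eventName": "PutEvaluations",
+"eventSource": "config.amazonaws.com",
+"eventTime": "...",
+"eventType": "AwsApiCall",
+"eventVersion": "1.05",
+"recipientAccountId": "...",
+"requestID": "...",
+"requestParameters": {
+"evaluations": [
+{
+"complianceResourceId": "BUCKET_ONE",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "COMPLIANT",
+"orderingTimestamp": "..."
+},
+{
+"complianceResourceId": "BUCKET_TWO",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "COMPLIANT",
+"orderingTimestamp": "..."
+}
+],
+"resultToken": "...",
+"testMode": false
+},
+"responseElements": null,
+"sourceIPAddress": "...",
+"userAgent": "...",
+"userIdentity": {
+"accessKeyId": "...",
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"sessionContext": {
+"attributes": {
+"creationDate": "..."
+},
+"sessionIssuer": {
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"type": "Role",
+"userName": "..."
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}
+]
+},
+"description": "Will not trigger an alert caused by a config compliance change of COMPLIANT",
+"log": "cloudtrail:events",
+"service": "s3",
+"source": "prefix.cluster.sample.bucket",
+"trigger_rules": []
+},
+{
+"data": {
+"Records": [
+{
+"awsRegion": "eu-west-1",
+"eventID": "...",
+"eventName": "StartAutomationExecution",
+"eventSource": "ssm.amazonaws.com",
+"eventTime": "...",
+"eventType": "...",
+"eventVersion": "1.05",
+"recipientAccountId": "...",
+"requestID": "...",
+"requestParameters": {
+"domain": "vpc"
+},
+"responseElements": {
+"allocationId": "..",
+"domain": "vpc",
+"networkBorderGroup": "...",
+"publicIp": "...",
+"publicIpv4Pool": "amazon",
+"requestId": "..."
+},
+"sourceIPAddress": "config.amazonaws.com",
+"userAgent": "...",
+"userIdentity": {
+"accessKeyId": "...",
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"sessionContext": {
+"attributes": {
+"creationDate": "..."
+},
+"sessionIssuer": {
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"type": "Role",
+"userName": "..."
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}
+]
+},
+"description": "Triggers an alert when auto-remediation of Config NON_COMPLIANT takes place",
+"log": "cloudtrail:events",
+"service": "s3",
+"source": "prefix.cluster.sample.bucket",
+"trigger_rules": [
+"config_auto_remediation"
+]
+}
+]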
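Review bot: The auto-remediation fixture (third record) pairs a `StartAutomationExecution` event from `ssm.amazonaws.com` with a `responseElements` block of `allocationId`/`publicIp`/`publicIpv4Pool`/`networkBorderGroup` fields, which is the shape of an EC2 address-allocation response rather than of an SSM automation call, so the fixture does not document what a genuine remediation event looks like. There is also no negative fixture for config_auto_remediation, so a matcher regression that lets ordinary SSM automation runs through would still pass this test file. Which fields AwsConfigMatcher.is_auto_remediation keys on is not in this section, but `"sourceIPAddress": "config.amazonaws.com"` is the only Config-specific signal in the record; a fourth record with `"sourceIPAddress": "..."` and `"trigger_rules": []` would pin that discriminator. The `"description"` strings could also say which rule is under test, since the first two records are identical apart from one `complianceType`.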