

Merge pull request #1140 from jack1902/rules/aws_config
[rules] Added AWS Config Compliance and Remediation Rules
Ryxias authored Mar 10, 2020
2 parents d57a2ab + e3cfa59 commit f8a9da4
Showing 4 changed files with 284 additions and 3 deletions.
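--- a/rules/community/cloudtrail/cloudtrail_aws_config.py
+++ b/rules/community/cloudtrail/cloudtrail_aws_config.py
@@ -0,0 +1,47 @@
+"""Alert on AWS Config"""
+from rules.matchers.matchers import AwsConfigMatcher
+from streamalert.shared.rule import rule
+
+
+# Populate this list to alert on specific Config Rules, otherwise all rules will be in-scope
+# Also consider the use of Lookup-Tables
+RULES_TO_ALERT_ON = []
+
+
+@rule(logs=["cloudtrail:events"], matchers=[AwsConfigMatcher.is_config_compliance])
+def config_compliance(record):
+"""
+author: jack (jack1902)
+description: Alert on AWS Config Complaince Change events of NON_COMPLIANT
+testing: From the Config page (https://console.aws.amazon.com/config/home)
+ensure recording is turned on. And you have a basic rule you can
+trigger as compliant or non-compliant.
+"""
+
+non_compliance_present = any(
+evaluation["complianceType"] == "NON_COMPLIANT"
+for evaluation in record["requestParameters"]["evaluations"]
+)
+
+if RULES_TO_ALERT_ON:
+# Alert on specific rule names. Useful when some Config Rules are just TOO noisy.
+rule_name = record["additionalEventData"]["configRuleName"]
+result = rule_name in RULES_TO_ALERT_ON and non_compliance_present
+else:
+# Alert on ALL config rules regardless of their name
+result = non_compliance_present
+
+return result
+
+
+@rule(logs=["cloudtrail:events"], matchers=[AwsConfigMatcher.is_auto_remediation])
+def config_auto_remediation(_):
+"""
+author: jack (jack1902)
+description: Alert on AWS Config Auto Remediation
+testing: From the Config page (https://console.aws.amazon.com/config/home)
+ensure recording is turned on. And you have a basic rule you can
+trigger as compliant or non-compliant. Then trigger the remediation
+either manually or have it done automatically.
+"""
+return True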
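Review bot: `config_compliance` indexes `record["requestParameters"]["evaluations"]` and `record["additionalEventData"]["configRuleName"]` directly, so a PutEvaluations record that passes the matcher but lacks either key raises KeyError out of the rule instead of evaluating to False; `evaluations = record.get("requestParameters", {}).get("evaluations", [])` and `rule_name = record.get("additionalEventData", {}).get("configRuleName")` keep the rule total over the record shapes the matcher lets through. The fixture's `notificationJobType` is `SCHEDULED_NOTIFICATION`, which suggests a resource that stays NON_COMPLIANT will re-alert on every scheduled evaluation; if so, that is worth stating in the docstring so operators expect the repeat alerts or deduplicate downstream. The description line of the docstring also misspells "Compliance" as "Complaince".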
4 changes: 2 additions & 2 deletions rules/community/guardduty/guard_duty_all.py
@@ -1,9 +1,9 @@
"""Alert on GuardDuty"""
from rules.matchers.matchers import GuardDutyMatcher
from rules.matchers.matchers import AwsGuardDutyMatcher
from streamalert.shared.rule import rule


@rule(logs=['cloudwatch:events'], matchers=[GuardDutyMatcher.guard_duty])
@rule(logs=['cloudwatch:events'], matchers=[AwsGuardDutyMatcher.guard_duty])
def guard_duty_all(*_):
"""
author: spiper
37 changes: 36 additions & 1 deletion rules/matchers/matchers.py
Expand Up @@ -14,7 +14,7 @@
@rule('root_logins', logs=['osquery:differential'],
matchers=[matchers.prod, matchers.pci], outputs=['pagerduty:sample-integration'])
"""
class GuardDutyMatcher:
class AwsGuardDutyMatcher:
"""A class contains matchers for AWS GuardDuty service"""

@classmethod
Expand Down Expand Up @@ -51,3 +51,38 @@ def user_login(cls, rec):
int(rec['columns']['type']) == cls._EVENT_TYPE_LOGIN and
(rec['columns']['username'] not in cls._RUNLEVELS)
)


class AwsConfigMatcher:
"""Contains Matchers relevant to AWS Config"""

@staticmethod
def is_config_compliance(rec):
"""Check if the record event is from config compliance
Args:
rec (dict): Parsed log to check key/value pairs
Returns:
bool: True if from config and not in testMode else False
"""
return (
rec['eventSource'] == 'config.amazonaws.com'
and rec['eventName'] == 'PutEvaluations'
and not rec['requestParameters']['testMode']
)

@staticmethod
def is_auto_remediation(rec):
"""Check if the record is an auto-remediation event
Args:
rec (dict): Parsed log to check key/value pairs
Returns:
bool: True if auto_remediation event else False
"""
return (
rec['eventName'] == 'StartAutomationExecution'
and rec['eventSource'] == 'ssm.amazonaws.com'
and rec['sourceIPAddress'] == 'config.amazonaws.com'
)
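Review bot: `is_config_compliance` dereferences `rec['requestParameters']['testMode']` unconditionally, so a PutEvaluations record whose requestParameters omits testMode raises KeyError inside the matcher rather than matching; `and not rec['requestParameters'].get('testMode', False)` treats an absent flag as a real evaluation, which is the right default given that testMode evaluations are the ones being excluded. `is_auto_remediation` matches any SSM StartAutomationExecution whose sourceIPAddress is `config.amazonaws.com`, not a particular remediation document, and its docstring should say so: `Matches any SSM automation started on behalf of the Config service; it does not identify which remediation ran.` The rename of `GuardDutyMatcher` to `AwsGuardDutyMatcher` in the earlier hunk drops the old name, so rules outside this repository that import it fail at load; a one-line alias `GuardDutyMatcher = AwsGuardDutyMatcher` would keep them loading until they are updated.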
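--- a/tests/integration/rules/cloudtrail/cloudtrail_aws_config.json
+++ b/tests/integration/rules/cloudtrail/cloudtrail_aws_config.json
@@ -0,0 +1,199 @@
+[
+{
+"data": {
+"Records": [
+{
+"additionalEventData": {
+"configRuleArn": "...",
+"configRuleInputParameters": "{}",
+"configRuleName": "s3-bucket-logging-enabled",
+"notificationJobType": "SCHEDULED_NOTIFICATION"
+},
+"awsRegion": "...",
+"eventID": "...",
+"eventName": "PutEvaluations",
+"eventSource": "config.amazonaws.com",
+"eventTime": "...",
+"eventType": "AwsApiCall",
+"eventVersion": "1.05",
+"recipientAccountId": "...",
+"requestID": "...",
+"requestParameters": {
+"evaluations": [
+{
+"complianceResourceId": "BUCKET_ONE",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "NON_COMPLIANT",
+"orderingTimestamp": "..."
+},
+{
+"complianceResourceId": "BUCKET_TWO",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "COMPLIANT",
+"orderingTimestamp": "..."
+}
+],
+"resultToken": "...",
+"testMode": false
+},
+"responseElements": null,
+"sourceIPAddress": "...",
+"userAgent": "...",
+"userIdentity": {
+"accessKeyId": "...",
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"sessionContext": {
+"attributes": {
+"creationDate": "..."
+},
+"sessionIssuer": {
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"type": "Role",
+"userName": "..."
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}
+]
+},
+"description": "Triggers an alert caused by a config compliance change of NON_COMPLIANT",
+"log": "cloudtrail:events",
+"service": "s3",
+"source": "prefix.cluster.sample.bucket",
+"trigger_rules": [
+"config_compliance"
+]
+},
+{
+"data": {
+"Records": [
+{
+"additionalEventData": {
+"configRuleArn": "...",
+"configRuleInputParameters": "{}",
+"configRuleName": "s3-bucket-logging-enabled",
+"notificationJobType": "SCHEDULED_NOTIFICATION"
+},
+"awsRegion": "...",
+"eventID": "...",
+"eventName": "PutEvaluations",
+"eventSource": "config.amazonaws.com",
+"eventTime": "...",
+"eventType": "AwsApiCall",
+"eventVersion": "1.05",
+"recipientAccountId": "...",
+"requestID": "...",
+"requestParameters": {
+"evaluations": [
+{
+"complianceResourceId": "BUCKET_ONE",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "COMPLIANT",
+"orderingTimestamp": "..."
+},
+{
+"complianceResourceId": "BUCKET_TWO",
+"complianceResourceType": "AWS::S3::Bucket",
+"complianceType": "COMPLIANT",
+"orderingTimestamp": "..."
+}
+],
+"resultToken": "...",
+"testMode": false
+},
+"responseElements": null,
+"sourceIPAddress": "...",
+"userAgent": "...",
+"userIdentity": {
+"accessKeyId": "...",
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"sessionContext": {
+"attributes": {
+"creationDate": "..."
+},
+"sessionIssuer": {
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"type": "Role",
+"userName": "..."
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}
+]
+},
+"description": "Will not trigger an alert caused by a config compliance change of COMPLIANT",
+"log": "cloudtrail:events",
+"service": "s3",
+"source": "prefix.cluster.sample.bucket",
+"trigger_rules": []
+},
+{
+"data": {
+"Records": [
+{
+"awsRegion": "eu-west-1",
+"eventID": "...",
+"eventName": "StartAutomationExecution",
+"eventSource": "ssm.amazonaws.com",
+"eventTime": "...",
+"eventType": "...",
+"eventVersion": "1.05",
+"recipientAccountId": "...",
+"requestID": "...",
+"requestParameters": {
+"domain": "vpc"
+},
+"responseElements": {
+"allocationId": "..",
+"domain": "vpc",
+"networkBorderGroup": "...",
+"publicIp": "...",
+"publicIpv4Pool": "amazon",
+"requestId": "..."
+},
+"sourceIPAddress": "config.amazonaws.com",
+"userAgent": "...",
+"userIdentity": {
+"accessKeyId": "...",
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"sessionContext": {
+"attributes": {
+"creationDate": "..."
+},
+"sessionIssuer": {
+"accountId": "...",
+"arn": "...",
+"principalId": "...",
+"type": "Role",
+"userName": "..."
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}
+]
+},
+"description": "Triggers an alert when auto-remediation of Config NON_COMPLIANT takes place",
+"log": "cloudtrail:events",
+"service": "s3",
+"source": "prefix.cluster.sample.bucket",
+"trigger_rules": [
+"config_auto_remediation"
+]
+}
+]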
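Review bot: The third fixture's `requestParameters` and `responseElements` (`"domain": "vpc"`, `allocationId`, `publicIp`, `publicIpv4Pool`) do not look like a StartAutomationExecution record, so the test exercises only the three top-level fields `is_auto_remediation` reads and would not catch a matcher that later keys on the automation document or its parameters; a redacted record captured from a real Config-triggered remediation would make the fixture representative. That record also leaves `eventType` as `"..."` while the two PutEvaluations fixtures use `AwsApiCall`.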
