May Update: S3 Rules #53

jacknagz · 2020-05-14T04:27:56Z

Background

A general audit and refresh of our S3 access log rules

Changes

Disable MFA delete policy by default
Tune S3 access log rules, disable some by default, update severities and test cases

Testing

Locally:

[INFO]: Testing analysis packs in aws_s3_rules/

AWS.S3.ServerAccess.Error
	[PASS] Access Error
	[PASS] Internal Server Error

AWS.S3.ServerAccess.IPWhitelist
	[PASS] Access From Approved IP
	[PASS] Access From Unapproved IP

AWS.S3.ServerAccess.Insecure
	[PASS] Secure Access to S3 Bucket
	[PASS] Insecure Access to S3 Bucket

AWS.S3.ServerAccess.Unauthenticated
	[PASS] Authenticated Access
	[PASS] Unauthenticated Access

AWS.S3.ServerAccess.UnknownRequester
	[PASS] Expected Access
	[PASS] Unexpected Access

nhakmiller · 2020-05-14T15:04:34Z

aws_s3_rules/aws_s3_access_ip_whitelist.py

-# IP addresses (in CIDR notation) indicating approved IP ranges for accessing S3 buckets
-IP_WHITELIST = {
+BUCKET_NAMES = {
+    # Example bucket names go here


Should this comment say something like "restricted bucket names go here" or something?

Yep, adding

nhakmiller · 2020-05-14T15:05:47Z

aws_s3_rules/aws_s3_access_ip_whitelist.py

    ip_network('10.0.0.0/8'),
 }


 def rule(event):
-    # Only evaluate if the remoteIP field is present
+    if BUCKET_NAMES:


Is the intent that if BUCKET_NAMES is empty, it applies to all buckets? Perhaps a comment should clarify that under the BUCKET_NAMES declaration at the top.

The intention is that if it's empty, we just apply to all buckets

* adding special handling of SchemaWrongKeyError exceptions * format update; added unit test to check new method * fixing bad merge

) Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

sync this fork to panther-labs/panther-analysis v3.16.0

jacknagz added 2 commits May 13, 2020 15:22

[aws_s3_rules] update

f3ded3f

[s3_rules] refresh!

71af340

jacknagz requested review from austinbyers, kostaspap and nhakmiller as code owners May 14, 2020 04:27

final update

facf3cc

nhakmiller approved these changes May 14, 2020

View reviewed changes

[analysis] feedback

363a150

jacknagz merged commit 93116a1 into master May 14, 2020

jacknagz deleted the jacknaglieri-update-s3-rules-policies branch May 14, 2020 16:14

melenevskyi pushed a commit that referenced this pull request Dec 12, 2023

schema wrong key error output (#53)

2fc0dab

* adding special handling of SchemaWrongKeyError exceptions * format update; added unit test to check new method * fixing bad merge

egibs pushed a commit that referenced this pull request Jan 30, 2024

Add detection of iam.serviceAccountKeys.create event (#53)

592ff1a

egibs pushed a commit that referenced this pull request Jan 30, 2024

[sync] Add detection of iam.serviceAccountKeys.create event (#53) (#1074

bbb3b2b

) Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

risto-liftoff added a commit to risto-liftoff/panther-analysis that referenced this pull request Feb 29, 2024

Merge pull request panther-labs#53 from liftoffio/sync_upstream_v3.16.0

9be6334

sync this fork to panther-labs/panther-analysis v3.16.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

May Update: S3 Rules #53

May Update: S3 Rules #53

jacknagz commented May 14, 2020

nhakmiller May 14, 2020

jacknagz May 14, 2020

nhakmiller May 14, 2020

jacknagz May 14, 2020

May Update: S3 Rules #53

May Update: S3 Rules #53

Conversation

jacknagz commented May 14, 2020

Background

Changes

Testing

nhakmiller May 14, 2020

Choose a reason for hiding this comment

jacknagz May 14, 2020

Choose a reason for hiding this comment

nhakmiller May 14, 2020

Choose a reason for hiding this comment

jacknagz May 14, 2020

Choose a reason for hiding this comment