Closed (Riebart closed this issue 6 years ago)
Finally have made these additions.
enum_monitoring now expands more into Config enumeration
disrupt_monitoring now can disrupt everything (at least everything relevant) that enum_monitoring enumerates, including VPC flow logs (delete), CloudTrail trails (delete, disable, modify), various Config resources (delete/disable), CloudWatch alarms (delete/disable actions), and GuardDuty detectors (delete/disable).
S3 events are on the roadmap, as well as another addition to GuardDuty, but this is what is currently implemented.
https://github.com/RhinoSecurityLabs/pacu/pull/40
I'll close this once it hits the master branch.
Disrupting monitoring applies to a variety of services: VPC flow logs, CloudTrail, AWS Config, CloudWatch alarms, S3 events, etc. CloudTrail and GuardDuty detectors are great, but there are other things that qualify too; essentially anything that takes an automated action based on the state of something or an event can function as an alarm, depending on what we're trying to do/mutate.
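From the defender's side, the calls listed in both comments above are exactly the ones a CloudTrail-based detection should alert on. The following is an added example, not pacu's code and not from this thread: it scans CloudTrail records for the delete/disable/modify calls against flow logs, trails, Config, CloudWatch alarms and GuardDuty. The eventSource/eventName strings are the real AWS API names; the sample records are constructed, and the assumption that GuardDuty's enable flag is logged under requestParameters as "enable" is mine.

```python
import json

# Monitoring-disrupting API calls per service, keyed by CloudTrail eventSource.
# The event names are the real AWS API names for the actions listed in the thread.
DISRUPTIVE_EVENTS = {
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "cloudtrail.amazonaws.com": {"DeleteTrail", "StopLogging", "UpdateTrail"},
    "config.amazonaws.com": {"DeleteConfigurationRecorder", "StopConfigurationRecorder",
                             "DeleteDeliveryChannel"},
    "monitoring.amazonaws.com": {"DeleteAlarms", "DisableAlarmActions"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
}

def is_disruptive(record):
    """True if one CloudTrail record is a call that deletes or disables monitoring."""
    source, name = record.get("eventSource", ""), record.get("eventName", "")
    if name not in DISRUPTIVE_EVENTS.get(source, ()):
        return False
    # UpdateDetector only counts when it switches the detector off.
    # Assumption: the request body field appears as "enable" in requestParameters.
    if name == "UpdateDetector":
        return (record.get("requestParameters") or {}).get("enable") is False
    return True

def scan_log(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) and return one finding per hit."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if is_disruptive(rec):
            findings.append({"time": rec.get("eventTime"),
                             "actor": rec.get("userIdentity", {}).get("arn"),
                             "call": rec["eventSource"] + ":" + rec["eventName"]})
    return findings

def _rec(time, source, name, user, params=None):
    """Build a constructed CloudTrail record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/" + user},
            "requestParameters": params}

# Constructed sample log mixing benign reads with the disruptive calls above.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T00:00:01Z", "cloudtrail.amazonaws.com", "DescribeTrails", "ops"),
    _rec("2024-01-01T00:00:02Z", "cloudtrail.amazonaws.com", "StopLogging", "tester"),
    _rec("2024-01-01T00:00:03Z", "guardduty.amazonaws.com", "UpdateDetector", "ops",
         {"detectorId": "d-example", "enable": True}),
    _rec("2024-01-01T00:00:04Z", "guardduty.amazonaws.com", "UpdateDetector", "tester",
         {"detectorId": "d-example", "enable": False}),
    _rec("2024-01-01T00:00:05Z", "ec2.amazonaws.com", "DeleteFlowLogs", "tester"),
]})
```

Running `scan_log(SAMPLE_LOG)` on the constructed log yields three findings (StopLogging, the disabling UpdateDetector, DeleteFlowLogs) and ignores the read-only call and the re-enabling UpdateDetector.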