prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Enhance check38: Ensure a log metric filter and alarm works with Cloudwatch Event Rule #831

Closed hampsterx closed 2 years ago

hampsterx commented 3 years ago

Maybe other checks as well, but this one is looking for a metric filter alarm. However, I have implemented it using a CloudWatch Event Rule, which seems to be the preferred way now?

e.g.

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com"
    ],
    "eventName": [
      "CreateBucket",
      "DeleteBucket",
      "PutBucketAcl",
      "PutBucketPublicAccessBlock",
      "PutBucketPolicy",
      "PutBucketCors",
      "PutBucketLifecycle",
      "PutBucketReplication",
      "DeleteBucketPolicy",
      "DeleteBucketCors",
      "DeleteBucketLifecycle",
      "DeleteBucketReplication"
    ]
  }
}

What would be involved in supporting this alternative?

w0rmr1d3r commented 3 years ago

Hello @hampsterx ! I like your alternative, it sure keeps track of changes done within the bucket, however, it's keeping track of more things than check38 (if I'm not mistaken).

As long as it follows (check the link)-> https://github.com/toniblyx/prowler/blob/583cffaefb067e8fbd81a5300db11a0a841102b2/checks/check38#L13

I guess it could be just fine to add the filters you have on your CloudWatch rule, to the check38.

Let's wait @toniblyx confirmation about it.

Cheers!

toniblyx commented 3 years ago

Hi @hampsterx, not sure if I'm missing something here, but what CIS check38 looks for is pretty much what you have, except for CreateBucket and DeleteBucket, which, despite being important, are not part of CIS benchmark 1.2 (not sure if they are included in 1.3). What I recommend in these cases is to create your custom one and use it separately. See option -x in ./prowler -h.

hampsterx commented 3 years ago

Hi @toniblyx

Unless I am mistaken, the current check is a regex for a metric filter.

check38(){
  check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
}

My suggestion is whether it's possible to use a CloudWatch Event Rule, which now seems to be the recommended way of creating these sorts of alarms.

My rule above is a superset, including CreateBucket and DeleteBucket.

jfagoagas commented 2 years ago

Hi @hampsterx, because AWS EventBridge rules can support this we think the best way is to include new extra checks to review it.

Regarding the following events for S3: this check is only auditing whether a log metric filter and alarm exist for S3 bucket policy changes, so maybe we can include another extra check to review the following S3 events.

"CreateBucket",
"DeleteBucket",

We are going to include the above in our roadmap.

Thank you!
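The two detection styles discussed in this thread can be evaluated with the same required-event list. The following is an added example, not Prowler's own code: it reuses the check38 regex quoted above verbatim to emulate the metric-filter check, and adds a set-based comparison for an EventBridge event pattern (the style hampsterx posted), reporting which CIS S3 event names a rule fails to cover. The rule JSON and the metric filter pattern below are constructed sample inputs; in a live audit the pattern strings would come from the CloudWatch Logs `describe_metric_filters` and EventBridge `describe_rule` (`EventPattern`) API responses, which this example does not call.

```python
import json
import re

# Event names check38's regex requires (CIS 1.2, "S3 bucket policy changes").
CIS_S3_POLICY_EVENTS = frozenset({
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
})

# Extra events proposed in the thread for a separate check.
EXTRA_S3_BUCKET_EVENTS = frozenset({"CreateBucket", "DeleteBucket"})

# Prowler's check38 regex as quoted in the thread; \$ matches a literal '$'.
CHECK38_PATTERN = re.compile(
    r'\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+'
    r'\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+'
    r'\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+'
    r'\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+'
    r'\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
)


def metric_filter_matches_check38(filter_pattern: str) -> bool:
    """Emulate check38: the CloudWatch Logs metric filter text must contain the
    CIS event names in the order the regex lists them."""
    return CHECK38_PATTERN.search(filter_pattern) is not None


def eventbridge_rule_missing(event_pattern_json: str, required: frozenset) -> set:
    """Return the subset of `required` S3 event names NOT covered by an
    EventBridge rule pattern (CloudTrail API-call style, as in the thread).

    A pattern that omits detail.eventName matches every S3 API call, so it
    covers everything; a pattern for another source or detail-type covers nothing.
    """
    pattern = json.loads(event_pattern_json)
    if "AWS API Call via CloudTrail" not in pattern.get("detail-type", []):
        return set(required)
    detail = pattern.get("detail", {})
    if "s3.amazonaws.com" not in detail.get("eventSource", []):
        return set(required)
    if "eventName" not in detail:
        return set()
    return set(required) - set(detail["eventName"])


# Constructed sample: the rule hampsterx posted (CIS events plus CreateBucket,
# DeleteBucket and PutBucketPublicAccessBlock).
HAMPSTERX_RULE = json.dumps({
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": [
            "CreateBucket", "DeleteBucket", "PutBucketAcl",
            "PutBucketPublicAccessBlock", "PutBucketPolicy", "PutBucketCors",
            "PutBucketLifecycle", "PutBucketReplication", "DeleteBucketPolicy",
            "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication",
        ],
    },
})

# Constructed sample: a rule that only watches bucket policy puts/deletes.
NARROW_RULE = json.dumps({
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"],
    },
})

# Constructed sample: a metric filter pattern in the CIS-recommended form.
CIS_METRIC_FILTER = (
    "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || "
    "($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || "
    "($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || "
    "($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || "
    "($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
)


if __name__ == "__main__":
    print("metric filter passes check38:", metric_filter_matches_check38(CIS_METRIC_FILTER))
    for name, rule in (("hampsterx", HAMPSTERX_RULE), ("narrow", NARROW_RULE)):
        missing = eventbridge_rule_missing(rule, CIS_S3_POLICY_EVENTS)
        print(f"rule {name}: missing CIS events = {sorted(missing) or 'none'}")
```

One difference worth keeping in mind when extending the check: the quoted regex is order-sensitive (a metric filter listing the same events in a different order does not match), whereas the EventBridge comparison above is a set difference, so it also reports exactly which events a partial rule lacks.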