Closed hampsterx closed 2 years ago
Hello @hampsterx ! I like your alternative, it sure keeps track of changes done within the bucket, however, it's keeping track of more things than check38 (if I'm not mistaken).
As long as it follows (check the link)-> https://github.com/toniblyx/prowler/blob/583cffaefb067e8fbd81a5300db11a0a841102b2/checks/check38#L13
I guess it could be just fine to add the filters you have on your CloudWatch rule, to the check38.
Let's wait @toniblyx confirmation about it.
Cheers!
Hi @hampsterx, not sure if I'm missing something here but what CIS check38 looks for is pretty much what you have except for CreateBucket, DeleteBucket, despite those are important, are not part of CIS benchmark 1.2 (not sure if they are included in 1.3). What I recommend in these cases is to create your custom one and use it separately. See option -x
in ./prowler -h
.
hi @toniblyx
Unless I am mistaken, the current check is a regex for a metric filter:

```bash
check38(){
check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
}
```

My suggestion is whether it's possible to use a CloudWatch Event Rule, which now seems to be the recommended way of creating these sorts of alarms.
My rule above is a superset including CreateBucket and DeleteBucket.
Hi @hampsterx, because AWS EventBridge rules can support this we think the best way is to include new extra checks to review it.
Regarding the following events for S3, this check is only auditing if a log metric filter and alarm exist for S3 bucket policy changes, so maybe we can include another extra check to review the following S3 events.
```
"CreateBucket",
"DeleteBucket",
```
We are going to include the above in our roadmap.
Thank you!
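To make the two approaches discussed in this thread concrete, here is an added Python example that is not part of prowler or of any comment above. It applies the check38 regex quoted earlier to constructed CloudWatch Logs metric filter patterns, builds the EventBridge event pattern for the CIS 3.8 event list plus the proposed CreateBucket/DeleteBucket extras, and reports which required events a given rule's event pattern fails to cover. The event-pattern shape ("AWS API Call via CloudTrail" with `detail.eventSource` / `detail.eventName`) is the documented EventBridge format for CloudTrail management events; the helper names and the sample patterns are assumptions constructed for this example.

```python
import json
import re

# Event names the CIS 1.2 control 3.8 metric filter is expected to cover,
# taken in order from the check38 regex quoted in this thread.
CIS_38_EVENTS = [
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
]

# Extra events the issue proposes auditing on top of the CIS list.
EXTRA_EVENTS = ["CreateBucket", "DeleteBucket"]

# The check38 regex as a Python raw string. Bash single quotes pass the
# backslashes through unchanged, so this is the same expression.
CHECK38_REGEX = (
    r"\$\.eventSource\s*=\s*s3.amazonaws.com"
    r".+\$\.eventName\s*=\s*PutBucketAcl"
    r".+\$\.eventName\s*=\s*PutBucketPolicy"
    r".+\$\.eventName\s*=\s*PutBucketCors"
    r".+\$\.eventName\s*=\s*PutBucketLifecycle"
    r".+\$\.eventName\s*=\s*PutBucketReplication"
    r".+\$\.eventName\s*=\s*DeleteBucketPolicy"
    r".+\$\.eventName\s*=\s*DeleteBucketCors"
    r".+\$\.eventName\s*=\s*DeleteBucketLifecycle"
    r".+\$\.eventName\s*=\s*DeleteBucketReplication"
)


def metric_filter_matches_check38(filter_pattern: str) -> bool:
    """True if a CloudWatch Logs metric filter pattern satisfies the check38 regex."""
    return re.search(CHECK38_REGEX, filter_pattern) is not None


def build_eventbridge_pattern(extra_events=()) -> dict:
    """EventBridge event pattern selecting S3 bucket configuration changes from CloudTrail.

    Assumes a trail that delivers S3 management events to EventBridge in the
    rule's region (an assumption for this example, not something the rule checks).
    """
    return {
        "source": ["aws.s3"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["s3.amazonaws.com"],
            "eventName": CIS_38_EVENTS + list(extra_events),
        },
    }


def missing_events(event_pattern, required_events) -> set:
    """Audit helper: which required S3 event names does a rule's pattern not cover?

    Accepts the pattern as a dict or as the JSON string returned by the
    EventBridge API. A pattern that does not filter on eventName at all
    matches every S3 API call, so nothing is reported missing for it.
    """
    pattern = json.loads(event_pattern) if isinstance(event_pattern, str) else event_pattern
    if "aws.s3" not in pattern.get("source", ["aws.s3"]):
        return set(required_events)  # rule never sees S3 CloudTrail events
    detail = pattern.get("detail", {})
    if "s3.amazonaws.com" not in detail.get("eventSource", ["s3.amazonaws.com"]):
        return set(required_events)
    if "eventName" not in detail:
        return set()
    return set(required_events) - set(detail["eventName"])


# Constructed samples: the metric filter pattern CIS 3.8 recommends, and a
# narrower one that only watches bucket policy changes.
CIS_38_FILTER = (
    "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || "
    "($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || "
    "($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || "
    "($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || "
    "($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
)
PARTIAL_FILTER = "{ ($.eventSource = s3.amazonaws.com) && ($.eventName = PutBucketPolicy) }"


if __name__ == "__main__":
    print("CIS 3.8 filter passes check38:", metric_filter_matches_check38(CIS_38_FILTER))
    print("partial filter passes check38:", metric_filter_matches_check38(PARTIAL_FILTER))
    full_rule = build_eventbridge_pattern(EXTRA_EVENTS)
    print(json.dumps(full_rule, indent=2))
    cis_only_rule = build_eventbridge_pattern()
    print("missing from CIS-only rule:", missing_events(cis_only_rule, CIS_38_EVENTS + EXTRA_EVENTS))
```

Two caveats worth knowing when relying on the regex route: because the pattern chains the event names with `.+` in a fixed order, a metric filter that lists the same nine events in a different order will fail check38 even though it alerts on exactly the same API calls, and the unescaped dots in `s3.amazonaws.com` match any character. An event-name set comparison, as `missing_events` does for the EventBridge pattern, avoids both problems.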
Maybe other checks as well, but this one is looking for metric filter alarm. However I have implemented it using Cloudwatch Event Rule which seems to be the preferred way now?
eg
what would be involved in supporting this alternative?