Critical API call detection fixes (#1029)

* [apps] Correctly update aliyun timestamp (#978) * tweaking .gitignore file slightly for venv (#980) * Hotfix/links and spelling (#967) * Fix broken link in the documentation * Minor spelling updates in comments, code, and docs * Bumped slack app timeout (#983) * Fix logic for S3 Public Block Access; Add detection of Organization calls * update to use sets vs lists
airbnb · Nov 22, 2019 · dc973b2 · dc973b2
1 parent 6df24fe
commit dc973b2
Showing 1 changed file with 32 additions and 14 deletions.
diff --git a/rules/community/cloudtrail/cloudtrail_critical_api_calls.py b/rules/community/cloudtrail/cloudtrail_critical_api_calls.py
@@ -27,6 +27,31 @@
     'DisableEbsEncryptionByDefault',
 }
 
+PUBLIC_ACCESS_BLOCK_CONFIG_ACTIONS = {
+    'RestrictPublicBuckets',
+    'BlockPublicPolicy',
+    'BlockPublicAcls',
+    'IgnorePublicAcls',
+}
+
+AWS_ORG_EVENTS = {
+    'AttachPolicy',
+    'CreateOrganizationUnit',
+    'CreatePolicy',
+    'DeletePolicy',
+    'DeleteOrganizationUnit',
+    'DetachPolicy',
+    'DisableAWSServiceAccess',
+    'DisablePolicyType',
+    'EnableAllFeatures',
+    'EnableAWSServiceAccess',
+    'EnablePolicyType',
+    'LeaveOrganization',
+    'MoveAccount',
+    'RemoveAccountFromOrganization',
+    'UpdatePolicy',
+}
+
 
 @rule(logs=['cloudtrail:events'])
 def cloudtrail_critical_api_calls(rec):
@@ -53,20 +78,13 @@ def cloudtrail_critical_api_calls(rec):
         # The call to PutBucketPublicAccessBlock sets the policy for what to
         # block for a bucket. We need to get the configuration and see if any
         # of the items are set to False.
-        config = rec.get('requestParameters', {}).get(
-            'PublicAccessBlockConfiguration', {}
-        )
-        if (config.get('RestrictPublicBuckets', False) is False
-                or config.get('BlockPublicPolicy', False) is False
-                or config.get('BlockPublicAcls', False) is False
-                or config.get('IgnorePublicAcls', False) is False
-           ):
-            return True
+        config = rec.get('requestParameters', {}).get('PublicAccessBlockConfiguration', {})
+        for action in PUBLIC_ACCESS_BLOCK_CONFIG_ACTIONS:
+            if config.get(action, True) is False:
+                return True
 
-    # PutAccountPublicAccessBlock does not indicate if the account is
-    # enabling or disabling this feature so to reduce FPs,
-    # for now this is not being detected.
-    # This issue was reported to aws-security@amazon.com by spiper
-    # on 2019.07.09
+    # Detect important Organizations calls
+    if rec['eventSource'] == 'organizations.amazonaws.com' and rec['eventName'] in AWS_ORG_EVENTS:
+        return True
 
     return False