[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) #3735
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
imays11
added
Integration: AWS
imays11
changed the title
imays11
changed the title
imays11
commented
May 31, 2024
...tegrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
Outdated
Show resolved
Hide resolved
...tegrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
Outdated
Show resolved
Hide resolved
Aegrah
approved these changes
Jun 5, 2024
...egrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml
Outdated
Show resolved
Hide resolved
...tegrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml
Outdated
Show resolved
Hide resolved
...tegrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
Outdated
Show resolved
Hide resolved
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Comment on lines
+102
to
+107
| from logs-aws.cloudtrail-* | ||
| | where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success" | ||
| | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}" | ||
| | where policyName == "AdministratorAccess" | ||
| | keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, target.userName, user_agent.original, source.address, source.geo.location | ||
| | sort aws.cloudtrail.user_identity.arn |
There was a problem hiding this comment.
Thoughts on collapsing into one rule with a query like the following?
from logs-aws.cloudtrail-*
| where event.provider == "iam.amazonaws.com" and event.action in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") and event.outcome == "success"
| where aws.cloudtrail.request_parameters rlike "(.*)AdministratorAccess(.*)"
| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, aws.cloudtrail.request_parameters, user_agent.original, source.address, source.geo.location
| sort aws.cloudtrail.user_identity.arn
There was a problem hiding this comment.
I did consider this and thought keeping them seperate may be better for clients to disable or add exclusions if needed since all 3 have slightly different use-cases. For example, I could see the creation of roles with AdministratorAccess being used as a safer method when necessary since those requested credentials are temporary, vs. granting individual users the AdministratorAccess policy with long-standing credentials. In this case someone may want to disable the AttachRolePolicy rule but keep the AttachUserPolicy.
terrancedejesus
approved these changes
Jun 7, 2024
imays11
deleted the
new_rule_aws_iam_administratoraccess_policy_attached_to_user
branch
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 7, 2024
…oup, Role(es|ql) (#3735) * [New Rule] AWS IAM AdministratorAccess Policy Attached to User issue... * add source.address and source.geo.location * fix threat tactic ids * AdministratorAccess Policy Attached to Group * AdminstratoAccess Policy Attached to Role * reduce severity to medium Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit e1cbf9f)
protectionsmachine
pushed a commit
that referenced
this pull request
Jun 7, 2024
…oup, Role(es|ql) (#3735) * [New Rule] AWS IAM AdministratorAccess Policy Attached to User issue... * add source.address and source.geo.location * fix threat tactic ids * AdministratorAccess Policy Attached to Group * AdminstratoAccess Policy Attached to Role * reduce severity to medium Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit e1cbf9f)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
Summary
Identifies the use of
iam:AttachUserPolicy,iam:AttachGroupPolicy, andiam:AttachRolePolicyAPI functions, which are used to attach user policies to user accounts, groups and roles in AWS. Specifically, these rules use ES|QL to dissect theaws.cloudtrail.request_parametersfield to isolate the policyName and alert on theAdministrativeAccessAWS managed policy, which grants an identity full administrative access over all AWS services and resources. While there are legitimate use-cases, such highly privileged access should be closely monitored and any usage of this policy should be verified for validity.AttachUserPolicy
AttachGroupPolicy
AttachRolePolicy