cloudtrail

// CheckBucketAccessLoggingRequired (AVD-AWS-0163; CIS AWS 1.2 §2.6, CIS AWS 1.4 §3.6)
// flags a CloudTrail trail whose destination S3 bucket has server access logging
// explicitly disabled. The rule is registered with Deprecated set to true.
//
// The check body walks every trail that names a bucket and looks that bucket up by
// name in the S3 state. Results (pass or fail) are attached to the matching bucket,
// not to the trail. A trail whose bucket is absent from the scanned state produces
// neither a failure nor a pass, so an unmodelled bucket is silently unreported.
var CheckBucketAccessLoggingRequired = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0163",
		Provider:  providers.AWSProvider,
		Service:   "cloudtrail",
		ShortCode: "require-bucket-access-logging",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"2.6"},
			framework.CIS_AWS_1_4: {"3.6"},
		},
		Summary:    "You should enable bucket access logging on the CloudTrail S3 bucket.",
		Impact:     "There is no way to determine the access to this bucket",
		Resolution: "Enable access logging on the bucket",
		Explanation: `Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.

CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.

By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformBucketAccessLoggingRequiredGoodExamples,
			BadExamples:         terraformBucketAccessLoggingRequiredBadExamples,
			Links:               terraformBucketAccessLoggingRequiredLinks,
			RemediationMarkdown: terraformBucketAccessLoggingRequiredRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationBucketAccessLoggingRequiredGoodExamples,
			BadExamples:         cloudFormationBucketAccessLoggingRequiredBadExamples,
			Links:               cloudFormationBucketAccessLoggingRequiredLinks,
			RemediationMarkdown: cloudFormationBucketAccessLoggingRequiredRemediationMarkdown,
		},
		Severity:   severity.Low,
		Deprecated: true,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, trail := range st.AWS.CloudTrail.Trails {
			// A trail with no bucket name cannot be correlated with S3 state; skip it.
			if !trail.BucketName.IsNotEmpty() {
				continue
			}
			wanted := trail.BucketName.Value()
			for _, bucket := range st.AWS.S3.Buckets {
				if !bucket.Name.EqualTo(wanted) {
					continue
				}
				// Only an explicit "logging disabled" is a finding; the bucket is the
				// reported resource.
				if bucket.Logging.Enabled.IsFalse() {
					results.Add("Trail S3 bucket does not have logging enabled", &bucket)
					continue
				}
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)
// CheckEnableAllRegions (AVD-AWS-0014; CIS AWS 1.2 §2.5) flags a CloudTrail trail
// whose IsMultiRegion attribute is explicitly false. The rule is registered with
// Deprecated set to true.
//
// On failure the IsMultiRegion attribute itself is passed as the result source; on
// pass the trail is. A trail with a multi-region value that is neither true nor an
// explicit false (e.g. unresolvable) is not treated as a failure by IsFalse.
var CheckEnableAllRegions = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0014",
		Provider:  providers.AWSProvider,
		Service:   "cloudtrail",
		ShortCode: "enable-all-regions",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"2.5"},
		},
		Summary:     "Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed",
		Impact:      "Activity could be happening in your account in a different region",
		Resolution:  "Enable Cloudtrail in all regions",
		Explanation: `When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAllRegionsGoodExamples,
			BadExamples:         terraformEnableAllRegionsBadExamples,
			Links:               terraformEnableAllRegionsLinks,
			RemediationMarkdown: terraformEnableAllRegionsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAllRegionsGoodExamples,
			BadExamples:         cloudFormationEnableAllRegionsBadExamples,
			Links:               cloudFormationEnableAllRegionsLinks,
			RemediationMarkdown: cloudFormationEnableAllRegionsRemediationMarkdown,
		},
		Severity:   severity.Medium,
		Deprecated: true,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, trail := range st.AWS.CloudTrail.Trails {
			// The attribute, not the trail, is reported on failure.
			if trail.IsMultiRegion.IsFalse() {
				results.Add("Trail is not enabled across all regions.", trail.IsMultiRegion)
				continue
			}
			results.AddPassed(&trail)
		}
		return results
	},
)
// CheckEnableLogValidation (AVD-AWS-0016) flags a CloudTrail trail whose
// EnableLogFileValidation attribute is explicitly false, i.e. the integrity digest
// mechanism that lets tampering with delivered log files be detected is switched
// off. The rule is registered with Deprecated set to true.
//
// On failure the attribute is passed as the result source; on pass the trail is.
var CheckEnableLogValidation = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0016",
		Provider:    providers.AWSProvider,
		Service:     "cloudtrail",
		ShortCode:   "enable-log-validation",
		Summary:     "Cloudtrail log validation should be enabled to prevent tampering of log data",
		Impact:      "Illicit activity could be removed from the logs",
		Resolution:  "Turn on log validation for Cloudtrail",
		Explanation: `Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableLogValidationGoodExamples,
			BadExamples:         terraformEnableLogValidationBadExamples,
			Links:               terraformEnableLogValidationLinks,
			RemediationMarkdown: terraformEnableLogValidationRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableLogValidationGoodExamples,
			BadExamples:         cloudFormationEnableLogValidationBadExamples,
			Links:               cloudFormationEnableLogValidationLinks,
			RemediationMarkdown: cloudFormationEnableLogValidationRemediationMarkdown,
		},
		Severity:   severity.High,
		Deprecated: true,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, trail := range st.AWS.CloudTrail.Trails {
			switch {
			case trail.EnableLogFileValidation.IsFalse():
				// Report the attribute so the finding points at the setting itself.
				results.Add(
					"Trail does not have log validation enabled.",
					trail.EnableLogFileValidation,
				)
			default:
				results.AddPassed(&trail)
			}
		}
		return results
	},
)
// CheckEnsureCloudwatchIntegration (AVD-AWS-0162; CIS AWS 1.2 §2.4, CIS AWS 1.4 §3.4)
// flags a CloudTrail trail with no CloudWatch Logs log group ARN configured, so its
// events are delivered to S3 only and are not available for real-time analysis or
// alerting. The rule is registered with Deprecated set to true.
//
// The check tests only that CloudWatchLogsLogGroupArn is non-empty; it does not
// validate the ARN or the associated delivery role.
var CheckEnsureCloudwatchIntegration = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0162",
		Provider:  providers.AWSProvider,
		Service:   "cloudtrail",
		ShortCode: "ensure-cloudwatch-integration",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"2.4"},
			framework.CIS_AWS_1_4: {"3.4"},
		},
		Summary:    "CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs",
		Impact:     "Realtime log analysis is not available without enabling CloudWatch logging",
		Resolution: "Enable logging to CloudWatch",
		Explanation: `
CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs.

For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group.
`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html#send-cloudtrail-events-to-cloudwatch-logs-console",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnsureCloudwatchIntegrationGoodExamples,
			BadExamples:         terraformEnsureCloudwatchIntegrationBadExamples,
			Links:               terraformEnsureCloudwatchIntegrationLinks,
			RemediationMarkdown: terraformEnsureCloudwatchIntegrationRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnsureCloudwatchIntegrationGoodExamples,
			BadExamples:         cloudFormationEnsureCloudwatchIntegrationBadExamples,
			Links:               cloudFormationEnsureCloudwatchIntegrationLinks,
			RemediationMarkdown: cloudFormationEnsureCloudwatchIntegrationRemediationMarkdown,
		},
		Severity:   severity.Low,
		Deprecated: true,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, trail := range st.AWS.CloudTrail.Trails {
			// An empty log group ARN is the finding; the trail is the reported resource.
			if trail.CloudWatchLogsLogGroupArn.IsEmpty() {
				results.Add("Trail does not have CloudWatch logging configured", &trail)
				continue
			}
			results.AddPassed(&trail)
		}
		return results
	},
)
// CheckNoPublicLogAccess (AVD-AWS-0161; CIS AWS 1.2 §2.3, CIS AWS 1.4 §3.3) flags a
// CloudTrail trail whose destination S3 bucket has a publicly exposing ACL. The rule
// is registered with Deprecated set to true.
//
// Only the bucket ACL is consulted (HasPublicExposureACL). Although the explanation
// text covers both the bucket policy and the ACL, a bucket policy that grants public
// access is not examined by this check. As with the access-logging check, a trail
// whose bucket is not present in the S3 state yields neither a failure nor a pass.
var CheckNoPublicLogAccess = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0161",
		Provider:  providers.AWSProvider,
		Service:   "cloudtrail",
		ShortCode: "no-public-log-access",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"2.3"},
			framework.CIS_AWS_1_4: {"3.3"},
		},
		Summary:    "The S3 Bucket backing Cloudtrail should be private",
		Impact:     "CloudTrail logs will be publicly exposed, potentially containing sensitive information",
		Resolution: "Restrict public access to the S3 bucket",
		Explanation: `
CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicLogAccessGoodExamples,
			BadExamples:         terraformNoPublicLogAccessBadExamples,
			Links:               terraformNoPublicLogAccessLinks,
			RemediationMarkdown: terraformNoPublicLogAccessRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicLogAccessGoodExamples,
			BadExamples:         cloudFormationNoPublicLogAccessBadExamples,
			Links:               cloudFormationNoPublicLogAccessLinks,
			RemediationMarkdown: cloudFormationNoPublicLogAccessRemediationMarkdown,
		},
		Severity:   severity.Critical,
		Deprecated: true,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, trail := range st.AWS.CloudTrail.Trails {
			// Trails without a bucket name cannot be correlated with S3 state.
			if !trail.BucketName.IsNotEmpty() {
				continue
			}
			wanted := trail.BucketName.Value()
			for _, bucket := range st.AWS.S3.Buckets {
				if !bucket.Name.EqualTo(wanted) {
					continue
				}
				// ACL-only test; the bucket is the reported resource either way.
				if bucket.HasPublicExposureACL() {
					results.Add("Trail S3 bucket is publicly exposed", &bucket)
					continue
				}
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)
// EncryptionCustomerManagedKey (AVD-AWS-0015) flags a CloudTrail trail with no KMS
// key ID configured. The rule is registered with Deprecated set to true.
//
// Note that the check tests only presence: any non-empty KMSKeyID passes, so it
// cannot distinguish a customer-managed key from an AWS-managed one despite the
// rule's name. On failure the KMSKeyID attribute is the result source; on pass the
// trail is.
var EncryptionCustomerManagedKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0015",
		Provider:    providers.AWSProvider,
		Service:     "cloudtrail",
		ShortCode:   "encryption-customer-managed-key",
		Summary:     "CloudTrail should use Customer managed keys to encrypt the logs",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Use Customer managed key",
		Explanation: `Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
			"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptionCustomerManagedKeyGoodExamples,
			BadExamples:         terraformEncryptionCustomerManagedKeyBadExamples,
			Links:               terraformEncryptionCustomerManagedKeyLinks,
			RemediationMarkdown: ``,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptionCustomerManagedKeyGoodExamples,
			BadExamples:         cloudFormationEncryptionCustomerManagedKeyBadExamples,
			Links:               cloudFormationEncryptionCustomerManagedKeyLinks,
			RemediationMarkdown: ``,
		},
		Severity:   severity.High,
		Deprecated: true,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, trail := range st.AWS.CloudTrail.Trails {
			switch {
			case trail.KMSKeyID.IsEmpty():
				// Presence-only test: an empty key ID is the finding.
				results.Add(
					"CloudTrail does not use a customer managed key to encrypt the logs.",
					trail.KMSKeyID,
				)
			default:
				results.AddPassed(&trail)
			}
		}
		return results
	},
)
