Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tweak existing exfiltration rules; add additional rules #1036

Merged
merged 6 commits into from
Dec 13, 2023
Merged

Tweak existing exfiltration rules; add additional rules #1036

merged 6 commits into from
Dec 13, 2023

Conversation

egibs
Copy link
Contributor

@egibs egibs commented Dec 12, 2023

Background

This PR adds additional exfiltration rules for RDS and tweaks existing rules. Some of the existing rules were only focusing on group share events when resource sharing can also be done on an individual user/account basis.

I also sorted the strings in packs/aws.yaml.

Changes

  • Adds aws_rds_manual_snapshot_created.py/.yml
  • Adds aws_rds_snapshot_shared.py/.yml
  • Updates aws_ami_modified_for_public_access.py/.yml
  • Updates aws_snapshot_made_public.py

Testing

  • make fmt; make lint; make test

@egibs egibs requested review from a team December 12, 2023 21:14
@egibs egibs force-pushed the egibs-exfiltration-rules branch from 2fabc8d to 0c6073b Compare December 12, 2023 21:23
arielkr256
arielkr256 reviewed Dec 13, 2023
View reviewed changes
rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.py
event.deep_get("requestParameters", "attributeName") == "restore",
]
):
shared_account_ids = event.deep_get("requestParameters", "valuesToAdd", default=[])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be compared to userIdentity.accountId and only alert if the valuesToAdd account ID is different?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if a snapshot can be shared with the account it's created in. We can certainly add the logic to check for it, though.

Copy link
Contributor Author

@egibs egibs Dec 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in 58b0ad8 and c49ecd3.

arielkr256
arielkr256 approved these changes Dec 13, 2023
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@egibs egibs merged commit 4639517 into main Dec 13, 2023
3 checks passed
@egibs egibs deleted the egibs-exfiltration-rules branch December 13, 2023 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@egibs @arielkr256