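# IAM-related policies are in their own file, because all IAM policies need to be run in us-east-1 (where IAM lives).
# The policies in this file should be run in the region containing your resources.
#
# Every policy below uses `mode: cloudtrail`: Cloud Custodian deploys a Lambda that is invoked
# by the listed CloudTrail events, so remediation runs shortly after the offending API call
# instead of on a schedule. The execution role, SNS topic and SQS queue referenced here are
# specific to one account/region and must be replaced when this file is reused elsewhere.
# The `notify` actions only deliver mail if something (presumably a c7n-mailer deployment)
# is consuming the SQS queue named below — confirm it is deployed before relying on alerts.
policies:
  #==================
  # S3
  #==================
  # Remove public ACLs from buckets on creation or update.
  # NOTE: the `tag:Custodian` filter restricts remediation to buckets carrying that tag;
  # a public ACL on an untagged bucket is left in place (deliberate demo scoping).
  - name: s3-revoke-global-access
    resource: s3
    mode:
      type: cloudtrail
      role: arn:aws:iam::842337631775:role/custodian-security
      events:
        # "CreateBucket" is one of the shortcuts available in c7n to reference a specific CloudTrail event
        - CreateBucket
        # PutBucketAcl has no c7n shortcut, so here we use the standard method for selecting a
        # CloudTrail event, then use JMESPath to pull the resource ID out of the event payload
        - source: s3.amazonaws.com
          event: PutBucketAcl
          ids: "requestParameters.bucketName"
    filters:
      - type: global-grants
      - "tag:Custodian": present
    actions:
      # Only the two public grantee groups are stripped; other grants on the bucket are kept.
      - type: delete-global-grants
        grantees:
          - "http://acs.amazonaws.com/groups/global/AllUsers"
          - "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      - type: notify
        template: default
        subject: 'Removed public ACL from S3 bucket'
        to:
          - arn:aws:sns:us-west-2:842337631775:cloud-custodian-mailer
        transport:
          type: sqs
          queue: https://sqs.us-west-2.amazonaws.com/842337631775/cloud-custodian-mailer

  #==================
  # Security Groups
  #==================
  # Remove security group rules with SSH open to the world.
  # NOTE(review): `FromPort: 22` matches only rules whose range *starts* at 22; a wide range
  # such as 0-65535 that also exposes SSH is handled by the next policy, not this one.
  - name: security-group-revoke-global-ssh-on-creation
    resource: security-group
    mode:
      type: cloudtrail
      role: arn:aws:iam::842337631775:role/custodian-security
      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: "requestParameters.groupId"
    filters:
      - or:
          # format in the docs doesn't work; this format does
          - type: ingress
            FromPort: 22
            Cidr:
              value: "0.0.0.0/0"
          # use Cidr to match ipv4 rules; use CidrV6 to match ipv6 rules
          - type: ingress
            FromPort: 22
            CidrV6:
              value: "::/0"
    actions:
      # `matched` removes only the permissions the filters selected, not the whole group.
      - type: remove-permissions
        ingress: matched
      - type: notify
        template: default
        subject: 'Removed public SSH rule from security group'
        to:
          - arn:aws:sns:us-west-2:842337631775:cloud-custodian-mailer
        transport:
          type: sqs
          queue: https://sqs.us-west-2.amazonaws.com/842337631775/cloud-custodian-mailer

  # Remove security group rules with all tcp open to the world.
  # A rule is matched when it starts at port 0 or ends at port 65535 and is open to
  # 0.0.0.0/0 (IPv4) or ::/0 (IPv6) — the IPv6 branches mirror the SSH policy above.
  # NOTE(review): no `IpProtocol` constraint is given, so non-TCP rules meeting the same
  # port bounds would presumably be matched as well — confirm that is intended.
  - name: security-group-revoke-all-tcp-global-on-creation
    resource: security-group
    mode:
      type: cloudtrail
      role: arn:aws:iam::842337631775:role/custodian-security
      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: "requestParameters.groupId"
    filters:
      - or:
          - type: ingress
            FromPort: 0
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            ToPort: 65535
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            FromPort: 0
            CidrV6:
              value: "::/0"
          - type: ingress
            ToPort: 65535
            CidrV6:
              value: "::/0"
    actions:
      - type: remove-permissions
        ingress: matched
      - type: notify
        template: default
        subject: 'Removed public rule from security group'
        to:
          - arn:aws:sns:us-west-2:842337631775:cloud-custodian-mailer
        transport:
          type: sqs
          queue: https://sqs.us-west-2.amazonaws.com/842337631775/cloud-custodian-mailer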