detection.wiki

Detection rules › Panther

AWS CloudTrail Least Privilege Access

Severity
medium
Tags
AWS, Configuration Required, IAM, Panther, Defense Evasion:Impair Defenses
Reference
https://amzn.to/2ZEUrKm
Source
github.com/panther-labs/panther-analysis

Users with permissions to disable or reconfigure CloudTrail should be limited.

MITRE ATT&CK coverage

TacticTechniques
StealthT1562 Impair Defenses

Rule body yaml

AnalysisType: policy
Filename: aws_cloudtrail_least_privilege.py
PolicyID: "AWS.CloudTrail.LeastPrivilege"
DisplayName: "AWS CloudTrail Least Privilege Access"
Enabled: false
ResourceTypes:
  - AWS.IAM.Group
Tags:
  - AWS
  - Configuration Required
  - IAM
  - Panther
  - Defense Evasion:Impair Defenses
Reports:
  MITRE ATT&CK:
    - TA0005:T1562
Severity: Medium
Description: >
  Users with permissions to disable or reconfigure CloudTrail should be limited.
Runbook: >
  Remove the AWSCloudTrailFullAccess managed IAM policy from all but one user in the account.
Reference: https://amzn.to/2ZEUrKm
Tests:
  - Name: Limited Membership to IAM Group with CloudTrail FullAccess Policy
    ExpectedResult: true
    Resource:
      {
        "Arn": "arn:aws:iam::123456789012:group/CloudTrailAdmins",
        "CreateDate": "2019-01-01T00:00:00Z",
        "GroupId": "ABCDEFGHIJKLMNOP",
        "GroupName": "CloudTrailAdmins",
        "Path": "/",
        "InlinePolicies": [],
        "ManagedPolicyARNs":
          [
            "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess",
            "arn:aws:iam::aws:policy/Readonly",
          ],
        "Users":
          [
            {
              "Arn": "arn:aws:iam::123456789012:user/Bobert",
              "CreateDate": "2019-01-1T00:00:00Z",
              "PasswordLastUsed": null,
              "Path": "/",
              "PermissionsBoundary": null,
              "Tags": null,
              "UserId": "ABCDEFGHIJKLMNOP",
              "UserName": "Bobert",
            },
          ],
      }
  - Name: More Than 2 Users in IAM Group with CloudTrail FullAccess Policy
    ExpectedResult: false
    Resource:
      {
        "Arn": "arn:aws:iam::123456789012:group/CloudTrailAdmins",
        "CreateDate": "2019-01-01T00:00:00Z",
        "GroupId": "ABCDEFGHIJKLMNOP",
        "GroupName": "CloudTrailAdmins",
        "Path": "/",
        "InlinePolicies": [],
        "ManagedPolicyARNs":
          [
            "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess",
            "arn:aws:iam::aws:policy/ReadOnly",
          ],
        "Users":
          [
            {
              "Arn": "arn:aws:iam::123456789012:user/Bobert",
              "CreateDate": "2019-01-1T00:00:00Z",
              "PasswordLastUsed": null,
              "Path": "/",
              "PermissionsBoundary": null,
              "Tags": null,
              "UserId": "ABCDEFGHIJKLMNOP",
              "UserName": "Bobert",
            },
            {
              "Arn": "arn:aws:iam::123456789012:user/Bobert2",
              "CreateDate": "2019-01-1T00:00:00Z",
              "PasswordLastUsed": null,
              "Path": "/",
              "PermissionsBoundary": null,
              "Tags": null,
              "UserId": "ABCDEFGHIJKLMNOP",
              "UserName": "Bobert2",
            },
            {
              "Arn": "arn:aws:iam::123456789012:user/Bobert3",
              "CreateDate": "2019-01-1T00:00:00Z",
              "PasswordLastUsed": null,
              "Path": "/",
              "PermissionsBoundary": null,
              "Tags": null,
              "UserId": "ABCDEFGHIJKLMNOP",
              "UserName": "Bobert3",
            },
          ],
      }

Detection logic

Condition

not (ManagedPolicyARNs contains "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess" and Users length_compare "2")

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
ManagedPolicyARNscontainsarn:aws:iam::aws:policy/AWSCloudTrailFullAccess
Userslength_compare2