Detection rules › Panther
AWS Resource Minimum Tags
This policy ensures that applicable resources have a minimum number of tags set.
Rule body yaml
AnalysisType: policy
Filename: aws_resource_minimum_tags.py
PolicyID: "AWS.Resource.MinimumTags"
DisplayName: "AWS Resource Minimum Tags "
Enabled: false
ResourceTypes:
- AWS.EC2.Instance
- AWS.EC2.VPC
- AWS.EC2.SecurityGroup
- AWS.IAM.User
Tags:
- AWS
- Configuration Required
- Security Control
Severity: Low
Description: >
This policy ensures that applicable resources have a minimum number of tags set.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-resource-has-minimum-number-of-tags
Reference: https://aws.amazon.com/answers/account-management/aws-tagging-strategies/
Tests:
- Name: EC2 Instance Has Less Then The Minimum Number Of Tags Set
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": null,
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: EC2 Instance Has Minimum Number Of Tags
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: EC2 Instance Has No Tags Set
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": null,
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: IAM User Has Less Than The Minimum Number Of Tags Set
ExpectedResult: false
Resource:
{
"Arn": "arn:aws:iam::123456789012:user/Bobert",
"CreateDate": "2019-01-01T00:00:00Z",
"CredentialReport":
{
"ARN": "arn:aws:iam::123456789012:user/Bobert",
"AccessKey1Active": true,
"AccessKey1LastRotated": "2019-01-01T00:00:00Z",
"AccessKey1LastUsedDate": "0001-01-01T00:00:00Z",
"AccessKey1LastUsedRegion": "N/A",
"AccessKey1LastUsedService": "N/A",
"AccessKey2Active": false,
"AccessKey2LastRotated": "0001-01-01T00:00:00Z",
"AccessKey2LastUsedDate": "0001-01-01T00:00:00Z",
"AccessKey2LastUsedRegion": "N/A",
"AccessKey2LastUsedService": "N/A",
"Cert1Active": false,
"Cert1LastRotated": "0001-01-01T00:00:00Z",
"Cert2Active": false,
"Cert2LastRotated": "0001-01-01T00:00:00Z",
"MfaActive": false,
"PasswordEnabled": true,
"PasswordLastChanged": "2019-01-01T00:00:00Z",
"PasswordLastUsed": "0001-01-01T00:00:00Z",
"PasswordNextRotation": "2019-04-01T00:00:00Z",
"UserCreationTime": "2019-01-01T00:00:00Z",
"UserName": "Bobert",
},
"Groups":
[
{
"Arn": "arn:aws:iam::123456789012:group/ExampleGroup",
"CreateDate": "2019-01-01T00:00:00Z",
"GroupId": "ABCDEFGHIJKLMNOP",
"GroupName": "ExampleGroup",
"Path": "/",
},
],
"InlinePolicyNames": null,
"ManagedPolicyNames": ["IAMUserChangePassword"],
"PasswordLastUsed": null,
"Path": "/",
"PermissionsBoundary": null,
"Tags": null,
"UserId": "ASDFASDFASDFASDF",
"UserName": "Bobert",
"VirtualMFA": null,
}
- Name: IAM User Has Minimum Number Of Tags Set
ExpectedResult: true
Resource:
{
"Arn": "arn:aws:iam::123456789012:user/Bobert",
"CreateDate": "2019-01-01T00:00:00Z",
"CredentialReport":
{
"ARN": "arn:aws:iam::123456789012:user/Bobert",
"AccessKey1Active": true,
"AccessKey1LastRotated": "2019-01-01T00:00:00Z",
"AccessKey1LastUsedDate": "0001-01-01T00:00:00Z",
"AccessKey1LastUsedRegion": "N/A",
"AccessKey1LastUsedService": "N/A",
"AccessKey2Active": false,
"AccessKey2LastRotated": "0001-01-01T00:00:00Z",
"AccessKey2LastUsedDate": "0001-01-01T00:00:00Z",
"AccessKey2LastUsedRegion": "N/A",
"AccessKey2LastUsedService": "N/A",
"Cert1Active": false,
"Cert1LastRotated": "0001-01-01T00:00:00Z",
"Cert2Active": false,
"Cert2LastRotated": "0001-01-01T00:00:00Z",
"MfaActive": false,
"PasswordEnabled": true,
"PasswordLastChanged": "2019-01-01T00:00:00Z",
"PasswordLastUsed": "0001-01-01T00:00:00Z",
"PasswordNextRotation": "2019-04-01T00:00:00Z",
"UserCreationTime": "2019-01-01T00:00:00Z",
"UserName": "Bobert",
},
"Groups":
[
{
"Arn": "arn:aws:iam::123456789012:group/ExampleGroup",
"CreateDate": "2019-01-01T00:00:00Z",
"GroupId": "ABCDEFGHIJKLMNOP",
"GroupName": "ExampleGroup",
"Path": "/",
},
],
"InlinePolicyNames": null,
"ManagedPolicyNames": ["IAMUserChangePassword"],
"PasswordLastUsed": null,
"Path": "/",
"PermissionsBoundary": null,
"Tags": { "Key": "TagOne", "Value": "ValueOne" },
"UserId": "ASDFASDFASDFASDF",
"UserName": "Bobert",
"VirtualMFA": null,
}
- Name: IAM User Has No Tags Set
ExpectedResult: false
Resource:
{
"Arn": "arn:aws:iam::123456789012:user/Bobert",
"CreateDate": "2019-01-01T00:00:00Z",
"CredentialReport":
{
"ARN": "arn:aws:iam::123456789012:user/Bobert",
"AccessKey1Active": true,
"AccessKey1LastRotated": "2019-01-01T00:00:00Z",
"AccessKey1LastUsedDate": "0001-01-01T00:00:00Z",
"AccessKey1LastUsedRegion": "N/A",
"AccessKey1LastUsedService": "N/A",
"AccessKey2Active": false,
"AccessKey2LastRotated": "0001-01-01T00:00:00Z",
"AccessKey2LastUsedDate": "0001-01-01T00:00:00Z",
"AccessKey2LastUsedRegion": "N/A",
"AccessKey2LastUsedService": "N/A",
"Cert1Active": false,
"Cert1LastRotated": "0001-01-01T00:00:00Z",
"Cert2Active": false,
"Cert2LastRotated": "0001-01-01T00:00:00Z",
"MfaActive": false,
"PasswordEnabled": true,
"PasswordLastChanged": "2019-01-01T00:00:00Z",
"PasswordLastUsed": "0001-01-01T00:00:00Z",
"PasswordNextRotation": "2019-04-01T00:00:00Z",
"UserCreationTime": "2019-01-01T00:00:00Z",
"UserName": "Bobert",
},
"Groups":
[
{
"Arn": "arn:aws:iam::123456789012:group/ExampleGroup",
"CreateDate": "2019-01-01T00:00:00Z",
"GroupId": "ABCDEFGHIJKLMNOP",
"GroupName": "ExampleGroup",
"Path": "/",
},
],
"InlinePolicyNames": null,
"ManagedPolicyNames": ["IAMUserChangePassword"],
"PasswordLastUsed": null,
"Path": "/",
"PermissionsBoundary": null,
"Tags": null,
"UserId": "ASDFASDFASDFASDF",
"UserName": "Bobert",
"VirtualMFA": null,
}
Detection logic
Condition
not (Tags is_not_null and Tags length_compare "1")
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
Tags | is_not_null | |
Tags | length_compare | 1 |