new: added policy ecc-aws-079-iam_policy_changes_alarm_exist

policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml

@@ -0,0 +1,21 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+  - name: ecc-aws-079-iam_policy_changes_alarm_exist
+    comment: '010016012500'
+    description: |
+      Log metric filter and alarm do not exist for IAM policy changes
+    resource: aws.account
+    filters:
+      - type: check-cloudtrail
+        multi-region: true
+        running: true
+        include-management-events: true
+        log-metric-filter-pattern:
+          type: value
+          op: regex
+          value: '{ ?\(? ?\$\.eventName ?= ?\"?DeleteGroupPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeleteRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeleteUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?PutGroupPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?PutRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?PutUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?CreatePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeletePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?CreatePolicyVersion\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeletePolicyVersion\"?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?AttachRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DetachRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?AttachUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DetachUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?AttachGroupPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DetachGroupPolicy\"? ?\)? ?}'

terraform/ecc-aws-079-iam_policy_changes_alarm_exist/green/sns.tf

@@ -2,17 +2,12 @@ resource "aws_sns_topic" "this" {
   name = "079-sns-green"
 }
 
-resource "null_resource" "this" {
-  provisioner "local-exec" {
-    command = join(" ", [
-      "aws sns subscribe",
-      "--topic-arn ${aws_sns_topic.this.arn}",
-      "--protocol email",
-      "--notification-endpoint ${var.test-email}",
-      "--profile ${var.profile}",
-      "--region ${var.default-region}"
-
-      ]
-    )
-  }
+resource "aws_sqs_queue" "this" {
+  name = "079-sqs-green"
+}
+
+resource "aws_sns_topic_subscription" "this" {
+  topic_arn = aws_sns_topic.this.arn
+  protocol  = "sqs"
+  endpoint  = aws_sqs_queue.this.arn
 }

terraform/ecc-aws-079-iam_policy_changes_alarm_exist/iam/079-policy.json

@@ -4,17 +4,16 @@
         {
             "Effect": "Allow",
             "Action": [ 
+                "iam:ListAccountAliases",
                 "cloudtrail:DescribeTrails",
                 "cloudtrail:GetTrailStatus",
                 "cloudtrail:GetEventSelectors",
-                "sns:GetTopicAttributes",
-                "sns:ListTopics",
                 "cloudwatch:DescribeAlarms",
                 "logs:DescribeMetricFilters",
-                "logs:DescribeLogGroups",
-                "iam:ListAccountAliases"
+                "cloudwatch:DescribeAlarmsForMetric",
+                "sns:GetTopicAttributes"
             ],
             "Resource": "*"
         }
     ]
-}
+}

terraform/ecc-aws-079-iam_policy_changes_alarm_exist/red1/sns.tf

@@ -2,17 +2,12 @@ resource "aws_sns_topic" "this" {
   name = "079-sns-red1"
 }
 
-resource "null_resource" "this" {
-  provisioner "local-exec" {
-    command = join(" ", [
-      "aws sns subscribe",
-      "--topic-arn ${aws_sns_topic.this.arn}",
-      "--protocol email",
-      "--notification-endpoint ${var.test-email}",
-      "--profile ${var.profile}",
-      "--region ${var.default-region}"
-
-      ]
-    )
-  }
+resource "aws_sqs_queue" "this" {
+  name = "079-sqs-red"
+}
+
+resource "aws_sns_topic_subscription" "this" {
+  topic_arn = aws_sns_topic.this.arn
+  protocol  = "sqs"
+  endpoint  = aws_sqs_queue.this.arn
 }

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.DescribeTrails_1.json

@@ -0,0 +1,22 @@
+{
+    "status_code": 200,
+    "data": {
+        "trailList": [
+            {
+                "Name": "c7n-079-cloudtrail-green",
+                "S3BucketName": "c7n-079-bucket-green",
+                "IncludeGlobalServiceEvents": true,
+                "IsMultiRegionTrail": true,
+                "HomeRegion": "us-east-1",
+                "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-green",
+                "LogFileValidationEnabled": false,
+                "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:079_log_group_green:*",
+                "CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/079_role_green",
+                "HasCustomEventSelectors": false,
+                "HasInsightSelectors": false,
+                "IsOrganizationTrail": false
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetEventSelectors_1.json

@@ -0,0 +1,15 @@
+{
+    "status_code": 200,
+    "data": {
+        "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-green",
+        "EventSelectors": [
+            {
+                "ReadWriteType": "All",
+                "IncludeManagementEvents": true,
+                "DataResources": [],
+                "ExcludeManagementEventSources": []
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetTrailStatus_1.json

@@ -0,0 +1,43 @@
+{
+    "status_code": 200,
+    "data": {
+        "IsLogging": true,
+        "LatestDeliveryTime": {
+            "__class__": "datetime",
+            "year": 2023,
+            "month": 12,
+            "day": 14,
+            "hour": 10,
+            "minute": 16,
+            "second": 9,
+            "microsecond": 691000
+        },
+        "StartLoggingTime": {
+            "__class__": "datetime",
+            "year": 2023,
+            "month": 12,
+            "day": 14,
+            "hour": 9,
+            "minute": 59,
+            "second": 49,
+            "microsecond": 896000
+        },
+        "LatestCloudWatchLogsDeliveryTime": {
+            "__class__": "datetime",
+            "year": 2023,
+            "month": 12,
+            "day": 14,
+            "hour": 10,
+            "minute": 16,
+            "second": 49,
+            "microsecond": 920000
+        },
+        "LatestDeliveryAttemptTime": "2023-12-14T08:16:09Z",
+        "LatestNotificationAttemptTime": "",
+        "LatestNotificationAttemptSucceeded": "",
+        "LatestDeliveryAttemptSucceeded": "2023-12-14T08:16:09Z",
+        "TimeLoggingStarted": "2023-12-14T07:59:49Z",
+        "TimeLoggingStopped": "",
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/iam.ListAccountAliases_1.json

@@ -0,0 +1,10 @@
+{
+    "status_code": 200,
+    "data": {
+        "AccountAliases": [
+            "test"
+        ],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/logs.DescribeMetricFilters_1.json

@@ -0,0 +1,22 @@
+{
+    "status_code": 200,
+    "data": {
+        "metricFilters": [
+            {
+                "filterName": "079_Iam_Policy_Changes_green",
+                "filterPattern": "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}",
+                "metricTransformations": [
+                    {
+                        "metricName": "079_Iam_Policy_Changes_green",
+                        "metricNamespace": "IAM_Policy_Changes",
+                        "metricValue": "1",
+                        "unit": "None"
+                    }
+                ],
+                "creationTime": 1702540781872,
+                "logGroupName": "079_log_group_green"
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/monitoring.DescribeAlarmsForMetric_1.json

@@ -0,0 +1,59 @@
+{
+    "status_code": 200,
+    "data": {
+        "MetricAlarms": [
+            {
+                "AlarmName": "079_Iam_Policy_Changes_green",
+                "AlarmArn": "arn:aws:cloudwatch:us-east-1:644160558196:alarm:079_Iam_Policy_Changes_green",
+                "AlarmConfigurationUpdatedTimestamp": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 12,
+                    "day": 14,
+                    "hour": 7,
+                    "minute": 59,
+                    "second": 43,
+                    "microsecond": 287000
+                },
+                "ActionsEnabled": true,
+                "OKActions": [],
+                "AlarmActions": [
+                    "arn:aws:sns:us-east-1:644160558196:079-sns-green"
+                ],
+                "InsufficientDataActions": [],
+                "StateValue": "INSUFFICIENT_DATA",
+                "StateReason": "Unchecked: Initial alarm creation",
+                "StateUpdatedTimestamp": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 12,
+                    "day": 14,
+                    "hour": 7,
+                    "minute": 59,
+                    "second": 43,
+                    "microsecond": 287000
+                },
+                "MetricName": "079_Iam_Policy_Changes_green",
+                "Namespace": "IAM_Policy_Changes",
+                "Statistic": "Sum",
+                "Dimensions": [],
+                "Period": 300,
+                "EvaluationPeriods": 1,
+                "Threshold": 1.0,
+                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
+                "TreatMissingData": "missing",
+                "StateTransitionedTimestamp": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 12,
+                    "day": 14,
+                    "hour": 7,
+                    "minute": 59,
+                    "second": 43,
+                    "microsecond": 287000
+                }
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/sns.GetTopicAttributes_1.json

@@ -0,0 +1,21 @@
+{
+    "status_code": 200,
+    "data": {
+        "Attributes": {
+            "Policy": "{\"Version\":\"2008-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\"],\"Resource\":\"arn:aws:sns:us-east-1:644160558196:079-sns-green\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"644160558196\"}}}]}",
+            "LambdaSuccessFeedbackSampleRate": "0",
+            "Owner": "644160558196",
+            "SubscriptionsPending": "0",
+            "TopicArn": "arn:aws:sns:us-east-1:644160558196:079-sns-green",
+            "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false,\"defaultRequestPolicy\":{\"headerContentType\":\"text/plain; charset=UTF-8\"}}}",
+            "FirehoseSuccessFeedbackSampleRate": "0",
+            "SubscriptionsConfirmed": "1",
+            "SQSSuccessFeedbackSampleRate": "0",
+            "HTTPSuccessFeedbackSampleRate": "0",
+            "ApplicationSuccessFeedbackSampleRate": "0",
+            "DisplayName": "",
+            "SubscriptionsDeleted": "0"
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.DescribeTrails_1.json

@@ -0,0 +1,22 @@
+{
+    "status_code": 200,
+    "data": {
+        "trailList": [
+            {
+                "Name": "c7n-079-cloudtrail-red",
+                "S3BucketName": "c7n-079-bucket-red",
+                "IncludeGlobalServiceEvents": true,
+                "IsMultiRegionTrail": false,
+                "HomeRegion": "us-east-1",
+                "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-red",
+                "LogFileValidationEnabled": false,
+                "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:079_log_group_red:*",
+                "CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/079_role_red",
+                "HasCustomEventSelectors": false,
+                "HasInsightSelectors": false,
+                "IsOrganizationTrail": false
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetEventSelectors_1.json

@@ -0,0 +1,15 @@
+{
+    "status_code": 200,
+    "data": {
+        "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-red",
+        "EventSelectors": [
+            {
+                "ReadWriteType": "All",
+                "IncludeManagementEvents": true,
+                "DataResources": [],
+                "ExcludeManagementEventSources": []
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}