
Comments (6)

toniblyx avatar toniblyx commented on May 15, 2024

Thanks @virtualjj working through checks 3.x now, I'll keep you posted

from prowler.

virtualjj avatar virtualjj commented on May 15, 2024

Cool - I'm slowly going through each control but I'm finding issues with the actual CIS recommendations. For example this filter will actually return a bunch of hits from the following AWS services:

kms.amazonaws.com
elasticloadbalancing.amazonaws.com
s3.amazonaws.com
acm.amazonaws.com
cloudtrail.amazonaws.com
cloudtrail.amazonaws.com
rds.amazonaws.com
logs.amazonaws.com
acm.amazonaws.com
ec2.amazonaws.com
iam.amazonaws.com

Especially kms.amazonaws.com if control 2.7 (Encrypted CloudTrail Logs) is enabled.

I think this metric filter below is actually better to reduce false positives but I have opened a support case with AWS to confirm:

{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" && $.eventSource != *.amazonaws.com }

UPDATE: AWS has acknowledged this issue (Case 1909332871) and will contact their teams to review the CIS white paper. This filter pattern has been suggested instead:

{ ($.additionalEventData.MFAUsed = "No") && ($.eventName = "ConsoleLogin") }

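To make the false-positive behaviour described above concrete, here is an added Python model (not code from the thread or from prowler) that applies the two filter patterns quoted in the comment to constructed CloudTrail records. It assumes CloudWatch Logs treats a missing JSON field as "not equal" for `!=`, which is the behaviour the noise from kms.amazonaws.com and friends points to; the sample events are trimmed, constructed records, not real log data.

```python
from typing import Any, Callable


def lookup(event: dict, path: str) -> Any:
    """Resolve a '$.a.b.c' selector; return None when any segment is missing."""
    node: Any = event
    for key in path.removeprefix("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def mfa_session_filter(event: dict) -> bool:
    """First clause of the commenter's pattern:
    $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true"
    Assumption: an absent field counts as not equal, so service-to-service
    events (no sessionContext at all) are counted as hits."""
    return lookup(event, "$.userIdentity.sessionContext.attributes.mfaAuthenticated") != "true"


def aws_suggested_filter(event: dict) -> bool:
    """Pattern AWS support suggested in the thread:
    { ($.additionalEventData.MFAUsed = "No") && ($.eventName = "ConsoleLogin") }"""
    return (lookup(event, "$.additionalEventData.MFAUsed") == "No"
            and lookup(event, "$.eventName") == "ConsoleLogin")


# Constructed sample events (trimmed CloudTrail-shaped records, not real logs).
KMS_DECRYPT_BY_CLOUDTRAIL = {  # CloudTrail decrypting its own encrypted log files
    "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
    "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"},
}
CONSOLE_LOGIN_NO_MFA = {
    "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
    "userIdentity": {"type": "IAMUser", "userName": "alice",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    "additionalEventData": {"MFAUsed": "No"},
}
CONSOLE_LOGIN_WITH_MFA = {
    "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
    "userIdentity": {"type": "IAMUser", "userName": "bob",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    "additionalEventData": {"MFAUsed": "Yes"},
}
SAMPLE = [KMS_DECRYPT_BY_CLOUDTRAIL, CONSOLE_LOGIN_NO_MFA, CONSOLE_LOGIN_WITH_MFA]


def hits(filter_fn: Callable[[dict], bool], events: list) -> list:
    """Return 'eventSource:eventName' for every event the filter would count."""
    return [f"{e['eventSource']}:{e['eventName']}" for e in events if filter_fn(e)]


if __name__ == "__main__":
    print("mfaAuthenticated != true :", hits(mfa_session_filter, SAMPLE))
    print("AWS-suggested pattern    :", hits(aws_suggested_filter, SAMPLE))
```

The session-based clause counts the KMS Decrypt call made on CloudTrail's behalf, which is exactly the kind of hit the comment reports once encrypted CloudTrail logs are enabled; the AWS-suggested pattern only fires on the console login without MFA.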

toniblyx avatar toniblyx commented on May 15, 2024

Thanks @virtualjj. Are you using something to implement all these changes? I mean, commands or a CFN template? I have found a template here that may create some alarms but it is not fully covering all CIS 3.X checks. https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json


virtualjj avatar virtualjj commented on May 15, 2024

Awesome - thanks for this. I'm actually doing the changes with my own scripts but once I have everything cleaned up, planning on sharing my templates on GitHub.


toniblyx avatar toniblyx commented on May 15, 2024

That would be great. I'm also thinking of making content public here or writing a blog post about how to fix all these WARNINGS with real commands or assets, since what comes in the CIS document is very vague. If you are interested let me know and we can put them together. I will keep you posted about my work on that template in the next days.


virtualjj avatar virtualjj commented on May 15, 2024

Sounds great - just followed you on Twitter. Not sure how quick I can contribute but will throw ideas your way in the meantime! Will close this issue - thanks again!

