From 8293000d02e3b98a1c19168a6b213a5e85137c7e Mon Sep 17 00:00:00 2001
From: jsreedharan-panw <>
Date: Thu, 2 May 2024 21:15:59 +0530
Subject: [PATCH 1/3] Updated in PCS-24.4.2
---
 ...S-Organization-management-permissions.json | 17 +++++++++
 ...ith-IAM-policy-management-permissions.json | 17 +++++++++
 ...2-Instance-with-IAM-write-permissions.json | 17 +++++++++
 ...S-Organization-management-permissions.json | 17 +++++++++
 ...ith-IAM-policy-management-permissions.json | 17 +++++++++
 ...Definition-with-IAM-write-permissions.json | 17 +++++++++
 ...S-Organization-management-permissions.json | 17 +++++++++
 ...ith-IAM-policy-management-permissions.json | 17 +++++++++
 ...k-Platform-with-IAM-write-permissions.json | 17 +++++++++
 ...S-Organization-management-permissions.json | 17 +++++++++
 ...ith-IAM-policy-management-permissions.json | 17 +++++++++
 ...S-IAM-User-with-IAM-write-permissions.json | 17 +++++++++
 ...S-Organization-management-permissions.json | 17 +++++++++
 ...ith-IAM-policy-management-permissions.json | 17 +++++++++
 ...a-Function-with-IAM-write-permissions.json | 17 +++++++++
 ...S-Organization-management-permissions.json | 17 +++++++++
 ...ith-IAM-policy-management-permissions.json | 17 +++++++++
 ...-Okta-User-with-IAM-write-permissions.json | 17 +++++++++
 ...subscription-disabled-for-DB-instance.json | 37 -------------------
 19 files changed, 306 insertions(+), 37 deletions(-)
 create mode 100644 policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json
 create mode 100644 policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json
 create mode 100644 policies/AWS-EC2-Instance-with-IAM-write-permissions.json
 create mode 100644 policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json
 create mode 100644 policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json
 create mode 100644 policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json
 create mode 100644 policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json
 create mode 100644 policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json
 create mode 100644 policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json
 create mode 100644 policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json
 create mode 100644 policies/AWS-IAM-User-with-IAM-policy-management-permissions.json
 create mode 100644 policies/AWS-IAM-User-with-IAM-write-permissions.json
 create mode 100644 policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json
 create mode 100644 policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json
 create mode 100644 policies/AWS-Lambda-Function-with-IAM-write-permissions.json
 create mode 100644 policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json
 create mode 100644 policies/AWS-Okta-User-with-IAM-policy-management-permissions.json
 create mode 100644 policies/AWS-Okta-User-with-IAM-write-permissions.json
 delete mode 100644 policies/AWS-RDS-event-subscription-disabled-for-DB-instance.json
diff --git a/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json b/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json
new file mode 100644
index 00000000..861a5ff1
--- /dev/null
+++ b/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "0acd23f7-12c8-48c2-88c4-2962a4778e6e",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "AWS EC2 instance with org write access level",
+ "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "0acd23f7-12c8-48c2-88c4-2962a4778e6e",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json b/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json
new file mode 100644
index 00000000..18739fc7
--- /dev/null
+++ b/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json
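Review bot: The organizations action list in `searchModel.query` omits `organizations:CloseAccount`, which is at least as destructive as `organizations:RemoveAccountFromOrganization` and belongs in an org-write set if the platform's action catalog recognises it; the list should be checked against the current Organizations action table before release. The same 26-action list is pasted verbatim into five sibling files in this patch, so any future addition has to be made six times; if the policy format allows a shared list, reference it instead. In `recommendation`, `''Permissions policies''` uses doubled single quotes, which will presumably render literally in the alert text — `'Permissions policies'` or `\"Permissions policies\"` is the likely intent; confirm how the UI renders it.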
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "34edd03b-b872-441b-84ed-19d9b4194c7d",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "AWS EC2 instance with IAM permissions management access level",
+ "description": "This policy identifies This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.AWS IAM permissions management access level that are risky for AWS EC2 instances. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of permissions management access to minimize security risks.",
+ "rule.criteria": "34edd03b-b872-441b-84ed-19d9b4194c7d",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-EC2-Instance-with-IAM-write-permissions.json b/policies/AWS-EC2-Instance-with-IAM-write-permissions.json
new file mode 100644
index 00000000..2944c2d9
--- /dev/null
+++ b/policies/AWS-EC2-Instance-with-IAM-write-permissions.json
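Review bot: The `description` is a broken paste — it reads "This policy identifies This policy identifies ... security risks.AWS IAM permissions management access level that are risky ...", two drafts concatenated mid-sentence, and this string is what the analyst sees on the alert. Replace it with the single-sentence form its sibling files use, with the access level named correctly: `"description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of permissions management access to minimize security risks.",`. The action list itself matches the IAM permissions-management access level, including `iam:UpdateAssumeRolePolicy` (role takeover) and `iam:PutRolePermissionsBoundary`/`iam:DeleteRolePermissionsBoundary` (boundary bypass), so the `high` rating is justified.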
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "8bef368e-7b79-4828-a9cd-f4aa4fa8a3ce",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "AWS EC2 instance with IAM write access level",
+ "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "8bef368e-7b79-4828-a9cd-f4aa4fa8a3ce",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json b/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json
new file mode 100644
index 00000000..1da9dbdc
--- /dev/null
+++ b/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json
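Review bot: `iam:PassRole` in the IAM write list is the one action an instance role is most likely to hold legitimately (deployment tooling that launches instances or creates functions), and it is also the classic escalation primitive when the same principal has `ec2:RunInstances` or `lambda:CreateFunction`. The `recommendation` only says to "remove the risky actions"; for PassRole the practical fix is usually to constrain it with a `Resource` ARN and an `iam:PassedToService` condition rather than delete it, so step 7 should say so or operators will treat the alert as a false positive. Worth a sentence in `description` that instance-role credentials are served by IMDS, so any SSRF or code execution on the instance inherits these rights — that is why this set is rated `high` for EC2 rather than just for humans.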
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "18f6902b-1358-48b4-b81e-528072b30656",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "ECS Task Definition with org write access level",
+ "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "18f6902b-1358-48b4-b81e-528072b30656",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
+ "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json b/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json
new file mode 100644
index 00000000..1ce0f064
--- /dev/null
+++ b/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json
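Review bot: The `recommendation` is copied from the Okta policy — steps 1–2 read "Login to the Okta console" and "Find the role used by the Okta user" — but this policy targets ECS task definitions, so the remediation text sends the operator to the wrong console. Use the ECS steps the two sibling ECS files carry: `"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",`. The query uses lowercase `and` where the EC2 files use `AND`; presumably the RQL parser is case-insensitive, but one spelling should be used throughout. "AWS ECS Task Definition instances" in `description` should be "ECS task definitions" — task definitions are not instances.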
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "c89882d6-ed8e-4e95-931a-9f4dd2c6ff74",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "ECS Task Definition with IAM permissions management access level",
+ "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "c89882d6-ed8e-4e95-931a-9f4dd2c6ff74",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json b/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json
new file mode 100644
index 00000000..e360dbab
--- /dev/null
+++ b/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json
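Review bot: Step 3 of `recommendation`, "Find the role used by the ECS Task Definition", is ambiguous: a task definition carries both a task role (`taskRoleArn`, what the containers call AWS with) and an execution role (`executionRoleArn`, used by the ECS agent to pull images and write logs), and either can hold the flagged IAM actions. Say which one the alert resolves, or tell the operator to check both, e.g. `3. Check both the task role and the task execution role referenced by the task definition`. I can't tell from `searchModel.query` which of the two roles the IAM graph follows; if it only walks one, `description` should say so, since a permissions-management grant on the other would go undetected.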
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "a87da1a4-e0ec-4fbc-9a4d-a6b5c2677542",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "ECS Task Definition with IAM write access level",
+ "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks",
+ "rule.criteria": "a87da1a4-e0ec-4fbc-9a4d-a6b5c2677542",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json b/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json
new file mode 100644
index 00000000..858c224e
--- /dev/null
+++ b/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json
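Review bot: The `description` ends without a full stop ("...to minimize security risks") while every sibling description in the patch has one, and it calls the resources "AWS ECS Task Definition instances", which they are not. Suggest `"description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the ECS task definitions in your AWS account don't have a risky set of IAM write permissions to minimize security risks.",`. The 56-entry action list is byte-identical to the EC2 and Elastic Beanstalk write policies; keeping it in one shared definition, or at least diffing the three in CI, would stop them drifting when an action is added to one.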
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "b38b7c32-e9e8-4edb-8621-b88157ce34c7",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "Elasticbeanstalk Platform with org write access level",
+ "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "b38b7c32-e9e8-4edb-8621-b88157ce34c7",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json
new file mode 100644
index 00000000..67f6e980
--- /dev/null
+++ b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json
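Review bot: The query keys on `source.cloud.resource.type = 'platform'`, but in Elastic Beanstalk the IAM identities are attached to the environment — the EC2 instance profile and the service role — not to a platform (version); presumably 'platform' is simply the node type the IAM graph exposes for Beanstalk, but that should be confirmed against a real environment, otherwise this policy never fires. Naming: the service is "Elastic Beanstalk" (two words, as the file name has it), and "Elasticbeanstalk Platform instances" in `description` should name the actual resource, e.g. "Elastic Beanstalk environments". Steps 2–3 of `recommendation` inherit the same wording and should say where the role is found, e.g. `2. Navigate to the Elastic Beanstalk environment\n3. Under the environment's Configuration, note the service role and the EC2 instance profile`.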
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "e0c233b7-8911-4ecb-8387-371f0308c168",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "Elasticbeanstalk Platform with IAM permissions management access level",
+ "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "e0c233b7-8911-4ecb-8387-371f0308c168",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json
new file mode 100644
index 00000000..cdad7586
--- /dev/null
+++ b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json
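Review bot: `description` says the policy looks for "a risky set of write permissions", but the action list is the IAM permissions-management set (`Attach*Policy`, `Put*Policy`, `*PermissionsBoundary`, `SetDefaultPolicyVersion`, `UpdateAssumeRolePolicy`) and a separate sibling file already covers write. Since this string is what an analyst reads on the alert, it should say `... don't have a risky set of permissions management access to minimize security risks.`; the same mismatch is present in the ECS and IAM-user permissions-management files. A short clause that any of these actions on a role lets the holder grant itself `AdministratorAccess` would explain the `high` rating better than "risky permissions".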
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "95d9bf89-5ac0-4b8a-a1ae-a357fe0a45b8",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "Elasticbeanstalk Platform with IAM write access level",
+ "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "95d9bf89-5ac0-4b8a-a1ae-a357fe0a45b8",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform' ",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json b/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json
new file mode 100644
index 00000000..71e9b1d3
--- /dev/null
+++ b/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json
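Review bot: `searchModel.query` ends with a stray space inside the string literal (`... = 'platform' "`), which none of the other ten queries in this patch have; it is harmless if the RQL parser trims, but it will break any exact-match test or dedup check on query text. Drop it: `... AND source.cloud.resource.type = 'platform'",`. As with the other two write policies, `iam:PassRole` is in the list and is something a Beanstalk service role may need for its own instance profile, so step 7 of `recommendation` should suggest scoping PassRole with a `Resource` ARN rather than only "remove the risky actions".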
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "e9a84ae4-1764-41f5-8565-5c848b3e0e67",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "medium",
+ "name": "IAM User with org write access level",
+ "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "e9a84ae4-1764-41f5-8565-5c848b3e0e67",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json b/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json
new file mode 100644
index 00000000..120121d7
--- /dev/null
+++ b/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json
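Review bot: `severity` is `medium` here while every other org-write policy in this patch (EC2, ECS, Elastic Beanstalk) and the sibling IAM-user permissions-management policy are `high`; if a human user holding `organizations:LeaveOrganization` or `organizations:RemoveAccountFromOrganization` is deliberately rated lower than a workload role, say why in `description`, otherwise align it to `high`. Separately, steps 3–5 of `recommendation` only look at the user's own permissions policies, but the grant can arrive through group membership, and detaching at the user level will not clear a group-attached policy; extend step 5 to `... find the relevant policy (attached directly or via one of the user's groups) ...`. The query also uses lowercase `and` where the EC2 and Beanstalk queries use `AND`; pick one spelling.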
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "e231b07d-f1e1-40ad-9c7c-d38f09948db9",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "IAM User with IAM permissions management access level",
+ "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "e231b07d-f1e1-40ad-9c7c-d38f09948db9",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
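Review bot: The second sentence of `description` says "don't have a risky set of write permissions" although this policy flags IAM permissions-management actions (policy attach/put/delete, permissions boundaries, `iam:UpdateAssumeRolePolicy`), not the write set; the text looks copied from the write policy. Suggest `Ensure that the IAM Users in your AWS account don't have a risky set of permissions management access to minimize security risks.` here and the equivalent sentence in the Lambda and Okta permissions-management files of this patch. The EC2 permissions-management file deleted in the second patch of this series carries both variants run together in its `description`, which suggests the permissions-management wording was the intended one.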
diff --git a/policies/AWS-IAM-User-with-IAM-write-permissions.json b/policies/AWS-IAM-User-with-IAM-write-permissions.json
new file mode 100644
index 00000000..fab18f14
--- /dev/null
+++ b/policies/AWS-IAM-User-with-IAM-write-permissions.json
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "99868a5a-9824-4da2-b413-ec5b1632b722",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "medium",
+ "name": "IAM User with IAM write access level",
+ "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "99868a5a-9824-4da2-b413-ec5b1632b722",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json b/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json
new file mode 100644
index 00000000..babc8366
--- /dev/null
+++ b/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json
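Review bot: `"severity": "medium"` for the IAM User write set is lower than the `high` given to the permissions-management set, yet this list includes `iam:CreateAccessKey`, `iam:CreateLoginProfile`, `iam:UpdateLoginProfile`, `iam:AddUserToGroup` and `iam:PassRole`, which let a principal obtain credentials or group/role grants for other identities — the same outcome as editing policies directly. The identical action set is rated `high` for Lambda functions later in this patch but `medium` again for Okta users; if the difference is deliberate (human versus workload identity), record the rationale in `description`, otherwise align the three. As written, a reader of the policy cannot tell which was intended.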
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "741ef058-8816-49d0-87be-a714ae1ce2df",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "AWS Lambda Function with org write access level",
+ "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "741ef058-8816-49d0-87be-a714ae1ce2df",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json b/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json
new file mode 100644
index 00000000..fed3b362
--- /dev/null
+++ b/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json
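Review bot: `"severity": "high"` here versus `"medium"` for the identical Organizations action set on IAM Users (earlier in this patch) and Okta Users (later) is unexplained; `organizations:LeaveOrganization` or `organizations:DisableAWSServiceAccess` is no less consequential when held by a user than by a Lambda execution role, so either align the severities or state the principal-based rationale in `description`. Minor: `Navigate to the Lambda Function \n3.` carries a trailing space before the newline, repeated in the two other Lambda files.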
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "4810bdba-6daa-4297-8bca-990eb7ea77b0",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "AWS Lambda Function with IAM permissions management access level",
+ "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "4810bdba-6daa-4297-8bca-990eb7ea77b0",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Lambda-Function-with-IAM-write-permissions.json b/policies/AWS-Lambda-Function-with-IAM-write-permissions.json
new file mode 100644
index 00000000..ee11f7e1
--- /dev/null
+++ b/policies/AWS-Lambda-Function-with-IAM-write-permissions.json
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "be543a73-6d4c-4162-9459-1b83d4f0a158",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "AWS Lambda Function with IAM write access level",
+ "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "be543a73-6d4c-4162-9459-1b83d4f0a158",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
+ "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json b/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json
new file mode 100644
index 00000000..74cb0ccb
--- /dev/null
+++ b/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "5def0968-e071-46bb-a2b8-4a54f66bcf23",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "medium",
+ "name": "Okta User with org write access level",
+ "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "5def0968-e071-46bb-a2b8-4a54f66bcf23",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.idp.service = 'Okta'",
+ "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json b/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json
new file mode 100644
index 00000000..5fcc3ae0
--- /dev/null
+++ b/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json
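Review bot: The query matches on `source.idp.service = 'Okta'` only, so the "violating resource" is a federated identity rather than an AWS resource, yet `remediation.description` and `remediation.impact` promise CLI commands that "limit the relevant permissions of the violating resource"; the AWS CLI cannot change an Okta user, so presumably the generated commands act on the AWS role the Okta user assumes, and the text should say so, matching step 2 of `recommendation` (`Find the role used by the Okta user`). The same wording is reused in the two other Okta files in this patch. Minor: `Login to the Okta console` versus `Log in to the AWS console` two steps later — pick one spelling.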
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "c14d0daf-bd4b-4b4f-8ee9-b41771217954",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "high",
+ "name": "Okta User with IAM permissions management access level",
+ "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "c14d0daf-bd4b-4b4f-8ee9-b41771217954",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.idp.service = 'Okta'",
+ "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-Okta-User-with-IAM-write-permissions.json b/policies/AWS-Okta-User-with-IAM-write-permissions.json
new file mode 100644
index 00000000..36acda37
--- /dev/null
+++ b/policies/AWS-Okta-User-with-IAM-write-permissions.json
@@ -0,0 +1,17 @@
+{
+ "policyUpi": "",
+ "policyId": "59a1468f-150e-469b-a099-df1d372fbb92",
+ "policyType": "iam",
+ "cloudType": "aws",
+ "severity": "medium",
+ "name": "Okta User with IAM write access level",
+ "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "rule.criteria": "59a1468f-150e-469b-a099-df1d372fbb92",
+ "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.idp.service = 'Okta'",
+ "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
+ "remediable": true,
+ "remediation.cliScriptTemplate": "dynamic aws cli commands",
+ "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
+ "remediation.impact": "limit the relevant permissions of the violating resource",
+ "compliance.standard": ""
+}
\ No newline at end of file
diff --git a/policies/AWS-RDS-event-subscription-disabled-for-DB-instance.json b/policies/AWS-RDS-event-subscription-disabled-for-DB-instance.json
deleted file mode 100644
index ecdcf958..00000000
--- a/policies/AWS-RDS-event-subscription-disabled-for-DB-instance.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "policyUpi": "PC-AWS-RDS-295",
- "policyId": "b858fad6-4f4a-49ec-b14e-b2c4639b3b1a",
- "policyType": "config",
- "cloudType": "aws",
- "severity": "medium",
- "name": "AWS RDS event subscription disabled for DB instance",
- "description": "This policy identifies RDS event subscriptions for which DB instance event subscription is disabled. You can create an Amazon RDS event notification subscription so that you can be notified when an event occurs for a given DB instance.",
- "rule.criteria": "e122bb46-9075-4e3d-94a3-f428681e25c1",
- "searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-event-subscriptions' AND json.rule = 'sourceType equals db-instance and ((status does not equal active or enabled is false) or (status equals active and enabled is true and (sourceIdsList is not empty or eventCategoriesList is not empty)))'",
- "recommendation": "1. Sign into the AWS console\n2. In the console, select the specific region from region drop down on the top right corner, for which the alert is generated\n3. Navigate to Amazon RDS Dashboard\n4. Click on 'Event subscriptions' (Left Panel)\n5. Choose the reported Event subscription\n6. Click on 'Edit'\n7. On 'Edit event subscription' page, Under 'Details' section; Select 'Yes' for 'Enabled' and Make sure you have subscribed your DB to 'All instances' and 'All event categories'\n8. Click on 'Edit'",
- "remediable": true,
- "remediation.cliScriptTemplate": "aws rds modify-event-subscription --subscription-name ${resourceName} --region ${region} --enabled",
- "remediation.description": "This CLI command requires 'rds:ModifyEventSubscription' permission. Successful execution will enable event subscription for the respective RDS.",
- "remediation.impact": "Enable event subscription for the respective RDS",
- "compliance.standard": [
- "APRA (CPS 234) Information Security",
- "Brazilian Data Protection Law (LGPD)",
- "CCPA 2018",
- "CIS AWS 3 Tier Web Architecture Benchmark v.1.0.0",
- "CSA CCM v.4.0.1",
- "CyberSecurity Law of the People's Republic of China",
- "Cybersecurity Maturity Model Certification (CMMC) v.1.02",
- "HITRUST v.9.4.2",
- "ISO/IEC 27002:2013",
- "ISO/IEC 27017:2015",
- "MAS TRM 2021",
- "MLPS 2.0",
- "NIST 800-53 Rev 5",
- "NIST 800-53 Rev4",
- "NIST CSF",
- "NIST SP 800-171 Revision 2",
- "NIST SP 800-172",
- "PCI DSS v3.2.1",
- "PIPEDA"
- ]
-}
\ No newline at end of file
From 2f439384e91a0460dfc3b542468d20a44626c168 Mon Sep 17 00:00:00 2001
From: jsreedharan-panw <> Date: Thu, 2 May 2024 21:16:39 +0530 Subject: [PATCH 2/3] Updated in PCS-24.4.2 --- ...IAM-permissions-management-access-level.json | 17 ----------------- ...C2-instance-with-IAM-write-access-level.json | 17 ----------------- ...C2-instance-with-org-write-access-level.json | 17 ----------------- ...IAM-permissions-management-access-level.json | 17 ----------------- ...da-Function-with-IAM-write-access-level.json | 17 ----------------- ...da-Function-with-org-write-access-level.json | 17 ----------------- ...IAM-permissions-management-access-level.json | 17 ----------------- ...-Definition-with-IAM-write-access-level.json | 17 ----------------- ...-Definition-with-org-write-access-level.json | 17 ----------------- ...IAM-permissions-management-access-level.json | 17 ----------------- ...lk-Platform-with-IAM-write-access-level.json | 17 ----------------- ...lk-Platform-with-org-write-access-level.json | 17 ----------------- ...IAM-permissions-management-access-level.json | 17 ----------------- .../IAM-User-with-IAM-write-access-level.json | 17 ----------------- .../IAM-User-with-org-write-access-level.json | 17 ----------------- ...IAM-permissions-management-access-level.json | 17 ----------------- .../Okta-User-with-IAM-write-access-level.json | 17 ----------------- .../Okta-User-with-org-write-access-level.json | 17 ----------------- 18 files changed, 306 deletions(-) delete mode 100644 policies/AWS-EC2-instance-with-IAM-permissions-management-access-level.json delete mode 100644 policies/AWS-EC2-instance-with-IAM-write-access-level.json delete mode 100644 policies/AWS-EC2-instance-with-org-write-access-level.json delete mode 100644 policies/AWS-Lambda-Function-with-IAM-permissions-management-access-level.json delete mode 100644 policies/AWS-Lambda-Function-with-IAM-write-access-level.json delete mode 100644 policies/AWS-Lambda-Function-with-org-write-access-level.json delete mode 100644 
policies/ECS-Task-Definition-with-IAM-permissions-management-access-level.json delete mode 100644 policies/ECS-Task-Definition-with-IAM-write-access-level.json delete mode 100644 policies/ECS-Task-Definition-with-org-write-access-level.json delete mode 100644 policies/Elasticbeanstalk-Platform-with-IAM-permissions-management-access-level.json delete mode 100644 policies/Elasticbeanstalk-Platform-with-IAM-write-access-level.json delete mode 100644 policies/Elasticbeanstalk-Platform-with-org-write-access-level.json delete mode 100644 policies/IAM-User-with-IAM-permissions-management-access-level.json delete mode 100644 policies/IAM-User-with-IAM-write-access-level.json delete mode 100644 policies/IAM-User-with-org-write-access-level.json delete mode 100644 policies/Okta-User-with-IAM-permissions-management-access-level.json delete mode 100644 policies/Okta-User-with-IAM-write-access-level.json delete mode 100644 policies/Okta-User-with-org-write-access-level.json diff --git a/policies/AWS-EC2-instance-with-IAM-permissions-management-access-level.json b/policies/AWS-EC2-instance-with-IAM-permissions-management-access-level.json deleted file mode 100644 index 18739fc7..00000000 --- a/policies/AWS-EC2-instance-with-IAM-permissions-management-access-level.json +++ /dev/null 
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "34edd03b-b872-441b-84ed-19d9b4194c7d",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "AWS EC2 instance with IAM permissions management access level",
- "description": "This policy identifies This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.AWS IAM permissions management access level that are risky for AWS EC2 instances. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of permissions management access to minimize security risks.",
- "rule.criteria": "34edd03b-b872-441b-84ed-19d9b4194c7d",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/AWS-EC2-instance-with-IAM-write-access-level.json b/policies/AWS-EC2-instance-with-IAM-write-access-level.json
deleted file mode 100644
index 2944c2d9..00000000
--- a/policies/AWS-EC2-instance-with-IAM-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "8bef368e-7b79-4828-a9cd-f4aa4fa8a3ce",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "AWS EC2 instance with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "8bef368e-7b79-4828-a9cd-f4aa4fa8a3ce",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential
','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/AWS-EC2-instance-with-org-write-access-level.json b/policies/AWS-EC2-instance-with-org-write-access-level.json
deleted file mode 100644
index 861a5ff1..00000000
--- a/policies/AWS-EC2-instance-with-org-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "0acd23f7-12c8-48c2-88c4-2962a4778e6e",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "AWS EC2 instance with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "0acd23f7-12c8-48c2-88c4-2962a4778e6e",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. 
Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/AWS-Lambda-Function-with-IAM-permissions-management-access-level.json b/policies/AWS-Lambda-Function-with-IAM-permissions-management-access-level.json
deleted file mode 100644
index fed3b362..00000000
--- a/policies/AWS-Lambda-Function-with-IAM-permissions-management-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "4810bdba-6daa-4297-8bca-990eb7ea77b0",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "AWS Lambda Function with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "4810bdba-6daa-4297-8bca-990eb7ea77b0",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. 
Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/AWS-Lambda-Function-with-IAM-write-access-level.json b/policies/AWS-Lambda-Function-with-IAM-write-access-level.json
deleted file mode 100644
index ee11f7e1..00000000
--- a/policies/AWS-Lambda-Function-with-IAM-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "be543a73-6d4c-4162-9459-1b83d4f0a158",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "AWS Lambda Function with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "be543a73-6d4c-4162-9459-1b83d4f0a158",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpe
cificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/AWS-Lambda-Function-with-org-write-access-level.json b/policies/AWS-Lambda-Function-with-org-write-access-level.json
deleted file mode 100644
index babc8366..00000000
--- a/policies/AWS-Lambda-Function-with-org-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "741ef058-8816-49d0-87be-a714ae1ce2df",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "AWS Lambda Function with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "741ef058-8816-49d0-87be-a714ae1ce2df",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. 
Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/ECS-Task-Definition-with-IAM-permissions-management-access-level.json b/policies/ECS-Task-Definition-with-IAM-permissions-management-access-level.json
deleted file mode 100644
index 1ce0f064..00000000
--- a/policies/ECS-Task-Definition-with-IAM-permissions-management-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "c89882d6-ed8e-4e95-931a-9f4dd2c6ff74",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "ECS Task Definition with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "c89882d6-ed8e-4e95-931a-9f4dd2c6ff74",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. 
Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/ECS-Task-Definition-with-IAM-write-access-level.json b/policies/ECS-Task-Definition-with-IAM-write-access-level.json
deleted file mode 100644
index e360dbab..00000000
--- a/policies/ECS-Task-Definition-with-IAM-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "a87da1a4-e0ec-4fbc-9a4d-a6b5c2677542",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "ECS Task Definition with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks",
- "rule.criteria": "a87da1a4-e0ec-4fbc-9a4d-a6b5c2677542",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateService
SpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/ECS-Task-Definition-with-org-write-access-level.json b/policies/ECS-Task-Definition-with-org-write-access-level.json
deleted file mode 100644
index 1da9dbdc..00000000
--- a/policies/ECS-Task-Definition-with-org-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "18f6902b-1358-48b4-b81e-528072b30656",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "ECS Task Definition with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "18f6902b-1358-48b4-b81e-528072b30656",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
- "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. 
Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/Elasticbeanstalk-Platform-with-IAM-permissions-management-access-level.json b/policies/Elasticbeanstalk-Platform-with-IAM-permissions-management-access-level.json
deleted file mode 100644
index 67f6e980..00000000
--- a/policies/Elasticbeanstalk-Platform-with-IAM-permissions-management-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "e0c233b7-8911-4ecb-8387-371f0308c168",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "Elasticbeanstalk Platform with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "e0c233b7-8911-4ecb-8387-371f0308c168",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. 
Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/Elasticbeanstalk-Platform-with-IAM-write-access-level.json b/policies/Elasticbeanstalk-Platform-with-IAM-write-access-level.json
deleted file mode 100644
index cdad7586..00000000
--- a/policies/Elasticbeanstalk-Platform-with-IAM-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "95d9bf89-5ac0-4b8a-a1ae-a357fe0a45b8",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "Elasticbeanstalk Platform with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "95d9bf89-5ac0-4b8a-a1ae-a357fe0a45b8",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:
UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform' ",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/Elasticbeanstalk-Platform-with-org-write-access-level.json b/policies/Elasticbeanstalk-Platform-with-org-write-access-level.json
deleted file mode 100644
index 858c224e..00000000
--- a/policies/Elasticbeanstalk-Platform-with-org-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "b38b7c32-e9e8-4edb-8621-b88157ce34c7",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "Elasticbeanstalk Platform with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "b38b7c32-e9e8-4edb-8621-b88157ce34c7",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. 
Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/IAM-User-with-IAM-permissions-management-access-level.json b/policies/IAM-User-with-IAM-permissions-management-access-level.json
deleted file mode 100644
index 120121d7..00000000
--- a/policies/IAM-User-with-IAM-permissions-management-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "e231b07d-f1e1-40ad-9c7c-d38f09948db9",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "IAM User with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "e231b07d-f1e1-40ad-9c7c-d38f09948db9",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/IAM-User-with-IAM-write-access-level.json b/policies/IAM-User-with-IAM-write-access-level.json
deleted file mode 100644
index fab18f14..00000000
--- a/policies/IAM-User-with-IAM-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "99868a5a-9824-4da2-b413-ec5b1632b722",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "medium",
- "name": "IAM User with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "99868a5a-9824-4da2-b413-ec5b1632b722",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/IAM-User-with-org-write-access-level.json b/policies/IAM-User-with-org-write-access-level.json
deleted file mode 100644
index 71e9b1d3..00000000
--- a/policies/IAM-User-with-org-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "e9a84ae4-1764-41f5-8565-5c848b3e0e67",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "medium",
- "name": "IAM User with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "e9a84ae4-1764-41f5-8565-5c848b3e0e67",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
- "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/Okta-User-with-IAM-permissions-management-access-level.json b/policies/Okta-User-with-IAM-permissions-management-access-level.json
deleted file mode 100644
index 5fcc3ae0..00000000
--- a/policies/Okta-User-with-IAM-permissions-management-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "c14d0daf-bd4b-4b4f-8ee9-b41771217954",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "high",
- "name": "Okta User with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "c14d0daf-bd4b-4b4f-8ee9-b41771217954",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.idp.service = 'Okta'",
- "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/Okta-User-with-IAM-write-access-level.json b/policies/Okta-User-with-IAM-write-access-level.json
deleted file mode 100644
index 36acda37..00000000
--- a/policies/Okta-User-with-IAM-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "59a1468f-150e-469b-a099-df1d372fbb92",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "medium",
- "name": "Okta User with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "59a1468f-150e-469b-a099-df1d372fbb92",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.idp.service = 'Okta'",
- "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
diff --git a/policies/Okta-User-with-org-write-access-level.json b/policies/Okta-User-with-org-write-access-level.json
deleted file mode 100644
index 74cb0ccb..00000000
--- a/policies/Okta-User-with-org-write-access-level.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "policyUpi": "",
- "policyId": "5def0968-e071-46bb-a2b8-4a54f66bcf23",
- "policyType": "iam",
- "cloudType": "aws",
- "severity": "medium",
- "name": "Okta User with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
- "rule.criteria": "5def0968-e071-46bb-a2b8-4a54f66bcf23",
- "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.idp.service = 'Okta'",
- "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
- "remediable": true,
- "remediation.cliScriptTemplate": "dynamic aws cli commands",
- "remediation.description": "List of CLI commands are generated dynamically based on the violating resource. Successful execution will limit the relevant permissions of the violating resource.",
- "remediation.impact": "limit the relevant permissions of the violating resource",
- "compliance.standard": ""
-}
\ No newline at end of file
From 70c1e4403188cceef282e8145811823605cf3493 Mon Sep 17 00:00:00 2001
From: jsreedharan-panw <> Date: Thu, 2 May 2024 21:22:28 +0530 Subject: [PATCH 3/3] name change --- ...Instance-with-AWS-Organization-management-permissions.json | 4 ++-- ...S-EC2-Instance-with-IAM-policy-management-permissions.json | 4 ++-- policies/AWS-EC2-Instance-with-IAM-write-permissions.json | 4 ++-- ...finition-with-AWS-Organization-management-permissions.json | 4 ++-- ...ask-Definition-with-IAM-policy-management-permissions.json | 4 ++-- .../AWS-ECS-Task-Definition-with-IAM-write-permissions.json | 4 ++-- ...Platform-with-AWS-Organization-management-permissions.json | 4 ++-- ...stalk-Platform-with-IAM-policy-management-permissions.json | 4 ++-- ...Elastic-Beanstalk-Platform-with-IAM-write-permissions.json | 4 ++-- ...IAM-User-with-AWS-Organization-management-permissions.json | 4 ++-- .../AWS-IAM-User-with-IAM-policy-management-permissions.json | 4 ++-- policies/AWS-IAM-User-with-IAM-write-permissions.json | 4 ++-- ...Function-with-AWS-Organization-management-permissions.json | 4 ++-- ...ambda-Function-with-IAM-policy-management-permissions.json | 4 ++-- policies/AWS-Lambda-Function-with-IAM-write-permissions.json | 4 ++-- ...kta-User-with-AWS-Organization-management-permissions.json | 4 ++-- .../AWS-Okta-User-with-IAM-policy-management-permissions.json | 4 ++-- policies/AWS-Okta-User-with-IAM-write-permissions.json | 4 ++-- 18 files changed, 36 insertions(+), 36 deletions(-) diff --git a/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json b/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json index 861a5ff1..2eebd23f 100644 --- a/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json +++ b/policies/AWS-EC2-Instance-with-AWS-Organization-management-permissions.json 
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "AWS EC2 instance with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS EC2 Instance with AWS Organization management permissions",
+ "description": "This policy identifies IAM permissions that allow EC2 instances to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "0acd23f7-12c8-48c2-88c4-2962a4778e6e",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json b/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json
index 18739fc7..d4875abe 100644
--- a/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json
+++ b/policies/AWS-EC2-Instance-with-IAM-policy-management-permissions.json
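Review bot: The organizations action list in `searchModel.query` is carried over unchanged from the deleted policy and, as far as I can tell, does not include `organizations:CloseAccount` or the newer `organizations:PutResourcePolicy` / `organizations:DeleteResourcePolicy`, which are at least as destructive as `RemoveAccountFromOrganization` and `AttachPolicy`; worth confirming against the current Organizations action catalogue whether those omissions are deliberate or whether the product's action index simply predates them. The new name says "management permissions" while the new description still says "AWS Organization write permissions are very risky"; aligning the two, e.g. `AWS Organization management permissions are very risky and should only be used under very strict controls.`, avoids an analyst wondering whether "write" and "management" are different access levels. The recommendation is unchanged and correctly targets the EC2 instance role.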
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "AWS EC2 instance with IAM permissions management access level",
- "description": "This policy identifies This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.AWS IAM permissions management access level that are risky for AWS EC2 instances. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of permissions management access to minimize security risks.",
+ "name": "AWS EC2 Instance with IAM policy management permissions",
+ "description": "This policy identifies IAM permissions that allow EC2 instances to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "34edd03b-b872-441b-84ed-19d9b4194c7d",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-EC2-Instance-with-IAM-write-permissions.json b/policies/AWS-EC2-Instance-with-IAM-write-permissions.json
index 2944c2d9..e603efcb 100644
--- a/policies/AWS-EC2-Instance-with-IAM-write-permissions.json
+++ b/policies/AWS-EC2-Instance-with-IAM-write-permissions.json
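Review bot: The new description under-describes what the query actually matches: "creating, deleting, or attaching IAM policies to identities, roles, or groups" says nothing about `iam:DeleteRolePermissionsBoundary` / `iam:DeleteUserPermissionsBoundary`, `iam:UpdateAssumeRolePolicy` and `iam:DeleteAccountPasswordPolicy`, which are the escalation primitives an analyst most needs to recognise in an alert on an instance role (boundary removal and trust-policy edits are not "policy attachment"). Roles and groups are themselves IAM identities, so "identities, roles, or groups" reads as a category error. Suggested first sentence: `This policy identifies IAM permissions that allow EC2 instances to manage IAM policies, such as creating, deleting, or attaching IAM policies to users, groups, or roles, removing permissions boundaries, or changing role trust (assume-role) policies.` Good to see the duplicated "This policy identifies This policy identifies…" text from the old description dropped.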
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "AWS EC2 instance with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS EC2 Instance with IAM write permissions",
+ "description": "This policy identifies IAM permissions that allow EC2 instances to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "8bef368e-7b79-4828-a9cd-f4aa4fa8a3ce",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
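Review bot: The new description has a stray full stop that breaks the sentence ("write operations for IAM. such as creating, deleting, updating access keys"); it should read `...perform write operations for IAM, such as creating, deleting, or updating access keys, users, groups, and roles.` While editing it, the two actions on this list that most directly turn an instance compromise into account takeover, `iam:PassRole` and `iam:CreateAccessKey` / `iam:CreateLoginProfile` (credential minting for other principals), deserve an explicit mention so the alert text explains why the finding is high rather than medium. The query and recommendation are untouched by this commit and look consistent with the EC2 sibling policies.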
diff --git a/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json b/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json
index 1da9dbdc..c9ba6470 100644
--- a/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json
+++ b/policies/AWS-ECS-Task-Definition-with-AWS-Organization-management-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "ECS Task Definition with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS ECS Task Definition with AWS Organization management permissions",
+ "description": "This policy identifies IAM permissions that allow ECS task definitions to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "18f6902b-1358-48b4-b81e-528072b30656",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
 "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json b/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json
index 1ce0f064..9330e421 100644
--- a/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json
+++ b/policies/AWS-ECS-Task-Definition-with-IAM-policy-management-permissions.json
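Review bot: The `recommendation` in this file still tells the operator to "Login to the Okta console" and "Find the role used by the Okta user", which is a copy-paste from the Okta policies and makes no sense for an ECS task definition alert; the commit renames the policy but leaves these steps in place. It should match the sibling ECS policy-management file: `"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition\n3. Find the role used by the ECS Task Definition\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions"`. Since a task definition can reference both a task role and an execution role, step 3 would be clearer as "Find the task role (and execution role, if set) referenced by the ECS Task Definition", assuming the alert details identify which one carries the permission. Minor: this query uses lowercase `and` before `source.cloud.resource.type` where the EC2 queries use `AND`; harmless if the query language is case-insensitive, but worth normalising.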
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "ECS Task Definition with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS ECS Task Definition with IAM policy management permissions",
+ "description": "This policy identifies IAM permissions that allow ECS task definitions to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "c89882d6-ed8e-4e95-931a-9f4dd2c6ff74",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json b/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json
index e360dbab..db5d49e4 100644
--- a/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json
+++ b/policies/AWS-ECS-Task-Definition-with-IAM-write-permissions.json
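Review bot: Step 3 of the recommendation, "Find the role used by the ECS Task Definition", glosses over the fact that a task definition can carry two roles, the task role and the execution role, and the matched actions could be attached to either; an operator following the steps literally may fix one and leave the other. Suggest `3. Find the task role and, if set, the execution role referenced by the ECS Task Definition, and identify the one named in the alert details`. As with the EC2 counterpart, the new description's "identities, roles, or groups" should be "users, groups, or roles", and mentioning permissions-boundary removal and `iam:UpdateAssumeRolePolicy` (both in the matched list) would make the alert text reflect what is actually detected.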
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "ECS Task Definition with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks",
+ "name": "AWS ECS Task Definition with IAM write permissions",
+ "description": "This policy identifies IAM permissions that allow ECS task definitions to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "a87da1a4-e0ec-4fbc-9a4d-a6b5c2677542",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json b/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json
index 858c224e..e18c09d3 100644
--- a/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json
+++ b/policies/AWS-Elastic-Beanstalk-Platform-with-AWS-Organization-management-permissions.json
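Review bot: The new description has a sentence break where a comma belongs: `perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles.` should read `perform write operations for IAM, such as creating, deleting, or updating access keys, users, groups, and roles.` The same wording is repeated verbatim in the Elastic Beanstalk, IAM User and Lambda IAM-write hunks further down, so fix all four together. The matched action list on the unchanged query line also covers `iam:PassRole`, login profiles, MFA devices and OIDC/SAML providers, so the examples understate what triggers the alert; a short `..., and roles, as well as passing roles and managing credentials and identity providers` would set expectations correctly.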
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "Elasticbeanstalk Platform with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Elastic Beanstalk Platform with AWS Organization management permissions",
+ "description": "This policy identifies IAM permissions that allows an Elastic Beanstalk Platform to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "b38b7c32-e9e8-4edb-8621-b88157ce34c7",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json
index 67f6e980..862a9f07 100644
--- a/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json
+++ b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-policy-management-permissions.json
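Review bot: `IAM permissions that allows an Elastic Beanstalk Platform` has a number-agreement error; every other rewritten description in this patch uses `permissions that allow ...`, so this line should read `This policy identifies IAM permissions that allow an Elastic Beanstalk Platform to manage AWS Organizations ...`. The same `allows` is in the two Elastic Beanstalk hunks that follow (IAM policy management and IAM write). Separately, the new name says `AWS Organization management permissions` while the description's second sentence calls them `AWS Organization write permissions`; using one term keeps the alert text aligned with the policy name, and the same pair appears in the IAM User, Lambda and Okta Organization hunks below.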
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "Elasticbeanstalk Platform with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Elastic Beanstalk Platform with IAM policy management permissions",
+ "description": "This policy identifies IAM permissions that allows an Elastic Beanstalk Platform to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "e0c233b7-8911-4ecb-8387-371f0308c168",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json
index cdad7586..28827b14 100644
--- a/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json
+++ b/policies/AWS-Elastic-Beanstalk-Platform-with-IAM-write-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "Elasticbeanstalk Platform with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Elastic Beanstalk Platform with IAM write permissions",
+ "description": "This policy identifies IAM permissions that allows an Elastic Beanstalk Platform to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "95d9bf89-5ac0-4b8a-a1ae-a357fe0a45b8",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform' ",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json b/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json
index 71e9b1d3..7c151ad7 100644
--- a/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json
+++ b/policies/AWS-IAM-User-with-AWS-Organization-management-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "medium",
- "name": "IAM User with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS IAM User with AWS Organization management permissions",
+ "description": "This policy identifies IAM permissions that allow IAM users to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "e9a84ae4-1764-41f5-8565-5c848b3e0e67",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json b/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json
index 120121d7..1ca56273 100644
--- a/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json
+++ b/policies/AWS-IAM-User-with-IAM-policy-management-permissions.json
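Review bot: The rewritten description calls these permissions `very risky` and says they `significantly increase your attack surface`, yet this file keeps `"severity": "medium"` (unchanged context line in the same hunk) while the identical sentence accompanies `"severity": "high"` in the Elastic Beanstalk and Lambda Organization hunks. If the lower rating for IAM users is deliberate, the description should not copy the high-severity text verbatim; if it is not, the severity deserves a look alongside the wording change. The same description/severity mismatch is present in the IAM User IAM-write and Okta User Organization hunks below. I cannot tell from the diff alone whether the difference in severity is intentional.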
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "IAM User with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS IAM User with IAM policy management permissions",
+ "description": "This policy identifies IAM permissions that allow IAM users to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "e231b07d-f1e1-40ad-9c7c-d38f09948db9",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-IAM-User-with-IAM-write-permissions.json b/policies/AWS-IAM-User-with-IAM-write-permissions.json
index fab18f14..fcc57dd7 100644
--- a/policies/AWS-IAM-User-with-IAM-write-permissions.json
+++ b/policies/AWS-IAM-User-with-IAM-write-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "medium",
- "name": "IAM User with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the IAM Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS IAM User with IAM write permissions",
+ "description": "This policy identifies IAM permissions that allow IAM users to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "99868a5a-9824-4da2-b413-ec5b1632b722",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the IAM service\n3. Click on Users\n4. Choose the relevant user\n5. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json b/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json
index babc8366..31781934 100644
--- a/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json
+++ b/policies/AWS-Lambda-Function-with-AWS-Organization-management-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "AWS Lambda Function with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Lambda Function with AWS Organization management permissions",
+ "description": "This policy identifies IAM permissions that allow Lambda functions to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "741ef058-8816-49d0-87be-a714ae1ce2df",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json b/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json
index fed3b362..f7c63aec 100644
--- a/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json
+++ b/policies/AWS-Lambda-Function-with-IAM-policy-management-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "AWS Lambda Function with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Lambda Function with IAM policy management permissions",
+ "description": "This policy identifies IAM permissions that allow Lambda functions to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "4810bdba-6daa-4297-8bca-990eb7ea77b0",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Lambda-Function-with-IAM-write-permissions.json b/policies/AWS-Lambda-Function-with-IAM-write-permissions.json
index ee11f7e1..0bbe3254 100644
--- a/policies/AWS-Lambda-Function-with-IAM-write-permissions.json
+++ b/policies/AWS-Lambda-Function-with-IAM-write-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "AWS Lambda Function with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS Lambda Function instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Lambda Function with IAM write permissions",
+ "description": "This policy identifies IAM permissions that allow Lambda functions to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "be543a73-6d4c-4162-9459-1b83d4f0a158",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'",
 "recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Lambda Function \n3. Find the role used by the Lambda Function\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json b/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json
index 74cb0ccb..d0d8bbcb 100644
--- a/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json
+++ b/policies/AWS-Okta-User-with-AWS-Organization-management-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "medium",
- "name": "Okta User with org write access level",
- "description": "This policy identifies org write access that is defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Okta User with AWS Organization management permissions",
+ "description": "This policy identifies IAM permissions that allow Okta users to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "5def0968-e071-46bb-a2b8-4a54f66bcf23",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.idp.service = 'Okta'",
 "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json b/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json
index 5fcc3ae0..25e4b3cf 100644
--- a/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json
+++ b/policies/AWS-Okta-User-with-IAM-policy-management-permissions.json
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "high",
- "name": "Okta User with IAM permissions management access level",
- "description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Okta User with IAM policy management permissions",
+ "description": "This policy identifies IAM permissions that allow Okta users to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "c14d0daf-bd4b-4b4f-8ee9-b41771217954",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.idp.service = 'Okta'",
 "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
diff --git a/policies/AWS-Okta-User-with-IAM-write-permissions.json b/policies/AWS-Okta-User-with-IAM-write-permissions.json
index 36acda37..97f74cac 100644
--- a/policies/AWS-Okta-User-with-IAM-write-permissions.json
+++ b/policies/AWS-Okta-User-with-IAM-write-permissions.json
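Review bot: `iam:DeleteAccountPasswordPolicy` sits in this policy-management action list while its counterpart `iam:UpdateAccountPasswordPolicy` is in the IAM-write policy's list (next hunk); the account password policy is not a permissions policy, so the new description ("creating, deleting, or attaching IAM policies to identities, roles, or groups") does not cover it. Either move it beside `iam:UpdateAccountPasswordPolicy` or extend the description to mention password-policy changes. Separately, the remediation's "remove the risky actions" presumably only helps when the actions are listed explicitly; if the match comes from `iam:*` or `*` in the role's policy, step 7 should also say to replace the wildcard with an explicit least-privilege action list. The enclosing policy object starts and ends outside this hunk.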
@@ -4,8 +4,8 @@
 "policyType": "iam",
 "cloudType": "aws",
 "severity": "medium",
- "name": "Okta User with IAM write access level",
- "description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the Okta Users in your AWS account don't have a risky set of write permissions to minimize security risks.",
+ "name": "AWS Okta User with IAM write permissions",
+ "description": "This policy identifies IAM permissions that allow Okta users to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
 "rule.criteria": "59a1468f-150e-469b-a099-df1d372fbb92",
 "searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.idp.service = 'Okta'",
 "recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
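Review bot: The new description string has a stray sentence break in `perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles`; it should read `perform write operations for IAM, such as creating, deleting, or updating access keys, users, groups, and roles.` The action list includes the classic credential-minting and escalation primitives (`iam:CreateAccessKey`, `iam:CreateLoginProfile`, `iam:UpdateLoginProfile`, `iam:AddUserToGroup`, `iam:PassRole`), so the `medium` severity here against `high` for the policy-management set in the previous hunk looks inconsistent — worth confirming the intended ranking, since a principal holding these can obtain credentials for other identities in the account. The enclosing policy object starts and ends outside this hunk.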