AWS IAM Permissions Guardrails

Project site: https://aws-samples.github.io/aws-iam-permissions-guardrails/


Amazon CloudTrail

Each guardrail below lists its Identifier, Guardrail, Rationale, Remediation, References, IAM Actions and, where the check targets a particular policy type, the Policy it applies to.

IAM-CLOUDTRAIL-1

Guardrail: Check that Principals aren't allowed to DeleteTrail or StopLogging.

Rationale: As CloudTrail is the source for auditing of activity within your AWS account, it is important to verify that this functionality cannot be disabled by most entities within your Organization. This permission should be limited to break-glass roles (those who own the logging capability). CloudTrail supports resource-level permissions for individual trails, so the restriction can be scoped to InfoSec/Logging Team owned trails if other independent teams have a use case for managing their own trails.

Remediation: Verify that DeleteTrail and StopLogging are explicitly denied to non-whitelisted Principals, and that DeleteTrail and StopLogging permissions don't exist in an Allow statement for any non-whitelisted principal.

References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_id-based-policy-examples.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html

IAM Actions:
cloudtrail:DeleteTrail
cloudtrail:StopLogging
IAM-CLOUDTRAIL-2

Guardrail: Check that only authorized principals are able to UpdateTrail.

Rationale: Unauthorized principals could potentially turn off log file validation, turn off multi-region trails, or turn off organization trails. As CloudTrail is the source for auditing of activity within your AWS account, it is important to verify that this functionality is available only to authorized principals within your Organization. Examples of authorized principals include break-glass roles or those who own the logging capability, such as the Security or Logging Team.

Remediation: Verify that UpdateTrail is allowed only for authorized principals and denied for all others.

References:
https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html

IAM Actions:
cloudtrail:UpdateTrail
IAM-CLOUDTRAIL-3

Guardrail: Check that the CloudTrail S3 bucket policy includes either aws:PrincipalOrgID or the source account for IAM Roles. (This is not applicable to the CloudTrail service role.)

Rationale: Ensure that CloudTrail S3 buckets are scoped to allow only the authorized accounts to read and write to the CloudTrail S3 bucket. Unauthorized writes from external parties could potentially occur via confused deputy if the S3 bucket name is known to external parties.

Remediation: Add aws:PrincipalOrgID or aws:SourceAccount to the bucket policy for any IAM Roles that access the CloudTrail S3 bucket. This is not applicable to the CloudTrail service role.

References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-set-bucket-policy-for-multiple-accounts.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount

Policy: IAM Role
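The check and remediation for IAM-CLOUDTRAIL-3 can be run offline against a bucket policy document. The script below is an added example, not code from the guardrails project: it flags every Allow statement whose Principal is not purely a Service principal and whose Condition carries neither aws:PrincipalOrgID nor aws:SourceAccount, then produces a copy of the policy with aws:PrincipalOrgID added to those statements. The bucket name, account IDs, role names and organization ID in the sample policy are constructed for illustration. One caveat on the two keys: aws:PrincipalOrgID is evaluated for IAM principals such as roles, while aws:SourceAccount is populated only when an AWS service makes the request on behalf of a resource, so for role principals the org-ID key is the one that will actually take effect.

```python
import copy

# Added example (not from the guardrails project): audit a CloudTrail S3 bucket policy
# for IAM-CLOUDTRAIL-3. Bucket name, account IDs, role names and org ID are constructed.

# Condition keys the guardrail accepts, compared case-insensitively (IAM does).
GUARD_KEYS = ("aws:principalorgid", "aws:sourceaccount")


def _as_list(value):
    """IAM policy grammar allows most fields to be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Flatten {"StringEquals": {"aws:PrincipalOrgID": "o-..."}} into lower-cased key names."""
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}


def _service_only_principal(principal):
    """The guardrail excludes statements whose Principal is only a Service principal
    (the CloudTrail service writing to the bucket). A string principal such as "*"
    is not a service principal and is therefore checked."""
    return isinstance(principal, dict) and set(principal) == {"Service"}


def _is_unscoped(stmt):
    return (stmt.get("Effect") == "Allow"
            and not _service_only_principal(stmt.get("Principal"))
            and _condition_keys(stmt).isdisjoint(GUARD_KEYS))


def find_unscoped_statements(bucket_policy):
    """Sids of non-service Allow statements with neither guard key in their Condition."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(bucket_policy["Statement"]) if _is_unscoped(s)]


def scope_to_org(bucket_policy, org_id):
    """Remediation: return a copy with aws:PrincipalOrgID added to every unscoped statement."""
    fixed = copy.deepcopy(bucket_policy)
    for stmt in _as_list(fixed["Statement"]):
        if _is_unscoped(stmt):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:PrincipalOrgID"] = org_id
    return fixed


# Constructed sample, shaped like the AWS multi-account CloudTrail bucket policy.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck",  # service principal: out of scope for this guardrail
         "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-org-cloudtrail-logs"},
        {"Sid": "AWSCloudTrailWrite",  # service principal: out of scope for this guardrail
         "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-org-cloudtrail-logs/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "SecurityTeamRead",  # role principal already scoped to the organization
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/SecurityAnalyst"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-org-cloudtrail-logs",
                      "arn:aws:s3:::example-org-cloudtrail-logs/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PartnerRead",  # role principal with no org/account condition: finding
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/LogReader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-org-cloudtrail-logs/*"},
    ],
}

if __name__ == "__main__":
    print("unscoped:", find_unscoped_statements(SAMPLE_BUCKET_POLICY))
    print("after fix:", find_unscoped_statements(scope_to_org(SAMPLE_BUCKET_POLICY, "o-exampleorgid")))
```

Run it against the JSON returned by `aws s3api get-bucket-policy` on the real trail bucket; any Sid it prints is a statement to scope to the organization, or to remove if the principal has no business reading trail logs.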
IAM-CLOUDTRAIL-4

Guardrail: Check that Principals aren't allowed to PutEventSelectors or PutInsightSelectors.

Rationale: As CloudTrail is the source for auditing of activity within your AWS account, it is important to verify that the CloudTrail event selectors can't be modified to disable the majority of CloudTrail events within your Organization. This permission should be limited to break-glass roles (those who own the logging capability). CloudTrail supports resource-level permissions for individual trails, so the restriction can be scoped to InfoSec/Logging Team owned trails if other independent teams have a use case for managing their own trails.

Remediation: Verify that PutEventSelectors and PutInsightSelectors are explicitly denied to non-whitelisted Principals, and that PutEventSelectors and PutInsightSelectors permissions don't exist in an Allow statement for any non-whitelisted principal.

References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_id-based-policy-examples.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html

IAM Actions:
cloudtrail:PutEventSelectors
cloudtrail:PutInsightSelectors
IAM-CLOUDTRAIL-5

Guardrail: Check that only authorized administrative Principals are allowed AWS CloudTrail modification permissions.

Rationale: As CloudTrail is the source for auditing of activity within your AWS account, it is important to verify that this functionality cannot be disabled or modified by unauthorized entities within your Organization. These permissions should be limited to those who own the logging capability or to break-glass principals. CloudTrail supports resource-level permissions for individual trails, so these CloudTrail permissions can be scoped to InfoSec or Logging Team owned trails if other independent teams have a use case for managing their own trails.

Remediation: Verify that CloudTrail modification permissions are explicitly denied to non-whitelisted Principals, and that they don't exist in an Allow statement for any unauthorized principal.

References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_id-based-policy-examples.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html

IAM Actions:
cloudtrail:DeleteTrail
cloudtrail:PutEventSelectors
cloudtrail:PutInsightSelectors
cloudtrail:RemoveTags
cloudtrail:StopLogging
cloudtrail:UpdateTrail
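Guardrails IAM-CLOUDTRAIL-1, 2, 4 and 5 all come down to the same two checks: no Allow statement grants the listed CloudTrail modification actions to an ordinary principal, and an explicit Deny covers everyone except the logging owners. The script below is an added example, not code from the guardrails project. It audits an IAM policy document for those actions, expanding `cloudtrail:*`-style wildcards and the NotAction grammar (an `Allow` with `NotAction: "iam:*"` grants every CloudTrail action without naming one), treating an unconditional Deny in the same document as blocking, and it builds the Service Control Policy that implements the explicit deny with a break-glass carve-out on `aws:PrincipalArn`. The optional `trail_resources` argument is where you would put specific trail ARNs to use the resource-level scoping the rationale mentions. The account ID, role name and sample policies are constructed for illustration.

```python
import fnmatch

# Added example (not from the guardrails project): audit IAM policy documents for the
# CloudTrail modification actions in IAM-CLOUDTRAIL-1/2/4/5 and build a deny SCP that
# exempts break-glass roles. Account IDs, role names and sample policies are constructed.

GUARDED_ACTIONS = (
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:RemoveTags",
)


def _as_list(value):
    """IAM policy grammar allows most fields to be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action (or the complement of its NotAction) includes `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:  # "everything except ..." grants the action unless it is listed
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def guarded_actions_allowed(policy_doc):
    """Guarded actions granted by an Allow statement and not blocked by an unconditional
    Deny in the same document. A Deny that carries a Condition still leaves a path open,
    so it is not treated as blocking here."""
    stmts = _as_list(policy_doc["Statement"])
    allowed = []
    for action in GUARDED_ACTIONS:
        granted = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in stmts)
        blocked = any(s.get("Effect") == "Deny" and "Condition" not in s
                      and _statement_covers(s, action) for s in stmts)
        if granted and not blocked:
            allowed.append(action)
    return sorted(allowed)


def build_guardrail_scp(break_glass_role_arns, trail_resources=("*",)):
    """Deny SCP for the guarded actions that exempts the listed role ARNs. For an assumed
    role, aws:PrincipalArn is the role ARN, not the session ARN, so role ARNs match."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCloudTrailModificationExceptBreakGlass",
            "Effect": "Deny",
            "Action": list(GUARDED_ACTIONS),
            "Resource": list(trail_resources),
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(break_glass_role_arns)}},
        }],
    }


# Constructed sample policies.
DEVELOPER_POLICY = {  # over-broad service wildcard: flags all six actions
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*"], "Resource": "*"}],
}
READONLY_POLICY = {  # describe/get/lookup only: flags nothing
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:LookupEvents"]}],
}
NOTACTION_POLICY = {  # "everything but iam:*" silently includes every CloudTrail action
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}
PARTIAL_DENY_POLICY = {  # broad allow plus an unconditional deny on two of the actions
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("developer", DEVELOPER_POLICY), ("readonly", READONLY_POLICY),
                      ("notaction", NOTACTION_POLICY), ("partial-deny", PARTIAL_DENY_POLICY)]:
        print(f"{name}: {guarded_actions_allowed(doc)}")
    print(build_guardrail_scp(["arn:aws:iam::111122223333:role/BreakGlassLoggingAdmin"]))
```

Feed `guarded_actions_allowed` the documents returned by `aws iam get-policy-version` and `aws iam get-role-policy` for each role; a non-empty result on anything other than a logging-owner role is a finding. The SCP is what closes the gap organization-wide even where such a grant exists, because an SCP deny applies regardless of what the identity policy allows.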