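#!/usr/bin/env bash
# Configures the CIS AWS Foundations Benchmark section 3 monitoring controls
# (3.1 - 3.14) for $PROJECT_NAME: one CloudWatch Logs metric filter on the
# CloudTrail log group plus one CloudWatch alarm per control, all notifying
# the $ALARMING_SNS_TOPIC_ARN topic.
#
# One-time console setup, to be done BEFORE running this script:
#
# 1. Enable the AWS Config service
#    1. Accept the default settings, but check "Include global resources"
#       (IAM is a global service; without this its changes are not recorded)
#    2. Skip creating any rules
#    3. Confirm to complete setup
# 2. Enable the CIS Benchmark standard
#    1. Navigate to Security Hub in the AWS console
#    2. Choose "Compliance Standards"
#    3. Enable the CIS AWS Foundations rules
# 3. Configure CloudTrail
#    1. Name: all-events
#    2. Apply to all regions: Yes
#    3. Read/Write events: All
#    4. Data events, S3: All buckets
#    5. Data events, Lambda: Log all current and future functions
#    6. Create a new S3 bucket, enter $PROJECT_NAME-cloudtrail
#    7. Encrypt log files with SSE-KMS: Yes
#    8. Create a new KMS key: Yes
#    9. KMS key: $PROJECT_NAME-cloudtrail
#    10. Enable log file validation: Yes (lets tampering with delivered logs be detected)
#    11. Send SNS notification for every log file delivery: No
#    12. Create
# 4. Send the trail to CloudWatch Logs (the filters below read from that log group)
#    1. Edit the newly created trail
#    2. Scroll down to "CloudWatch Logs" and choose "Configure"
#    3. Accept the default group name and choose "Continue"
#    4. Use the default settings (Create a new IAM role), Allow
#       - if you get "Unable to validate the role policy. Please retry.",
#         continue through the process again
#
# The SNS topic itself was created once by hand:
#   aws sns create-topic --name amp-cisbenchmark-monitoring
#   { "TopicArn": "$ALARMING_SNS_TOPIC_ARN" }

# Abort on the first failed AWS call: a filter that failed to create would
# otherwise leave the matching alarm pointing at a metric that never exists.
set -euo pipefail

# Each setting may be overridden from the environment; the value after ':-'
# is the default the script originally hard-coded.
PROJECT_NAME="${PROJECT_NAME:-project}"
CLOUDTRAIL_LOG_GROUP="${CLOUDTRAIL_LOG_GROUP:-CloudTrail/DefaultLogGroup}"
ALARMING_SNS_TOPIC_ARN="${ALARMING_SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:034723381148:cisbenchmark-monitoring}"
SUBSCRIPTION_EMAIL_ADDRESS="${SUBSCRIPTION_EMAIL_ADDRESS:-email@email.com}"
# CloudWatch namespace shared by every metric and used as the alarm-name prefix.
METRIC_NAMESPACE=CISBenchmark

# cis_alarm METRIC_SUFFIX ALARM_ID DESCRIPTION FILTER_PATTERN
#
# Creates (or updates, both AWS calls are upserts) the metric filter and the
# alarm for one CIS control.
#   METRIC_SUFFIX  - tail of the metric/filter name; the full name is
#                    "$PROJECT_NAME-cloudtrail-$METRIC_SUFFIX" (e.g. IAMChanges)
#   ALARM_ID       - tail of the alarm name after "$METRIC_NAMESPACE/"
#                    (e.g. 3.4-iam_changes_alarm)
#   DESCRIPTION    - free text shown on the alarm
#   FILTER_PATTERN - CloudWatch Logs filter pattern, passed through verbatim
# The alarm fires when at least one matching event arrives in a 5-minute period.
cis_alarm() {
  local metric_suffix="$1" alarm_id="$2" description="$3" pattern="$4"
  local metric_name="${PROJECT_NAME}-cloudtrail-${metric_suffix}"

  aws logs put-metric-filter \
    --log-group-name "$CLOUDTRAIL_LOG_GROUP" \
    --filter-name "$metric_name" \
    --metric-transformations "metricName=${metric_name},metricNamespace=${METRIC_NAMESPACE},metricValue=1" \
    --filter-pattern "$pattern"

  aws cloudwatch put-metric-alarm \
    --alarm-name "${METRIC_NAMESPACE}/${alarm_id}" \
    --metric-name "$metric_name" \
    --namespace "$METRIC_NAMESPACE" \
    --statistic Sum \
    --period 300 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --alarm-actions "$ALARMING_SNS_TOPIC_ARN" \
    --alarm-description "$description"
}

# Re-running this re-sends the confirmation email; the subscription is only
# active once that email has been confirmed.
aws sns subscribe \
  --topic-arn "$ALARMING_SNS_TOPIC_ARN" \
  --protocol email \
  --notification-endpoint "$SUBSCRIPTION_EMAIL_ADDRESS"

# Section 3.1
# NOTE: the filter was previously named "$PROJECT_NAME-cloudTrail-unauthorizedApiCalls"
# (capital T, lower-case u) while its metric was "...-cloudtrail-UnauthorizedApiCalls";
# filter and metric now share one name. If the script was run before, delete
# the old filter by hand - put-metric-filter does not rename.
cis_alarm UnauthorizedApiCalls 3.1-unauthorized_api_calls_alarm \
  "Unauthorized API calls" \
  '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

# Section 3.2
cis_alarm NoMFAConsoleSignin 3.2-no_mfa_console_signin_alarm \
  "Management Console sign-in without MFA" \
  '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'

# Section 3.3
# invokedBy NOT EXISTS / eventType != AwsServiceEvent exclude actions AWS
# services perform on the account's behalf, so only interactive root use alarms.
cis_alarm RootAccountUsage 3.3-root_usage_alarm \
  'Usage of "root" account' \
  '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'

# Section 3.4
cis_alarm IAMChanges 3.4-iam_changes_alarm \
  "IAM policy changes" \
  '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'

# Section 3.5
cis_alarm CloudtrailConfigChanges 3.5-cloudtrail_cfg_changes_alarm \
  "cloudtrail configuration changes" \
  '{($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'

# Section 3.6
cis_alarm ConsoleSigninFailures 3.6-console_signin_failure_alarm \
  "AWS Management Console authentication failures" \
  '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'

# Section 3.7
cis_alarm DisableOrDeleteCmkChanges 3.7-disable_or_delete_cmk_changes_alarm \
  "Disabling or scheduled deletion of customer created CMKs" \
  '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'

# Section 3.8
cis_alarm S3BucketPolicyChangesMetric 3.8-s3_bucket_policy_changes_alarm \
  "S3 bucket policy changes" \
  '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName =DeleteBucketReplication)) }'

# Section 3.9
# (alarm id kept as "..._metric" rather than "..._alarm" so an existing alarm is updated, not duplicated)
cis_alarm AwsConfigChanges 3.9-aws_config_changes_metric \
  "AWS Config configuration changes" \
  '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'

# Section 3.10
cis_alarm SecurityGroupChanges 3.10-security_group_changes_alarm \
  "Security group changes" \
  '{($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName= CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }'

# Section 3.11
cis_alarm NACLChanges 3.11-nacl_changes_alarm \
  "Changes to Network Access Control Lists (NACL)" \
  '{ ($.eventName = CreateNetworkAcl) || ($.eventName =CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'

# Section 3.12
cis_alarm NetworkGatewayChanges 3.12-network_gw_changes_alarm \
  "Changes to network gateways" \
  '{($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'

# Section 3.13
cis_alarm RouteTableChanges 3.13-route_table_changes_alarm \
  "Route table changes" \
  '{($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'

# Section 3.14
cis_alarm VPCChanges 3.14-vpc_changes_alarm \
  "VPC changes" \
  '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'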