import re
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get
# Exact ARN allow-list: the role dedicated for IAM administration.
IAM_ADMIN_ROLES = {
    "arn:aws:iam::123456789012:role/IdentityCFNServiceRole",
}

# Regular-expression allow-list for IAM service roles; the account-agnostic
# form of the entries above (any 12-digit account id).
IAM_ADMIN_ROLE_PATTERNS = {
    "arn:aws:iam::[0-9]+:role/IdentityCFNServiceRole",
}

# CloudTrail eventName values that indicate creation of an IAM entity
# (principals, policies, instance profiles).
IAM_ENTITY_CREATION_EVENTS = {
    "CreateUser",
    "BatchCreateUser",
    "CreateGroup",
    "CreateRole",
    "CreateServiceLinkedRole",
    "CreateInstanceProfile",
    "CreatePolicy",
    "CreatePolicyVersion",
}
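def rule(event):
    """Alert when an IAM entity is created outside the approved CloudFormation path.

    The event alerts (returns True) when a successful IAM-creation API call was
    either not invoked through CloudFormation, or was invoked through
    CloudFormation by a session whose issuing role is not one of the approved
    IAM administration roles.

    Args:
        event: A CloudTrail event (dict-like, supports ``get``).

    Returns:
        bool: True if the event should alert, False otherwise.
    """
    # Check if this event is in scope: only successful IAM entity-creation calls
    if (
        not aws_cloudtrail_success(event)
        or event.get("eventName") not in IAM_ENTITY_CREATION_EVENTS
    ):
        return False

    # All IAM changes MUST go through CloudFormation
    if deep_get(event, "userIdentity", "invokedBy") != "cloudformation.amazonaws.com":
        return True

    # Resolve the issuing-role ARN once. The path may be absent (no
    # sessionContext / sessionIssuer on the identity), in which case deep_get
    # yields None; fall back to "" so the regex check below evaluates instead
    # of raising TypeError, which would leave the event unevaluated.
    issuer_arn = (
        deep_get(event, "userIdentity", "sessionContext", "sessionIssuer", "arn") or ""
    )

    # Only approved IAM Roles can make IAM Changes. The pattern must match the
    # whole ARN: an unanchored search (re.findall) would also accept any role
    # whose name merely starts with the approved name, e.g.
    # ".../role/IdentityCFNServiceRole-other", widening the allow-list.
    if any(re.fullmatch(pattern, issuer_arn) for pattern in IAM_ADMIN_ROLE_PATTERNS):
        return False

    # An empty or unknown issuer ARN is not an approved role, so it alerts.
    return issuer_arn not in IAM_ADMIN_ROLES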