from fnmatch import fnmatch
# pylint: disable=line-too-long
# Requester ARN globs (fnmatch syntax) that are expected to read objects from the
# Panther processed-data bucket. Anything else reading that bucket is "unknown".
_PROCESSED_DATA_READERS = [
    "arn:aws:sts::*:assumed-role/panther-cloud-security-EventProcessorFunctionRole-*/panther-aws-event-processor",
    "arn:aws:sts::*:assumed-role/panther-log-analysis-AthenaApiFunctionRole-*/panther-athena-api",
    "arn:aws:sts::*:assumed-role/panther-log-analysis-RulesEngineFunctionRole-*/panther-rules-engine",
    "arn:aws:sts::*:assumed-role/panther-snowflake-logprocessing-role-*/snowflake",
    "arn:aws:sts::*:assumed-role/panther-data-replication-role-*/s3-replication",
]

# Bucket-name glob -> list of requester ARN globs allowed to GET from it.
# Buckets matching no key here are not evaluated by the rule.
BUCKET_ROLE_MAPPING = {
    "panther-bootstrap-processeddata-*": _PROCESSED_DATA_READERS,
}
# pylint: enable=line-too-long
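def _unknown_requester_access(event):
    """Return True when a mapped bucket was read by a requester not on its allow list.

    Args:
        event: Panther S3 server-access-log event. Only ``bucket`` and
            ``requester`` are read, via ``event.get``.

    Returns:
        True if ``bucket`` matches a key of BUCKET_ROLE_MAPPING and ``requester``
        matches none of that key's ARN globs. False if the requester is expected,
        or if the bucket matches no key at all (unmapped buckets are not evaluated).
    """
    # A JSON null for either field yields None, and fnmatch() raises TypeError on
    # None. Coerce to "" so a null/anonymous requester on a mapped bucket is
    # reported as unknown instead of erroring the rule.
    bucket = event.get("bucket") or ""
    requester = event.get("requester") or ""
    for bucket_pattern, role_patterns in BUCKET_ROLE_MAPPING.items():
        if not fnmatch(bucket, bucket_pattern):
            continue
        # fnmatch() folds case only where os.path.normcase does (Windows);
        # elsewhere the ARN comparison is case-sensitive.
        if not any(fnmatch(requester, role_pattern) for role_pattern in role_patterns):
            return True
    return False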
def rule(event):
    """Fire on a successful S3 GET of an object by an unexpected requester.

    Events carrying an ``errorcode`` are ignored, as are operations other than
    ``REST.GET.OBJECT``; the requester check is delegated to
    ``_unknown_requester_access``.
    """
    is_successful_get = (
        not event.get("errorcode") and event.get("operation") == "REST.GET.OBJECT"
    )
    return is_successful_get and _unknown_requester_access(event)
def title(event):
    """Build the alert title naming the bucket that was read.

    Uses the literal ``<UNKNOWN_BUCKET>`` when the event has no ``bucket`` key.
    """
    bucket_name = event.get("bucket", "<UNKNOWN_BUCKET>")
    return f"Unknown requester accessing data from S3 Bucket [{bucket_name}]"