Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
2Dashboards
163Benchmarks
65Queries
2Variables
GitHub

Control: 2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls

Description

Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for unauthorized API calls.

Remediation

Perform the following to ensure the log monitoring and alerts are set up for unauthorized API calls:

  1. Logon to SLS Console.
  2. Click Log Service Audit Service in the navigation pane.
  3. Go to Access to Cloud Products > Global Configuration page.
    • Select a location of project for logs.
    • Check the Action Trail and configure a proper number of days.
    • Click Save to save the changes.
  4. Go to Access to Cloud Products > Global Configurations click Central Project.
  5. Select Log Management > Actiontrail Log.
  6. In the search/analytics console, input the following query:
"event.eventType": ApiCall and ("event.errorCode": "NoPermission" or "event.errorCode": "NoPermission.*" or "event.errorCode": "Forbidden" or "event.errorCode": "Forbidden" or "event.errorCode": "Forbidden.*" or "event.errorCode": "InvalidAccessKeyId" or "event.errorCode": "InvalidAccessKeyId.*" or "event.errorCode": "InvalidSecurityToken" or "event.errorCode": "InvalidSecurityToken.*" or "event.errorCode": "SignatureDoesNotMatch" or "event.errorCode": "InvalidAuthorization" or "event.errorCode": "AccessForbidden" or "event.errorCode": "NotAuthorized") | select count(1) as cnt
  1. Create a dashboard and set alert for the query result.

Default Value:

The monitoring dashboard and alert is not set by default.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_2_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_16 --share

SQL

This control uses a named query:

with actiontrail_check as (
  select
    name as trail_name,
    account_id,
    status,
    sls_project_arn,
    sls_write_role_arn,
    home_region,
    trail_region,
    substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region,
    substring(sls_project_arn from 'project/([^/]+)') as sls_project_name
  from
    alicloud_action_trail
  where
    status = 'Enable' and sls_project_arn is not null
), alert_check as (
  select
    project,
    region,
    name as alert_name,
    display_name,
    status as alert_status,
    coalesce(
      query_obj ->> 'Query',
      query_obj ->> 'query',
      query_obj::text
    ) as query_text
  from
    alicloud_sls_alert,
    jsonb_array_elements(query_list) as query_obj
  where
    (status = 'ENABLED' or status is null) and query_list is not null
    and (
      coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventType%ApiCall%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventType":%ApiCall%'
    )
    and (
      coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%NoPermission%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%Forbidden%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%Forbbiden%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%InvalidAccessKeyId%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%InvalidSecurityToken%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%SignatureDoesNotMatch%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%InvalidAuthorization%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%AccessForbidden%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.errorCode%NotAuthorized%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"NoPermission%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"Forbidden%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"Forbbiden%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"InvalidAccessKeyId%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"InvalidSecurityToken%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"SignatureDoesNotMatch%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"InvalidAuthorization%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"AccessForbidden%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.errorCode":%"NotAuthorized%'
    )
),
matched_pairs as (
  select distinct
    at.trail_name,
    at.sls_region,
    at.home_region,
    ac.alert_name,
    ac.region as alert_region
  from
    actiontrail_check at
    inner join alert_check ac on
      trim(lower(coalesce(at.sls_region, ''))) = trim(lower(coalesce(ac.region, '')))
      and at.sls_region is not null
      and ac.region is not null
      and at.sls_region != ''
      and ac.region != ''
)
select
  'acs:actiontrail:' || at.home_region || ':' || at.account_id || ':actiontrail/' || at.name as resource,
  case
    when at.status = 'Enable' and at.sls_project_arn is not null and exists (select 1 from matched_pairs mp where mp.trail_name = at.name) then 'ok'
    else 'alarm'
  end as status,
  case
    when at.status = 'Enable' and at.sls_project_arn is not null and exists (select 1 from matched_pairs mp where mp.trail_name = at.name) then at.name || ' is configured with ActionTrail enabled, delivering to SLS project in region '
      || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', and has an unauthorized API call monitoring alert configured'
    when at.status = 'Enable' and at.sls_project_arn is not null then at.name || ' is configured with ActionTrail enabled and delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', but no unauthorized API call monitoring alert found in that region'
    when at.status = 'Enable' and at.sls_project_arn is null then at.name || ' is enabled but not configured to deliver logs to SLS'
    else at.name || ' is not enabled'
  end as reason
  , account_id as account_id, region as region
from
  alicloud_action_trail at;

Tags

category = Compliance
cis = true
cis_item_id = 2.16
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v2.0.0
plugin = alicloud
service = AliCloud/SLS