Control: 2.18 Ensure a log monitoring and alerts are set up for usage of 'root' account
Description
Real-time monitoring of API calls can be achieved by directing ActionTrail logs to Log Service (SLS) and establishing corresponding queries and alarms. It is recommended that a query and alarm be established for console logins performed with the root account.
Remediation
Perform the following to ensure the log monitoring and alerts are set up for usage of the "root" account:
- Log on to the SLS Console.
- Click Log Service Audit Service in the navigation pane.
- Go to the Access to Cloud Products > Global Configuration page.
- Select a location of project for logs.
- Check the Action Trail and configure a proper number of days.
- Click Save to save the changes.
- Go to Access to Cloud Products > Global Configurations and click Central Project.
- Select Log Management > Actiontrail Log.
- In the search/analytics console, input the following query:
  "event.eventName": ConsoleSignin and "event.userIdentity.type": root-account
- Create a dashboard and set an alert for the query result.
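To show what the alert query above actually fires on, here is an added example (not part of the control or the Powerpipe mod) that evaluates the same `"field": value and "field": value` query against a handful of constructed ActionTrail records as SLS stores them, with the trail event nested under the `event` field. The record contents, the `parse_query`/`lookup`/`find_root_console_signins` helpers and the restriction to `and` terms are all assumptions of this example.

```python
import re

# Constructed sample of ActionTrail records as they arrive in SLS: each record
# wraps the trail event under the "event" field. Sample data, not real logs.
SAMPLE_RECORDS = [
    {"event": {"eventName": "ConsoleSignin", "eventTime": "2024-05-01T08:00:00Z",
               "userIdentity": {"type": "root-account", "accountId": "123456789012"},
               "sourceIpAddress": "203.0.113.10"}},
    {"event": {"eventName": "ConsoleSignin", "eventTime": "2024-05-01T08:05:00Z",
               "userIdentity": {"type": "ram-user", "userName": "alice"},
               "sourceIpAddress": "203.0.113.11"}},
    {"event": {"eventName": "CreateUser", "eventTime": "2024-05-01T08:10:00Z",
               "userIdentity": {"type": "root-account", "accountId": "123456789012"},
               "sourceIpAddress": "203.0.113.10"}},
    {"event": {"eventName": "ConsoleSignin", "eventTime": "2024-05-02T22:30:00Z",
               "userIdentity": {"type": "root-account", "accountId": "123456789012"},
               "sourceIpAddress": "198.51.100.7"}},
]

# The alert query from the remediation steps, copied verbatim.
ROOT_CONSOLE_SIGNIN_QUERY = '"event.eventName": ConsoleSignin and "event.userIdentity.type": root-account'


def parse_query(query):
    """Split an SLS-style '"field": value and "field": value' query into
    (dotted field path, expected value) terms. Only 'and' is supported here."""
    terms = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = re.fullmatch(r'"?([\w.]+)"?\s*:\s*"?([^"\s]+)"?', part.strip())
        if m is None:
            raise ValueError(f"unsupported query term: {part!r}")
        terms.append((m.group(1), m.group(2)))
    return terms


def lookup(record, path):
    """Resolve a dotted path such as event.userIdentity.type in a nested dict."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_root_console_signins(records, query=ROOT_CONSOLE_SIGNIN_QUERY):
    """Return the events the alert query would match (root console sign-ins)."""
    terms = parse_query(query)
    return [r["event"] for r in records
            if all(lookup(r, field) == value for field, value in terms)]
```

Only the two root-account `ConsoleSignin` records match; the RAM user sign-in and the root `CreateUser` API call do not, which is the point of combining both terms rather than alerting on `root-account` alone.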
Default Value:
The monitoring dashboard and alert are not set up by default.
Usage
Run the control in your terminal:

```
powerpipe control run alicloud_compliance.control.cis_v200_2_18
```

Snapshot and share results via Turbot Pipes:

```
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_18 --share
```

SQL
This control uses a named query:
```sql
with actiontrail_check as (
  select
    name as trail_name,
    account_id,
    status,
    sls_project_arn,
    sls_write_role_arn,
    home_region,
    trail_region,
    substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region,
    substring(sls_project_arn from 'project/([^/]+)') as sls_project_name
  from
    alicloud_action_trail
  where
    status = 'Enable'
    and sls_project_arn is not null
),
alert_check as (
  select
    project,
    region,
    name as alert_name,
    display_name,
    status as alert_status,
    coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) as query_text
  from
    alicloud_sls_alert,
    jsonb_array_elements(query_list) as query_obj
  where
    (status = 'ENABLED' or status is null)
    and query_list is not null
    and (
      coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName%ConsoleSignin%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName":%ConsoleSignin%'
    )
    and (
      coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.userIdentity.type%root-account%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.userIdentity.type":%root-account%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%userIdentity.type%root-account%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"userIdentity.type":%root-account%'
      or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%root-account%'
    )
),
matched_pairs as (
  select distinct
    at.trail_name,
    at.sls_region,
    at.home_region,
    ac.alert_name,
    ac.region as alert_region
  from
    actiontrail_check at
    inner join alert_check ac
      on trim(lower(coalesce(at.sls_region, ''))) = trim(lower(coalesce(ac.region, '')))
      and at.sls_region is not null
      and ac.region is not null
      and at.sls_region != ''
      and ac.region != ''
)
select
  'acs:actiontrail:' || at.home_region || ':' || at.account_id || ':actiontrail/' || at.name as resource,
  case
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      and exists (select 1 from matched_pairs mp where mp.trail_name = at.name)
    then 'ok'
    else 'alarm'
  end as status,
  case
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      and exists (select 1 from matched_pairs mp where mp.trail_name = at.name)
    then at.name || ' is configured with ActionTrail enabled, delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', and has a root account usage monitoring alert configured'
    when at.status = 'Enable' and at.sls_project_arn is not null
    then at.name || ' is configured with ActionTrail enabled and delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', but no root account usage monitoring alert found in that region'
    when at.status = 'Enable' and at.sls_project_arn is null
    then at.name || ' is enabled but not configured to deliver logs to SLS'
    else at.name || ' is not enabled'
  end as reason,
  account_id as account_id,
  region as region
from
  alicloud_action_trail at;
```