turbot/steampipe-mod-alicloud-compliance

Control: 2.22 Ensure a log monitoring and alerts are set up for security group changes

Description

Real-time monitoring of API calls can be achieved by directing ActionTrail logs to Log Service (SLS) and establishing the corresponding queries and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a query and alarm be established for changes to Security Groups, since a single rule change can expose instances to the Internet.

Remediation

Perform the following steps to ensure that log monitoring and alerts are set up for security group changes:

  1. Logon to SLS Console.
  2. Click Log Service Audit Service in the navigation pane.
  3. Go to Access to Cloud Products > Global Configuration page.
    • Select a location of project for logs.
    • Select ActionTrail and configure an appropriate number of retention days.
    • Click Save to save the changes.
  4. Go to Access to Cloud Products > Global Configurations and click Central Project.
  5. Select Log Management > Actiontrail Log.
  6. In the search/analytics console, input the following query:
("event.eventName": CreateSecurityGroup or "event.eventName": AuthorizeSecurityGroup or "event.eventName": AuthorizeSecurityGroupEgress or "event.eventName": RevokeSecurityGroup or "event.eventName": RevokeSecurityGroupEgress or "event.eventName": JoinSecurityGroup or "event.eventName": LeaveSecurityGroup or "event.eventName": DeleteSecurityGroup or "event.eventName": ModifySecurityGroupPolicy) | select count(1) as cnt
  7. Create a dashboard and set an alert on the query result. Keep the `event.eventName` values above in the alert's query: the control below detects the alert by pattern-matching its query text for those event names, so an alert written against different field names will not be recognised.

Default Value:

The monitoring dashboard and alert are not set up by default.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_2_22

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_22 --share

SQL

This control uses a named query:

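-- CIS Alicloud 2.22: every enabled ActionTrail trail that delivers to SLS must have
-- an enabled SLS alert, located in the region of the trail's target SLS project,
-- whose query filters on security-group change events.
--
-- Two deliberate looseness points a reviewer should be aware of:
--   * any ONE of the nine security-group event names is enough for 'ok'; the
--     check does not prove that all nine (notably AuthorizeSecurityGroup and
--     AuthorizeSecurityGroupEgress, which open ports) are covered.
--   * the alert only has to live in the same REGION as the trail's SLS project,
--     not in the same project or account. The project name is extracted below
--     but intentionally not matched, so Log Audit "central project" setups
--     (see Remediation step 4) are not flagged -- confirm this is acceptable
--     for your environment before relying on the result.
with actiontrail_check as (
  -- Trails that are enabled and configured to deliver to an SLS project.
  -- The SLS project ARN has the form acs:log:<region>:<account>:project/<name>.
  select
    name as trail_name,
    account_id,
    status,
    sls_project_arn,
    home_region,
    substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region,
    substring(sls_project_arn from 'project/([^/]+)') as sls_project_name
  from
    alicloud_action_trail
  where
    status = 'Enable'
    and sls_project_arn is not null
),
alert_check as (
  -- One row per (alert, query) whose SLS query text references a security-group
  -- change event. A single case-insensitive regex accepts every spelling the
  -- control is meant to recognise:
  --   event.eventName="CreateSecurityGroup"        (query-string form)
  --   "event.eventName": "CreateSecurityGroup"     (JSON-style, quoted value)
  --   "event.eventName": CreateSecurityGroup       (exact form used in the
  --                                                 Remediation text above;
  --                                                 previously NOT matched)
  --   event_name: CreateSecurityGroup              (flattened field form)
  -- Alerts with a null status are treated as enabled, as in the original
  -- check; confirm against the API what a missing status means before
  -- tightening this.
  select
    region,
    name as alert_name,
    coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) as query_text
  from
    alicloud_sls_alert
    -- guard: jsonb_array_elements raises on a non-array value, so feed it an
    -- empty array when query_list is not an array (yields no rows for that alert)
    cross join lateral jsonb_array_elements(
      case when jsonb_typeof(query_list) = 'array' then query_list else '[]'::jsonb end
    ) as query_obj
  where
    (status = 'ENABLED' or status is null)
    and query_list is not null
    and coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text)
      ~* '(event\.eventname|event_name)"?\s*[:=]\s*"?(CreateSecurityGroup|AuthorizeSecurityGroup|AuthorizeSecurityGroupEgress|RevokeSecurityGroup|RevokeSecurityGroupEgress|JoinSecurityGroup|LeaveSecurityGroup|DeleteSecurityGroup|ModifySecurityGroupPolicy)'
),
matched_pairs as (
  -- Trails that have at least one qualifying alert in the region their SLS
  -- project lives in. Keyed by (account_id, trail_name): trail names are only
  -- unique within an account, and the same name can appear in several accounts
  -- of an aggregated connection, so matching on name alone could mark a trail
  -- 'ok' because of an alert that belongs to a different account's trail.
  select distinct
    t.account_id,
    t.trail_name
  from
    actiontrail_check t
    inner join alert_check a
      on lower(trim(t.sls_region)) = lower(trim(a.region))
  where
    nullif(trim(t.sls_region), '') is not null
    and nullif(trim(a.region), '') is not null
)
select
  'acs:actiontrail:' || t.home_region || ':' || t.account_id || ':actiontrail/' || t.name as resource,
  case
    when t.status = 'Enable'
      and t.sls_project_arn is not null
      and exists (
        select 1
        from matched_pairs mp
        where mp.account_id = t.account_id
          and mp.trail_name = t.name
      ) then 'ok'
    else 'alarm'
  end as status,
  case
    when t.status = 'Enable'
      and t.sls_project_arn is not null
      and exists (
        select 1
        from matched_pairs mp
        where mp.account_id = t.account_id
          and mp.trail_name = t.name
      ) then t.name || ' is configured with ActionTrail enabled, delivering to SLS project in region '
        || coalesce(substring(t.sls_project_arn from 'acs:log:([^:]+):'), 'unknown')
        || ', and has a security group change monitoring alert configured'
    when t.status = 'Enable' and t.sls_project_arn is not null then t.name
        || ' is configured with ActionTrail enabled and delivering to SLS project in region '
        || coalesce(substring(t.sls_project_arn from 'acs:log:([^:]+):'), 'unknown')
        || ', but no security group change monitoring alert found in that region'
    -- enabled but sls_project_arn is null (the previous branch did not match)
    when t.status = 'Enable' then t.name || ' is enabled but not configured to deliver logs to SLS'
    else t.name || ' is not enabled'
  end as reason,
  t.account_id,
  t.region
from
  alicloud_action_trail t;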

Tags