Control: 2.10 Ensure log monitoring and alerts are set up for RAM Role changes
Description
It is recommended that a query and alarm be established for RAM Role creation, deletion and updating activities. Note that the query in the remediation below and the check implemented by this control match RAM policy lifecycle events (CreatePolicy, DeletePolicy, CreatePolicyVersion, UpdatePolicyVersion, SetDefaultPolicyVersion, DeletePolicyVersion) raised by the Ram and ResourceManager services; neither matches role events, so extend both if role changes are what you need to alert on.
Remediation
Perform the following to ensure the log monitoring and alerts are set up for RAM Role Changes:
From Console
- Log on to the SLS Console.
- Click Log Service Audit Service in the navigation pane.
- Go to the Access to Cloud Products > Global Configuration page.
- Select a location of the project for logs.
- Check Action Trail and configure a suitable number of days of retention.
- Click Save to save the changes.
- Go to Access to Cloud Products > Global Configurations and click Central Project.
- Select Log Management > Actiontrail Log.
- In the search/analytics console, input the following query:

  ("event.serviceName": ResourceManager or "event.serviceName": Ram) and ("event.eventName": CreatePolicy or "event.eventName": DeletePolicy or "event.eventName": CreatePolicyVersion or "event.eventName": UpdatePolicyVersion or "event.eventName": SetDefaultPolicyVersion or "event.eventName": DeletePolicyVersion) | select count(1) as c

- Create a dashboard and set an alert for the query result.

Two things the control's check (see the SQL below) requires before it reports ok: the alert must live in the same region as the SLS project the trail delivers to, and the alert's query text must contain one of the spellings the check searches for, such as event.serviceName="Ram" together with event.eventName="CreatePolicy", or the JSON form "event.serviceName": "Ram" with "event.eventName": "CreatePolicy". The bare-value spelling used in the query above ("event.serviceName": Ram) is not among those patterns, so an alert saved with exactly that text is not recognized by the check.
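The SLS query above, as an added example that is not part of the original page or of the alicloud_compliance mod: the same filter written in Python and run over constructed ActionTrail records, so you can see which events the alert counts and which RAM events it silently ignores. Assumptions: records are newline-delimited JSON with the event's fields nested under an event object (so event.serviceName reads as event -> serviceName), field comparisons are exact and case-sensitive, and the sample records (user names, timestamps, the CreateRole and RunInstances lines) are constructed, not real log data.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Values copied from the SLS query in the remediation step.
POLICY_SERVICES = {"ResourceManager", "Ram"}
POLICY_EVENTS = {
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
    "UpdatePolicyVersion", "SetDefaultPolicyVersion", "DeletePolicyVersion",
}

# Constructed ActionTrail records, one JSON object per line, in an assumed SLS
# delivery layout: the fields the query reads live under "event". Not real data.
SAMPLE_LOG = """\
{"event": {"serviceName": "Ram", "eventName": "CreatePolicy", "eventTime": "2024-05-01T10:00:00Z", "userIdentity": {"userName": "alice"}}}
{"event": {"serviceName": "Ram", "eventName": "DeletePolicyVersion", "eventTime": "2024-05-01T10:01:00Z", "userIdentity": {"userName": "alice"}}}
{"event": {"serviceName": "ResourceManager", "eventName": "CreatePolicy", "eventTime": "2024-05-01T10:02:00Z", "userIdentity": {"userName": "bob"}}}
{"event": {"serviceName": "Ram", "eventName": "CreateRole", "eventTime": "2024-05-01T10:03:00Z", "userIdentity": {"userName": "bob"}}}
{"event": {"serviceName": "Ecs", "eventName": "RunInstances", "eventTime": "2024-05-01T10:04:00Z", "userIdentity": {"userName": "carol"}}}
"""


def parse_ndjson(text: str) -> Iterable[dict]:
    """Yield one record per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_policy_change(record: dict) -> bool:
    """Python form of:
    ("event.serviceName": ResourceManager or "event.serviceName": Ram)
    and ("event.eventName": CreatePolicy or ... or "event.eventName": DeletePolicyVersion)
    Assumes exact, case-sensitive field matches."""
    event = record.get("event") or {}
    return (event.get("serviceName") in POLICY_SERVICES
            and event.get("eventName") in POLICY_EVENTS)


def count_policy_changes(text: str) -> int:
    """Equivalent of '| select count(1) as c': the number the alert threshold sees."""
    return sum(1 for r in parse_ndjson(text) if is_policy_change(r))


def policy_change_breakdown(text: str) -> Dict[Tuple[str, str, str], int]:
    """(serviceName, eventName, userName) -> count. A bare count tells a responder
    nothing; a grouping like this is what belongs in the alert notification body."""
    hits = Counter()
    for r in parse_ndjson(text):
        if is_policy_change(r):
            e = r["event"]
            who = e.get("userIdentity", {}).get("userName", "")
            hits[(e["serviceName"], e["eventName"], who)] += 1
    return dict(hits)


def uncovered_ram_events(text: str) -> List[str]:
    """Ram/ResourceManager events the query does not match. CreateRole in the
    sample shows the query tracks policy lifecycle events, not role changes."""
    return [r["event"]["eventName"] for r in parse_ndjson(text)
            if r.get("event", {}).get("serviceName") in POLICY_SERVICES
            and not is_policy_change(r)]


if __name__ == "__main__":
    print("c =", count_policy_changes(SAMPLE_LOG))
    for key, n in policy_change_breakdown(SAMPLE_LOG).items():
        print(key, n)
    print("not covered:", uncovered_ram_events(SAMPLE_LOG))
```

Run it as a script: the count is 3 (two Ram policy events and one ResourceManager CreatePolicy), and CreateRole is reported as an uncovered Ram event, which is the gap to close if the alert is meant to track role changes.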
Default Value:
The monitoring dashboard and alert are not set by default.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v200_2_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_10 --share

SQL
This control uses a named query:
with actiontrail_check as (
  select
    name as trail_name,
    account_id,
    status,
    sls_project_arn,
    sls_write_role_arn,
    home_region,
    trail_region,
    substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region,
    substring(sls_project_arn from 'project/([^/]+)') as sls_project_name
  from alicloud_action_trail
  where status = 'Enable'
    and sls_project_arn is not null
),
-- One row per query element of every enabled (or status-less) SLS alert.
alert_queries as (
  select
    project,
    region,
    name as alert_name,
    display_name,
    status as alert_status,
    coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) as query_text
  from alicloud_sls_alert,
    jsonb_array_elements(query_list) as query_obj
  where (status = 'ENABLED' or status is null)
    and query_list is not null
),
-- Keep only queries that name the Ram/ResourceManager service and one of the
-- policy events, in either the key="value" or the JSON-style spelling.
alert_check as (
  select *
  from alert_queries
  where (
      query_text ilike '%event.serviceName="ResourceManager"%'
      or query_text ilike '%event.serviceName="Ram"%'
      or query_text ilike '%"event.serviceName": "ResourceManager"%'
      or query_text ilike '%"event.serviceName": "Ram"%'
    )
    and (
      query_text ilike '%event.eventName="CreatePolicy"%'
      or query_text ilike '%event.eventName="DeletePolicy"%'
      or query_text ilike '%event.eventName="CreatePolicyVersion"%'
      or query_text ilike '%event.eventName="UpdatePolicyVersion"%'
      or query_text ilike '%event.eventName="SetDefaultPolicyVersion"%'
      or query_text ilike '%event.eventName="DeletePolicyVersion"%'
      -- optional: JSON-style variants
      or query_text ilike '%"event.eventName": "CreatePolicy"%'
      or query_text ilike '%"event.eventName": "DeletePolicy"%'
      or query_text ilike '%"event.eventName": "CreatePolicyVersion"%'
      or query_text ilike '%"event.eventName": "UpdatePolicyVersion"%'
      or query_text ilike '%"event.eventName": "SetDefaultPolicyVersion"%'
      or query_text ilike '%"event.eventName": "DeletePolicyVersion"%'
    )
),
-- A trail is paired with an alert only when the alert sits in the same region
-- as the SLS project the trail delivers to.
matched_pairs as (
  select distinct
    at.trail_name,
    at.sls_region,
    at.home_region,
    ac.alert_name,
    ac.region as alert_region
  from actiontrail_check at
    inner join alert_check ac
      on trim(lower(coalesce(at.sls_region, ''))) = trim(lower(coalesce(ac.region, '')))
      and at.sls_region is not null
      and ac.region is not null
      and at.sls_region != ''
      and ac.region != ''
)
select
  'acs:actiontrail:' || at.home_region || ':' || at.account_id || ':actiontrail/' || at.name as resource,
  case
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      and exists (select 1 from matched_pairs mp where mp.trail_name = at.name)
    then 'ok'
    else 'alarm'
  end as status,
  case
    when at.status = 'Enable'
      and at.sls_project_arn is not null
      and exists (select 1 from matched_pairs mp where mp.trail_name = at.name)
    then at.name || ' is configured with ActionTrail enabled, delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', and has a RAM policy change monitoring alert configured'
    when at.status = 'Enable'
      and at.sls_project_arn is not null
    then at.name || ' is configured with ActionTrail enabled and delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', but no RAM policy change monitoring alert found in that region'
    when at.status = 'Enable'
      and at.sls_project_arn is null
    then at.name || ' is enabled but not configured to deliver logs to SLS'
    else at.name || ' is not enabled'
  end as reason,
  account_id as account_id,
  region as region
from alicloud_action_trail at;
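An added example, not part of this page or of the alicloud_compliance mod, that reproduces the named query's decision logic in Python so it can be exercised against constructed alert and trail records offline. The ilike patterns contain no _ or % wildcards, so each reduces to a case-insensitive substring test; the coalesce over Query, query and query_obj::text is mirrored in query_text(); and the region pairing uses the same regex over the SLS project ARN. Every alert name, region, account id and ARN below is constructed. The alert named ram-policy-remediation carries the bare-value query text from the remediation step, and the example shows that the control does not recognize it.

```python
import json
import re
from typing import List, Optional

# Substrings the named query tests with ilike '%...%'. None contain '_' or '%',
# so each ilike is just a case-insensitive substring test.
SERVICE_PATTERNS = [
    'event.serviceName="ResourceManager"', 'event.serviceName="Ram"',
    '"event.serviceName": "ResourceManager"', '"event.serviceName": "Ram"',
]
EVENT_NAMES = ["CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
               "UpdatePolicyVersion", "SetDefaultPolicyVersion", "DeletePolicyVersion"]
EVENT_PATTERNS = ([f'event.eventName="{e}"' for e in EVENT_NAMES]
                  + [f'"event.eventName": "{e}"' for e in EVENT_NAMES])


def ilike_contains(text: str, needle: str) -> bool:
    return needle.lower() in text.lower()


def query_text(query_obj: dict) -> str:
    """coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text).
    ->> is NULL for a missing key or a JSON null, so fall through in that order."""
    for key in ("Query", "query"):
        value = query_obj.get(key)
        if value is not None:
            return value if isinstance(value, str) else json.dumps(value)
    return json.dumps(query_obj)


def control_recognizes(text: str) -> bool:
    """The service-pattern group AND the event-pattern group from alert_check."""
    return (any(ilike_contains(text, p) for p in SERVICE_PATTERNS)
            and any(ilike_contains(text, p) for p in EVENT_PATTERNS))


def alert_is_recognized(alert: dict) -> bool:
    """alert_check row filter: status ENABLED or null, a non-empty query_list, and
    at least one query element that hits both pattern groups."""
    if alert.get("status") not in ("ENABLED", None):
        return False
    return any(control_recognizes(query_text(q)) for q in alert.get("query_list") or [])


def sls_region_from_arn(sls_project_arn: Optional[str]) -> Optional[str]:
    """substring(sls_project_arn from 'acs:log:([^:]+):')"""
    m = re.search(r"acs:log:([^:]+):", sls_project_arn or "")
    return m.group(1) if m else None


def trail_status(trail: dict, alerts: List[dict]) -> str:
    """'ok' only when the trail is enabled, delivers to SLS, and a recognized alert
    lives in the SLS project's region (trim/lower compare); otherwise 'alarm'."""
    if trail.get("status") != "Enable" or not trail.get("sls_project_arn"):
        return "alarm"
    region = sls_region_from_arn(trail["sls_project_arn"])
    if not region:
        return "alarm"
    return "ok" if any(
        alert_is_recognized(a)
        and (a.get("region") or "").strip().lower() == region.strip().lower()
        for a in alerts
    ) else "alarm"


# Constructed rows standing in for alicloud_sls_alert and alicloud_action_trail.
SAMPLE_ALERTS = [
    {"name": "ram-policy-kv", "region": "cn-hangzhou", "status": "ENABLED",
     "query_list": [{"Query": 'event.serviceName="Ram" and event.eventName="CreatePolicy" | select count(1) as c'}]},
    {"name": "ram-policy-json", "region": "cn-hangzhou", "status": None,
     "query_list": [{"query": '"event.serviceName": "ResourceManager" and "event.eventName": "DeletePolicyVersion"'}]},
    # Bare-value spelling from the remediation step: keys quoted, values not.
    {"name": "ram-policy-remediation", "region": "cn-hangzhou", "status": "ENABLED",
     "query_list": [{"Query": '("event.serviceName": ResourceManager or "event.serviceName": Ram) and ("event.eventName": CreatePolicy or "event.eventName": DeletePolicy) | select count(1) as c'}]},
    {"name": "ram-policy-disabled", "region": "cn-hangzhou", "status": "DISABLED",
     "query_list": [{"Query": 'event.serviceName="Ram" and event.eventName="DeletePolicy"'}]},
]
SAMPLE_TRAILS = [
    {"name": "audit-hz", "status": "Enable", "sls_project_arn": "acs:log:cn-hangzhou:123456789012:project/audit-logs"},
    {"name": "audit-sh", "status": "Enable", "sls_project_arn": "acs:log:cn-shanghai:123456789012:project/audit-logs"},
    {"name": "audit-off", "status": "Disable", "sls_project_arn": None},
]


def recognized_alert_names(alerts: List[dict]) -> List[str]:
    return [a["name"] for a in alerts if alert_is_recognized(a)]


if __name__ == "__main__":
    print("recognized:", recognized_alert_names(SAMPLE_ALERTS))
    for t in SAMPLE_TRAILS:
        print(t["name"], trail_status(t, SAMPLE_ALERTS))
```

Only ram-policy-kv and ram-policy-json are recognized; audit-hz is ok because a recognized alert exists in cn-hangzhou, audit-sh is alarm because none exists in cn-shanghai, and audit-off is alarm because the trail is not enabled. Because the recognition is substring matching on saved query text, the practical fix for a false alarm is to save the alert query with one of the quoted spellings rather than to change the control.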