format changes and added to AWS pack

panther-labs · Oct 28, 2024 · 4461ab7 · 4461ab7
1 parent f7c83bb
commit 4461ab7
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 51 deletions.
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -142,6 +142,7 @@ PackDefinition:
     - AWS.CMK.KeyRotation
     - AWS.DynamoDB.TableTTLEnabled
     - AWS.EC2.Vulnerable.XZ.Image.Launched
+    - Amazon.EKS.AnonymousAPIAccess
     - AWS.IAM.Policy.DoesNotGrantAdminAccess
     - AWS.IAM.Policy.DoesNotGrantNetworkAdminAccess
     - AWS.IAM.Resource.DoesNotHaveInlinePolicy

diff --git a/rules/aws_eks_rules/anonymous_api_access.py b/rules/aws_eks_rules/anonymous_api_access.py
@@ -1,14 +1,14 @@
 from panther_aws_helpers import eks_panther_obj_ref
 
-# Rule to detect anonymous API requests to the Kubernetes API server in EKS
+
 def rule(event):
     # Check if the username is set to "system:anonymous", which indicates anonymous access
     p_eks = eks_panther_obj_ref(event)
     if p_eks.get("actor") == "system:anonymous":
         return True
     return False
 
-# Custom title for alerts generated by this rule
+
 def title(event):
     p_eks = eks_panther_obj_ref(event)
     return (
@@ -17,12 +17,12 @@ def title(event):
         f"in namespace [{p_eks.get('ns')}] on [{p_eks.get('p_source_label')}]"
     )
 
-# Deduplication logic for grouping alerts
+
 def dedup(event):
     p_eks = eks_panther_obj_ref(event)
     return f"anonymous_access_{p_eks.get('p_source_label')}_{p_eks.get('sourceIPs')[0]}"
 
-# Additional context for alerting
+
 def alert_context(event):
     p_eks = eks_panther_obj_ref(event)
     mutable_event = event.to_dict()

diff --git a/rules/aws_eks_rules/anonymous_api_access.yml b/rules/aws_eks_rules/anonymous_api_access.yml
@@ -5,55 +5,61 @@ DisplayName: "EKS Anonymous API Access Detected"
 Enabled: true
 LogTypes:
   - Amazon.EKS.Audit
-Tags:
-  - EKS
-  - Security Control
-  - API
+Severity: Medium
 Reports:
   MITRE ATT&CK:
     - "TA0001:T1190" # Initial Access: Exploit Public-Facing Application
-Severity: Medium
 Description: >
   This rule detects anonymous API requests made to the Kubernetes API server.
   In production environments, anonymous access should be disabled to prevent
   unauthorized access to the API server.
+DedupPeriodMinutes: 60
+Reference: 
+  https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
 Runbook: >
   Check the EKS cluster configuration and ensure that anonymous access
-  to the Kubernetes API server is disabled. This can be done by verifying the 
-  API server arguments and authentication webhook configuration.
-Reference: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
-DedupPeriodMinutes: 60
+  to the Kubernetes API server is disabled. This can be done by verifying the  API
+  server arguments and authentication webhook configuration.
 SummaryAttributes:
   - user:username
   - p_any_ip_addresses
   - p_source_label
+Tags:
+  - EKS
+  - Security Control
+  - API
+  - Initial Access:Exploit Public-Facing Application
 Tests:
   - Name: Anonymous API Access
     ExpectedResult: true
     Log:
       {
-        "annotations":
-          {
-            "authorization.k8s.io/decision": "allow",
-            "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding system:public-info-viewer",
-          },
+        "annotations": {
+          "authorization.k8s.io/decision": "allow",
+          "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding system:public-info-viewer"
+        },
         "apiVersion": "audit.k8s.io/v1",
         "auditID": "abcde12345",
         "kind": "Event",
         "level": "Request",
-        "objectRef":
-          {
-            "apiVersion": "v1",
-            "name": "test-pod",
-            "namespace": "default",
-            "resource": "pods",
-          },
-        "p_any_aws_account_ids": ["123412341234"],
+        "objectRef": {
+          "apiVersion": "v1",
+          "name": "test-pod",
+          "namespace": "default",
+          "resource": "pods"
+        },
+        "p_any_aws_account_ids": [
+          "123412341234"
+        ],
         "p_any_aws_arns": [
-            "arn:aws:iam::123412341234:role/DevAdministrator"
+          "arn:aws:iam::123412341234:role/DevAdministrator"
+        ],
+        "p_any_ip_addresses": [
+          "8.8.8.8"
+        ],
+        "p_any_usernames": [
+          "system:anonymous"
         ],
-        "p_any_ip_addresses": ["8.8.8.8"],
-        "p_any_usernames": ["system:anonymous"],
         "p_event_time": "2022-11-29 00:09:04.38",
         "p_log_type": "Amazon.EKS.Audit",
         "p_parse_time": "2022-11-29 00:10:25.067",
@@ -62,41 +68,48 @@ Tests:
         "p_source_label": "example-cluster-eks-logs",
         "requestReceivedTimestamp": "2022-11-29 00:09:04.38",
         "requestURI": "/api/v1/namespaces/default/pods/test-pod",
-        "responseStatus": { "code": 200 },
-        "sourceIPs": ["8.8.8.8"],
+        "responseStatus": {
+          "code": 200
+        },
+        "sourceIPs": [
+          "8.8.8.8"
+        ],
         "stage": "ResponseComplete",
         "user": {
           "username": "system:anonymous"
         },
         "userAgent": "kubectl/v1.25.4"
       }
-
   - Name: Non-Anonymous API Access
     ExpectedResult: false
     Log:
       {
-        "annotations":
-          {
-            "authorization.k8s.io/decision": "allow",
-            "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding system:public-info-viewer",
-          },
+        "annotations": {
+          "authorization.k8s.io/decision": "allow",
+          "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding system:public-info-viewer"
+        },
         "apiVersion": "audit.k8s.io/v1",
         "auditID": "abcde12345",
         "kind": "Event",
         "level": "Request",
-        "objectRef":
-          {
-            "apiVersion": "v1",
-            "name": "test-pod",
-            "namespace": "default",
-            "resource": "pods",
-          },
-        "p_any_aws_account_ids": ["123412341234"],
+        "objectRef": {
+          "apiVersion": "v1",
+          "name": "test-pod",
+          "namespace": "default",
+          "resource": "pods"
+        },
+        "p_any_aws_account_ids": [
+          "123412341234"
+        ],
         "p_any_aws_arns": [
-            "arn:aws:iam::123412341234:role/DevAdministrator"
+          "arn:aws:iam::123412341234:role/DevAdministrator"
+        ],
+        "p_any_ip_addresses": [
+          "8.8.8.8"
+        ],
+        "p_any_usernames": [
+          "kubernetes-admin"
         ],
-        "p_any_ip_addresses": ["8.8.8.8"],
-        "p_any_usernames": ["kubernetes-admin"],
         "p_event_time": "2022-11-29 00:09:04.38",
         "p_log_type": "Amazon.EKS.Audit",
         "p_parse_time": "2022-11-29 00:10:25.067",
@@ -105,12 +118,15 @@ Tests:
         "p_source_label": "example-cluster-eks-logs",
         "requestReceivedTimestamp": "2022-11-29 00:09:04.38",
         "requestURI": "/api/v1/namespaces/default/pods/test-pod",
-        "responseStatus": { "code": 200 },
-        "sourceIPs": ["8.8.8.8"],
+        "responseStatus": {
+          "code": 200
+        },
+        "sourceIPs": [
+          "8.8.8.8"
+        ],
         "stage": "ResponseComplete",
         "user": {
           "username": "kubernetes-admin"
         },
         "userAgent": "kubectl/v1.25.4"
       }
-