Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/awslabs/cwe-monitor-secgrp
This CloudWatch Events rule Lambda function evaluates AWS API calls that change Amazon EC2 security group ingress rules. The function flags rules that violate a preconfigured policy.
- Host: GitHub
- URL: https://github.com/awslabs/cwe-monitor-secgrp
- Owner: awslabs
- License: apache-2.0
- Created: 2016-10-13T17:26:19.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2019-11-22T06:29:16.000Z (about 5 years ago)
- Last Synced: 2024-08-01T10:16:16.925Z (4 months ago)
- Language: Python
- Size: 6.84 KB
- Stars: 25
- Watchers: 58
- Forks: 30
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-cloud-security - AWS CloudWatch Events Monitor Security Groups
README
# cwe-monitor-secgrp
This CloudWatch Events rule Lambda function is used to look at invocations of the authorize_security_group_ingress() and revoke_security_group_ingress() API calls. When such a call is made, the function examines the contents of the applicable security group to determine whether it matches a pre-configured policy. The policy is hardcoded into the Lambda function as an IpPermissions structure, in the same format as the IpPermissions structure returned by the describe_security_groups() API call. If the security group permissions do not match the pre-configured policy, the function sends log messages to CloudWatch Logs saying which permissions need to be added or revoked to bring the group's ingress rules into compliance.

To select the appropriate API call and security group for the CloudWatch Events rule, use a JSON event selector such as the one below. Substitute "sg-abc12345" with the id of the specific security group you wish to inspect.
```json
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "RevokeSecurityGroupIngress"
    ],
    "requestParameters": {
      "groupId": [
        "sg-abc12345"
      ]
    }
  }
}
```
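The policy comparison the README describes, as an added example that is not the project's own code: a hardcoded IpPermissions policy is diffed against the group's current IpPermissions (the describe_security_groups() shape) to produce the "authorize" and "revoke" lists the function would log. The policy CIDRs and the drifted group state are constructed sample data.

```python
"""Diff a security group's ingress rules against a hardcoded policy.

Added example (not the project's code). Both lists use the IpPermissions
shape returned by ec2.describe_security_groups(); sample data is constructed.
"""

# Hypothetical policy: HTTPS from anywhere, SSH only from one office CIDR.
POLICY_IP_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]


def flatten(ip_permissions):
    """Expand IpPermissions into (proto, from_port, to_port, cidr) tuples;
    each CIDR becomes its own tuple so ordering and grouping do not matter."""
    rules = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        ports = (perm.get("FromPort"), perm.get("ToPort"))  # absent for "-1"
        for r in perm.get("IpRanges", []):
            rules.add((proto, *ports, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, *ports, r["CidrIpv6"]))
    return rules


def diff_ingress(actual, policy):
    """Return (to_authorize, to_revoke): the changes that make actual == policy."""
    have, want = flatten(actual), flatten(policy)
    # key=repr keeps sorting stable when some tuples carry None ports.
    return sorted(want - have, key=repr), sorted(have - want, key=repr)


# Constructed current state of a drifted group: SSH was opened to the world
# and the office CIDR rule is gone.
SAMPLE_ACTUAL = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    to_add, to_revoke = diff_ingress(SAMPLE_ACTUAL, POLICY_IP_PERMISSIONS)
    print("authorize:", to_add, "revoke:", to_revoke)
```

In the real Lambda the `actual` list would come from describe_security_groups() for the groupId carried in the CloudTrail event, and the two lists would go to CloudWatch Logs instead of stdout.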