https://github.com/mrcloudsec/mitre-aws-checks
Script for analyzing the compliance of your AWS account based on the adversary techniques on the MITRE ATT&CK Iaas Matrix.
https://github.com/mrcloudsec/mitre-aws-checks
aws mitre security security-scanner security-tools
Last synced: 8 months ago
JSON representation
Script for analyzing the compliance of your AWS account based on the adversary techniques on the MITRE ATT&CK Iaas Matrix.
- Host: GitHub
- URL: https://github.com/mrcloudsec/mitre-aws-checks
- Owner: MrCloudSec
- Created: 2021-08-25T16:18:17.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2021-08-31T23:20:43.000Z (almost 5 years ago)
- Last Synced: 2025-06-25T19:40:28.142Z (about 1 year ago)
- Topics: aws, mitre, security, security-scanner, security-tools
- Language: Python
- Homepage:
- Size: 278 KB
- Stars: 7
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# AWS MITRE Compliance Checks
Script for analyzing the compliance of your AWS account based on the adversary techniques on the [MITRE ATT&CK Iaas Matrix](https://attack.mitre.org/matrices/enterprise/cloud/iaas/).
## Getting Started
### Dependencies
* It is necessary to have Python3 installed with the packages boto3 and termcolor
* The packages can be installed with the following command:
```
pip3 install boto3 termcolor
```
### User Creation
* The script needs the following permissions to run all the checks:
```
cloudtrail:describetrails
config:describeconfigurationrecorderstatus
guardduty:listdetectors
inspector:listassessmenttemplates
inspector:listassessmentruns
inspector:describeassessmentruns
ec2:describeflowlogs
ec2:describevolumes
ec2:describevpcs
ec2:describesecuritygroups
s3:getaccountpublicaccessblock
s3:ListAllMyBuckets
s3:GetBucketPublicAccessBlock
s3:GetEncryptionConfiguration
s3:GetBucketVersioning
iam:GetAccountSummary
iam:ListUsers
iam:ListAccessKeys
iam:ListMFADevices
iam:GetServiceLastAccessedDetails
iam:ListVirtualMFADevices
iam:GenerateServiceLastAccessedDetails
iam:GetAccountPasswordPolicy
```
* To facilitate the creation of these permissions, this repository has a [CloudFormation template](https://github.com/sergargar/mitre-aws-checks/blob/main/user-creation.yaml) to automatically deploy an user with the necessary permissions.
* Once the stack is created with the template, it gives you the access and secret keys of the new user in the Output Section.
* Finally, both the output credentials and the region to be analyzed must be configured locally through the following command:
```
aws configure
```
### Customize verification functions
* The following parameters can be customized in some functions:
| Function | Input Parameter | Description |
|-------------------------|----------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| inactive_users | days_without_access | Days without access of a user to be considered as inactive. |
| access_keys_rotation | keys_older_than_days | Days old of the access keys so that they are rotated. |
| s3_public_access | account | AWS account where you want to verify the public access policies of S3. |
| strong_password_policy | password_length, password_expiration_days, last_passwords_reuse | Minimum length and maximum expiration days of user passwords, and the number of last passwords that cannot be reused, required in the password policy of the AWS account. |
| least_privilege_iam | JobId | Job ID that the user has previously generated with the AWS call generate_service_last_accessed_details(Arn=,Granularity='ACTION_LEVEL'), choosing the entity to analyze. |
| | days_without_being_used | Days without using a service and / or actions by an entity for it to be considered as unused. |
| inspector_enabled | days_since_last_assessment | Days since the last Inspector evaluation to be considered non-compliant. | |
### Executing program
* Once the user is created and the credentials were configured, the script can be executed with:
```
python3 main.py
```
### [Demo Video](https://www.youtube.com/watch?v=H11duhLptKE)
## MITRE ATT&CK Relationship
* The functions of the script can mitigate the following adversary techniques that are describe in the [IaaS Matrix](https://attack.mitre.org/matrices/enterprise/cloud/iaas/):

## Version History
* 1.0
* Initial Release