diff --git a/package.json b/package.json
index 9ca3db9..c03b42e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@jupiterone/jupiterone-alert-rules",
- "version": "0.31.0",
+ "version": "0.32.0",
 "description": "Alert rule packages for the JupiterOne platform",
 "scripts": {
 "validate": "tsx ./scripts/validate.ts"
diff --git a/rule-packs/aws-privilege-escalation.json b/rule-packs/aws-privilege-escalation.json
index 065ddc2..204f17f 100644
--- a/rule-packs/aws-privilege-escalation.json
+++ b/rule-packs/aws-privilege-escalation.json
@@ -178,5 +178,113 @@
 }
 ],
 "alertLevel": "HIGH"
+ },
+ {
+ "name": "aws-ability-to-create-a-codestar-project-and-associate-as-project-owner",
+ "description": "Users with the codestar:CreateProject and codestar:AssociateTeamMember permissions can create a new CodeStar project and associate themselves as an Owner of the project. This will attach a new policy to the user that provides access to numerous permissions for AWS services.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_codestar\nWHERE perm.normalizedActions ~= 'codestar:*' OR perm.normalizedActions ~= ('codestar:CreateProject' AND 'codestar:AssociateTeamMember')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-remove-permissions-boundary-from-a-role",
+ "description": "Users with the iam:DeleteRolePermissionsBoundary permission can remove a permissions boundary from a role they have access to, which may increase the role's effective permissions if the permissions boundary is more restrictive than any of the role's identity-based policies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:deleterolepermissionsboundary' OR 'iam:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-delete-an-inline-policy-from-a-role",
+ "description": "Users with the iam:DeleteRolePolicy permission can delete an inline policy from a role they have access to, which may increase the role's effective permissions if the policy contains explicit deny statements allowed by any of the role's other policies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:deleterolepolicy' OR 'iam:*')\n AND perm.normalizedActions ~= ('sts:assumerole' OR 'sts:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-delete-an-inline-policy-from-a-user",
+ "description": "Users with the iam:DeleteUserPolicy permission can delete an inline policy from a user they have access to, which may increase the user's effective permissions if the policy contains explicit deny statements allowed by any of the user's other policies. ",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:deleteuserpolicy' OR 'iam:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-remove-a-managed-policy-from-a-user",
+ "description": "Users with the iam:DetachUserPolicy permission can remove a managed policy from a user they have access to, which may increase the role's effective permissions if the policy contains explicit deny statements allowed by any of the role's other policies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:detachuserpolicy' OR 'iam:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-update-a-permissions-boundary-attached-to-a-user",
+ "description": "Users with the iam:PutUserPermissionsBoundary can update a permissions boundary attached to a user they have access to, which may increase the user's effective permissions if the permissions boundary is more restrictive than any of the role's identity-based policies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:putuserpermissionsboundary' OR 'iam:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
+ },
+ {
+ "name": "aws-ability-to-modify-an-existing-lambda-functions-configuration",
+ "description": "Users with the lambda:UpdateFunctionConfiguration permission can modify an existing Lambda function's configuration to add a new Lambda layer, allowing the user to override an existing library and allow them to execute malicious code under the privilege of the role associated with the Lambda function.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_lambda\nWHERE perm.normalizedActions ~= ('lambda:updatefunctionconfiguration' OR 'lambda:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-remove-a-managed-policy-from-a-role",
+ "description": "Users with the iam:DetachRolePolicy permission can remove a managed policy from a role they have access to, which may increase the role's effective permissions if the policy contains explicit deny statements allowed by any of the role's other policies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:detachrolepolicy' OR 'iam:*')\n AND perm.normalizedActions ~= ('sts:assumerole' OR 'sts:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "CRITICAL"
+ },
+ {
+ "name": "aws-ability-to-update-a-permissions-boundary-attached-to-a-role",
+ "description": "A user with the iam:PutRolePermissionsBoundary can update a permissions boundary attached to a role they have access to, which may increase the role's effective permissions if the permissions boundary is more restrictive than any of the role's identity-based policies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:putrolepermissionsboundary' OR 'iam:*')",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "HIGH"
 }
 ]
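Review bot: The four role-targeting rules are inconsistent about the `sts:assumerole` precondition: `aws-ability-to-delete-an-inline-policy-from-a-role` and `aws-ability-to-remove-a-managed-policy-from-a-role` add `AND perm.normalizedActions ~= ('sts:assumerole' OR 'sts:*')`, while `aws-ability-to-remove-permissions-boundary-from-a-role` and `aws-ability-to-update-a-permissions-boundary-attached-to-a-role` do not, although in all four cases the attacker only benefits once they can assume the modified role; apply the clause to all four or drop it, and since `perm` is the ALLOWS edge to the `aws_iam` service entity, confirm that edge ever carries `sts:*` actions, otherwise the clause presumably makes those two rules unmatchable. The codestar rule is the only one that matches mixed-case action names (`('codestar:CreateProject' AND 'codestar:AssociateTeamMember')`) whereas every other rule matches lowercase values of `normalizedActions`; use `'codestar:createproject'` / `'codestar:associateteammember'` and confirm the `~= (... AND ...)` list form is supported, as no other rule in the pack relies on it. Several descriptions were copied between user and role rules without adjustment: `aws-ability-to-remove-a-managed-policy-from-a-user` and `aws-ability-to-update-a-permissions-boundary-attached-to-a-user` both say "role's" where the target is a user, and the latter is missing the word "permission" after `iam:PutUserPermissionsBoundary`. Finally, `PutRolePermissionsBoundary` is rated HIGH while `DeleteRolePermissionsBoundary` is CRITICAL, yet replacing a boundary with a permissive one yields the same outcome as removing it, so the two levels should probably match.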