Update aws-privilege-escalation.json #122

Merged
merged 4 commits into from
Jul 10, 2024
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@jupiterone/jupiterone-alert-rules",
"version": "0.31.0",
"version": "0.32.0",
"description": "Alert rule packages for the JupiterOne platform",
"scripts": {
"validate": "tsx ./scripts/validate.ts"
108 changes: 108 additions & 0 deletions rule-packs/aws-privilege-escalation.json
Expand Up @@ -178,5 +178,113 @@
}
],
"alertLevel": "HIGH"
},
{
"name": "aws-ability-to-create-a-codestar-project-and-associate-as-project-owner",
"description": "Users with the codestar:CreateProject and codestar:AssociateTeamMember permissions can create a new CodeStar project and associate themselves as an Owner of the project. This will attach a new policy to the user that provides access to numerous permissions for AWS services.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_codestar\nWHERE perm.normalizedActions ~= 'codestar:*' OR perm.normalizedActions ~= ('codestar:CreateProject' AND 'codestar:AssociateTeamMember')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-remove-permissions-boundary-from-a-role",
"description": "Users with the iam:DeleteRolePermissionsBoundary permission can remove a permissions boundary from a role they have access to, which may increase the role's effective permissions if the permissions boundary is more restrictive than any of the role's identity-based policies.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:deleterolepermissionsboundary' OR 'iam:*')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-delete-an-inline-policy-from-a-role",
"description": "Users with the iam:DeleteRolePolicy permission can delete an inline policy from a role they have access to, which may increase the role's effective permissions if the policy contains explicit deny statements allowed by any of the role's other policies.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:deleterolepolicy' OR 'iam:*')\n AND perm.normalizedActions ~= ('sts:assumerole' OR 'sts:*')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-delete-an-inline-policy-from-a-user",
"description": "Users with the iam:DeleteUserPolicy permission can delete an inline policy from a user they have access to, which may increase the user's effective permissions if the policy contains explicit deny statements allowed by any of the user's other policies. ",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:deleteuserpolicy' OR 'iam:*')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-remove-a-managed-policy-from-a-user",
"description": "Users with the iam:DetachUserPolicy permission can remove a managed policy from a user they have access to, which may increase the role's effective permissions if the policy contains explicit deny statements allowed by any of the role's other policies.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:detachuserpolicy' OR 'iam:*')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-update-a-permissions-boundary-attached-to-a-user",
"description": "Users with the iam:PutUserPermissionsBoundary can update a permissions boundary attached to a user they have access to, which may increase the user's effective permissions if the permissions boundary is more restrictive than any of the role's identity-based policies.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:putuserpermissionsboundary' OR 'iam:*')",
"version": "v1"
}
],
"alertLevel": "HIGH"
},
{
"name": "aws-ability-to-modify-an-existing-lambda-functions-configuration",
"description": "Users with the lambda:UpdateFunctionConfiguration permission can modify an existing Lambda function's configuration to add a new Lambda layer, allowing the user to override an existing library and allow them to execute malicious code under the privilege of the role associated with the Lambda function.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_lambda\nWHERE perm.normalizedActions ~= ('lambda:updatefunctionconfiguration' OR 'lambda:*')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-remove-a-managed-policy-from-a-role",
"description": "Users with the iam:DetachRolePolicy permission can remove a managed policy from a role they have access to, which may increase the role's effective permissions if the policy contains explicit deny statements allowed by any of the role's other policies.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:detachrolepolicy' OR 'iam:*')\n AND perm.normalizedActions ~= ('sts:assumerole' OR 'sts:*')",
"version": "v1"
}
],
"alertLevel": "CRITICAL"
},
{
"name": "aws-ability-to-update-a-permissions-boundary-attached-to-a-role",
"description": "A user with the iam:PutRolePermissionsBoundary can update a permissions boundary attached to a role they have access to, which may increase the role's effective permissions if the permissions boundary is more restrictive than any of the role's identity-based policies.",
"queries": [
{
"name": "query0",
"query": "FIND User\n (THAT HAS aws_iam_group)?\n (THAT ASSIGNED aws_iam_role)?\n (THAT TRUSTS << aws_iam_role)?\n THAT ASSIGNED AccessPolicy\n THAT ALLOWS as perm aws_iam\nWHERE perm.normalizedActions ~= ('iam:putrolepermissionsboundary' OR 'iam:*')",
"version": "v1"
}
],
"alertLevel": "HIGH"
}
]
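Review bot: The CodeStar query (the `"query"` line under `aws-ability-to-create-a-codestar-project-and-associate-as-project-owner`) compares `normalizedActions` against the mixed-case literals `codestar:CreateProject` and `codestar:AssociateTeamMember`, while every other rule in this hunk uses lowercase strings such as `iam:deleterolepolicy`; if the property is lowercased on ingest, only the `codestar:*` branch can ever match, so the two literals should read `'codestar:createproject'` and `'codestar:associateteammember'` to follow the pack's convention. The two role rules that append `AND perm.normalizedActions ~= ('sts:assumerole' OR 'sts:*')` bind that conjunct to the same `perm` as the `aws_iam` ALLOWS edge; if ALLOWS edges are recorded per service, the conjunct cannot be satisfied and those rules stay silent, which is worth confirming against a known-positive principal before relying on them (the sibling role-boundary rules in the same hunk carry no such conjunct). The descriptions of `aws-ability-to-remove-a-managed-policy-from-a-user` and `aws-ability-to-update-a-permissions-boundary-attached-to-a-user` still say "role's effective permissions" and "role's identity-based policies" where the subject is a user, and the `aws-ability-to-delete-an-inline-policy-from-a-user` description ends with a trailing space. The array these rules extend opens outside the hunk, so the document's top level is not visible here.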