Query Details

AWS Cloud Trail AWS Overly Permessive KMS

Query

AWSCloudTrail
| where EventName in ("CreateKey", "PutKeyPolicy")
    and isempty(ErrorCode)
    and isempty(ErrorMessage)
| mv-expand Statement = todynamic(tostring(todynamic(RequestParameters)["policy"]))["Statement"]
| extend
    Action = tostring(Statement["Action"]),
    Effect = tostring(Statement["Effect"]),
    Principal = tostring(Statement["Principal"])
| where Effect == "Allow" and Principal has "*"// and Action has_any ("kms:Encrypt", "kms:*")
| summarize take_any(*) by AwsEventId
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    TargetRole,
    TargetRoleSessionName,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    Statement = todynamic(tostring(todynamic(RequestParameters)["policy"]))["Statement"],
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query is analyzing AWS CloudTrail logs to identify specific security-related events involving AWS Key Management Service (KMS). Here's a simplified breakdown of what the query does:

  1. Filter Events: It looks for events where a key is created (CreateKey) or a key policy is set (PutKeyPolicy), ensuring there are no errors (isempty(ErrorCode) and isempty(ErrorMessage)).

  2. Expand Policy Statements: For each event, it extracts and expands the policy statements from the RequestParameters.

  3. Extract Key Details: It pulls out specific details from the policy statement, such as the actions allowed (Action), the effect of the policy (Effect), and the principal (who or what is allowed access).

  4. Identify Broad Permissions: It filters for policies that allow actions (Effect == "Allow") and have a principal set to wildcard (Principal has "*") which indicates broad permissions.

  5. Summarize Events: It summarizes the data to take any unique event by AwsEventId.

  6. Invoke Additional Role Information: It calls a function AWSIdentityRole() to get more information about the roles involved in these events.

  7. Select and Display Fields: Finally, it projects a list of fields to display, including details about the event, user identity, account information, and more.

In essence, this query is used to identify and review AWS KMS-related events that might pose a security risk due to overly permissive policies.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

whereinisemptymv-expandtodynamictostringextendhassummarizetake_anybyinvokeproject

Actions

GitHub