Query Details

AWS Cloud Trail Overly Permissive AWS IAM Policy

Query

AWSCloudTrail
| where EventName in ("CreatePolicy", "CreatePolicyVersion")
    and isempty(ErrorCode)
    and isempty(ErrorMessage)
| extend DynamicRequestParameters = todynamic(RequestParameters)
| extend Statement = case(
    bag_keys(DynamicRequestParameters) has "policyDocument", todynamic(tostring(DynamicRequestParameters["policyDocument"]))["Statement"],
    bag_keys(DynamicRequestParameters) has "content", todynamic(tostring(DynamicRequestParameters["content"]))["Statement"],
    dynamic(null)
)
| mv-expand Statement = iff(isnotempty(bag_keys(Statement)), pack_array(Statement), Statement)
| extend
    Effect = tostring(Statement["Effect"]),
    Action = tostring(Statement["Action"]),
    Resource = tostring(Statement["Resource"])
| where Effect == "Allow" and Resource has "*" and Action has "*"
| summarize take_any(*) by AwsEventId
| invoke AWSIdentityRole()
| extend PolicyArn = tostring(todynamic(ResponseElements)["policy"]["arn"])
| join kind=leftouter (
    AWSCloudTrail
    | where EventName in ("AttachUserPolicy","AttachRolePolicy","AttachGroupPolicy")
        and isempty(ErrorCode)
        and isempty(ErrorMessage)
    | extend PolicyArn = tostring(todynamic(RequestParameters)["policyArn"])
    | where isnotempty(PolicyArn)
    | summarize AttachedEntities = make_list(RequestParameters, 200) by PolicyArn
    ) on PolicyArn
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    TargetRole,
    TargetRoleSessionName,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    PolicyArn,
    Statement = iff(isnotempty(bag_keys(Statement)), pack_array(Statement), Statement),
    AttachedEntities,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL query is designed to analyze AWS CloudTrail logs to identify and provide details about specific policy creation events and their subsequent attachments. Here's a simplified breakdown of what the query does:

  1. Filter Events: It starts by filtering CloudTrail logs for events where policies are created or new versions of policies are made (CreatePolicy, CreatePolicyVersion). It ensures these events have no errors.

  2. Extract Policy Details: The query extracts the policy document details from the request parameters, specifically looking for the "Statement" part of the policy.

  3. Identify Broad Permissions: It checks if the policy statements allow all actions (Action: "*") on all resources (Resource: "*") with an "Allow" effect.

  4. Summarize Events: It summarizes these events by their unique AWS event ID.

  5. Invoke Additional Information: The query invokes additional information about the identity roles involved in these events.

  6. Join with Attachment Events: It performs a left outer join with another set of CloudTrail logs to find events where these policies were attached to users, roles, or groups (AttachUserPolicy, AttachRolePolicy, AttachGroupPolicy).

  7. Project Relevant Information: Finally, it projects a comprehensive set of details about these events, including time, user identity, account information, source IP, event type, and any entities to which the policies were attached.

In summary, this query identifies and details AWS IAM policies that grant broad permissions and tracks their attachment to AWS identities, providing insights into potential security risks.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailPolicyRoleUserGroupEventIdentitySessionAccountResourceRegionError

Operators

AWSCloudTrail|whereinandisemptyextendtodynamiccasebag_keyshastostringmv-expandiffisnotemptypack_arraysummarizetake_anybyinvokeAWSIdentityRolejoinkind=leftoutermake_listonproject

Actions

GitHub