Query Details

AWS Cloud Trail Aws Defense Evasion Putbucketlifecycle

Query

let threshold_days = 7;
let _ExpectedEventNames = dynamic(["PutBucketLifecycle"]);
let _ExpectedRoleIdentityRegex = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSAssumedRoleIdentityEventName_Regex" and Auxiliar has_any (_ExpectedEventNames)
    | summarize RegEx = make_set(strcat(SourceResource, ActorPrincipalName))
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
AWSCloudTrail
| where EventName == "PutBucketLifecycle"
| extend UserIdentityUserName = tostring(split(UserIdentityPrincipalid, ":")[1])
| where not(EventName in (_ExpectedEventNames) and strcat(SessionIssuerUserName, UserIdentityUserName) matches regex _ExpectedRoleIdentityRegex)
| extend RequestParameters = todynamic(RequestParameters)
| mv-expand Rule = iff(isempty(array_length(RequestParameters["LifecycleConfiguration"]["Rule"])), pack_array(RequestParameters["LifecycleConfiguration"]["Rule"]), RequestParameters["LifecycleConfiguration"]["Rule"])
| extend ExpirationDays = toint(Rule["Expiration"]["Days"])
| where ExpirationDays < threshold_days
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    ExpirationDays,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to bucket lifecycle configurations that may not meet expected security practices. Here's a simplified breakdown of what the query does:

  1. Set a Threshold: It defines a threshold of 7 days for expiration settings in bucket lifecycle rules.

  2. Expected Events and Roles: It identifies expected event names (PutBucketLifecycle) and retrieves a list of expected role identities from a watchlist. This list is used to create a regular expression pattern to match against.

  3. Filter CloudTrail Logs: The query filters AWS CloudTrail logs to find events where the EventName is PutBucketLifecycle.

  4. Extract User Information: It extracts the username from the UserIdentityPrincipalid.

  5. Exclude Expected Roles: It excludes events that match the expected role identities using the regular expression pattern created earlier.

  6. Parse Request Parameters: It converts the RequestParameters field into a dynamic object and expands the Rule array to analyze each rule individually.

  7. Check Expiration Days: It checks if the ExpirationDays in the lifecycle rule is less than the defined threshold of 7 days.

  8. Invoke Additional Function: It calls an additional function AWSIdentityRole() to enrich the data with identity role information.

  9. Select Relevant Fields: Finally, it projects (selects) a set of relevant fields to display in the results, including details about the event, user identity, and request parameters.

In summary, this query is used to detect potentially insecure bucket lifecycle configurations in AWS by identifying lifecycle rules with expiration settings shorter than 7 days, while excluding events from expected roles.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

letdynamictoscalar_GetWatchlistwherehas_anysummarizemake_setstrcatextendtostringsplitnotinmatches regextodynamicmv-expandiffisemptyarray_lengthpack_arraytointinvokeproject

Actions

GitHub