-
Notifications
You must be signed in to change notification settings - Fork 176
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add AWS WAF Logging Configured Policy (#1393)
Co-authored-by: Bharat Chandra Penta <[email protected]> Co-authored-by: Ariel Ropek <[email protected]> Co-authored-by: Ariel <[email protected]>
- Loading branch information
4 people
authored
Oct 22, 2024
1 parent
b4460b6
commit 30c461f
Showing
3 changed files
with
121 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| def is_valid_arn(arn, service): | ||
| if service == "logs": | ||
| return arn.startswith("arn:aws:logs:") and ":log-group:" in arn | ||
| if service == "s3": | ||
| return arn.startswith("arn:aws:s3:::") and len(arn.split(":")) == 6 | ||
| if service == "firehose": | ||
| return arn.startswith("arn:aws:firehose:") and ":deliverystream/" in arn | ||
| return False | ||
|
|
||
|
|
||
| def policy(resource): | ||
| # Check if WAF logging configuration exists | ||
| logging_config = resource.get("LoggingConfiguration") | ||
| if not logging_config: | ||
| return False | ||
|
|
||
| # Get the logging destinations | ||
| destinations = logging_config.get("LogDestinationConfigs", []) | ||
|
|
||
| # Validate the ARNs for CloudWatch Logs, S3, or Kinesis Firehose | ||
| for destination in destinations: | ||
| if ( | ||
| is_valid_arn(destination, "logs") | ||
| or is_valid_arn(destination, "s3") | ||
| or is_valid_arn(destination, "firehose") | ||
| ): | ||
| return True | ||
|
|
||
| return False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| AnalysisType: policy | ||
| Filename: aws_waf_logging_configured.py | ||
| PolicyID: "AWS.WAF.LoggingConfigured" | ||
| DisplayName: "AWS WAF Logging Configured" | ||
| Enabled: true | ||
| ResourceTypes: | ||
| - AWS.WAF.Regional.WebACL | ||
| - AWS.WAF.WebACL | ||
| Tags: | ||
| - AWS | ||
| - Monitoring | ||
| - Logging | ||
| - Security Control | ||
| - Defense Evasion:Impair Defenses | ||
| Reports: | ||
| PCI: | ||
| - 10.5.5 | ||
| MITRE ATT&CK: | ||
| - TA0005:T1562 | ||
| Severity: High | ||
| Description: > | ||
| Ensures that AWS WAF logging is enabled and that the logs are being sent to a valid destination (S3, CloudWatch, or Kinesis Firehose). Without logging, visibility into WAF activity is severely limited, increasing the risk of undetected attacks. | ||
| Runbook: > | ||
| Ensure AWS WAF logging is configured to at least one valid destination such as an Amazon S3 bucket, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose. Refer to the AWS WAF logging documentation for setup instructions. | ||
| Reference: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html | ||
| Tests: | ||
| - Name: WAF Logging Configured to CloudWatch Logs | ||
| ExpectedResult: true | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:logs:us-west-2:123456789012:log-group:example-log-group" | ||
| RedactedFields: null | ||
|
|
||
| - Name: WAF Logging Configured to S3 | ||
| ExpectedResult: true | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:s3:::example-bucket/waf-logs/" | ||
| RedactedFields: null | ||
|
|
||
| - Name: WAF Logging Configured to Kinesis Firehose | ||
| ExpectedResult: true | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-firehose" | ||
| RedactedFields: null | ||
|
|
||
| - Name: WAF Logging Not Configured | ||
| ExpectedResult: false | ||
| Resource: | ||
| LoggingConfiguration: null | ||
|
|
||
| # Edge Case 1: Malformed CloudWatch Logs ARN | ||
| - Name: WAF Logging Configured with Malformed CloudWatch Logs ARN | ||
| ExpectedResult: false | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:logs:us-west-2:123456789012" # Incorrect ARN format | ||
| RedactedFields: null | ||
|
|
||
| # Edge Case 2: Malformed S3 ARN | ||
| - Name: WAF Logging Configured with Malformed S3 ARN | ||
| ExpectedResult: false | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:s3::example-bucket-wrong-format" # Incorrect ARN format | ||
| RedactedFields: null | ||
|
|
||
| # Edge Case 3: Multiple Valid Logging Destinations (S3 and Kinesis Firehose) | ||
| - Name: WAF Logging Configured to Both S3 and Kinesis Firehose | ||
| ExpectedResult: true | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:s3:::example-bucket/waf-logs/" | ||
| - "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-firehose" | ||
| RedactedFields: null | ||
|
|
||
| # Edge Case 4: Malformed Kinesis Firehose ARN | ||
| - Name: WAF Logging Configured with Malformed Kinesis Firehose ARN | ||
| ExpectedResult: false | ||
| Resource: | ||
| LoggingConfiguration: | ||
| LogDestinationConfigs: | ||
| - "arn:aws:firehose:us-west-2" # Incorrect ARN format | ||
| RedactedFields: null |