Merge branch 'develop' into ben/deprecate-notion-many-pages-deleted

panther-labs · Nov 12, 2024 · 44997dc · 44997dc
2 parents 0695614 + 4a79a46
commit 44997dc
Show file tree

Hide file tree

Showing 6 changed files with 385 additions and 284 deletions.
diff --git a/lookup_tables/traildiscover/traildiscover_data.jsonl b/lookup_tables/traildiscover/traildiscover_data.jsonl
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -25,6 +25,7 @@ PackDefinition:
     - AWS.S3.Bucket.PublicWrite
     - AWS.S3.Bucket.SecureAccess
     - AWS.S3.Bucket.Versioning
+    - AWS.S3.Bucket.PolicyConfusedDeputyProtection
     # Encryption Status
     - AWS.EC2.EBS.Encryption.Disabled
     - AWS.EC2.Volume.Encryption

diff --git a/policies/aws_s3_policies/aws_s3_bucket_policy_confused_deputy.py b/policies/aws_s3_policies/aws_s3_bucket_policy_confused_deputy.py
@@ -0,0 +1,30 @@
+import json
+
+REQUIRED_CONDITIONS = {
+    "aws:SourceArn",
+    "aws:SourceAccount",
+    "aws:SourceOrgID",
+    "aws:SourceOrgPaths",
+}
+
+
+def policy(resource):
+    bucket_policy = resource.get("Policy")
+    if bucket_policy is None:
+        return True  # Pass if there is no bucket policy
+
+    policy_statements = json.loads(bucket_policy).get("Statement", [])
+    for statement in policy_statements:
+        # Check if the statement includes a service principal and allows access
+        principal = statement.get("Principal", {})
+        if "Service" in principal and statement["Effect"] == "Allow":
+            conditions = statement.get("Condition", {})
+            # Flatten nested condition keys (e.g., inside "StringEquals")
+            flat_condition_keys = set()
+            for condition in conditions.values():
+                if isinstance(condition, dict):
+                    flat_condition_keys.update(condition.keys())
+            # Check if any required condition key is present
+            if not REQUIRED_CONDITIONS.intersection(flat_condition_keys):
+                return False
+    return True
diff --git a/policies/aws_s3_policies/aws_s3_bucket_policy_confused_deputy.yml b/policies/aws_s3_policies/aws_s3_bucket_policy_confused_deputy.yml
@@ -0,0 +1,39 @@
+AnalysisType: policy
+Filename: aws_s3_bucket_policy_confused_deputy.py
+PolicyID: "AWS.S3.Bucket.PolicyConfusedDeputyProtection"
+DisplayName: "S3 Bucket Policy Confused Deputy Protection for Service Principals"
+Enabled: true
+ResourceTypes:
+  - AWS.S3.Bucket
+Tags:
+  - AWS
+  - Security Control
+  - Best Practices
+Severity: High
+Description: >
+  Ensures that S3 bucket policies with service principals include conditions to prevent the confused deputy problem.
+Runbook: >
+  Update the bucket policy to include conditions such as aws:SourceArn, aws:SourceAccount,
+  aws:SourceOrgID, or aws:SourceOrgPaths when a service principal is specified.
+Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
+Tests:
+  - Name: Compliant Policy with Service Principal and Condition
+    ExpectedResult: true
+    Resource:
+      {
+        "Policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::my-example-bucket/*","Condition":{"StringEquals":{"aws:SourceAccount":"123456789012"}}}]}'
+      }
+
+  - Name: Non-Compliant Policy with Service Principal and No Condition
+    ExpectedResult: false
+    Resource:
+      {
+        "Policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::my-example-bucket/*"}]}'
+      }
+
+  - Name: Policy without Service Principal
+    ExpectedResult: true
+    Resource:
+      {
+        "Policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::my-example-bucket/*"}]}'
+      }
diff --git a/rules/zendesk_rules/zendesk_user_role.py b/rules/zendesk_rules/zendesk_user_role.py
@@ -5,7 +5,10 @@
 def rule(event):
     if event.get("source_type") == "user" and event.get("action") == "update":
         # admin roles have their own handling
-        if event.udm("event_type") != event_type.ADMIN_ROLE_ASSIGNED:
+        if (
+            event.udm("event_type") != event_type.ADMIN_ROLE_ASSIGNED
+            and "role changed" in event.get("change_description", "").lower()
+        ):
             _, new_role = zendesk_get_roles(event)
             return bool(new_role)
     return False

diff --git a/rules/zendesk_rules/zendesk_user_role.yml b/rules/zendesk_rules/zendesk_user_role.yml
@@ -48,3 +48,21 @@ Tests:
         "created_at": "2021-05-28T18:39:50Z",
         "p_log_type": "Zendesk.Audit",
       }
+  - Name: Zendesk - No changing roles
+    ExpectedResult: false
+    Log:
+      {
+        "url": "https://myzendek.zendesk.com/api/v2/audit_logs/111222333444.json",
+        "id": 123456789123,
+        "action_label": "Updated",
+        "actor_id": 123,
+        "actor_name": "John Doe",
+        "source_id": 123,
+        "source_type": "user",
+        "source_label": "Bob Cat",
+        "action": "update",
+        "change_description": "Organization: AAAA is asigned",
+        "ip_address": "127.0.0.1",
+        "created_at": "2021-05-28T18:39:50Z",
+        "p_log_type": "Zendesk.Audit",
+      }