Mozilla Security Cloudtrail notifications
Analyzes messages sent from AWS Cloudtrail and raises alert notifications for records that match the configured event matchers.
This sandbox expects raw Cloudtrail "Records", as sent from cloudtrail-streamer (https://github.com/mozilla-services/cloudtrail-streamer) or similar.
Event field matchers are processed using lpeg.re (http://www.inf.puc-rio.br/~roberto/lpeg/re.html).
If enable_metrics is true, the module will also submit metrics events for collection by the metrics output sandbox. Ensure process_message_inject_limit is set appropriately: when metrics are enabled, process_event will submit up to 2 messages per matched record (the alert and the metric event).
1. Sample Configuration
-- Sample configuration for the moz_security_cloudtrail analysis sandbox.
-- Each entry in `events` is a set of field matchers; a Cloudtrail record
-- that satisfies every pattern in a set produces one alert.
filename = 'moz_security_cloudtrail.lua'
message_matcher = "Type == 'logging.cloudtrail.lambda.cloudtrail.logs'"
ticker_interval = 0

-- 1 is sufficient while metrics are off; if enable_metrics is turned on, raise
-- this to 2, because a matched record may then emit an alert plus a metric message.
process_message_inject_limit = 1

-- Cloudtrail events to alert on (required).
--
-- Every field pattern is an lpeg.re expression. The trailing `!.` ("no further
-- character") anchors the pattern at the end of the field value, so that e.g.
-- 'CreateAccessKey' only matches that exact event name and not a longer name
-- that merely begins with it. Drop the anchor deliberately, never by accident.
--
-- `resource` is optional (the last matcher set omits it); it names the record
-- field the alert is attributed to -- presumably the affected principal, confirm
-- against the module source.
events = {
    {
        description = 'mfa disabled',
        resource    = 'requestParameters.userName',
        fields      = {
            { 'eventName', "'DeleteVirtualMFADevice' !." },
        },
    },
    {
        description = 'mfa disabled',
        resource    = 'requestParameters.userName',
        fields      = {
            { 'eventName', "'DeactivateMFADevice' !." },
        },
    },
    {
        description = 'access key created',
        resource    = 'requestParameters.userName',
        fields      = {
            { 'eventName', "'CreateAccessKey' !." },
        },
    },
    {
        -- All four patterns must match. The account ids below are sample values;
        -- substitute the ids of the accounts you consider production.
        description = 'IAM action in production account from console without mfa',
        fields      = {
            { 'eventSource',                 "'iam.amazonaws.com' !." },
            { 'recipientAccountId',          "('1122334455' / '1234567890') !." },
            { 'userIdentity.invokedBy',      "'signin.amazonaws.com' !." },
            -- Negated pattern: matches whenever the value is anything other than
            -- exactly "true" (an empty value matches too). How an absent field is
            -- treated is decided by the module; confirm before relying on it.
            { 'userIdentity.sessionContext.attributes.mfaAuthenticated', "!('true' !.)" },
        },
    },
}

-- Mapping of AWS account ids to human-friendly names (optional). Keys are the
-- account ids as strings, values are the labels shown in alerts.
aws_account_mapping = {
    ['5555555555'] = 'dev',
    ['1234567890'] = 'prod',
    ['1122334455'] = 'prod2',
}

-- The module emits through the alert output and needs a valid alert
-- configuration; the module list is left empty here as a placeholder.
alert = {
    modules = {},
}

-- enable_metrics = false -- optional; if true, enable secmetrics submission
-- (remember to raise process_message_inject_limit above when enabling this)
source code: moz_security_cloudtrail.lua