Scott Piper
Some of the checks require some expertise to understand or figure out how to fix. For example, for S3 buckets, you can end up with "POLICY - No Policy." which...
## Background

AWS has a service called Access Analyzer to identify when resources are made public. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-eventbridge.html Alerts from this go to EventBridge. A new rule should be made much...
The rule cloudtrail_public_resources is supposed to identify when a resource is made public. However it is missing some actions, even for the resource types it is supposed to monitor. For...
## Background

See discussion in the thread at https://streamalert.slack.com/archives/C3BHE2Z0S/p1559152670016000 In speaking with @ryandeivert there, certain errors appear only as counts in the error metric, but it's difficult to identify the...
By default, StreamAlert monitors all CloudWatch events, but does not alert on all of them. The AWS Trusted Advisor service supposedly sends events to CloudWatch events by default. The TrustedAdvisor...
I have a check for some. https://github.com/duo-labs/cloudmapper/blob/master/shared/iam_audit.py#L18 More get deprecated, such as `AmazonEC2SpotFleetRole`: https://twitter.com/0xdabbad00/status/1202989106050945025 I should have a more generic way maybe of identifying these.
Need to collect `ec2:describe-transit-gateway-attachments` and add the `TransitGatewayOwnerId` to the web of trust.