cloudsplaining icon indicating copy to clipboard operation
cloudsplaining copied to clipboard

Published 20 hours ago verified publisher icon salesforce

Add new read actions to detection list

Open spookerlabs opened this issue 2 years ago • 0 comments

We did some research here https://sidechannel.blog/en/unwanted-permissions-that-may-impact-security-when-using-the-readonlyaccess-policy-in-aws/

READ_ONLY_DATA_EXFILTRATION_ACTIONS = [ "apigateway:GET", "athena:GetDatabase", "athena:GetQueryExecution", "athena:GetQueryResults", "cassandra:Select", "chime:Retrieve*", "cloudtrail:LookupEvents", "config:SelectResourceConfig", "datapipeline:QueryObjects", "dax:Query", "dax:Scan", "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "ec2:DescribeInstanceAttribute", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot", "es:ESHttpGet", "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "kendra:Query", "lambda:GetFunction", "logs:StartQuery", "s3:GetObject", "s3-object-lambda:GetObject", "ssm:GetDocument", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" ]

Add to ACTIONS_THAT_RETURN_CREDENTIALS codeartifact:GetAuthorizationToken

spookerlabs avatar Jun 18 '22 11:06 spookerlabs