wazuh-ruleset
Add rules for CIS AWS Benchmark (Section 3)
This adds rules for section 3 of the CIS AWS Foundations Benchmark to the Amazon rules.
I'm not familiar enough with the rest of the rules to feel comfortable adding groups to these, so they still need that done (including PCI). A few of them also might also benefit from being made a bit more specific.
Nonetheless, I hope this is a worthwhile contribution. :)
That is great! Let us check it.
Thanks.
This is a great expansion to the existing AWS rules. I would like to build upon this to include additional rules based upon best practice monitoring of CloudTrail events.
@SitoRBJ Any chance of reviewing and merging soon?
@UranusBytes Thanks! :) I have found a few tweaks that it needs — I made a few of the rules too wide, and they're detecting "Describe" events as changes in a few places. Haven't had time to revisit, and the false positives aren't bothering us all that much. :)
Hello @oladon and @UranusBytes ,
@oladon Thank you so much for the great job you have done. Community contributions are one of the best ways to grow and improve.
There is a small drawback to the rules created.
For example, let's look at this rule:
<!-- CIS Benchmark: 3.14 -->
<rule id="80272" level="3">
  <if_sid>80200</if_sid>
  <field name="aws.eventName">^CreateVpc$|^DeleteVpc$|^ModifyVpcAttribute$|^AcceptVpcPeeringConnection$|^CreateVpcPeeringConnection$|^DeleteVpcPeeringConnection$|^RejectVpcPeeringConnection$|^AttachClassicLinkVpc$|^DetachClassicLinkVpc$|^EnableVpcClassicLink$|^DisableVpcClassicLink$</field>
  <description>VPC Change: $(aws.eventSource) - $(aws.eventName)</description>
</rule>
And now, let's look at this other rule:
<rule id="80201" level="0">
  <if_sid>80200</if_sid>
  <list field="aws.eventSource" lookup="match_key">etc/lists/amazon/aws-sources</list>
  <description>Amazon: $(aws.eventSource).</description>
</rule>
If we receive an event that matches any of our list (etc/lists/amazon/aws-sources), the rule will have the ID 80201 and the rule 80272 will never be activated, because <if_sid> (80200) does not match.
This can also happen if we recognize the name of the event in rule 80202. If none of the elements are recognized and we do not enter the 80201 rule, the new rule will work well.
This happens with several rules; it would be ideal if each user had his or her lists configured and all rules inherited from rule 80201 or 80202.
Even so, we are not sure if we will proceed in this way, that is, we do not know if we will increase our lists for names and sources or keep them to a minimum. Because of this we cannot accept the PR yet.
Finally:
<rule id="80267" level="3">
  <if_sid>80200</if_sid>
  <field name="aws.eventSource"></field>
  <field name="aws.eventName">^PutConfigurationRecorder$|^PutDeliveryChannel$|^StopConfigurationRecorder$|^DeleteDeliveryChannel$</field>
  <description>AWS Config Change: $(aws.eventSource) - $(aws.eventName)</description>
</rule>
We do not understand very well what this entry is about:
<field name="aws.eventSource"></field>
- If the source is on our list ("eventSource": "s3.amazonaws.com").
**Phase 1: Completed pre-decoding.
full event: '{"aws": {"eventVersion": "1.05", "eventSource": "s3.amazonaws.com", "eventName": "StopConfigurationRecorder", "eventID": "94c08683-0f7e-4bd9-b37e-937d5b650644", "eventTime": "2018-07-18T07:18:04Z", "sharedEventID": "4344e077-760f-4b77-9740-d1b0b4c21de2", "requestParameters": {"roleSessionName": "i-022d93bf01eb05ca9", "roleArn": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role"}, "eventType": "AwsApiCall", "responseElements": {"credentials": {"accessKeyId": "ASIAIEZPCZONYGVANBFQ", "expiration": "Jul 18, 2018 1:48:24 PM", "sessionToken": "FQoDYXdzEND//////////wEaDCl90e2TRd4+sIpjpCK3Aw5pmfcm/onTSV5VfhjyM7ofRgqu3rFkF4cVN7UejvOoxEgawcV1sjir+raR9QeiPuNLa5ugXvLmjCSpk26JustO8/2pasB0gTbNn8/E50urvAvi8ywqcniT7mDxD2UgpnRDKGsJHnWKv4Is94Hc9eHvTf8sm8feGCzsrz6YVAjmA+dX+JHOUGXSHDFDx2jkm5Mikk3CGNhAU8mx+T3pZYPMLQzDuubmBhv8skeVf/+VhUqIWQly2AfbmudjYV17YJ5vnEMoKd5P+gNTPonaLiJoPFAZTK8F/ultK45Z+y65nvvzU4SjVjfAPiv1+wTdryTGpWChZPqGztOlc6Ly4byz14yIvl29C3tmeYl89ajqvP8LQ5z0yduf7dAQVGBYG8lWDcVpob8APTgweV7wk3HuycIsziiDiVhsBEgFAj3F8jy1G0XNThhGunLlmXGbRedvGFH8Xrxl+Wh8eqBrndWfADbH379fK7pUoc49QBl6U6m3UmP1iZPxjJK4IMiRC49AwEf/QqfYDYYwAXVBZQTTVedc+ROMOAJi6n8y0QTkrNU3w3qBYN5VRFBm+6YabVyABCADahMorNO72gU="}}, "awsRegion": "us-west-1", "log_file": "166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz", "userIdentity": {"invokedBy": "ec2.amazonaws.com", "type": "AWSService"}, "requestID": "1a939af4-c973-4699-894e-a92ecf291816", "userAgent": "ec2.amazonaws.com", "sourceIPAddress": "ec2.amazonaws.com", "resources": [{"type": "AWS::IAM::Role", "ARN": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role", "accountId": "166157441623"}], "recipientAccountId": "166157441623"}, "integration": "aws"}'
timestamp: '(null)'
hostname: 'manager'
program_name: '(null)'
log: '{"aws": {"eventVersion": "1.05", "eventSource": "s3.amazonaws.com", "eventName": "StopConfigurationRecorder", "eventID": "94c08683-0f7e-4bd9-b37e-937d5b650644", "eventTime": "2018-07-18T07:18:04Z", "sharedEventID": "4344e077-760f-4b77-9740-d1b0b4c21de2", "requestParameters": {"roleSessionName": "i-022d93bf01eb05ca9", "roleArn": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role"}, "eventType": "AwsApiCall", "responseElements": {"credentials": {"accessKeyId": "ASIAIEZPCZONYGVANBFQ", "expiration": "Jul 18, 2018 1:48:24 PM", "sessionToken": "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"}}, "awsRegion": "us-west-1", "log_file": "166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz", "userIdentity": {"invokedBy": "ec2.amazonaws.com", "type": "AWSService"}, "requestID": "1a939af4-c973-4699-894e-a92ecf291816", "userAgent": "ec2.amazonaws.com", "sourceIPAddress": "ec2.amazonaws.com", "resources": [{"type": "AWS::IAM::Role", "ARN": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role", "accountId": "166157441623"}], "recipientAccountId": "166157441623"}, "integration": "aws"}'
**Phase 2: Completed decoding.
decoder: 'json'
aws.eventVersion: '1.05'
aws.eventSource: 's3.amazonaws.com'
aws.eventName: 'StopConfigurationRecorder'
aws.eventID: '94c08683-0f7e-4bd9-b37e-937d5b650644'
aws.eventTime: '2018-07-18T07:18:04Z'
aws.sharedEventID: '4344e077-760f-4b77-9740-d1b0b4c21de2'
aws.requestParameters.roleSessionName: 'i-022d93bf01eb05ca9'
aws.requestParameters.roleArn: 'arn:aws:iam::166157441623:role/aws-opsworks-ec2-role'
aws.eventType: 'AwsApiCall'
aws.responseElements.credentials.accessKeyId: 'ASIAIEZPCZONYGVANBFQ'
aws.responseElements.credentials.expiration: 'Jul 18, 2018 1:48:24 PM'
aws.responseElements.credentials.sessionToken: 'FQoDYXdzEND//////////wEaDCl90e2TRd4+sIpjpCK3Aw5pmfcm/onTSV5VfhjyM7ofRgqu3rFkF4cVN7UejvOoxEgawcV1sjir+raR9QeiPuNLa5ugXvLmjCSpk26JustO8/2pasB0gTbNn8/E50urvAvi8ywqcniT7mDxD2UgpnRDKGsJHnWKv4Is94Hc9eHvTf8sm8feGCzsrz6YVAjmA+dX+JHOUGXSHDFDx2jkm5Mikk3CGNhAU8mx+T3pZYPMLQzDuubmBhv8skeVf/+VhUqIWQly2AfbmudjYV17YJ5vnEMoKd5P+gNTPonaLiJoPFAZTK8F/ultK45Z+y65nvvzU4SjVjfAPiv1+wTdryTGpWChZPqGztOlc6Ly4byz14yIvl29C3tmeYl89ajqvP8LQ5z0yduf7dAQVGBYG8lWDcVpob8APTgweV7wk3HuycIsziiDiVhsBEgFAj3F8jy1G0XNThhGunLlmXGbRedvGFH8Xrxl+Wh8eqBrndWfADbH379fK7pUoc49QBl6U6m3UmP1iZPxjJK4IMiRC49AwEf/QqfYDYYwAXVBZQTTVedc+ROMOAJi6n8y0QTkrNU3w3qBYN5VRFBm+6YabVyABCADahMorNO72gU='
aws.awsRegion: 'us-west-1'
aws.log_file: '166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz'
aws.userIdentity.invokedBy: 'ec2.amazonaws.com'
aws.userIdentity.type: 'AWSService'
aws.requestID: '1a939af4-c973-4699-894e-a92ecf291816'
aws.userAgent: 'ec2.amazonaws.com'
aws.sourceIPAddress: 'ec2.amazonaws.com'
aws.recipientAccountId: '166157441623'
integration: 'aws'
**Phase 3: Completed filtering (rules).
Rule id: '80201'
Level: '0'
Description: 'Amazon: s3.amazonaws.com.'
- If the source is not on our list ("eventSource": "sts.amazonaws.com").
**Phase 1: Completed pre-decoding.
full event: '{"aws": {"eventVersion": "1.05", "eventSource": "sts.amazonaws.com", "eventName": "StopConfigurationRecorder", "eventID": "94c08683-0f7e-4bd9-b37e-937d5b650644", "eventTime": "2018-07-18T07:18:04Z", "sharedEventID": "4344e077-760f-4b77-9740-d1b0b4c21de2", "requestParameters": {"roleSessionName": "i-022d93bf01eb05ca9", "roleArn": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role"}, "eventType": "AwsApiCall", "responseElements": {"credentials": {"accessKeyId": "ASIAIEZPCZONYGVANBFQ", "expiration": "Jul 18, 2018 1:48:24 PM", "sessionToken": "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"}}, "awsRegion": "us-west-1", "log_file": "166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz", "userIdentity": {"invokedBy": "ec2.amazonaws.com", "type": "AWSService"}, "requestID": "1a939af4-c973-4699-894e-a92ecf291816", "userAgent": "ec2.amazonaws.com", "sourceIPAddress": "ec2.amazonaws.com", "resources": [{"type": "AWS::IAM::Role", "ARN": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role", "accountId": "166157441623"}], "recipientAccountId": "166157441623"}, "integration": "aws"}'
timestamp: '(null)'
hostname: 'manager'
program_name: '(null)'
log: '{"aws": {"eventVersion": "1.05", "eventSource": "sts.amazonaws.com", "eventName": "StopConfigurationRecorder", "eventID": "94c08683-0f7e-4bd9-b37e-937d5b650644", "eventTime": "2018-07-18T07:18:04Z", "sharedEventID": "4344e077-760f-4b77-9740-d1b0b4c21de2", "requestParameters": {"roleSessionName": "i-022d93bf01eb05ca9", "roleArn": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role"}, "eventType": "AwsApiCall", "responseElements": {"credentials": {"accessKeyId": "ASIAIEZPCZONYGVANBFQ", "expiration": "Jul 18, 2018 1:48:24 PM", "sessionToken": "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"}}, "awsRegion": "us-west-1", "log_file": "166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz", "userIdentity": {"invokedBy": "ec2.amazonaws.com", "type": "AWSService"}, "requestID": "1a939af4-c973-4699-894e-a92ecf291816", "userAgent": "ec2.amazonaws.com", "sourceIPAddress": "ec2.amazonaws.com", "resources": [{"type": "AWS::IAM::Role", "ARN": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role", "accountId": "166157441623"}], "recipientAccountId": "166157441623"}, "integration": "aws"}'
**Phase 2: Completed decoding.
decoder: 'json'
aws.eventVersion: '1.05'
aws.eventSource: 'sts.amazonaws.com'
aws.eventName: 'StopConfigurationRecorder'
aws.eventID: '94c08683-0f7e-4bd9-b37e-937d5b650644'
aws.eventTime: '2018-07-18T07:18:04Z'
aws.sharedEventID: '4344e077-760f-4b77-9740-d1b0b4c21de2'
aws.requestParameters.roleSessionName: 'i-022d93bf01eb05ca9'
aws.requestParameters.roleArn: 'arn:aws:iam::166157441623:role/aws-opsworks-ec2-role'
aws.eventType: 'AwsApiCall'
aws.responseElements.credentials.accessKeyId: 'ASIAIEZPCZONYGVANBFQ'
aws.responseElements.credentials.expiration: 'Jul 18, 2018 1:48:24 PM'
aws.responseElements.credentials.sessionToken: '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'
aws.awsRegion: 'us-west-1'
aws.log_file: '166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz'
aws.userIdentity.invokedBy: 'ec2.amazonaws.com'
aws.userIdentity.type: 'AWSService'
aws.requestID: '1a939af4-c973-4699-894e-a92ecf291816'
aws.userAgent: 'ec2.amazonaws.com'
aws.sourceIPAddress: 'ec2.amazonaws.com'
aws.recipientAccountId: '166157441623'
integration: 'aws'
**Phase 3: Completed filtering (rules).
Rule id: '80200'
Level: '0'
Description: 'Amazon alerts.'
If what we are trying to do is accept any source, the rule could be:
- If the source is not on our list ("eventSource": "sts.amazonaws.com").
<rule id="80267" level="3">
  <if_sid>80200</if_sid>
  <field name="aws.eventSource">\.+</field>
  <field name="aws.eventName">^PutConfigurationRecorder$|^PutDeliveryChannel$|^StopConfigurationRecorder$|^DeleteDeliveryChannel$</field>
  <description>AWS Config Change: $(aws.eventSource) - $(aws.eventName)</description>
</rule>
**Phase 1: Completed pre-decoding.
full event: '{"aws": {"eventVersion": "1.05", "eventSource": "sts.amazonaws.com", "eventName": "StopConfigurationRecorder", "eventID": "94c08683-0f7e-4bd9-b37e-937d5b650644", "eventTime": "2018-07-18T07:18:04Z", "sharedEventID": "4344e077-760f-4b77-9740-d1b0b4c21de2", "requestParameters": {"roleSessionName": "i-022d93bf01eb05ca9", "roleArn": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role"}, "eventType": "AwsApiCall", "responseElements": {"credentials": {"accessKeyId": "ASIAIEZPCZONYGVANBFQ", "expiration": "Jul 18, 2018 1:48:24 PM", "sessionToken": "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"}}, "awsRegion": "us-west-1", "log_file": "166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz", "userIdentity": {"invokedBy": "ec2.amazonaws.com", "type": "AWSService"}, "requestID": "1a939af4-c973-4699-894e-a92ecf291816", "userAgent": "ec2.amazonaws.com", "sourceIPAddress": "ec2.amazonaws.com", "resources": [{"type": "AWS::IAM::Role", "ARN": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role", "accountId": "166157441623"}], "recipientAccountId": "166157441623"}, "integration": "aws"}'
timestamp: '(null)'
hostname: 'manager'
program_name: '(null)'
log: '{"aws": {"eventVersion": "1.05", "eventSource": "sts.amazonaws.com", "eventName": "StopConfigurationRecorder", "eventID": "94c08683-0f7e-4bd9-b37e-937d5b650644", "eventTime": "2018-07-18T07:18:04Z", "sharedEventID": "4344e077-760f-4b77-9740-d1b0b4c21de2", "requestParameters": {"roleSessionName": "i-022d93bf01eb05ca9", "roleArn": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role"}, "eventType": "AwsApiCall", "responseElements": {"credentials": {"accessKeyId": "ASIAIEZPCZONYGVANBFQ", "expiration": "Jul 18, 2018 1:48:24 PM", "sessionToken": "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"}}, "awsRegion": "us-west-1", "log_file": "166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz", "userIdentity": {"invokedBy": "ec2.amazonaws.com", "type": "AWSService"}, "requestID": "1a939af4-c973-4699-894e-a92ecf291816", "userAgent": "ec2.amazonaws.com", "sourceIPAddress": "ec2.amazonaws.com", "resources": [{"type": "AWS::IAM::Role", "ARN": "arn:aws:iam::166157441623:role/aws-opsworks-ec2-role", "accountId": "166157441623"}], "recipientAccountId": "166157441623"}, "integration": "aws"}'
**Phase 2: Completed decoding.
decoder: 'json'
aws.eventVersion: '1.05'
aws.eventSource: 'sts.amazonaws.com'
aws.eventName: 'StopConfigurationRecorder'
aws.eventID: '94c08683-0f7e-4bd9-b37e-937d5b650644'
aws.eventTime: '2018-07-18T07:18:04Z'
aws.sharedEventID: '4344e077-760f-4b77-9740-d1b0b4c21de2'
aws.requestParameters.roleSessionName: 'i-022d93bf01eb05ca9'
aws.requestParameters.roleArn: 'arn:aws:iam::166157441623:role/aws-opsworks-ec2-role'
aws.eventType: 'AwsApiCall'
aws.responseElements.credentials.accessKeyId: 'ASIAIEZPCZONYGVANBFQ'
aws.responseElements.credentials.expiration: 'Jul 18, 2018 1:48:24 PM'
aws.responseElements.credentials.sessionToken: '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'
aws.awsRegion: 'us-west-1'
aws.log_file: '166157441623_CloudTrail_us-west-1_20180718T0720Z_miax9mcKGryDiuFJ.json.gz'
aws.userIdentity.invokedBy: 'ec2.amazonaws.com'
aws.userIdentity.type: 'AWSService'
aws.requestID: '1a939af4-c973-4699-894e-a92ecf291816'
aws.userAgent: 'ec2.amazonaws.com'
aws.sourceIPAddress: 'ec2.amazonaws.com'
aws.recipientAccountId: '166157441623'
integration: 'aws'
**Phase 3: Completed filtering (rules).
Rule id: '80267'
Level: '3'
Description: 'AWS Config Change: sts.amazonaws.com - StopConfigurationRecorder'
**Alert to be generated.
Thank you very much for your contribution. We will keep you informed of the evolution of this PR. Do not hesitate to consult any question.
Kind regards,
Alfonso Ruiz-Bravo
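The ordering problem the reviewer describes can be reproduced with a small model of the `if_sid` rule tree. This is an added example, not wazuh-ruleset code: rule ids, field names and the list path come from the comment above, while the matching model (depth-first, first matching child wins, later siblings are skipped), the Python-regex treatment of the patterns and the contents of the aws-sources stand-in list are assumptions.

```python
"""Toy model of Wazuh's if_sid rule tree (simplified, assumed analysisd semantics)."""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed stand-in for etc/lists/amazon/aws-sources (real list contents unknown).
AWS_SOURCES: FrozenSet[str] = frozenset({"s3.amazonaws.com", "ec2.amazonaws.com"})
# Shortened subset of the PR's rule 80272 eventName pattern.
VPC_EVENTS = r"^CreateVpc$|^DeleteVpc$|^ModifyVpcAttribute$"


@dataclass
class Rule:
    id: int
    level: int
    if_sid: Optional[int] = None
    fields: Dict[str, str] = field(default_factory=dict)  # field name -> regex
    list_field: Optional[str] = None                       # field checked against a list
    list_values: FrozenSet[str] = frozenset()

    def matches(self, event: Dict[str, str]) -> bool:
        if any(not re.search(p, event.get(n, "")) for n, p in self.fields.items()):
            return False
        return not self.list_field or event.get(self.list_field) in self.list_values


def evaluate(rules: List[Rule], event: Dict[str, str]) -> Optional[int]:
    """Return the id of the rule that would fire: walk from the root, and at each
    level take the first matching child in declaration order; siblings after it are
    never tried (the behaviour that hides 80272 behind 80201)."""
    children: Dict[Optional[int], List[Rule]] = {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)

    def descend(rule: Rule) -> int:
        for child in children.get(rule.id, []):
            if child.matches(event):
                return descend(child)
        return rule.id

    return next((descend(r) for r in children.get(None, []) if r.matches(event)), None)


def build_rules(parent_of_new_rule: int) -> List[Rule]:
    """80200 (Amazon parent), 80201 (list match, level 0) and the PR's 80272,
    attached either to 80200 as submitted or to 80201 as the reviewer suggests."""
    return [
        Rule(80200, 0, fields={"integration": r"^aws$"}),
        Rule(80201, 0, if_sid=80200, list_field="aws.eventSource", list_values=AWS_SOURCES),
        Rule(80272, 3, if_sid=parent_of_new_rule, fields={"aws.eventName": VPC_EVENTS}),
    ]


def cloudtrail_event(source: str, name: str) -> Dict[str, str]:
    return {"integration": "aws", "aws.eventSource": source, "aws.eventName": name}
```

With the rule under 80200, a listed source (ec2) ends in 80201 and only an unlisted one (sts) reaches 80272; re-parented under 80201 the listed source fires 80272, but the unlisted one now stops at 80200, which is why the reviewer ties the fix to each user maintaining the lists.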
@SitoRBJ I see now what you are saying around the rules... Unless @oladon is able to tweak over the coming weeks, I'll add to my todo list and try taking a pass at revising...
@UranusBytes I'll see what I can do (time permitting), but am actually not 100% clear on the desired path forward, and my limited experience with OSSEC/Wazuh may hinder my ability to produce the best outcome — so I'd definitely welcome your assistance!
I may have time to revisit the specific event types and bring them more in line with the benchmark...
Thanks @oladon
I haven't given much thought yet on options for a path forward, other than a diff of new rules for the CIS v1.2 benchmarks. If you don't have availability to look at it, I should have some cycles in a couple of weeks where I can take a try...