API Scan Specific Resource Document



Below is the command Payload for creating S3 Bucket that we hit through Postman:

{
"commandType": "connector-management",
"commandPayload": {"command":"runNow","content":"{\"collectionType\":\"POLICY\",\"filters\":{\"S3_BUCKETS\":[{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"XXXXXXXXXXXXXXXXXXXXXX\",\"arn\":\"arn:aws:iam::dummy_account:user\/ABCuser\",\"accountId\":\"dummy_account\",\"accessKeyId\":\"XXXXXXXXXXXXXX\",\"userName\":\"ABCuser\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-12-06T02:39:12Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2019-12-06T06:36:05Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"CreateBucket\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"aa.bbb.ccc.dd\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"host\":[\"s3.amazonaws.com\"],\"bucketName\":\"bucketABC\"},\"requestID\":\"3AD5599896AA865B\",\"eventID\":\"27ee130b-9830-427f-841e-7d49ac0f7440\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"dummy_account\",\"additionalProperties\":{}}]}}" },
"commandPriority": "priority"
}

Steps to find out the payload that we pass as a filter in the connector service command API:

  1. Create a connector with Event-Driven enabled.
  2. Select a particular resource on the AWS account, for example, S3 bucket.
  3. Mark it as compliant or non-compliant as per the requirement.
  4. Wait for the event to generate in the event filtering logs.

Important

The event filtering pods are created every 5 minutes.


To find efs pods on a particular stack, using below command :

Kubectl get pods -n stackname | grep efs


On executing the above command, will get below efs related pods, for example:

efs-cwp-21886491-ed16-4b2d-9c50-6854382986a3-gjhhw 0/1 ContainerCreating 0 30s
efs-cwp-3db9994b-4b96-4c8b-a824-20832ede6fc2-fd8hm 0/1 Completed 0 30s
efs-cwp-831a38ed-4c7e-40f5-a499-5b64d5712c95-tp4w6 1/1 Running 0 30s


To check the efs logs use the following command:

Kubectl logs efs-cwp-3db9994b-4b96-4c8b-a824-20832ede6fc2-fd8hm -n stack_name

On going to one of the efs logs details, we get the following payload :

{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "XXXXXXXXXXXXXXXX",
"arn": "arn:aws:iam::dummy_account:user/ABCuser",
"accountId": "dummy_account",
"accessKeyId": "XXXXXXXXXXXXXXXX",
"userName": "ABCuser",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-12-06T02:39:12Z"
}
},
"invokedBy": "signin.amazonaws.com"
},
"eventTime": "2019-12-06T06:36:05Z",
"eventSource": "s3.amazonaws.com",
"eventName": "CreateBucket",
"awsRegion": "us-east-1",
"sourceIPAddress": "aa.bbb.ccc.dd",
"userAgent": "signin.amazonaws.com",
"requestParameters": {
"host": [
"s3.amazonaws.com"
],
"bucketName": "bucketABC"
},
"requestID": "3AD5599896AA865B",
"eventID": "27ee130b-9830-427f-841e-7d49ac0f7440",
"eventType": "AwsApiCall",
"recipientAccountId": "XXXXXXXXXXXXX",
"additionalProperties": {}
}


Convert the above payload to single line JSON format :

{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"XXXXXXXXXXXXXXXX","arn":"arn:aws:iam::dummy_account:user/ABCuser","accountId":"dummy_account","accessKeyId":"XXXXXXXXXXXXXXXX","userName":"ABCuser","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-12-06T02:39:12Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2019-12-06T06:36:05Z","eventSource":"s3.amazonaws.com","eventName":"CreateBucket","awsRegion":"us-east-1","sourceIPAddress":"aa.bbb.ccc.dd","userAgent":"signin.amazonaws.com","requestParameters":{"host":["s3.amazonaws.com"],"bucketName":"bucketABC"},"requestID":"3AD5599896AA865B","eventID":"27ee130b-9830-427f-841e-7d49ac0f7440","eventType":"AwsApiCall","recipientAccountId":"XXXXXXXXXXXXX","additionalProperties":{}}


Convert the above single line JSON format to stringify JSON format which is as below and then pass it as an Filter in the connector service command API.

{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"XXXXXXXXXXXXXXXXXXXXXX\",\"arn\":\"arn:aws:iam::dummy_account:user\/ABCuser\",\"accountId\":\"dummy_account\",\"accessKeyId\":\"XXXXXXXXXXXXXX\",\"userName\":\"ABCuser\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-12-06T02:39:12Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2019-12-06T06:36:05Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"CreateBucket\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"aa.bbb.ccc.dd\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"host\":[\"s3.amazonaws.com\"],\"bucketName\":\"bucketABC\"},\"requestID\":\"3AD5599896AA865B\",\"eventID\":\"27ee130b-9830-427f-841e-7d49ac0f7440\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"dummy_account\",\"additionalProperties\":{}}


On executing the below connector service command API through postman:

{
"commandType": "connector-management",
"commandPayload": {"command":"runNow","content":"{\"collectionType\":\"POLICY\",\"filters\":{\"S3_BUCKETS\":[{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"XXXXXXXXXXXXXXXXXXXXXX\",\"arn\":\"arn:aws:iam::dummy_account:user\/ABCuser\",\"accountId\":\"dummy_account\",\"accessKeyId\":\"XXXXXXXXXXXXXX\",\"userName\":\"ABCuser\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-12-06T02:39:12Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2019-12-06T06:36:05Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"CreateBucket\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"aa.bbb.ccc.dd\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"host\":[\"s3.amazonaws.com\"],\"bucketName\":\"bucketABC\"},\"requestID\":\"3AD5599896AA865B\",\"eventID\":\"27ee130b-9830-427f-841e-7d49ac0f7440\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"dummy_account\",\"additionalProperties\":{}}]}}" },
"commandPriority": "priority"
}

Response as follows :

[
{
"status": "COMPLETED",
"message": "Successfully emitted Collection event",
"statusTimestamp": "20191204T074005Z"
}
]

To check specific resource scan logs in awscloudconnector logs use the below command:

kubectl get pods -n stackname | grep awscloud
awscloudconnector-neon-v045-gqbz2 1/1 Running 1 6d14h


To check the awscloudconnector logs use the following command:

Kubectl logs awscloudconnector-neon-v045-gqbz2 -n stackname | grep bucket_name


In the awscloudconnector logs, below  command content result are displayed: 

2019-12-12 07:55:59.185 - info: modules/AWSCollector.js:274:20:commandContent : {"collectionType":"POLICY","filters":{"S3_BUCKETS":[{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"XXXXXXXXXXXXXXXXXXXXXX","arn":"arn:aws:iam::dummy_account:user/ABCuser","accountId":"dummy_account","accessKeyId":"XXXXXXXXXXXXXX","userName":"ABCuser","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-12-06T02:39:12Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2019-12-06T06:36:05Z","eventSource":"s3.amazonaws.com","eventName":"CreateBucket","awsRegion":"us-east-1","sourceIPAddress":"aa.bbb.ccc.dd","userAgent":"signin.amazonaws.com","requestParameters":{"host":["s3.amazonaws.com"],"bucketName":"bucketABC"},"requestID":"3AD5599896AA865B","eventID":"27ee130b-9830-427f-841e-7d49ac0f7440","eventType":"AwsApiCall","recipientAccountId":"dummy_account","additionalProperties":{}}]}}

Specific Scan API supports the following resource types:

S3_BUCKET, EC2_INSTANCES, RDS INSTANCE, ES_DOMAINS, IAM POLICIES, IAM PASSWORD POLICY, SECURITY GROUP, KMS, Cloud Trail, EBS, Elastic Load Balancer, VPC

Important

IAM Support Policy is not supported.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*