Identify AWS Resources Exposed to the World using Cloud Custodian

AWS resources exposed to the world
```yaml
policies:
  - name: cw-event-bus-publicly-accessible
    resource: aws.event-bus
    comment: |
      This policy identifies any publicly accessible CloudWatch Event
      Bus. This is a notify policy. Deployed in all low and high tier.
      Using an overly permissive access policy for your CloudWatch
      default event bus can allow unauthorized AWS users to send their
      CloudWatch events.
    filters:
      - type: cross-account
        everyone_only: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: ebs-snapshot-publicly-accessible
    resource: aws.ebs-snapshot
    comment: |
      Identify EBS volume snapshots that are publicly accessible. When
      you share an EBS volume snapshot publicly, you give every other AWS
      account permission to both copy the snapshot and create a volume
      from it. Most of the time your EBS snapshots will contain
      mirrors of your applications (including their data), so
      sharing your snapshots in this manner is not recommended.
    filters:
      - type: event
        key: ModifySnapshotAttribute.createVolumePermission.add.items[].group
        value: all
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: elasticsearch-domain-publicly-accessible
    resource: aws.elasticsearch
    comment: |
      This policy identifies any publicly accessible Elasticsearch
      domains. This is a notify policy. Deployed in all low and high
      tier. Allowing anonymous access to your ES domains is not
      recommended and is considered bad practice. To protect your
      domains against unauthorized access, Amazon Elasticsearch
      Service provides preconfigured access policies (resource-based,
      IP-based and IAM user/role-based policies) that you can
      customize as needed, as well as the ability to import access
      policies from other AWS ES domains.
    filters:
      - type: cross-account
        everyone_only: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: ecr-repository-publicly-accessible
    resource: aws.ecr
    comment: |
      This policy identifies any publicly accessible ECR Repository.
      This is a notify policy. Allowing public access to your Amazon
      ECR image repositories through resource-based policies can lead
      to data leakage and/or data loss.
    filters:
      - type: cross-account
        everyone_only: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: rds-snapshot-publicly-accessible
    resource: aws.rds-snapshot
    comment: |
      Identify RDS snapshots that are publicly accessible. If the
      attribute value includes "all", the manual DB snapshot is public.
    filters:
      - type: value
        key: DBSnapshotAttributes[].attributeValues
        value: all
        op: eq
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: security-group-existing-wide-open
    resource: aws.security-group
    comment: |
      Identify existing security groups that allow unrestricted
      access for either IPv4 or IPv6. This is a notify only policy.
    filters:
      - or:
          - type: ingress
            Cidr:
              value: 0.0.0.0/0
          # IPv6 ranges live in Ipv6Ranges, so they are matched with CidrV6, not Cidr
          - type: ingress
            CidrV6:
              value: "::/0"
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: security-group-unrestricted-ingress-ports
    resource: aws.security-group
    comment: |
      Identify existing security groups that allow unrestricted IPv4
      access (0.0.0.0/0) to commonly abused management, database and
      cache ports. This is a notify only policy.
    filters:
      - type: ingress
        Ports: [20, 21, 23, 25, 53, 135, 137, 138, 139, 445, 1433, 3306, 5432, 6379, 9200, 11211]
        Cidr:
          value: 0.0.0.0/0
          op: eq
          value_type: cidr
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: sqs-queue-publicly-accessible
    resource: aws.sqs
    comment: |
      This policy identifies any publicly accessible SQS queues.
      Allowing anonymous users to have access to your SQS queues can
      lead to unauthorized actions such as intercepting, deleting and
      sending queue messages. One common scenario is when the queue
      owner grants permissions to everyone by setting the Principal to
      "Everybody (*)" while testing the queue system configuration and
      the insecure set of permissions reaches production. To avoid
      data leakage and unexpected costs on your AWS bill, limit
      access to your queues by implementing the necessary policies.
    filters:
      - type: cross-account
        everyone_only: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: sns-topic-publicly-accessible
    resource: aws.sns
    comment: |
      This policy identifies any publicly accessible SNS Topics.
      Setting accidentally (or intentionally) overly permissive
      policies for your SNS topics can allow unauthorized users to
      receive/publish messages and subscribe to the exposed topics.
      One common scenario is when a root user grants permissions for
      an SNS topic to the "Everyone" grantee while testing the
      notification system and forgets about the insecure set of
      permissions applied during the testing stage.
    filters:
      - type: cross-account
        everyone_only: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: rds-instance-publicly-accessible
    resource: aws.rds
    comment: |
      This policy identifies any publicly accessible RDS Instance.
    filters:
      - PubliclyAccessible: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: lambda-function-publicly-accessible
    resource: aws.lambda
    comment: |
      This policy identifies any Lambda function whose resource-based
      policy is publicly accessible. Using an overly permissive
      resource policy for your Lambda functions can allow unauthorized
      AWS users to invoke them.
    filters:
      - type: cross-account
        everyone_only: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: eks-endpoint-publicly-accessible
    resource: aws.eks
    comment: |
      This policy identifies any publicly accessible EKS Endpoint.
    filters:
      # the endpoint flags are nested under resourcesVpcConfig in the cluster description
      - type: value
        key: resourcesVpcConfig.endpointPublicAccess
        value: true
      - type: value
        key: resourcesVpcConfig.endpointPrivateAccess
        value: false
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8

# public=true and private=false: the EKS API endpoint is reachable from anywhere on the internet.
# public=true and private=true: the EKS API endpoint is accessible and resolvable over the internet and from within the connected networks of the VPC.
# public=false and private=true: all traffic to the API server of the Amazon EKS cluster must originate from within your VPC or its connected networks.
# The API server endpoint isn't accessible over the internet.
```
```yaml
policies:
  - name: redshift-cluster-publicly-accessible
    resource: aws.redshift
    comment: |
      This policy identifies any publicly accessible Redshift
      Clusters.
    filters:
      - PubliclyAccessible: true
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: s3-checkforpublicblock-off
    resource: aws.s3
    comment: |
      This policy identifies all S3 buckets where public blocks are
      not enabled.
    filters:
      - type: check-public-block
        BlockPublicAcls: false
        BlockPublicPolicy: false
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: s3-public-access-via-acl
    resource: aws.s3
    comment: |
      This policy identifies all S3 buckets which are exposed to the
      public via ACL. Global Grant looks for the permissions READ,
      WRITE, WRITE_ACP, READ_ACP or FULL_CONTROL granted to members of
      the predefined AllUsers or AuthenticatedUsers groups.
    filters:
      - type: global-grants
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
```yaml
policies:
  - name: s3-public-access-via-policy
    resource: aws.s3
    comment: |
      This policy identifies all S3 buckets which are exposed to the
      public via bucket policy: a statement that allows any S3 action
      to the wildcard Principal "*".
    filters:
      - type: has-statement
        statements:
          - Effect: Allow
            Action: 's3:*'
            Principal: '*'
    mode:
      schedule: "rate(24 hours)"
      type: periodic
      execution-options:
        output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
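As an added example that is not part of the original post or of Cloud Custodian itself, the following Python approximates the tests the filters above perform (the cross-account filter with everyone_only, the S3 has-statement filter and the ingress Cidr checks) over constructed sample inputs, so the exact conditions being flagged are explicit; the account id, queue name and security group contents are hypothetical.

```python
import ipaddress
import json

# Ports from the security-group-unrestricted-ingress-ports policy above.
SENSITIVE_PORTS = {20, 21, 23, 25, 53, 135, 137, 138, 139, 445,
                   1433, 3306, 5432, 6379, 9200, 11211}

def _principals(principal):
    """Flatten an IAM Principal ("*", {"AWS": "..."}, or lists) to a set."""
    if isinstance(principal, str):
        return {principal}
    out = set()
    for value in principal.values():
        out.update([value] if isinstance(value, str) else value)
    return out

def everyone_statements(policy_json):
    """Allow statements for the wildcard principal with no Condition: what the
    cross-account filter's everyone_only flag and the S3 has-statement filter report."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s for s in statements if s.get("Effect") == "Allow"
            and "*" in _principals(s.get("Principal", {})) and not s.get("Condition")]

def world_open_rules(security_group):
    """Ingress rules open to 0.0.0.0/0 or ::/0 that cover a sensitive port,
    i.e. what the two security-group policies above flag."""
    hits = []
    for perm in security_group["IpPermissions"]:
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent for "-1"
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr).prefixlen == 0 and any(
                    low <= p <= high for p in SENSITIVE_PORTS):
                hits.append((perm["IpProtocol"], low, high, cidr))
    return hits

# Constructed sample inputs (hypothetical account id and resource names).
SAMPLE_QUEUE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111111111111:test-queue"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sqs:*", "Resource": "*"}]})
SAMPLE_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
```

Only the first queue statement and the IPv6 MySQL rule are reported: 443 open to the world is not on the page's port list, and the account-root principal is not "everyone".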
Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT