aws.account

Filters

check-cloudtrail

Verify that CloudTrail is enabled for this account per the specified options.

Returns an annotated account resource if trail is not enabled.

Of particular note, the current-region option will evaluate whether cloudtrail is available in the current region, either as a multi region trail or as a trail with it as the home region.

example

policies:
  - name: account-cloudtrail-enabled
    resource: account
    region: us-east-1
    filters:
      - type: check-cloudtrail
        global-events: true
        multi-region: true
        running: true
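The following Python is an added illustration (not part of these docs or of the c7n code) of how the check-cloudtrail options above, including the current-region rule, evaluate against a set of trails. The trail records are constructed; their field names follow CloudTrail's DescribeTrails response with IsLogging taken from GetTrailStatus, and treating the account as flagged when no single trail meets every option is an assumption.

```python
# Constructed trail descriptions. Field names follow CloudTrail's DescribeTrails
# response, with IsLogging merged in from GetTrailStatus (assumed shape).
TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "IsLogging": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
    {"Name": "eu-only", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False, "IsLogging": False,
     "LogFileValidationEnabled": False, "KmsKeyId": None},
]

# Which trail attribute each boolean filter option requires to be truthy.
REQUIRES = {
    "multi-region": "IsMultiRegionTrail",
    "global-events": "IncludeGlobalServiceEvents",
    "running": "IsLogging",
    "file-digest": "LogFileValidationEnabled",
    "kms": "KmsKeyId",
}


def trail_satisfies(trail, region, spec):
    """True if this one trail meets every option set in the filter spec."""
    # current-region: a multi-region trail covers every region; otherwise the
    # trail must have the policy's region as its home region.
    if spec.get("current-region") and not (
            trail["IsMultiRegionTrail"] or trail["HomeRegion"] == region):
        return False
    for option, attr in REQUIRES.items():
        if spec.get(option) and not trail.get(attr):
            return False
    if "kms-key" in spec and trail.get("KmsKeyId") != spec["kms-key"]:
        return False
    return True


def account_flagged(trails, region, spec):
    """Mirror the filter's output: the account is returned (flagged as
    non-compliant) when no trail satisfies the spec."""
    return not any(trail_satisfies(t, region, spec) for t in trails)
```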
properties:
  current-region:
    type: boolean
  file-digest:
    type: boolean
  global-events:
    type: boolean
  kms:
    type: boolean
  kms-key:
    type: string
  multi-region:
    type: boolean
  notifies:
    type: boolean
  running:
    type: boolean
  type:
    enum:
    - check-cloudtrail
required:
- type

check-config

Is the config service enabled for this account?

example

policies:
  - name: account-check-config-services
    resource: account
    region: us-east-1
    filters:
      - type: check-config
        all-resources: true
        global-resources: true
        running: true
properties:
  all-resources:
    type: boolean
  global-resources:
    type: boolean
  running:
    type: boolean
  type:
    enum:
    - check-config
required:
- type

credential

Use IAM Credential report to filter users.

The IAM Credential report aggregates multiple pieces of information on IAM users. This makes it highly efficient for querying multiple aspects of a user that would otherwise require per-user API calls.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

For example, to retrieve all users with MFA who have never used their password but have access keys that were used within the last month:

- name: iam-mfa-active-keys-no-login
  resource: iam-user
  filters:
    - type: credential
      key: mfa_active
      value: true
    - type: credential
      key: password_last_used
      value: absent
    - type: credential
      key: access_keys.last_used_date
      value_type: age
      value: 30
      op: less-than

Credential Report Transforms

We perform some default transformations on the raw credential report. Sub-objects (access_key_1, cert_2) are turned into an array of dictionaries for matching purposes, with their common prefixes stripped. N/A values are turned into None, and TRUE/FALSE are turned into boolean values.
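As an added example (not c7n's own implementation), the Python below applies those transforms to a constructed credential report and then evaluates the three clauses of the iam-mfa-active-keys-no-login policy above; the column subset, the two users, the fixed reference time NOW, and the matching helper are all assumptions of this example.

```python
import csv
import io
import re
from datetime import datetime, timezone

HEADER = ["user", "arn", "password_last_used", "mfa_active",
          "access_key_1_active", "access_key_1_last_used_date",
          "access_key_2_active", "access_key_2_last_used_date", "cert_1_active"]
# Constructed rows with a subset of the real report's columns. alice: MFA on,
# password never used, key 1 used a week before NOW; bob: key used months ago.
ROWS = [
    ["alice", "arn:aws:iam::123456789012:user/alice", "N/A", "TRUE",
     "TRUE", "2024-03-01T08:12:00+00:00", "FALSE", "N/A", "FALSE"],
    ["bob", "arn:aws:iam::123456789012:user/bob", "N/A", "TRUE",
     "TRUE", "2023-11-01T00:00:00+00:00", "FALSE", "N/A", "FALSE"],
]
SAMPLE_REPORT = "\n".join([",".join(HEADER)] + [",".join(r) for r in ROWS]) + "\n"
NOW = datetime(2024, 3, 8, tzinfo=timezone.utc)  # fixed clock so ages are deterministic
SUB_OBJECT = re.compile(r"^(access_key|cert)_(\d+)_(.+)$")
PLURAL = {"access_key": "access_keys", "cert": "certs"}


def normalize(value):
    """N/A becomes None; TRUE/FALSE in any case become booleans."""
    if value == "N/A":
        return None
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def transform_report(text):
    """Fold access_key_N_* / cert_N_* columns into access_keys / certs lists."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        user = {"access_keys": {}, "certs": {}}
        for column, raw in row.items():
            m = SUB_OBJECT.match(column)
            if m:  # strip the common prefix, keep the field name
                kind, index, field = m.groups()
                user[PLURAL[kind]].setdefault(int(index), {})[field] = normalize(raw)
            else:
                user[column] = normalize(raw)
        for kind in ("access_keys", "certs"):
            user[kind] = [user[kind][i] for i in sorted(user[kind])]
        users.append(user)
    return users


def match(user, key, value, value_type=None, op="eq"):
    """One clause: a dotted key tests every list element; 'absent' matches None."""
    if "." in key:
        base, field = key.split(".", 1)
        candidates = [item.get(field) for item in user[base]]
    else:
        candidates = [user.get(key)]
    for actual in candidates:
        if value == "absent":
            if actual is None:
                return True
        elif actual is not None:
            if value_type == "age":  # age in days relative to NOW
                actual = (NOW - datetime.fromisoformat(actual)).days
            if (op == "eq" and actual == value) or (op == "less-than" and actual < value):
                return True
    return False


# The three clauses of the policy above; filters are ANDed.
POLICY_FILTERS = [
    {"key": "mfa_active", "value": True},
    {"key": "password_last_used", "value": "absent"},
    {"key": "access_keys.last_used_date", "value_type": "age", "value": 30, "op": "less-than"},
]


def select_users(text, filters=POLICY_FILTERS):
    """Names of the users matching every clause."""
    return [u["user"] for u in transform_report(text) if all(match(u, **f) for f in filters)]
```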

properties:
  key:
    enum:
    - user
    - arn
    - user_creation_time
    - password_enabled
    - password_last_used
    - password_last_changed
    - password_next_rotation
    - mfa_active
    - access_keys
    - access_keys.active
    - access_keys.last_used_date
    - access_keys.last_used_region
    - access_keys.last_used_service
    - access_keys.last_rotated
    - certs
    - certs.active
    - certs.last_rotated
    title: report key to search
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  report_delay:
    default: 10
    title: Number of seconds to wait for report generation.
    type: number
  report_generate:
    default: true
    title: Generate a report if none is present.
    type: boolean
  report_max_age:
    default: 86400
    title: Number of seconds to consider a report valid.
    type: number
  type:
    enum:
    - credential
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

default-ebs-encryption

Filter an account by its EBS default encryption status.

By default, key matches on the alias name of a key.

example

policies:
  - name: check-default-ebs-encryption
    resource: aws.account
    filters:
     - type: default-ebs-encryption
       key: "alias/aws/ebs"
       state: true

It is also possible to match on specific key attributes (tags, origin).

example

policies:
  - name: check-ebs-encryption-key-origin
    resource: aws.account
    filters:
     - type: default-ebs-encryption
       key:
         type: value
         key: Origin
         value: AWS_KMS
       state: true
properties:
  key:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: string
  state:
    type: boolean
  type:
    enum:
    - default-ebs-encryption
required:
- type

emr-block-public-access

Check the EMR block public access configuration on an account.

example

policies:
  - name: get-emr-block-public-access
    resource: account
    filters:
      - type: emr-block-public-access
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - emr-block-public-access
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

glue-security-config

Filter an AWS account by its Glue encryption status and KMS key.

example

policies:
  - name: glue-security-config
    resource: aws.account
    filters:
      - type: glue-security-config
        SseAwsKmsKeyId: alias/aws/glue
properties:
  AwsKmsKeyId:
    type: string
  CatalogEncryptionMode:
    enum:
    - DISABLED
    - SSE-KMS
  ReturnConnectionPasswordEncrypted:
    type: boolean
  SseAwsKmsKeyId:
    type: string
  type:
    enum:
    - glue-security-config

guard-duty

Check if the GuardDuty service is enabled.

This allows looking at the account's detector and its associated master, if any.

example

Check to ensure GuardDuty is active on the account and associated to a master.

policies:
  - name: guardduty-enabled
    resource: account
    filters:
      - type: guard-duty
        Detector.Status: ENABLED
        Master.AccountId: "00011001"
        Master.RelationshipStatus: "Enabled"
patternProperties:
  ^Detector:
    oneOf:
    - type: object
    - type: string
  ^Master:
    oneOf:
    - type: object
    - type: string
properties:
  match-operator:
    enum:
    - or
    - and
  type:
    enum:
    - guard-duty

has-virtual-mfa

Is the account configured with a virtual MFA device?

example

policies:
    - name: account-with-virtual-mfa
      resource: account
      region: us-east-1
      filters:
        - type: has-virtual-mfa
          value: true
properties:
  type:
    enum:
    - has-virtual-mfa
  value:
    type: boolean
required:
- type

iam-summary

Return an annotated account resource if the IAM summary filter matches.

Some use cases include detecting root API keys or MFA usage.

Example IAM summary with respect to matchable fields:

{
  "AccessKeysPerUserQuota": 2,
  "AccountAccessKeysPresent": 0,
  "AccountMFAEnabled": 1,
  "AccountSigningCertificatesPresent": 0,
  "AssumeRolePolicySizeQuota": 2048,
  "AttachedPoliciesPerGroupQuota": 10,
  "AttachedPoliciesPerRoleQuota": 10,
  "AttachedPoliciesPerUserQuota": 10,
  "GroupPolicySizeQuota": 5120,
  "Groups": 1,
  "GroupsPerUserQuota": 10,
  "GroupsQuota": 100,
  "InstanceProfiles": 0,
  "InstanceProfilesQuota": 100,
  "MFADevices": 3,
  "MFADevicesInUse": 2,
  "Policies": 3,
  "PoliciesQuota": 1000,
  "PolicySizeQuota": 5120,
  "PolicyVersionsInUse": 5,
  "PolicyVersionsInUseQuota": 10000,
  "Providers": 0,
  "RolePolicySizeQuota": 10240,
  "Roles": 4,
  "RolesQuota": 250,
  "ServerCertificates": 0,
  "ServerCertificatesQuota": 20,
  "SigningCertificatesPerUserQuota": 2,
  "UserPolicySizeQuota": 2048,
  "Users": 5,
  "UsersQuota": 5000,
  "VersionsPerPolicyQuota": 5
}

For example, to determine whether an account either does not have root MFA enabled or has root API keys:

policies:
  - name: root-keys-or-no-mfa
    resource: account
    filters:
      - type: iam-summary
        key: AccountMFAEnabled
        value: true
        op: eq
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - iam-summary
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

missing

Assert the absence of a particular resource.

Intended for use at a logical account/subscription/project level.

This works effectively as an embedded policy that is evaluated.

properties:
  policy:
    properties:
      resource:
        type: string
    required:
    - resource
    type: object
  type:
    enum:
    - missing
required:
- policy
- type

password-policy

Check an account’s password policy.

Note that on top of the default password policy fields, we also add an extra key, PasswordPolicyConfigured, which is set to true or false to signify whether the given account has attempted to set a policy at all.

example

policies:
  - name: password-policy-check
    resource: account
    region: us-east-1
    filters:
      - type: password-policy
        key: MinimumPasswordLength
        value: 10
        op: ge
      - type: password-policy
        key: RequireSymbols
        value: true
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - password-policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

s3-public-block

Check the S3 public access block settings on an account.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - s3-public-block
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

securityhub

Filter an account depending on whether security hub is enabled or not.

example

policies:
  - name: check-securityhub-status
    resource: aws.account
    filters:
     - type: securityhub
       enabled: true
properties:
  enabled:
    type: boolean
  type:
    enum:
    - securityhub
required:
- type

service-limit

Check if the account's service limits are past a given threshold.

Supported limits are those reported by Trusted Advisor, which vary based on usage in the account and the support level enabled on the account.

The names attribute lets you filter which checks to query limits about. This is a case-insensitive globbing match on a check name. You can specify a name exactly or use globbing wildcards like VPC*.

The names are exactly what's shown on the Trusted Advisor page, or can be listed via the awscli:

aws --region us-east-1 support describe-trusted-advisor-checks --language en --query 'checks[?category==`service_limits`].[name]' --output text

While you can target individual checks via the names attribute, and that should be the preferred method, the following are provided for backward compatibility with the old style of checks:

  • services

    The resulting limit’s service field must match one of these. These are case-insensitive globbing matches.

    Note: If you haven’t specified any names to filter, then these service names are used as a case-insensitive prefix match on the check name. This helps limit the number of API calls we need to make.

  • limits

    The resulting limit’s Limit Name field must match one of these. These are case-insensitive globbing matches.

Some example names and their corresponding service and limit names:

Check Name                          Service         Limit Name
----------------------------------  --------------  ---------------------------------
Auto Scaling Groups                 AutoScaling     Auto Scaling groups
Auto Scaling Launch Configurations  AutoScaling     Launch configurations
CloudFormation Stacks               CloudFormation  Stacks
ELB Application Load Balancers      ELB             Active Application Load Balancers
ELB Classic Load Balancers          ELB             Active load balancers
ELB Network Load Balancers          ELB             Active Network Load Balancers
VPC                                 VPC             VPCs
VPC Elastic IP Address              VPC             VPC Elastic IP addresses (EIPs)
VPC Internet Gateways               VPC             Internet gateways

Note: Some service limit checks are being migrated to Service Quotas, which is expected to largely replace service limit checks in Trusted Advisor. As a result, some of these checks return no results.
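To make the selection rules above concrete, here is an added Python sketch (not c7n's own implementation) of how names, services and limits narrow a set of Trusted Advisor check results. The check data is constructed from the table above with made-up usage figures, and threshold is assumed to be the percentage of a limit in use.

```python
import fnmatch

# Constructed check results shaped after the table above:
# (check name, service, limit name, current usage, limit value).
CHECKS = [
    ("Auto Scaling Groups", "AutoScaling", "Auto Scaling groups", 180, 200),
    ("CloudFormation Stacks", "CloudFormation", "Stacks", 50, 2000),
    ("ELB Application Load Balancers", "ELB", "Active Application Load Balancers", 20, 50),
    ("VPC", "VPC", "VPCs", 5, 5),
    ("VPC Elastic IP Address", "VPC", "VPC Elastic IP addresses (EIPs)", 2, 5),
    ("VPC Internet Gateways", "VPC", "Internet gateways", 5, 5),
    ("IAM Roles", "IAM", "Roles", 900, 1000),
]


def iglob(name, patterns):
    """Case-insensitive glob match against any of the patterns."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def select_checks(checks, names=None, services=None):
    """Decide which checks to query: names are case-insensitive globs on the
    check name; without names, services act as a case-insensitive prefix
    match on the check name (fewer checks to query)."""
    if names:
        return [c for c in checks if iglob(c[0], names)]
    if services:
        return [c for c in checks
                if any(c[0].lower().startswith(s.lower()) for s in services)]
    return list(checks)


def exceeded_limits(checks, threshold, names=None, services=None, limits=None):
    """(check name, percent used) for every limit at or above threshold, after
    the backward-compatible services / limits globs on the result fields."""
    out = []
    for check, service, limit_name, usage, limit in select_checks(checks, names, services):
        if services and not iglob(service, services):
            continue
        if limits and not iglob(limit_name, limits):
            continue
        pct = usage * 100.0 / limit
        if pct >= threshold:
            out.append((check, pct))
    return out
```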

example

policies:
  - name: specific-account-service-limits
    resource: account
    filters:
      - type: service-limit
        names:
          - IAM Policies
          - IAM Roles
          - "VPC*"
        threshold: 1.0

  - name: increase-account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EC2
        threshold: 1.0

  - name: specify-region-for-global-service
    region: us-east-1
    resource: account
    filters:
      - type: service-limit
        services:
          - IAM
        limits:
          - Roles
properties:
  limits:
    items:
      type: string
    type: array
  names:
    items:
      type: string
    type: array
  refresh_period:
    title: how long should a check result be considered fresh
    type: integer
  services:
    items:
      enum:
      - AutoScaling
      - CloudFormation
      - DynamoDB
      - EBS
      - EC2
      - ELB
      - IAM
      - RDS
      - Route53
      - SES
      - VPC
    type: array
  threshold:
    type: number
  type:
    enum:
    - service-limit
required:
- type

shield-enabled

Check whether Shield Advanced is enabled on the account (see the set-shield-advanced action); state: true matches accounts where it is enabled.

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

xray-encrypt-key

Determine if X-Ray is encrypted, and with which key.

example

policies:
  - name: xray-encrypt-with-default
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: default
  - name: xray-encrypt-with-kms
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: kms
  - name: xray-encrypt-with-specific-key
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: alias/my-alias or arn or keyid
properties:
  key:
    type: string
  type:
    enum:
    - xray-encrypt-key
required:
- key
- type

Actions

enable-cloudtrail

Enables logging on the trail(s) named in the policy.

Example

policies:
  - name: trail-test
    description: Ensure CloudTrail logging is enabled
    resource: account
    actions:
      - type: enable-cloudtrail
        trail: mytrail
        bucket: trails
properties:
  bucket:
    type: string
  bucket-region:
    type: string
  file-digest:
    type: boolean
  global-events:
    type: boolean
  kms:
    type: boolean
  kms-key:
    type: string
  multi-region:
    type: boolean
  notify:
    type: string
  trail:
    type: string
  type:
    enum:
    - enable-cloudtrail
required:
- bucket

enable-data-events

Ensure all buckets in the account are set up to log data events.

Note this works via a single trail for data events, per https://aws.amazon.com/about-aws/whats-new/2017/09/aws-cloudtrail-enables-option-to-add-all-amazon-s3-buckets-to-data-events/

This trail should NOT be used for API management events; the configuration here is solely for data events. If directed to create a trail, this will do so without management events.

example

policies:
  - name: s3-enable-data-events-logging
    resource: account
    actions:
     - type: enable-data-events
       data-trail:
         name: s3-events
         multi-region: us-east-1
properties:
  data-trail:
    additionalProperties: false
    properties:
      create:
        title: Should we create trail if needed for events?
        type: boolean
      key-id:
        title: If creating, Enable kms on the trail
        type: string
      multi-region:
        title: If creating, use this region for all data trails
        type: string
      name:
        title: The name of the event trail
        type: string
      s3-bucket:
        title: If creating, the bucket to store trail event data
        type: string
      s3-prefix:
        type: string
      topic:
        title: If creating, the sns topic for the trail to send updates
        type: string
      type:
        enum:
        - ReadOnly
        - WriteOnly
        - All
    required:
    - name
    type: object
  type:
    enum:
    - enable-data-events
required:
- data-trail
- type

request-limit-increase

File a support ticket to raise the limit.

Example

policies:
  - name: raise-account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EBS
        limits:
          - Provisioned IOPS (SSD) storage (GiB)
        threshold: 60.5
    actions:
      - type: request-limit-increase
        notify: [email, email2]
        # Use either percent-increase or amount-increase, not both.
        percent-increase: 50
        message: "Please raise the below account limit(s); \n {limits}"
oneOf:
- required:
  - type
  - percent-increase
- required:
  - type
  - amount-increase
properties:
  amount-increase:
    minimum: 1
    type: number
  message:
    type: string
  minimum-increase:
    minimum: 1
    type: number
  notify:
    items:
      type: string
    type: array
  percent-increase:
    minimum: 1
    type: number
  severity:
    enum:
    - urgent
    - high
    - normal
    - low
    type: string
  subject:
    type: string
  type:
    enum:
    - request-limit-increase

set-ebs-encryption

Set AWS EBS default encryption on an account.

example

policies:
  - name: set-default-ebs-encryption
    resource: aws.account
    filters:
     - type: default-ebs-encryption
       state: false
    actions:
     - type: set-ebs-encryption
       state: true
       key: alias/aws/ebs
properties:
  key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - set-ebs-encryption
required:
- type

set-emr-block-public-access

Action to put/update the EMR block public access configuration for your AWS account in the current region.

example

policies:
  - name: set-emr-block-public-access
    resource: account
    filters:
      - type: emr-block-public-access
        key: BlockPublicAccessConfiguration.BlockPublicSecurityGroupRules
        value: False
    actions:
      - type: set-emr-block-public-access
        config:
            BlockPublicSecurityGroupRules: True
            PermittedPublicSecurityGroupRuleRanges:
                - MinRange: 22
                  MaxRange: 22
                - MinRange: 23
                  MaxRange: 23
properties:
  config:
    properties:
      BlockPublicSecurityGroupRules:
        type: boolean
      PermittedPublicSecurityGroupRuleRanges:
        items:
          properties:
            MaxRange:
              minimum: 0
              type: number
            MinRange:
              minimum: 0
              type: number
          required:
          - MinRange
          type: object
        type: array
    required:
    - BlockPublicSecurityGroupRules
    type: object
  type:
    enum:
    - set-emr-block-public-access
required:
- config

set-password-policy

Set an account’s password policy.

This only changes the policy for the items provided. If this is the first time a password policy is being set and an item is not provided, it will be set to the defaults defined in the boto docs for IAM.Client.update_account_password_policy.

example

policies:
  - name: set-account-password-policy
    resource: account
    filters:
      - not:
        - type: password-policy
          key: MinimumPasswordLength
          value: 10
          op: ge
    actions:
        - type: set-password-policy
          policy:
            MinimumPasswordLength: 20
properties:
  policy:
    type: object
  type:
    enum:
    - set-password-policy
required:
- type

set-s3-public-block

Configure S3 Public Access Block on an account.

All public access block attributes can be set. Attributes that are not specified are merged with the existing configuration.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

example

properties:
  BlockPublicAcls:
    type: boolean
  BlockPublicPolicy:
    type: boolean
  IgnorePublicAcls:
    type: boolean
  RestrictPublicBuckets:
    type: boolean
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-s3-public-block
required:
- type

set-shield-advanced

Enable/disable Shield Advanced on an account.

properties:
  state:
    type: boolean
  type:
    enum:
    - set-shield-advanced
required:
- type

set-xray-encrypt

Enable a specific X-Ray encryption key.

example

policies:
  - name: xray-default-encrypt
    resource: aws.account
    actions:
      - type: set-xray-encrypt
        key: default
  - name: xray-kms-encrypt
    resource: aws.account
    actions:
      - type: set-xray-encrypt
        key: alias/some/alias/key
properties:
  key:
    type: string
  type:
    enum:
    - set-xray-encrypt
required:
- key
- type