Skip to content

tgpadua/aws-sec-monitor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
bin
bin
 
 
lib
lib
 
 
resources
resources
 
 
test
test
 
 
.gitignore
.gitignore
 
 
.npmignore
.npmignore
 
 
README.md
README.md
 
 
cdk.context.json
cdk.context.json
 
 
cdk.json
cdk.json
 
 
invoke.sh
invoke.sh
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

Welcome to AWS Sec Monitor

AWS Sec Monitor notifies IAM changes on Users, MFA and Access Keys.

Solution Blueprint

Use Agreement

Using this software I Agree I'm solely responsible for any security issue caused due any misconfiguration and/or bugs.

Requirements

Pre-Deploy

Edit cdk.context.json and fulfill the following parameters:

  • cronExpression (Required) - Cron expression used to schedule the monitoring
  • roleName (Required) - IAM RoleName assumed to generate the reports
  • email (Required) - Email to be notified with changelog report
  • bucketName (Optional) - Amazon S3 bucket name

Sample file:

{
  "cronExpression": "cron(0 * * * ? *)",
  "roleName": "AWSSecMonitorRole",
  "email": "sec-team@example.com"
}

Deploy

To deploy this app, you need to be in root directory. Then run the following commands:

npm run deps
cdk bootstrap
cdk deploy

Post-Deploy

You may choose between the following approaches to specify the accounts to be monitored:

  • Accounts: Allows you to specify the accounts individually. To do so, you must create a file named accounts.txt
  • Organizations: Dynamically generates the accounts list file (accounts.txt) from a list of organizations root accounts. The accounts list file will be automatically updated before each report is executed. To do so, you must create a file named organizations.txt

Both files must reside in the root of the S3 bucket and use line separation (Unix LF = \n); Sample file:

111111111111
222222222222
333333333333
  • Create an IAM role named as the roleName parameter, in each account you'd like to monitor. It must contain the following trust relationship and policy.

Report Sample

Report Format:

Account Id | User Name | MFA Enabled | Access Key Id | AK Created Date | AK Last Used Date

+ 111111111111	user1	false
- 222222222222	user2	false	AAAAAAAAAAAAAAAAAAAA	2021-12-14T20:57:31.000Z
+ 333333333333	user3	false	BBBBBBBBBBBBBBBBBBBB	2021-12-11T22:04:52.000Z
+ 333333333333	user4	false	CCCCCCCCCCCCCCCCCCCC	2021-12-14T19:45:47.000Z	2021-12-14T19:48:00.000Z
- 333333333333	user5	true	DDDDDDDDDDDDDDDDDDDD	2021-12-12T21:35:39.000Z	2021-12-12T21:48:00.000Z

Testing

You can manually invoke the report by running the following script in the root directory:

./invoke.sh

Cleanup

cdk destroy

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

5 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages