Skip to content

tgpadua/aws-sec-monitor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits

bin

bin

 
 

lib

lib

 
 

resources

resources

 
 

test

test

 
 

.gitignore

.gitignore

 
 

.npmignore

.npmignore

 
 

README.md

README.md

 
 

cdk.context.json

cdk.context.json

 
 

cdk.json

cdk.json

 
 

invoke.sh

invoke.sh

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

Repository files navigation

Welcome to AWS Sec Monitor

AWS Sec Monitor notifies IAM changes on Users, MFA and Access Keys.

Solution Blueprint

Use Agreement

Using this software I Agree I'm solely responsible for any security issue caused due any misconfiguration and/or bugs.

Requirements

Pre-Deploy

Edit cdk.context.json and fulfill the following parameters:

  • cronExpression (Required) - Cron expression used to schedule the monitoring
  • roleName (Required) - IAM RoleName assumed to generate the reports
  • email (Required) - Email to be notified with changelog report
  • bucketName (Optional) - Amazon S3 bucket name

Sample file:

{
  "cronExpression": "cron(0 * * * ? *)",
  "roleName": "AWSSecMonitorRole",
  "email": "sec-team@example.com"
}

Deploy

To deploy this app, you need to be in root directory. Then run the following commands:

npm run deps
cdk bootstrap
cdk deploy

Post-Deploy

You may choose between the following approaches to specify the accounts to be monitored:

  • Accounts: Allows you to specify the accounts individually. To do so, you must create a file named accounts.txt
  • Organizations: Dynamically generates the accounts list file (accounts.txt) from a list of organizations root accounts. The accounts list file will be automatically updated before each report is executed. To do so, you must create a file named organizations.txt

Both files must reside in the root of the S3 bucket and use line separation (Unix LF = \n); Sample file:

111111111111
222222222222
333333333333
  • Create an IAM role named as the roleName parameter, in each account you'd like to monitor. It must contain the following trust relationship and policy.

Report Sample

Report Format:

Account Id | User Name | MFA Enabled | Access Key Id | AK Created Date | AK Last Used Date

+ 111111111111	user1	false
- 222222222222	user2	false	AAAAAAAAAAAAAAAAAAAA	2021-12-14T20:57:31.000Z
+ 333333333333	user3	false	BBBBBBBBBBBBBBBBBBBB	2021-12-11T22:04:52.000Z
+ 333333333333	user4	false	CCCCCCCCCCCCCCCCCCCC	2021-12-14T19:45:47.000Z	2021-12-14T19:48:00.000Z
- 333333333333	user5	true	DDDDDDDDDDDDDDDDDDDD	2021-12-12T21:35:39.000Z	2021-12-12T21:48:00.000Z

Testing

You can manually invoke the report by running the following script in the root directory:

./invoke.sh

Cleanup

cdk destroy

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

5 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

No packages published

Languages