Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add admin role usage alarm and tests #580

Merged
merged 1 commit into from
Aug 30, 2024
Merged

Add admin role usage alarm and tests #580

merged 1 commit into from
Aug 30, 2024

Conversation

richgreen-moj
Copy link
Contributor

@richgreen-moj richgreen-moj commented Aug 30, 2024
edited
Loading

A reference to the issue / Description of it

ministryofjustice/modernisation-platform#7437

How does this PR fix the problem?

This adds a new alarm (and unit tests) which will trigger when anyone assumes the AdministratorAccess role in any MP accounts (Core/Member) in the MP low priority alerts channel.

How has this been tested?

I started by reviewing cloudtrail logs when accessing the role and finding the best way to pinpoint when the role is being assumed.
Then I created a new alarm and metric filter in the baselines module and manually applied it to the core-shared-services account (just because I needed an account that was already subscribed to the low priority slack alerts channel). I then assumed the admin role and observed that the alarm triggered and sent us a message.

See an example of the alert being raised:
https://moj-digital-tools.pagerduty.com/incidents/Q2NOMBHFB4MYRJ?utm_campaign=channel&utm_source=slack
https://mojdt.slack.com/archives/C02PFCG8M1R/p1724922501200269

@richgreen-moj richgreen-moj requested a review from a team as a code owner August 30, 2024 08:01
@richgreen-moj richgreen-moj mentioned this pull request Aug 30, 2024
Closed
2 tasks
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub-alarms test/securityhub-alarms-test

Running Trivy in modules/securityhub-alarms
2024-08-30T08:03:04Z INFO [db] Need to update DB
2024-08-30T08:03:04Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-30T08:03:06Z INFO [vuln] Vulnerability scanning is enabled
2024-08-30T08:03:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-30T08:03:06Z INFO Need to update the built-in policies
2024-08-30T08:03:06Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-30T08:03:06Z INFO [secret] Secret scanning is enabled
2024-08-30T08:03:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-30T08:03:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-30T08:03:07Z INFO Number of language-specific files num=0
2024-08-30T08:03:07Z INFO Detected config files num=2
trivy_exitcode=0

Running Trivy in test/securityhub-alarms-test
2024-08-30T08:03:07Z INFO [vuln] Vulnerability scanning is enabled
2024-08-30T08:03:07Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-30T08:03:07Z INFO [secret] Secret scanning is enabled
2024-08-30T08:03:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-30T08:03:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-30T08:03:08Z INFO Number of language-specific files num=0
2024-08-30T08:03:08Z INFO Detected config files num=2
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub-alarms test/securityhub-alarms-test

*****************************

Running Checkov in modules/securityhub-alarms
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 36, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/securityhub-alarms-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 38, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/securityhub-alarms test/securityhub-alarms-test

*****************************

Running tflint in modules/securityhub-alarms
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/securityhub-alarms-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub-alarms test/securityhub-alarms-test

*****************************

Running Trivy in modules/securityhub-alarms
2024-08-30T08:03:04Z	INFO	[db] Need to update DB
2024-08-30T08:03:04Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-30T08:03:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-30T08:03:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-30T08:03:06Z	INFO	Need to update the built-in policies
2024-08-30T08:03:06Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-30T08:03:06Z	INFO	[secret] Secret scanning is enabled
2024-08-30T08:03:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-30T08:03:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-30T08:03:07Z	INFO	Number of language-specific files	num=0
2024-08-30T08:03:07Z	INFO	Detected config files	num=2
trivy_exitcode=0

*****************************

Running Trivy in test/securityhub-alarms-test
2024-08-30T08:03:07Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-30T08:03:07Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-30T08:03:07Z	INFO	[secret] Secret scanning is enabled
2024-08-30T08:03:07Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-30T08:03:07Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-30T08:03:08Z	INFO	Number of language-specific files	num=0
2024-08-30T08:03:08Z	INFO	Detected config files	num=2
trivy_exitcode=0

ewastempel
ewastempel approved these changes Aug 30, 2024
View reviewed changes
Copy link
Contributor

@ewastempel ewastempel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice one

@richgreen-moj richgreen-moj merged commit 7a44478 into main Aug 30, 2024
6 checks passed
@richgreen-moj richgreen-moj deleted the feature/7437-alert-when-using-admin-role branch August 30, 2024 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ewastempel ewastempel ewastempel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richgreen-moj @ewastempel