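# OU SCPs - Below is gecc Root SCPs
# List the service control policies attached directly to the organization root (r-y70b).
aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id r-y70b
# OU for Parent
# List the OUs directly under the root and reduce each entry to {Id, Name}.
# (The original `[0:]` full-array slice was a no-op and is dropped; the map does the work.)
# The stray page text that was glued onto the end of this command has been removed so it runs.
aws organizations list-organizational-units-for-parent --parent-id r-y70b | jq '.OrganizationalUnits | {OrganizationalUnit: map({Id: .Id, Name: .Name})}'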
| Description | Link |
|---|---|
| SecOps | SecOps |
| SecOps Config / CloudTrail | SecOps CloudTrail |
| SecOps Config / Guard Duty | SecOps Guard Duty |
| SecOps Config / Load Balancers | SecOps Load Balancer |
| SecOps Config / Security Hub | SecOps Security Hub |
## Test SecOps Config
## From TMP/src/tests, run with the Target account profile
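# Check Target
# Resolve the account the current credentials belong to, so the tests below run against the intended target.
ACC=$( aws sts get-caller-identity | jq --raw-output .Account )
whodat "$ACC" --brief --owner   # `whodat` is a local helper, not an AWS CLI command
# `-n 10` needs the pytest-xdist plugin installed.
pytest -n 10 --tb=short test_cloudtrail.py
pytest -n 10 --tb=short test_config.py
pytest -n 10 --tb=short test_guardduty.py
pytest -n 10 --tb=short test_securityhub.py
## 7393-8413-2772 (739384132772) [admin-ge] which is a Management Account
# Capture the trail ARN for the calls that follow.
# NOTE(review): if the account has more than one trail this expands to several ARNs and a later
# `--name $TRAIL` will fail — confirm a single trail, or pick one explicitly (e.g. `.trailList[0].TrailARN`).
TRAIL=$( aws cloudtrail describe-trails | jq --raw-output '.trailList[] .TrailARN' )
aws cloudtrail describe-trails --output yaml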
## Outcome:
trailList:
- HasCustomEventSelectors: true
HasInsightSelectors: false
HomeRegion: us-east-1 # Target Acc. HomeRegion
IncludeGlobalServiceEvents: true
IsMultiRegionTrail: true
IsOrganizationTrail: false
LogFileValidationEnabled: true
Name: global_trail # Same for all Trails in all accounts
S3BucketName: ge-central-bit-bucket # Mgmt. Acc. Central CT Logs Bucket
S3KeyPrefix: mac-co-dev # Target Acc. Alias
SnsTopicARN: arn:aws:sns:us-east-1:739384132772:AwsCloudTrailCollector # Mgmt. Acc. SNS ARN
SnsTopicName: arn:aws:sns:us-east-1:739384132772:AwsCloudTrailCollector # Mgmt. Acc. SNS Name
# Pattern: arn:aws:cloudtrail:<HomeRegion>:<AccountId>:trail/<GlobalTrailName>
TrailARN: arn:aws:cloudtrail:us-east-1:432375862099:trail/global_trail # Target Acc. HomeRegion and Acc. ID
aws cloudtrail get-trail-status --name $TRAIL
## Outcome:
{
"IsLogging": true,
"LatestDeliveryTime": "2023-11-15T13:04:19.009000-08:00",
"LatestNotificationTime": "2023-11-15T13:04:19.002000-08:00",
"StartLoggingTime": "2019-10-01T11:44:15.272000-07:00",
"LatestDigestDeliveryTime": "2023-11-15T12:21:03.107000-08:00",
"LatestDeliveryAttemptTime": "2023-11-15T21:04:19Z",
"LatestNotificationAttemptTime": "2023-11-15T21:04:19Z",
"LatestNotificationAttemptSucceeded": "2023-11-15T21:04:19Z",
"LatestDeliveryAttemptSucceeded": "2023-11-15T21:04:19Z",
"TimeLoggingStarted": "2019-10-01T18:44:15Z",
"TimeLoggingStopped": ""
}
Configures an event selector or advanced event selectors for your trail. Use event selectors or advanced event selectors to specify management and data event settings for your trail. If you want your trail to log Insights events, be sure the event selector enables logging of the Insights event types you want configured for your trail.
AWS CLI / cloudtrail put-event-selectors
# Show the event selectors (management/data event settings) currently configured on the trail held in $TRAIL.
aws cloudtrail get-event-selectors --trail-name $TRAIL
## Outcome:
{
"TrailARN": "arn:aws:cloudtrail:us-east-1:432375862099:trail/global_trail",
"EventSelectors": [
{
"ReadWriteType": "All",
"IncludeManagementEvents": true,
"DataResources": [
{
"Type": "AWS::Lambda::Function",
"Values": [
"arn:aws:lambda"
]
}
],
"ExcludeManagementEventSources": []
},
{
"ReadWriteType": "All",
"IncludeManagementEvents": true,
"DataResources": [
{
"Type": "AWS::S3::Object",
"Values": [
"arn:aws:s3:::"
]
}
],
"ExcludeManagementEventSources": []
}
]
}
In GE, 7393-8413-2772 (739384132772) [admin-ge] is the Management Account for CloudTrail:
AWS CLI / S3 API
Block public access: Block all public access
Bucket Policy (as captured; two points to check before reuse: the two `cloudtrail.amazonaws.com` statements carry no `aws:SourceArn`/`aws:SourceAccount` condition, so the bucket is not pinned to the intended trails; and the `AllowLimitedS3ReadAccess` statement puts `s3:List*` on object-key ARNs, whereas `s3:ListBucket` is evaluated against the bucket ARN and is scoped with an `s3:prefix` condition, so as written it likely grants no listing at all):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::ge-central-bit-bucket"
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::ge-central-bit-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "Permissions for Splunk in ent-intel",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::074165473198:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::ge-central-bit-bucket"
},
{
"Sid": "Permissions for Splunk in ent-intel",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::074165473198:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::ge-central-bit-bucket/*"
},
{
"Sid": "AllowBucketAclPolicyRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::523084324983:root"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::ge-central-bit-bucket"
},
{
"Sid": "AllowLimitedS3ReadAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::523084324983:root"
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::ge-central-bit-bucket/pnw-prod/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pnw-prod/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/pnw-preprod/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pnw-preprod/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/ent-emea-pnw-preprod/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/ent-emea-pnw-preprod/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/ent-emea-pnw/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/ent-emea-pnw/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/pwr-primavera/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pwr-primavera/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/pwr-power-services/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pwr-power-services/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/pwr-datalake/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pwr-datalake/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/pwr-itsecops/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pwr-itsecops/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/pwr-sharedhr/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/pwr-sharedhr/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/ge-data-analytics/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/ge-data-analytics/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/energy-preprod/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/energy-preprod/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/energy-prod/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/energy-prod/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/ent-emea-energy/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/ent-emea-energy/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/digital-energy-prod/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/digital-energy-prod/AWSLogs/*",
"arn:aws:s3:::ge-central-bit-bucket/ind-energy-gsdemo/AWSLogs",
"arn:aws:s3:::ge-central-bit-bucket/ind-energy-gsdemo/AWSLogs/*"
]
}
]
}
# Aero CloudTrail Global Trail
404063023013 av-ctr-llz us-east-1 # CloudTrail Mgmt. Acc.
791232313887 av-ctr-ads-nonprod us-east-1 aws.av-ctr-ads-nonprod@ge.com # CloudTrail Target Acc.
534701031479 aviation-ctr-nonprod us-east-1 aws.aviation-ctr-nonprod@ge.com # CloudTrail Target Acc.
# Note New Aero email for AWS account - New accounts only:
# example for the future state: aws-sandbox-root+cyber-audit@geaerospace.us
In GE, 7393-8413-2772 (739384132772) [admin-ge] is the Management Account for CloudTrail:
AWS CLI / S3 API
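BUCKET='ge-aero-central-bit-bucket' # Global Trail S3 Bucket from Mgmt. Acc.
TRAIL_NAME='global_trail' # Global Trail from Mgmt. Acc.
## Mgmt. Acc. Config #########################################
## With Mgmt. Acc. Profile call
# The original line named no s3api operation and would not run; `put-bucket-acl` is the
# operation that takes `--acl` and `--bucket`. Confirm this is the intended call before running.
aws s3api put-bucket-acl --acl private --bucket "$BUCKET"
## Bucket Policy
## Create SNS
## Create Trail - See below
## CloudTrail Put Event Selector - See below
## Target Account Config ####################################
## Capture current custom data events
# 404063023013 is the CloudTrail Mgmt. Acc. (av-ctr-llz), so this is the Mgmt. Acc. SNS topic ARN, not a target-account value.
SNS='arn:aws:sns:us-east-1:404063023013:AwsCloudTrailCollector'
# Target Acc. Alias. NOTE(review): the prefix is spelled "caludtrail" — confirm it matches the
# bucket policy / existing object paths before correcting it, since the value is used as-is.
PREFIX='caludtrail/av-ctr-ads-nonprod'
REGION='us-east-1' # Target Acc. HomeRegion
## With Target Acc. Profile call
## Config CloudTrail - Repeat the same for PREFIX value for the second account
# `--region` previously had no value (the next assignment had been glued onto it).
# Multi-region, global-service events and log-file validation are set explicitly so the new trail
# matches the documented existing trails (IsMultiRegionTrail / IncludeGlobalServiceEvents /
# LogFileValidationEnabled: true in the describe-trails output above).
aws cloudtrail create-trail \
  --name "$TRAIL_NAME" \
  --s3-bucket-name "$BUCKET" \
  --s3-key-prefix "$PREFIX" \
  --sns-topic-name "$SNS" \
  --region "$REGION" \
  --is-multi-region-trail \
  --include-global-service-events \
  --enable-log-file-validation
# Data-event selectors: all S3 object and all Lambda function events, plus management events (read and write).
EVENT_SELECTOR='[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]},{"Type": "AWS::Lambda::Function","Values": ["arn:aws:lambda"]}]}]'
TRAIL_NAME='global_trail' # already set above; kept so this part can be run on its own
echo "$EVENT_SELECTOR" | jq .   # sanity-check the JSON before sending it
echo "aws cloudtrail put-event-selectors --trail-name $TRAIL_NAME --event-selectors '${EVENT_SELECTOR}'"
aws cloudtrail put-event-selectors --trail-name "$TRAIL_NAME" --event-selectors "${EVENT_SELECTOR}"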
## Add captured custom data events
AWS Docs / Access logs for your Application Load Balancer
AWS Docs / Access logs for your Classic Load Balancer
AWS Docs / Access logs for your Network Load Balancer
- AWS Console / CloudTrail / Event History:
- Date Range: 90 Days
- Event Name: ConsoleLogin
- Store as json in `./data/`
- Store result as `data/<accountId>-90-days-signin-2023-10-06-<accountAlias>.json`
- Run `python audit-cloudtrail.py --user-type IAMUser --path data --store data/<Results.csv>`
- If the run returned a result, open `data/tmp.csv` and paste its content into the consolidated file
- Paste the formula to fill the blank `account_name_&User Name` in Excel
- Update the `Users` sheet if there are Users with no entry
- Users are the unique values of the `userName` column
- Extract the Users of all accounts in the report and add them to the `Users` sheet to find inactive users
- The `Users` export can be a QAR report of the unique accounts of the `accountId` column
- Same applies to GovCloud
# Accounts & Notes
739384132772 admin-ge
409448342956 aviation-geas-uk-limited-nonprod # No Record
792432308175 aviation-geas-uk-limited-prod # No access
171844140004 cc-architecture-001 # Management Account
437661846534 cc-architecture-009 # Management Account
710001197670 cloud-hub
376079469356 cloud-inventory
207755114178 corp-dba
736489861251 corporate-brt # Admin Account
589115327840 ctr-eng-grlimited # Management Account
409245127384 digital-network-prod
188894168332 digital-public-cloudops # No Record
264560008398 digital-vesg-secops # No Record
589623221417 geadmin # Admin Account
737859062117 gecc # Management Account
556003251088 gecirt
141111311552 ge-cloud-hosting
899774137266 gehc-master # No access
702036537659 gehc-master-sandbox # No Record
504948279284 mas-co
432403552778 mas-co-dev # No Record
538763039462 master-payer-av # Management Account
506599280386 master-payer-en # Management Account
520077232870 master-payer-en-it-sandbox
582019957860 master-payer-hc # Management Account
767495976932 master-payer-vn-commercial
277688789493 public-cloud-prod
056639395895 savings-plan-av
173157443582 savings-plan-en
379768029683 savings-plan-hc
341164887133 savings-plan-vn-comm
836234625243 svc-acct-av
155656796956 svc-acct-en
847195756354 svc-acct-hc
683968165177 warden-ge # No access
aws cloudtrail lookup-events --max-items 100 --query "Events[?eventCategory == 'Management']"
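# Console sign-in events from the most recent 100 events of the event history.
aws cloudtrail lookup-events --max-items 100 --query "Events[?eventSource == 'signin.amazonaws.com']"
# Past 90 days report
# GNU date syntax (`--date`, `%N`); BSD/macOS date takes different options.
STIME=$(date --date="90 day ago" +%FT%R:%S.%3N) # 90 days ago - start-time
ETIME=$(date +%FT%R:%S.%3N) # today - end-time
# Expansions are quoted so the timestamps are passed as single arguments.
# No --max-items here: the CLI pages through the whole 90-day window of sign-in events.
aws cloudtrail lookup-events --start-time "$STIME" --end-time "$ETIME" --query "Events[?eventSource == 'signin.amazonaws.com']"
# Root Access
# NOTE(review): this returns only events whose Username attribute is exactly 'Root' —
# confirm that is how root activity appears in this account's event history before relying on it.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue='Root'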
- Getting started with GuardDuty
- GuardDuty is a Regional service, meaning any of the configuration procedures must be repeated in each Region that you want to monitor with GuardDuty.
- We highly recommend that you enable GuardDuty in all supported AWS Regions. This enables GuardDuty to generate findings about unauthorized or unusual activity even in Regions that you are not actively using.
- Any user with administrator privileges in an AWS account can enable GuardDuty, however, following the security best practice of least privilege, it is recommended that you create an IAM role, user, or group to manage GuardDuty specifically.
- When you enable GuardDuty for the first time in any AWS Region, by default, it also enables all the available protection types that are supported in that Region, including Malware Protection. GuardDuty creates a service-linked role for your account called AWSServiceRoleForAmazonGuardDuty.
- AWS service integrations with GuardDuty
- Managing multiple accounts in Amazon GuardDuty
- Managing GuardDuty accounts with AWS Organizations
- Suspending or disabling GuardDuty
- Quotas for Amazon GuardDuty
- Regions and endpoints
# Aero GD Test
404063023013 av-ctr-llz # GD Admin
791232313887 av-ctr-ads-nonprod # GD Member
534701031479 aviation-ctr-nonprod # GD Member
- Step 1: Enable Amazon GuardDuty
- Standalone account environment
- Multi-account environment
- Step 2: Generate sample findings and explore basic operations
- Step 3: Configure exporting GuardDuty findings to an Amazon S3 bucket
- Step 4: Set up GuardDuty finding alerts through SNS
- Enable for all - Org Level
- Enable for New Accounts
- By Invitation
- ELB & ALB logs centralization - Exists via CloudTrail
- NFW logs - will follow CloudTrail logs
- Dedicated WAF - Exists on service accounts for commercial but shared in GovCloud
- Dedicated CloudTrail - Does not exist! The global CloudTrail is shared as before
- 2645-6000-8398 digital-vesg-secops
- 3704-2060-6186 gov-cloud-hub
- 3704-2060-6186 gov-cloud-hub
- ec2:PrefixList
- ec2:TransitGateway
- 6107-9831-9622 gov-public-cloud-prod
- network-firewall:StatefulRulegroup
- network-firewall:StatelessRulegroup
- 7100-0119-7670 cloud-hub
- ec2:PrefixList
- ec2:TransitGateway
- 2776-8878-9493 public-cloud-prod
- network-firewall:StatefulRulegroup
- network-firewall:StatelessRulegroup
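# From GovCloud TMP src/
# Reduce the backed-up RAM resource-share list for the account alias in $ACCOUNT_ALIAS to {arn, type} pairs.
# jq reads the file directly (no `cat` pipe) and the path is quoted in case the alias contains spaces.
jq -r '.ListResourceShareSelf | {ListResourceShareSelf: map({arn: .arn, type: .type})}' "../backup/${ACCOUNT_ALIAS}/shared-ram-backup.json"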
# From TMP src/
cat ../backup/cloud-hub-ram-share-after.json | jq -r '.ResourcesSelf | {ResourcesSelf: map({arn: .arn, type: .type})}'
- 7393-8413-2772 admin-ge
- 7154-7719-2348 gov-public-cloud-security
- 2645-6000-8398 digital-vesg-secops: arn:aws:s3:::aws-waf-logs-cloud-hosting # via firehose
- 8362-3462-5243 svc-acct-av: arn:aws:s3:::aws-waf-logs-cloud-hosting-geav
- 1556-5679-6956 svc-acct-en: arn:aws:s3:::aws-waf-logs-cloud-hosting-geen
- 8471-9575-6354 svc-acct-hc: arn:aws:s3:::aws-waf-logs-cloud-hosting-gehc
- gecc: cloud-hosting-waf-base-ruleset
- master-payer-av: cloud-hosting-geav
- master-payer-en: cloud-hosting-geen
- master-payer-hc: cloud-hosting-gehc
- gov-gecc: arn:aws-us-gov:s3:::aws-waf-logs-cloud-hosting
- gov-master-payer-av: arn:aws-us-gov:s3:::aws-waf-logs-aero-mp
- gov-master-payer-av: arn:aws-us-gov:s3:::aws-waf-logs-aero-mp-prd
- gov-master-payer-en: arn:aws-us-gov:s3:::aws-waf-logs-vn-mp
- gov-gecc: cloud-hosting-waf-base-ruleset
- gov-master-payer-av: cloud-hosting-waf-base-ruleset-av
- gov-master-payer-av: cloud-hosting-waf-base-ruleset-av-prd
- gov-master-payer-en: cloud-hosting-waf-base-ruleset