EventBus Should Not Allow Cross Account Access

More Info:

AWS CloudWatch event buses should not allow unknown cross-account access for delivery of events.

Risk Level

High

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS using AWS CLI, follow these steps:

Open your terminal or command prompt and ensure that you have the AWS CLI installed and configured with the appropriate credentials.
Run the following command to list all the Amazon EventBridge event buses in your AWS account:
```
aws events list-event-buses
```
Identify the event bus that is allowing cross-account access.
Run the following command to modify the event bus policy and restrict cross-account access:
```
aws events put-policy --event-bus-name <event-bus-name> --policy '{"Statement":[{"Sid":"RestrictCrossAccountAccess","Effect":"Deny","Principal":"*","Action":"events:PutEvents","Resource":"arn:aws:events:<region>:<account-id>:event-bus/<event-bus-name>"}]}'
```
Replace <event-bus-name> with the name of the event bus that is allowing cross-account access, <region> with the AWS region where the event bus is located, and <account-id> with your AWS account ID.
Verify that the policy has been updated by running the following command:
```
aws events describe-event-bus --name <event-bus-name>
```
The output should show the updated policy with the Deny statement.
Repeat steps 3-5 for any other event buses that are allowing cross-account access.

By following these steps, you have successfully remediated the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “EventBus Should Not Allow Cross Account Access” in AWS, you can follow the below steps in Python:

Create a new EventBridge event bus policy that allows access only to the specific AWS account that should have access to the event bus.

import boto3
import json

eventbridge = boto3.client('events')

account_id = boto3.client('sts').get_caller_identity().get('Account')

policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": f"arn:aws:iam::{account_id}:root"
            },
            "Action": "events:*",
            "Resource": "arn:aws:events:us-east-1:<account_id>:event-bus/default"
        }
    ]
}

policy_json = json.dumps(policy)

eventbridge.put_permission(
    Action='events:PutEvents',
    Principal='*',
    StatementId='AllowAccountAccess',
    Condition={
        'ArnEquals': {
            'aws:SourceArn': f'arn:aws:events:us-east-1:<account_id>:event-bus/default'
        }
    }
)

eventbridge.put_event_bus_policy(
    EventBusName='default',
    Policy=policy_json
)

Remove any existing event bus policies that allow cross-account access.

policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCrossAccountAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "events:*",
            "Resource": "arn:aws:events:us-east-1:<account_id>:event-bus/default",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "<account_id>"
                }
            }
        }
    ]
}

policy_json = json.dumps(policy)

eventbridge.put_event_bus_policy(
    EventBusName='default',
    Policy=policy_json
)

Verify that the event bus policy now only allows access to the specific AWS account that should have access to the event bus.

policy = eventbridge.describe_event_bus(
    Name='default'
)['Policy']

print(policy)

This should remediate the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS.

Additional Reading:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

EventBus Should Not Allow Cross Account Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: