EventBus Should Not Allow Cross Account Access
More Info:
AWS CloudWatch event buses should not allow unknown cross-account access for delivery of events.
Risk Level
High
Address
Security
Compliance Standards
AWSWAF
Triage and Remediation
Remediation
To remediate the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS using the AWS console, follow these steps:
- Login to the AWS Management Console.
- Navigate to the Amazon EventBridge service.
- Select the Event Bus that is allowing cross-account access.
- Click on the “Permissions” tab.
- In the “Event bus policies” section, click on the “Edit” button.
- Remove any statements that grant cross-account access to the Event Bus.
- Add a new statement that only allows access from the AWS account(s) that require access to the Event Bus.
- Click on the “Save” button to apply the changes.
After following these steps, the Event Bus will no longer allow cross-account access and will only allow access from the specified AWS account(s).
To remediate the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS using AWS CLI, follow these steps:
- Open your terminal or command prompt and ensure that you have the AWS CLI installed and configured with the appropriate credentials.
- Run the following command to list all the Amazon EventBridge event buses in your AWS account:

```bash
aws events list-event-buses
```

- Identify the event bus that is allowing cross-account access.
- Run the following command to modify the event bus policy and restrict cross-account access (the `--policy` value replaces the bus's existing resource policy; the condition keeps the deny from also blocking your own account):

```bash
aws events put-permission \
  --event-bus-name <event-bus-name> \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "RestrictCrossAccountAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:<region>:<account-id>:event-bus/<event-bus-name>",
      "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "<account-id>"}}
    }]
  }'
```

Replace `<event-bus-name>` with the name of the event bus that is allowing cross-account access, `<region>` with the AWS region where the event bus is located, and `<account-id>` with your AWS account ID.
- Verify that the policy has been updated by running the following command:

```bash
aws events describe-event-bus --name <event-bus-name>
```

The output should show the updated policy with the Deny statement.
- Repeat steps 3-5 for any other event buses that are allowing cross-account access.
By following these steps, you have successfully remediated the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS using AWS CLI.
To remediate the misconfiguration “EventBus Should Not Allow Cross Account Access” in AWS, you can follow the steps below in Python:
- Create a new EventBridge event bus policy that allows access only to the specific AWS account that should have access to the event bus.

```python
import boto3
import json

eventbridge = boto3.client('events')
account_id = boto3.client('sts').get_caller_identity()['Account']
region = eventbridge.meta.region_name
bus_name = 'default'
bus_arn = f"arn:aws:events:{region}:{account_id}:event-bus/{bus_name}"

# Resource policy that grants access to this account's principals only.
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": f"arn:aws:iam::{account_id}:root"
            },
            "Action": "events:*",
            "Resource": bus_arn
        }
    ]
}

# put_permission with Policy= replaces the event bus's whole resource policy.
eventbridge.put_permission(
    EventBusName=bus_name,
    Policy=json.dumps(policy)
)
```

- Remove any existing event bus policies that allow cross-account access.

```python
# Explicitly deny every principal outside this account, then write the
# combined policy; writing it replaces any earlier statements that granted
# cross-account access.
policy["Statement"].append({
    "Sid": "DenyCrossAccountAccess",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "events:*",
    "Resource": bus_arn,
    "Condition": {
        "StringNotEquals": {
            "aws:PrincipalAccount": account_id
        }
    }
})
eventbridge.put_permission(
    EventBusName=bus_name,
    Policy=json.dumps(policy)
)
```

- Verify that the event bus policy now only allows access to the specific AWS account that should have access to the event bus.

```python
# describe_event_bus omits the Policy key when no policy is attached.
policy_document = eventbridge.describe_event_bus(Name=bus_name).get('Policy')
print(policy_document)
```

This should remediate the “EventBus Should Not Allow Cross Account Access” misconfiguration in AWS.
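Every procedure above starts with identifying which statements actually open the bus to other accounts. The following check is an added example, not part of the original page: it takes an event bus policy document (as returned by `describe-event-bus`) and lists the Allow statements whose principal is the wildcard or another account, unless an `aws:PrincipalOrgID` or `aws:PrincipalAccount` condition scopes them. The sample policy, account IDs and organization ID are constructed for the example.

```python
import json

# Constructed sample policy (account IDs and org ID are made up); its four
# statements are typical shapes an auditor meets on an event bus.
OWN_ACCOUNT = "111111111111"
BUS_ARN = f"arn:aws:events:us-east-1:{OWN_ACCOUNT}:event-bus/default"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyonePutEvents", "Effect": "Allow", "Principal": "*",
     "Action": "events:PutEvents", "Resource": BUS_ARN},
    {"Sid": "AllowPartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "events:PutEvents", "Resource": BUS_ARN},
    {"Sid": "AllowOrgMembers", "Effect": "Allow", "Principal": "*",
     "Action": "events:PutEvents", "Resource": BUS_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AllowOwnAccount", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"},
     "Action": "events:*", "Resource": BUS_ARN},
]})

# Condition keys that pin a statement to a known organization or account.
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount"}

def _principals(stmt):
    """Normalise the Principal element to a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]

def _account_of(principal):
    """Account ID of an ARN or bare-account principal; None for the wildcard."""
    if principal == "*":
        return None
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def find_cross_account_statements(policy_json, own_account):
    """Sids of unscoped Allow statements open to principals outside own_account."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if cond_keys & SCOPING_KEYS:
            continue  # access is limited to a named organization or account
        if any(_account_of(p) != own_account for p in _principals(stmt)):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Run against the sample policy the check reports `AllowAnyonePutEvents` and `AllowPartnerAccount`, which are the statements the remediation steps above remove or deny.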