EventBus Cross Account Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CWE-002

Ensure that your Amazon CloudWatch event buses are configured to allow access only to friendly AWS accounts, so that unauthorized accounts cannot send their CloudWatch events to you. An AWS CloudWatch event bus is a feature that enables AWS accounts to share events with each other. This is useful for AWS accounts that belong to the same organization, or to organizations that are associated or have a similar relationship. The event bus (currently one per account, also known as the default event bus) has an access policy that specifies the set of AWS accounts allowed to send events to the bus. To allow only friendly accounts to send their event data, you need to manage the permissions defined for the default event bus. Before the Cloud Conformity engine runs this rule, you need to provide the friendly account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012, 112233445566).

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using misconfigured and overly permissive access policies for your CloudWatch event buses can allow untrusted AWS users to send their CloudWatch events.


Audit

To determine if the Amazon CloudWatch default event bus created within your account allows unknown cross-account event delivery, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Event Buses.

04 On the Event Buses page, select Permissions tab and check the ID(s) of the AWS account(s) authorized to send CloudWatch events to the default event bus provisioned within the current region, listed in the Principal column (e.g. 123456789012).

05 Sign in to your Cloud Conformity console, access the Event Bus Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (i.e. account ID(s)) against each identifier listed in the rule configuration section. If an identifier found in the verified event bus permissions list does not match any of the trusted account IDs listed on your Cloud Conformity console, the cross-account event delivery is not secure: that AWS account is not trusted and should not be authorized to send AWS CloudWatch event data to the selected event bus within the selected region.

06 Change the AWS region from the navigation bar and repeat steps no. 4 and 5 to determine if the AWS CloudWatch default event bus allows unknown cross-account event delivery within other regions.

Using AWS CLI

01 Run describe-event-bus command (OSX/Linux/UNIX) to describe the access policy that enables the external AWS account(s) to send CloudWatch events to the default event bus created in the selected AWS region:

aws events describe-event-bus \
	--region us-east-1 \
	--query 'Policy'

02 The command output should return the requested policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "aaaabbbb-cccc-dddd-eeee-1234567890123456789012345",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/default"
    }
  ]
}

Within the policy document returned as output, check the ARN(s) defined as value(s) for the Principal element. Extract the necessary ID(s) from the listed ARN(s) to get the identifier(s) of the AWS account(s) authorized to send CloudWatch events to the default event bus provisioned within the selected region.

03 Sign in to your Cloud Conformity console, access the Event Bus Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step against each identifier listed in the rule configuration section. If an identifier found in the verified event bus permissions list does not match any of the trusted account IDs listed on your Cloud Conformity console, the cross-account event delivery is not secure: that AWS account is not trusted and should not be authorized to send AWS CloudWatch event data to the selected event bus.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to determine if the AWS CloudWatch default event bus allows unknown cross-account event delivery within other regions.
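The comparison in steps 02 and 03 can be automated against the policy document that describe-event-bus returns. The following script is an added example and not part of the Conformity rule or tooling: it parses a constructed sample policy (same shape as the output above), normalises every Principal form AWS accepts (root ARN, bare 12-digit ID, a list of either, or the "*" wildcard) into account IDs, and reports each events:PutEvents grant whose account is not in your trusted list. The trusted list and the extra statements in the sample are assumptions for illustration.

```python
import json
import re

# Constructed sample standing in for `aws events describe-event-bus --query 'Policy'`
# (the Policy field is itself a JSON string). Extra statements are added for illustration.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "trusted-sid", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "events:PutEvents",
         "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/default"},
        {"Sid": "unknown-sid", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:root", "112233445566"]},
         "Action": "events:PutEvents",
         "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/default"},
        {"Sid": "public-sid", "Effect": "Allow",
         "Principal": "*",  # anyone on AWS may put events: always a finding
         "Action": "events:PutEvents",
         "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/default"},
    ],
})

# Accepts "arn:aws:iam::<12 digits>:root" or a bare 12-digit account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")


def principal_accounts(principal):
    """Normalise the Principal element to a set of 12-digit account IDs.
    The public wildcard is kept as the literal '*' so callers can flag it."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    values = [values] if isinstance(values, str) else values
    out = set()
    for v in values:
        m = ACCOUNT_RE.match(v)
        out.add(m.group(1) if m else v)  # keep '*' or unparseable values for review
    return out


def find_untrusted(policy_json, trusted):
    """Return [(Sid, principal)] for each Allow of events:PutEvents whose principal
    is not in the trusted account list. A missing policy (None) yields no findings."""
    trusted, findings = set(trusted), []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for st in [statements] if isinstance(statements, dict) else statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("events:PutEvents", "events:*", "*") for a in actions):
            continue
        for acct in sorted(principal_accounts(st.get("Principal", {}))):
            if acct not in trusted:
                findings.append((st.get("Sid", "<no Sid>"), acct))
    return findings
```

Each finding's Sid is the value you pass to remove-permission in the Remediation section below; the account IDs are what you compare against the rule configuration in your Cloud Conformity console.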

Remediation/Resolution:

Case A: To update the permissions defined for the default event bus in order to authorize only trusted (friendly) AWS accounts to send CloudWatch event data to your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Event Buses.

04 On the Event Buses page, select Permissions tab, choose the untrusted AWS accounts (see Audit section part I to identify the right account identifiers) and click Remove to delete the necessary permissions and block their access to the default event bus provisioned in the current AWS region.

05 Now click Add permissions button to add a new permission that authorizes a friendly AWS account to share its CloudWatch event data.

06 Inside Add Permission dialog box, enter the 12-digit AWS account ID to receive events from, also listed on your Cloud Conformity console.

07 Click Add to confirm the changes and create the new permission for the CloudWatch default event bus available within the current region.

08 Repeat steps no. 4 – 7 to replace other untrusted AWS account identifiers with trusted ones, defined on your Cloud Conformity console.

09 Change the AWS region from the navigation bar and repeat steps no. 4 – 8 to update the permissions defined for CloudWatch default event buses available in other regions.

Using AWS CLI

01 First, run the remove-permission command (OSX/Linux/UNIX) using the access policy statement ID as identifier (see Audit section part II to identify the right statement ID) to revoke the permission of the selected untrusted AWS account that is currently able to put events to the default event bus (the command does not produce an output):

aws events remove-permission \
	--region us-east-1 \
	--statement-id aaaabbbb-cccc-dddd-eeee-1234567890123456789012345

02 Run the put-permission command (OSX/Linux/UNIX) to create a new permission that allows the specified (friendly) AWS account to put events to your account's default event bus in the selected region. Replace the --principal parameter value with the 12-digit ID of the AWS account that is authorized to send event data to your account (the command does not produce an output):

aws events put-permission \
	--region us-east-1 \
	--action events:PutEvents \
	--principal 123456789012 \
	--statement-id abcd1234-aaaa-bbbb-cccc-1234567890123456789012345

03 Repeat steps no. 1 and 2 to replace other untrusted AWS account identifiers with trusted ones, listed on your Cloud Conformity console.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to update the permissions defined for CloudWatch default event buses provisioned in other regions.

Case B: To revoke the permissions defined for the CloudWatch default event bus available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Event Buses.

04 On the Event Buses page, select Permissions tab, choose the untrusted AWS accounts (see Audit section part I to identify the right account identifiers) and click Remove to delete the necessary permissions and block their access to the default event bus provisioned in the current AWS region.

05 Repeat step no. 4 to remove the permissions that reference other untrusted AWS accounts that are currently able to send events to the default event bus.

06 Change the AWS region from the navigation bar and repeat steps no. 4 and 5 to revoke the permissions defined for default event buses available in other regions.

Using AWS CLI

01 Run the remove-permission command (OSX/Linux/UNIX) using the access policy statement ID as identifier (see Audit section part II to identify the right statement ID) to revoke the permission of the selected untrusted AWS account (the command does not produce an output):

aws events remove-permission \
	--region us-east-1 \
	--statement-id aaaabbbb-cccc-dddd-eeee-1234567890123456789012345

02 Repeat step no. 1 to remove the permissions that reference other untrusted AWS accounts that are currently able to send events to the default event bus.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to revoke the permissions defined for CloudWatch default event buses available in other regions.

Publication date Feb 22, 2018