Event Bus Exposed

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CWE-003

Ensure that the default event bus of Amazon CloudWatch Events is not configured to allow access to everyone (*), so that arbitrary AWS accounts cannot push events into your account. The default event bus lets AWS accounts share events with each other, which is useful between accounts that belong to the same organization or to organizations that are otherwise associated. The bus has a resource-based access policy that lists the AWS entities allowed to send events to it. A Principal of "*" grants events:PutEvents to every AWS account, and every event that arrives is matched against your rules and delivered to their targets. To follow security best practices, allow only authorized accounts to send event data by managing the permissions defined for the default event bus. (CloudWatch Events has since become part of Amazon EventBridge; the aws events CLI commands and the policy format shown below are unchanged.)

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using an overly permissive access policy for your CloudWatch default event bus allows any AWS account to send events to it. Because events placed on the bus are matched against your rules and forwarded to their targets, an unauthorized sender can trigger whatever those rules invoke and can flood the bus with bogus events.


Audit

To determine if your CloudWatch default event bus available within your AWS account allows access to everyone (*), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Event Buses.

04 On the Event Buses page, select Permissions tab and check the AWS entities authorized to send CloudWatch events to the default event bus provisioned within the current region, listed in the Principal column. If the Principal is set to Everybody(*), the AWS CloudWatch event bus available in the current region is exposed to everyone, therefore any AWS user can send their CloudWatch events to your default event bus.

05 Change the AWS region from the navigation bar and repeat step no. 4 to determine if the CloudWatch event buses provisioned in other AWS regions are exposed.

Using AWS CLI

01 Run describe-event-bus command (OSX/Linux/UNIX) to describe the access policy that enables AWS entities to send CloudWatch events to the default event bus created within the selected AWS region:

aws events describe-event-bus \
	--region us-east-1 \
	--query 'Policy' \
	--output text

02 The command output should return the requested policy document (with the default JSON output the policy is returned as an escaped JSON string; --output text prints it as shown below). If the command returns None, the default event bus has no access policy and is not exposed:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "aaaabbbb-aaaa-bbbb-cccc-1234567890123456789012345",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:123456789012:event-bus/default"
    }
  ]
}

Within the policy document returned as output, check the Principal element value. If the Principal element is "*" (or {"AWS": "*"}) on an Allow statement for events:PutEvents, as shown in the output example above, the Amazon CloudWatch default event bus available in the selected region is exposed to everyone (*). Note the Sid value of that statement; it is the identifier used to remove the permission during remediation.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to determine if the CloudWatch default event buses created in other AWS regions are exposed.
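The Audit steps above check one region at a time by hand. The following script, added here as an example (it is not Conformity's or AWS's own code), implements the same check for every region: it parses the Policy document that describe-event-bus returns, flags Allow statements that grant events:PutEvents to a wildcard principal, and emits the remove-permission / put-permission commands from the Remediation section for each finding. It treats a wildcard statement that carries a Condition (for example an aws:PrincipalOrgID scope) as "review manually" rather than "exposed", since such a statement is not open to everyone. The sample policies are constructed for this example; the trusted account ID, the statement ID it chooses for the replacement permission, and the use of boto3 in audit_all_regions are assumptions.

```python
"""Audit CloudWatch Events / EventBridge default event bus policies for a
wildcard principal.  Added example, not Conformity or AWS code."""
import fnmatch
import json
from typing import Any, Dict, List, Optional, Tuple

PUT_EVENTS = "events:PutEvents"


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" as well as {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _grants_put_events(action: Any) -> bool:
    """True if the Action element covers events:PutEvents, including
    wildcard forms such as events:* or events:Put*."""
    actions = [action] if isinstance(action, str) else list(action or [])
    return any(fnmatch.fnmatchcase(PUT_EVENTS, a) for a in actions)


def exposed_statements(policy: Optional[str]) -> List[Tuple[Optional[str], bool]]:
    """Return (Sid, has_condition) for every Allow statement that lets a
    wildcard principal call events:PutEvents.  `policy` is the JSON string
    from the Policy field of describe-event-bus; None means the bus has no
    resource policy, so nothing is exposed."""
    if not policy:
        return []
    statements = json.loads(policy).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if not _grants_put_events(stmt.get("Action")):
            continue
        findings.append((stmt.get("Sid"), "Condition" in stmt))
    return findings


def remediation_commands(region: str, findings: List[Tuple[Optional[str], bool]],
                         trusted_account: str) -> List[str]:
    """Build the CLI commands from the Remediation section: remove every
    unconditioned wildcard statement, then grant one trusted account.
    Statements scoped by a Condition, or lacking a Sid, are left for review."""
    cmds = []
    for sid, has_condition in findings:
        if has_condition or sid is None:
            continue
        cmds.append(f"aws events remove-permission --region {region} --statement-id {sid}")
    if cmds:
        # Statement ID is an assumed label; it only has to be unique in the policy.
        cmds.append(f"aws events put-permission --region {region} --action {PUT_EVENTS} "
                    f"--principal {trusted_account} --statement-id AllowAccount{trusted_account}")
    return cmds


def audit_all_regions(trusted_account: str, regions: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Run the check against a live account (assumes boto3 is installed and
    credentials are configured).  Returns region -> commands; [] means clean."""
    import boto3  # local import so the offline helpers above need no SDK
    session = boto3.session.Session()
    report = {}
    for region in regions or session.get_available_regions("events"):
        bus = session.client("events", region_name=region).describe_event_bus()
        report[region] = remediation_commands(region, exposed_statements(bus.get("Policy")), trusted_account)
    return report


# Constructed sample policies in the shape returned by describe-event-bus.
_RESOURCE = "arn:aws:events:us-east-1:123456789012:event-bus/default"
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "aaaabbbb-aaaa-bbbb-cccc-1234567890123456789012345", "Effect": "Allow",
    "Principal": "*", "Action": "events:PutEvents", "Resource": _RESOURCE}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgWide", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "events:*",
    "Resource": _RESOURCE, "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})
ACCOUNT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Partner", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "events:PutEvents", "Resource": _RESOURCE}]})

if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("scoped", SCOPED_POLICY), ("account", ACCOUNT_POLICY)):
        findings = exposed_statements(policy)
        print(name, findings, remediation_commands("us-east-1", findings, "123456789012"))
```

Run it without arguments to see the three sample verdicts; call audit_all_regions("123456789012") from a credentialed session to produce the per-region command list for a real account. Review the commands before running them, since put-permission only adds the one account you name and any other legitimate senders must be re-added.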

Remediation/Resolution:

Case A: To update the access permissions defined for the CloudWatch default event bus in order to authorize only specific AWS entities to send CloudWatch event data to your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Event Buses.

04 On the Event Buses page, select Permissions tab, choose the entry with the Principal attribute set to Everybody(*) and click Remove to delete the selected access permission and block public access to the default event bus provisioned in the current AWS region.

05 Click Add permissions button to add a new permission that allows a specific (authorized) AWS account to send its CloudWatch event data to your event bus.

06 Inside Add Permission dialog box, enter the 12-digit AWS account ID to receive events from.

07 Click Add to confirm the changes and create the new permission for the CloudWatch default event bus available in the current AWS region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 to update the access permissions configured for CloudWatch default event buses available in other regions.

Using AWS CLI

01 Run remove-permission command (OSX/Linux/UNIX) using the access policy statement ID as identifier (see Audit section part II to identify the right statement ID) to block public access to the default event bus (the command does not produce an output):

aws events remove-permission \
	--region us-east-1 \
	--statement-id aaaabbbb-aaaa-bbbb-cccc-1234567890123456789012345

02 Run put-permission command (OSX/Linux/UNIX) to create a new permission that permits a specified (trusted) AWS account to put events to your account's default event bus, available in the selected region. Replace the --principal parameter value with the 12-digit ID of the AWS account that is authorized to send event data to your account. The --statement-id value is a label of your choosing that must be unique within the policy; reusing the ID of a statement you just removed is fine, but an existing ID is overwritten. Repeat the command once per trusted account (the command does not return an output):

aws events put-permission \
	--region us-east-1 \
	--action events:PutEvents \
	--principal 123456789012 \
	--statement-id aaaabbbb-aaaa-bbbb-cccc-1234567890123456789012345

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to update the permissions defined for CloudWatch default event buses provisioned in other regions.

Remediation/Resolution:

Case B: To revoke public access to your AWS CloudWatch default event bus, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Event Buses.

04 On the Event Buses page, select Permissions tab, choose the permission with the Principal attribute set to Everybody(*) and click Remove to delete the permission and block the public access to the default event bus available within the current AWS region.

05 Change the AWS region from the navigation bar and repeat step no. 4 to revoke public access to CloudWatch event buses available in other regions.

Using AWS CLI

01 Run remove-permission command (OSX/Linux/UNIX) using the access policy statement ID as identifier (see Audit section part II to identify the right statement ID) to revoke the permissions set for the exposed event bus (the command does not produce an output):

aws events remove-permission \
	--region us-east-1 \
	--statement-id aaaabbbb-aaaa-bbbb-cccc-1234567890123456789012345

02 Change the AWS region by updating the --region command parameter value and repeat step no. 1 to block public access to CloudWatch event buses available in other AWS regions.

Publication date May 6, 2018