Real-Time Monitoring EventBridge Rule Configuration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that each of your AWS accounts’ regions have the Conformity monitoring EventBridge rule correctly configured to ensure event data is fed into the Conformity application. Using Real-Time Monitoring in conjunction with the Conformity Bot ensures you have maximum coverage in identifying cloud misconfigurations and are able to identify them in real time.

Operational excellence

Trend Cloud One™ – Conformity Real-Time Threat Monitoring (RTM) provides live monitoring with instant threat and remediation alerts for activities and events within your AWS and Azure accounts. An EventBridge rule must be correctly configured in order to send event data to the Conformity Event Bus.


Audit

To determine if your AWS account has the AWS EventBridge rule set up correctly for Real-Time Monitoring (RTM), perform the following:

Using AWS Console

01 Sign in to the AWS account registered with Cloud Conformity.

02 For Real-Time Monitoring (RTM) to work, you must first ensure that CloudTrail is enabled; this can be checked as part of this rule.

03 Once CloudTrail is enabled, navigate to the EventBridge dashboard at https://console.aws.amazon.com/events/home.

04 In the left-hand navigation bar select Rules to display a list of EventBridge rules configured in your chosen region. If there are no EventBridge Rules present, RTM will not work in that region.

05 Click on the name of the rule that was created by your original RTM set up. By default, the event rule is called CloudConformityMonitoring.

06 Under the Event pattern section, you should see the pattern that determines which events the rule matches and forwards to the Conformity event bus. By default, the correct pattern is:

{
  "account": ["115637824961"],
  "source": ["aws.s3", "aws.ec2", "aws.elasticloadbalancing", "aws.autoscaling", "aws.cloudformation", "aws.iam", "aws.dynamodb", "aws.rds", "aws.lambda", "aws.cloudfront", "aws.organizations", "aws.config", "aws.guardduty", "aws.cloudtrail", "aws.route53domains", "aws.kms", "aws.route53", "aws.sts", "aws.ecs", "aws.securityhub", "aws.signin", "aws.macie"]
}

If the event pattern does not match the expected one, decide how you want to configure it so that AWS events are still sent to the Conformity event bus.
Note: the expected event pattern can be configured and modified in the rule logic if you have a custom event pattern you would like to enforce (this field in the rule settings supports regular expressions).

07 Under the Target(s) section, check that the target type is Event bus in a different account or Region and that the target name and ARN are the default event bus for the Conformity account in your current region, e.g.:
arn:aws:events:us-east-1:717210094962:event-bus/default
If the target is configured incorrectly, event data will not be sent to Conformity for ingestion.

08 Repeat steps no. 3 – 7 for each AWS region where you intend to run Conformity Real-Time Monitoring.

09 Repeat steps no. 1 – 8 for each AWS account registered with Cloud Conformity, that you want to examine.
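The console steps above can be repeated per region and per account by checking the same two things programmatically: the rule's event pattern and the rule's target. The following script is an added example and is not Conformity's own code. It validates the JSON documents returned by `aws events describe-rule` and `aws events list-targets-by-rule` (both real AWS CLI commands) against the default configuration described on this page. The sample documents embedded below are constructed; the monitored account id 123456789012, the rule region, and the target id are placeholders, and 717210094962 is reused from the example target ARN above as the Conformity account id.

```python
"""Offline validator for a Conformity Real-Time Monitoring EventBridge rule.

Added example, not part of the Conformity documentation. Feed it the output of:
  aws events describe-rule --name CloudConformityMonitoring --region <region>
  aws events list-targets-by-rule --rule CloudConformityMonitoring --region <region>
"""
import json
import re

# Event sources listed in the default CloudConformityMonitoring pattern on this page.
EXPECTED_SOURCES = frozenset({
    "aws.s3", "aws.ec2", "aws.elasticloadbalancing", "aws.autoscaling",
    "aws.cloudformation", "aws.iam", "aws.dynamodb", "aws.rds", "aws.lambda",
    "aws.cloudfront", "aws.organizations", "aws.config", "aws.guardduty",
    "aws.cloudtrail", "aws.route53domains", "aws.kms", "aws.route53", "aws.sts",
    "aws.ecs", "aws.securityhub", "aws.signin", "aws.macie",
})

# Region and account are taken from the rule's own ARN so the target check is
# tied to the region the rule actually lives in.
RULE_ARN_RE = re.compile(r"^arn:aws:events:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):rule/.+$")


def check_rtm_rule(rule_json: str, targets_json: str, conformity_account: str) -> list:
    """Return a list of findings; an empty list means the rule matches the expected
    RTM configuration: enabled, pattern scoped to this account and covering every
    expected source, and a target of the Conformity default event bus in the
    rule's region."""
    findings = []
    rule = json.loads(rule_json)
    targets = json.loads(targets_json).get("Targets", [])

    arn = RULE_ARN_RE.match(rule.get("Arn", ""))
    if not arn:
        return ["rule ARN missing or malformed; cannot determine region and account"]
    region, account = arn["region"], arn["account"]

    if rule.get("State") != "ENABLED":
        findings.append(f"rule state is {rule.get('State')!r}, expected 'ENABLED'")

    # describe-rule returns EventPattern as a JSON string nested inside the JSON document.
    try:
        pattern = json.loads(rule.get("EventPattern") or "{}")
    except json.JSONDecodeError:
        findings.append("event pattern is not valid JSON")
        pattern = {}

    pattern_accounts = pattern.get("account")
    if pattern_accounts is not None and account not in pattern_accounts:
        findings.append(f"event pattern 'account' {pattern_accounts} does not include {account}")

    missing = EXPECTED_SOURCES - set(pattern.get("source", []))
    if missing:
        findings.append("event pattern is missing sources: " + ", ".join(sorted(missing)))

    # The target must be the Conformity default bus in the same region as the rule.
    expected_bus = f"arn:aws:events:{region}:{conformity_account}:event-bus/default"
    if not any(t.get("Arn") == expected_bus for t in targets):
        findings.append(f"no target points at the Conformity event bus {expected_bus}")
    return findings


# Constructed sample documents in the shape of the two CLI commands' output.
CONFORMITY_ACCOUNT = "717210094962"  # from the example target ARN on this page
GOOD_RULE = json.dumps({
    "Name": "CloudConformityMonitoring",
    "Arn": "arn:aws:events:us-east-1:123456789012:rule/CloudConformityMonitoring",
    "EventPattern": json.dumps({"account": ["123456789012"], "source": sorted(EXPECTED_SOURCES)}),
    "State": "ENABLED",
    "EventBusName": "default",
})
GOOD_TARGETS = json.dumps({"Targets": [{
    "Id": "ConformityEventBus",
    "Arn": "arn:aws:events:us-east-1:717210094962:event-bus/default",
}]})
# Misconfigured variant: rule disabled, two sources dropped, target bus in the wrong region.
BAD_RULE = json.dumps({
    "Name": "CloudConformityMonitoring",
    "Arn": "arn:aws:events:us-east-1:123456789012:rule/CloudConformityMonitoring",
    "EventPattern": json.dumps({"account": ["123456789012"],
                                "source": sorted(EXPECTED_SOURCES - {"aws.signin", "aws.macie"})}),
    "State": "DISABLED",
    "EventBusName": "default",
})
BAD_TARGETS = json.dumps({"Targets": [{
    "Id": "ConformityEventBus",
    "Arn": "arn:aws:events:eu-west-1:717210094962:event-bus/default",
}]})

if __name__ == "__main__":
    for label, rule, targets in (("good", GOOD_RULE, GOOD_TARGETS), ("bad", BAD_RULE, BAD_TARGETS)):
        print(label, check_rtm_rule(rule, targets, CONFORMITY_ACCOUNT) or ["OK"])
```

Run it once per region and account with the two CLI outputs saved to files; any non-empty finding list corresponds to a step in the console audit above (state, event pattern, or target) and tells you which one to fix.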

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks provisioned within the AWS account registered with Cloud Conformity:

aws cloudformation list-stacks \
  --region us-east-1 \
  --output table \
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack names:

-----------------------
|     ListStacks      |
+---------------------+
|  CloudConformity    |
|  ProductionWebApp   |
|  WebServerCFNStack  |
+---------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using custom query filters to get the version number of the access policy used by the CloudFormation stack, named "CloudConformity", provided by Cloud Conformity during the registration process:

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name CloudConformity \
  --query 'Stacks[*].Outputs[?(OutputKey==`Version`)].OutputValue[]'

04 The command output should return the version number for the custom access policy used:

[
  "1.0"
]

If the version number returned by the describe-stacks command is lower than the latest policy version number (i.e. 1.1), the access policy in use is outdated and your AWS account is not using the latest version of the Cloud Conformity custom access policy.

05 Repeat steps no. 1 – 4 for each AWS account registered with Cloud Conformity, that you want to examine.

Remediation / Resolution

To update the Cloud Conformity custom access policy for your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS account registered with Cloud Conformity.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack used during the registration process to grant access to your Cloud Conformity account.

04 Click the Actions dropdown button from the CloudFormation dashboard top menu and select Update Stack.

05 On the Select Template page, inside the Choose a template section, select the Specify an Amazon S3 template URL option and paste the following template URL into the box: https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template. Click Next to continue the update process.

06 On the Specify Details page, within Parameters section, update the policy version number available in the Version box and click Next to continue.

07 On the Options page, leave the default settings unchanged, then click Next.

08 On the Review page, inside Capabilities section, select I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, then click Update to update the stack. Once the update process is complete, the stack status should change from UPDATE_IN_PROGRESS to UPDATE_COMPLETE and the Cloud Conformity custom access policy should be updated to the latest version (i.e. 1.1).

09 Repeat steps no. 1 – 8 to update the custom access policy for other AWS accounts registered with Cloud Conformity.

Using AWS CLI

01 Run describe-stacks command (OSX/Linux/UNIX) to describe the parameters of the CloudFormation stack, named "CloudConformity", used by the Cloud Conformity engine during the registration process:

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name CloudConformity \
  --query 'Stacks[*].Parameters[]'

02 The command output should return the requested parameter metadata, which you will need when the CloudFormation stack is updated:

[
  {
    "ParameterValue": "123456789012",
    "ParameterKey": "AccountId"
  },
  {
    "ParameterValue": "1.0",
    "ParameterKey": "Version"
  },
  {
    "ParameterValue": "AAABBBCCCDDD",
    "ParameterKey": "ExternalId"
  }
]

03 Run update-stack command (OSX/Linux/UNIX), passing the configuration details returned at the previous step as parameters, to update the AWS CloudFormation stack used for Cloud Conformity registration. Once the update process is complete, the Cloud Conformity custom access policy will be updated to the latest version (i.e. 1.1):

aws cloudformation update-stack \
  --region us-east-1 \
  --stack-name CloudConformity \
  --template-url https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template \
  --capabilities "CAPABILITY_NAMED_IAM" \
  --parameters ParameterKey="Version",ParameterValue="1.1" ParameterKey="AccountId",ParameterValue="123456789012" ParameterKey="ExternalId",ParameterValue="AAABBBCCCDDD"

04 The command output should return the ID of the updated AWS CloudFormation stack:

{
  "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/CloudConformity/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd"
}

05 Repeat steps no. 1 – 4 to update the custom access policy for other AWS accounts registered with Cloud Conformity.

Publication date Dec 14, 2023