diff --git a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.py b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.py
index b240f4326..aeee2eaf6 100644
--- a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.py
+++ b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.py
@@ -6,8 +6,9 @@ def rule(event):
 event.get("eventSource") == "iam.amazonaws.com"
 and event.get("eventName") == "CreateAccessKey"
 and (
- deep_get(event, "responseElements", "accessKey", "userName")
- not in deep_get(event, "userIdentity", "arn")
+ not deep_get(event, "userIdentity", "arn", default="").endswith(
+ f"user/{deep_get(event, 'responseElements', 'accessKey', 'userName', default='')}"
+ )
 )
 )
@@ -16,7 +17,7 @@ def title(event):
 return (
 f"[{deep_get(event,'userIdentity','arn')}]"
 " created API keys for "
- f"[{deep_get(event,'responseElements','accessKey','userName')}]"
+ f"[{deep_get(event,'responseElements','accessKey','userName', default = '')}]"
 )
diff --git a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml
index db23c4e8e..93f53c144 100644
--- a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml
+++ b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml
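Review bot: The added `endswith(f"user/{…}")` check still raises a self-service false positive for IAM users whose ARN carries a path, because `arn:aws:iam::<acct>:user/<path>/alice` does not end with `user/alice`, so a key such a user creates for themselves is alerted as created for another user. Comparing the final ARN segment with the target user name, and counting it as self-service only when the caller is an IAM user principal, removes that gap while leaving role and root callers alerting exactly as the patched code does (neither ARN form contains `:user/`). The two fixtures added in the .yml hunk cover the `jack`/`jackson` prefix collision but not a path ARN, so an `ExpectedResult: false` fixture whose `userIdentity.arn` has a path would pin the corrected behaviour. rule()'s `def` line and the `return (` sit above the hunk, so the two bindings belong at the top of the function body.
```python
caller_arn = deep_get(event, "userIdentity", "arn", default="")
target_user = deep_get(event, "responseElements", "accessKey", "userName", default="")
# Self-service only when an IAM user principal created its own key; the last
# ARN segment is the user name even when the ARN carries a path.
self_service = ":user/" in caller_arn and caller_arn.rsplit("/", 1)[-1] == target_user
# … unchanged: eventSource / eventName checks …
and not self_service
```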
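Review bot: `default = ''` on the added title() line puts spaces around the keyword-argument `=`, which PEP 8 avoids and which the same call in rule() writes as `default=''`. The `userIdentity.arn` lookup one line above still has no default, so an event lacking that field titles the caller as `[None]` while the target side would render as `[]`; giving both lookups the same default keeps the title consistent: `f"[{deep_get(event,'userIdentity','arn', default='')}]"` and `f"[{deep_get(event,'responseElements','accessKey','userName', default='')}]"`. title()'s `def` line is above the hunk.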
@@ -84,6 +84,83 @@ Tests:
 type: IAMUser
 userName: user1
 Name: user1 create keys for user2
+ - ExpectedResult: true
+ Log:
+ awsRegion: us-east-1
+ eventCategory: Management
+ eventID: "12345"
+ eventName: CreateAccessKey
+ eventSource: iam.amazonaws.com
+ eventTime: "2022-09-27 17:09:18"
+ eventType: AwsApiCall
+ eventVersion: "1.08"
+ managementEvent: true
+ readOnly: false
+ recipientAccountId: "123456789"
+ requestParameters:
+ userName: jack
+ responseElements:
+ accessKey:
+ accessKeyId: ABCDEFG
+ createDate: Sep 27, 2022 5:09:18 PM
+ status: Active
+ userName: jack
+ sourceIPAddress: cloudformation.amazonaws.com
+ userAgent: cloudformation.amazonaws.com
+ userIdentity:
+ accessKeyId: ABCDEFGH
+ accountId: "123456789"
+ arn: arn:aws:iam::123456789:user/jackson
+ invokedBy: cloudformation.amazonaws.com
+ principalId: ABCDEFGH
+ sessionContext:
+ attributes:
+ creationDate: "2022-09-27T17:08:35Z"
+ mfaAuthenticated: "false"
+ sessionIssuer: {}
+ webIdFederationData: {}
+ type: IAMUser
+ userName: user1
+ Name: jackson create keys for jack
+ - ExpectedResult: true
+ Log:
+ awsRegion: us-east-1
+ eventCategory: Management
+ eventID: "12345"
+ eventName: CreateAccessKey
+ eventSource: iam.amazonaws.com
+ eventTime: "2022-09-27 17:09:18"
+ eventType: AwsApiCall
+ eventVersion: "1.08"
+ managementEvent: true
+ readOnly: false
+ recipientAccountId: "123456789"
+ requestParameters:
+ userName: jackson
+ responseElements:
+ accessKey:
+ accessKeyId: ABCDEFG
+ createDate: Sep 27, 2022 5:09:18 PM
+ status: Active
+ userName: jackson
+ sourceIPAddress: cloudformation.amazonaws.com
+ userAgent: cloudformation.amazonaws.com
+ userIdentity:
+ accessKeyId: ABCDEFGH
+ accountId: "123456789"
+ arn: arn:aws:iam::123456789:user/jack
+ invokedBy: cloudformation.amazonaws.com
+ principalId: ABCDEFGH
+ sessionContext:
+ attributes:
+ creationDate: "2022-09-27T17:08:35Z"
+ mfaAuthenticated: "false"
+ sessionIssuer: {}
+ webIdFederationData: {}
+ type: IAMUser
+ userName: user1
+ Name: jack create keys for jackson
+ DedupPeriodMinutes: 60
 LogTypes:
 - AWS.CloudTrail