Skip to content

Instantly share code, notes, and snippets.

@RooieRakkert
Last active April 29, 2021 11:51
Show Gist options
  • Save RooieRakkert/7489a38cda8aaa00faa2a7fa868b8a73 to your computer and use it in GitHub Desktop.
Save RooieRakkert/7489a38cda8aaa00faa2a7fa868b8a73 to your computer and use it in GitHub Desktop.
from python_rules import Rule, deep_get
import rapidjson
def original_get(e, key='event.original', default=None):
# used to return event.original field, deserialized into dictionary
# if key not found, we return empty dict
nested = deep_get(e, *key.split('.'))
if nested is None:
return default
try:
# deserialize, for example a field with '.flattened.' or 'event.original'
return rapidjson.loads(nested)
except: # couldn't be deseralized
return nested
class ConsoleLoginNoSAML(Rule):
# src: https://bit.ly/3a3KtdA
id = "c3e4e9f8-2e3a-4ab6-8824-5a8cc72ea1b1"
title = "Console Login Without SAML"
description = "AWS console login without using SAML"
author = "Bouke Hendriks"
date = "2021/04/08"
tags = []
status = "experimental"
level = "medium"
relation_fields = ['user.name']
relation_period = 604800 # one week
def rule(self, e):
event = original_get(e)
account_id = deep_get(event, 'recipientAccountId')
self.description = f"AWS logins detected without SAML in account [{account_id}]"
event_name = deep_get(event, 'eventName')
if event_name != 'ConsoleLogin':
return False
additional_event_data = deep_get(event, 'additionalEventData', default={})
return (
deep_get(event, 'userIdentity', 'type') != 'AssumedRole'
and not additional_event_data.get('SamlProviderArn')
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment