Wiz Cloud configuration findings
Overview
- Supported environment: SaaS
- Detection based on: Alerts
- Supported application or feature:
- Cloud Configuration Findings
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Configure
Pre-requisite
To setup the integration, you need to have access to Wiz Console.
Create Client ID and Client Secret
- Log in the Wiz console
- Go to
Settings>Service Accounts - Type a name for the new service account. e.g: Sekoia.io Integration
- Select
read:cloud_configurationpermission - Click
Add Service Account - Copy the Client ID and the Client Secret
Create the intake
Go to the intake page and create a new intake from the format Wiz Cloud Configuration Findings.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"id": "projectId0",
"targetExternalId": "CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy",
"deleted": false,
"targetObjectProviderUniqueId": null,
"analyzedAt": "2022-05-01T12:34:12.935495Z",
"firstSeenAt": "2022-05-01T11:34:12.935495Z",
"severity": "HIGH",
"result": "PASS",
"status": "RESOLVED",
"remediation": null,
"resource": {
"id": "projectId0",
"providerId": null,
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"type": "RAW_ACCESS_POLICY",
"region": "us-east-1",
"subscription": {
"id": "projectId0",
"name": "sekoia-integration",
"externalId": "1111111111",
"cloudProvider": "AWS"
},
"projects": [
{
"id": "projectId0",
"name": "Test 1",
"riskProfile": {
"businessImpact": "MBI"
}
},
{
"id": "projectId1",
"name": "Test 3",
"riskProfile": {
"businessImpact": "MBI"
}
}
],
"tags": null
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"graphId": "8dcab068-d52d-4509-98ab-c1e6b1415849",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn",
"description": "This rule checks whether the IAM resource policy is overly permissive. \nThis rule fails if the policy contains a `Statement` where:\n* `Effect` is set to `Allow`\n* `Principal` contains a wildcard (`*`, `AWS:*`)\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\n\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \nIt is strongly recommended to edit the resource policy to exclude this permissive statement.",
"remediationInstructions": "Perform the following commands to delete or modify the IAM policy via AWS CLI: \n1. First, use the following command to list the IAM entities (User\\Role\\Group) that have the policy attached (if any): \n``` \naws iam list-entities-for-policy \\\n --policy-arn <value> \n``` \nIf the policy **is not attached** to IAM entities - proceed to 2a. \nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \n``` \naws iam delete-policy \\\n --policy-arn <value> \n``` \n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \n``` \naws iam get-policy-version \\\n --policy-arn <value> \\\n --version-id <value> \n``` \nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \n``` \naws iam get-policy \\\n --policy-arn <value> \n``` \nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \n``` \naws iam create-policy-version \\\n --policy-arn <value> \\\n --policy-document file://<NewPolicyVersion.json> \\\n --set-as-default \n``` \nTo fix this insecure policy, apply one of the following solutions: \n* Avoid using `\"AWS\": \"*\"` or `\"*\"` principals for the affected resources. \n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.",
"functionAsControl": false
},
"securitySubCategories": [
{
"id": "wsct-id-10798",
"title": "AC.L1-3.1.1 Authorized Access Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
},
{
"id": "wsct-id-10799",
"title": "AC.L1-3.1.2 Transaction & Function Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
}
],
"ignoreRules": null
}
{
"id": "projectId0",
"targetExternalId": "CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy",
"deleted": false,
"targetObjectProviderUniqueId": null,
"analyzedAt": "2022-05-01T12:34:12.935495Z",
"firstSeenAt": "2022-05-01T11:34:12.935495Z",
"severity": "HIGH",
"result": "FAIL",
"status": "RESOLVED",
"remediation": null,
"resource": {
"id": "projectId0",
"providerId": null,
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"type": "RAW_ACCESS_POLICY",
"region": "us-east-1",
"subscription": {
"id": "projectId0",
"name": "sekoia-integration",
"externalId": "1111111111",
"cloudProvider": "AWS"
},
"projects": [
{
"id": "projectId0",
"name": "Test 1",
"riskProfile": {
"businessImpact": "MBI"
}
},
{
"id": "projectId1",
"name": "Test 3",
"riskProfile": {
"businessImpact": "MBI"
}
}
],
"tags": null
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"graphId": "8dcab068-d52d-4509-98ab-c1e6b1415849",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn",
"description": "This rule checks whether the IAM resource policy is overly permissive. \nThis rule fails if the policy contains a `Statement` where:\n* `Effect` is set to `Allow`\n* `Principal` contains a wildcard (`*`, `AWS:*`)\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\n\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \nIt is strongly recommended to edit the resource policy to exclude this permissive statement.",
"remediationInstructions": "Perform the following commands to delete or modify the IAM policy via AWS CLI: \n1. First, use the following command to list the IAM entities (User\\Role\\Group) that have the policy attached (if any): \n``` \naws iam list-entities-for-policy \\\n --policy-arn <value> \n``` \nIf the policy **is not attached** to IAM entities - proceed to 2a. \nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \n``` \naws iam delete-policy \\\n --policy-arn <value> \n``` \n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \n``` \naws iam get-policy-version \\\n --policy-arn <value> \\\n --version-id <value> \n``` \nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \n``` \naws iam get-policy \\\n --policy-arn <value> \n``` \nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \n``` \naws iam create-policy-version \\\n --policy-arn <value> \\\n --policy-document file://<NewPolicyVersion.json> \\\n --set-as-default \n``` \nTo fix this insecure policy, apply one of the following solutions: \n* Avoid using `\"AWS\": \"*\"` or `\"*\"` principals for the affected resources. \n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.",
"functionAsControl": false
},
"securitySubCategories": [
{
"id": "wsct-id-10798",
"title": "AC.L1-3.1.1 Authorized Access Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
},
{
"id": "wsct-id-10799",
"title": "AC.L1-3.1.2 Transaction & Function Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
}
],
"ignoreRules": null
}
{
"id": "projectId0",
"targetExternalId": "CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy",
"deleted": false,
"targetObjectProviderUniqueId": null,
"analyzedAt": "2022-05-01T12:34:12.935495Z",
"firstSeenAt": "2022-05-01T11:34:12.935495Z",
"severity": "HIGH",
"result": "ERROR",
"status": "RESOLVED",
"remediation": null,
"resource": {
"id": "projectId0",
"providerId": null,
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"type": "RAW_ACCESS_POLICY",
"region": "us-east-1",
"subscription": {
"id": "projectId0",
"name": "sekoia-integration",
"externalId": "1111111111",
"cloudProvider": "AWS"
},
"projects": [
{
"id": "projectId0",
"name": "Test 1",
"riskProfile": {
"businessImpact": "MBI"
}
},
{
"id": "projectId1",
"name": "Test 3",
"riskProfile": {
"businessImpact": "MBI"
}
}
],
"tags": null
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"graphId": "8dcab068-d52d-4509-98ab-c1e6b1415849",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn",
"description": "This rule checks whether the IAM resource policy is overly permissive. \nThis rule fails if the policy contains a `Statement` where:\n* `Effect` is set to `Allow`\n* `Principal` contains a wildcard (`*`, `AWS:*`)\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\n\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \nIt is strongly recommended to edit the resource policy to exclude this permissive statement.",
"remediationInstructions": "Perform the following commands to delete or modify the IAM policy via AWS CLI: \n1. First, use the following command to list the IAM entities (User\\Role\\Group) that have the policy attached (if any): \n``` \naws iam list-entities-for-policy \\\n --policy-arn <value> \n``` \nIf the policy **is not attached** to IAM entities - proceed to 2a. \nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \n``` \naws iam delete-policy \\\n --policy-arn <value> \n``` \n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \n``` \naws iam get-policy-version \\\n --policy-arn <value> \\\n --version-id <value> \n``` \nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \n``` \naws iam get-policy \\\n --policy-arn <value> \n``` \nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \n``` \naws iam create-policy-version \\\n --policy-arn <value> \\\n --policy-document file://<NewPolicyVersion.json> \\\n --set-as-default \n``` \nTo fix this insecure policy, apply one of the following solutions: \n* Avoid using `\"AWS\": \"*\"` or `\"*\"` principals for the affected resources. \n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.",
"functionAsControl": false
},
"securitySubCategories": [
{
"id": "wsct-id-10798",
"title": "AC.L1-3.1.1 Authorized Access Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
},
{
"id": "wsct-id-10799",
"title": "AC.L1-3.1.2 Transaction & Function Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
}
],
"ignoreRules": null
}
{
"id": "projectId0",
"targetExternalId": "CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy",
"deleted": false,
"targetObjectProviderUniqueId": null,
"analyzedAt": "2022-05-01T12:34:12.935495Z",
"firstSeenAt": "2022-05-01T11:34:12.935495Z",
"severity": "HIGH",
"result": "NOT_ASSESSED",
"status": "RESOLVED",
"remediation": null,
"resource": {
"id": "projectId0",
"providerId": null,
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"type": "RAW_ACCESS_POLICY",
"region": "us-east-1",
"subscription": {
"id": "projectId0",
"name": "sekoia-integration",
"externalId": "1111111111",
"cloudProvider": "AWS"
},
"projects": [
{
"id": "projectId0",
"name": "Test 1",
"riskProfile": {
"businessImpact": "MBI"
}
},
{
"id": "projectId1",
"name": "Test 3",
"riskProfile": {
"businessImpact": "MBI"
}
}
],
"tags": null
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"graphId": "8dcab068-d52d-4509-98ab-c1e6b1415849",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn",
"description": "This rule checks whether the IAM resource policy is overly permissive. \nThis rule fails if the policy contains a `Statement` where:\n* `Effect` is set to `Allow`\n* `Principal` contains a wildcard (`*`, `AWS:*`)\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\n\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \nIt is strongly recommended to edit the resource policy to exclude this permissive statement.",
"remediationInstructions": "Perform the following commands to delete or modify the IAM policy via AWS CLI: \n1. First, use the following command to list the IAM entities (User\\Role\\Group) that have the policy attached (if any): \n``` \naws iam list-entities-for-policy \\\n --policy-arn <value> \n``` \nIf the policy **is not attached** to IAM entities - proceed to 2a. \nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \n``` \naws iam delete-policy \\\n --policy-arn <value> \n``` \n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \n``` \naws iam get-policy-version \\\n --policy-arn <value> \\\n --version-id <value> \n``` \nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \n``` \naws iam get-policy \\\n --policy-arn <value> \n``` \nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \n``` \naws iam create-policy-version \\\n --policy-arn <value> \\\n --policy-document file://<NewPolicyVersion.json> \\\n --set-as-default \n``` \nTo fix this insecure policy, apply one of the following solutions: \n* Avoid using `\"AWS\": \"*\"` or `\"*\"` principals for the affected resources. \n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.",
"functionAsControl": false
},
"securitySubCategories": [
{
"id": "wsct-id-10798",
"title": "AC.L1-3.1.1 Authorized Access Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
},
{
"id": "wsct-id-10799",
"title": "AC.L1-3.1.2 Transaction & Function Control - Level 1",
"category": {
"id": "wct-id-1871",
"name": "Access Control",
"framework": {
"id": "wf-id-85",
"name": "CMMC v2.0"
}
}
}
],
"ignoreRules": null
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules was found. This message is automatically generated.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Web logs |
None |
Application logs |
None |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | vulnerability |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\n \"id\": \"projectId0\",\n \"targetExternalId\": \"CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy\",\n \"deleted\": false,\n \"targetObjectProviderUniqueId\": null,\n \"analyzedAt\": \"2022-05-01T12:34:12.935495Z\", \"firstSeenAt\": \"2022-05-01T11:34:12.935495Z\",\n \"severity\": \"HIGH\",\n \"result\": \"PASS\",\n \"status\": \"RESOLVED\",\n \"remediation\": null,\n \"resource\": {\n \"id\": \"projectId0\",\n \"providerId\": null,\n \"name\": \"projectId0: ResourcePolicy\",\n \"nativeType\": \"resourcePolicy\",\n \"type\": \"RAW_ACCESS_POLICY\",\n \"region\": \"us-east-1\",\n \"subscription\": {\n \"id\": \"projectId0\",\n \"name\": \"sekoia-integration\",\n \"externalId\": \"1111111111\",\n \"cloudProvider\": \"AWS\"\n },\n \"projects\": [\n {\n \"id\": \"projectId0\",\n \"name\": \"Test 1\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n },\n {\n \"id\": \"projectId1\",\n \"name\": \"Test 3\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n }\n ],\n \"tags\": null\n },\n \"rule\": {\n \"id\": \"fffef92c-3161-4e0a-9acc-055b04f64381\",\n \"graphId\": \"8dcab068-d52d-4509-98ab-c1e6b1415849\",\n \"name\": \"Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn\",\n \"description\": \"This rule checks whether the IAM resource policy is overly permissive. \\nThis rule fails if the policy contains a `Statement` where:\\n* `Effect` is set to `Allow`\\n* `Principal` contains a wildcard (`*`, `AWS:*`)\\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\\n\\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \\nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \\nIt is strongly recommended to edit the resource policy to exclude this permissive statement.\",\n \"remediationInstructions\": \"Perform the following commands to delete or modify the IAM policy via AWS CLI: \\n1. First, use the following command to list the IAM entities (User\\\\Role\\\\Group) that have the policy attached (if any): \\n``` \\naws iam list-entities-for-policy \\\\\\n --policy-arn <value> \\n``` \\nIf the policy **is not attached** to IAM entities - proceed to 2a. \\nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \\n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \\n``` \\naws iam delete-policy \\\\\\n --policy-arn <value> \\n``` \\n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \\n``` \\naws iam get-policy-version \\\\\\n --policy-arn <value> \\\\\\n --version-id <value> \\n``` \\nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \\n``` \\naws iam get-policy \\\\\\n --policy-arn <value> \\n``` \\nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \\n``` \\naws iam create-policy-version \\\\\\n --policy-arn <value> \\\\\\n --policy-document file://<NewPolicyVersion.json> \\\\\\n --set-as-default \\n``` \\nTo fix this insecure policy, apply one of the following solutions: \\n* Avoid using `\\\"AWS\\\": \\\"*\\\"` or `\\\"*\\\"` principals for the affected resources. \\n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \\n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.\",\n \"functionAsControl\": false\n },\n \"securitySubCategories\": [\n {\n \"id\": \"wsct-id-10798\",\n \"title\": \"AC.L1-3.1.1 Authorized Access Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n },\n {\n \"id\": \"wsct-id-10799\",\n \"title\": \"AC.L1-3.1.2 Transaction & Function Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n }\n ],\n \"ignoreRules\": null\n}",
"event": {
"category": [
"vulnerability"
],
"dataset": "Cloud Configuration Finding",
"kind": "alert",
"outcome": "success",
"start": "2022-05-01T11:34:12.935495Z",
"type": [
"info"
]
},
"@timestamp": "2022-05-01T12:34:12.935495Z",
"cloud": {
"account": {
"id": "1111111111"
},
"provider": "aws",
"region": "us-east-1"
},
"log": {
"level": "HIGH"
},
"observer": {
"vendor": "Wiz"
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn"
},
"wiz": {
"findings": {
"deleted": false,
"id": "projectId0",
"resource": {
"id": "projectId0",
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"projects": [
{
"businessImpact": "MBI",
"id": "projectId0",
"name": "Test 1"
},
{
"businessImpact": "MBI",
"id": "projectId1",
"name": "Test 3"
}
],
"type": "RAW_ACCESS_POLICY"
},
"result": "PASS",
"securitySubCategories": {
"titles": [
"AC.L1-3.1.1 Authorized Access Control - Level 1",
"AC.L1-3.1.2 Transaction & Function Control - Level 1"
]
},
"status": "RESOLVED"
}
}
}
{
"message": "{\n \"id\": \"projectId0\",\n \"targetExternalId\": \"CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy\",\n \"deleted\": false,\n \"targetObjectProviderUniqueId\": null,\n \"analyzedAt\": \"2022-05-01T12:34:12.935495Z\", \"firstSeenAt\": \"2022-05-01T11:34:12.935495Z\",\n \"severity\": \"HIGH\",\n \"result\": \"FAIL\",\n \"status\": \"RESOLVED\",\n \"remediation\": null,\n \"resource\": {\n \"id\": \"projectId0\",\n \"providerId\": null,\n \"name\": \"projectId0: ResourcePolicy\",\n \"nativeType\": \"resourcePolicy\",\n \"type\": \"RAW_ACCESS_POLICY\",\n \"region\": \"us-east-1\",\n \"subscription\": {\n \"id\": \"projectId0\",\n \"name\": \"sekoia-integration\",\n \"externalId\": \"1111111111\",\n \"cloudProvider\": \"AWS\"\n },\n \"projects\": [\n {\n \"id\": \"projectId0\",\n \"name\": \"Test 1\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n },\n {\n \"id\": \"projectId1\",\n \"name\": \"Test 3\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n }\n ],\n \"tags\": null\n },\n \"rule\": {\n \"id\": \"fffef92c-3161-4e0a-9acc-055b04f64381\",\n \"graphId\": \"8dcab068-d52d-4509-98ab-c1e6b1415849\",\n \"name\": \"Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn\",\n \"description\": \"This rule checks whether the IAM resource policy is overly permissive. \\nThis rule fails if the policy contains a `Statement` where:\\n* `Effect` is set to `Allow`\\n* `Principal` contains a wildcard (`*`, `AWS:*`)\\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\\n\\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \\nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \\nIt is strongly recommended to edit the resource policy to exclude this permissive statement.\",\n \"remediationInstructions\": \"Perform the following commands to delete or modify the IAM policy via AWS CLI: \\n1. First, use the following command to list the IAM entities (User\\\\Role\\\\Group) that have the policy attached (if any): \\n``` \\naws iam list-entities-for-policy \\\\\\n --policy-arn <value> \\n``` \\nIf the policy **is not attached** to IAM entities - proceed to 2a. \\nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \\n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \\n``` \\naws iam delete-policy \\\\\\n --policy-arn <value> \\n``` \\n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \\n``` \\naws iam get-policy-version \\\\\\n --policy-arn <value> \\\\\\n --version-id <value> \\n``` \\nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \\n``` \\naws iam get-policy \\\\\\n --policy-arn <value> \\n``` \\nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \\n``` \\naws iam create-policy-version \\\\\\n --policy-arn <value> \\\\\\n --policy-document file://<NewPolicyVersion.json> \\\\\\n --set-as-default \\n``` \\nTo fix this insecure policy, apply one of the following solutions: \\n* Avoid using `\\\"AWS\\\": \\\"*\\\"` or `\\\"*\\\"` principals for the affected resources. \\n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \\n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.\",\n \"functionAsControl\": false\n },\n \"securitySubCategories\": [\n {\n \"id\": \"wsct-id-10798\",\n \"title\": \"AC.L1-3.1.1 Authorized Access Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n },\n {\n \"id\": \"wsct-id-10799\",\n \"title\": \"AC.L1-3.1.2 Transaction & Function Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n }\n ],\n \"ignoreRules\": null\n}",
"event": {
"category": [
"vulnerability"
],
"dataset": "Cloud Configuration Finding",
"kind": "alert",
"outcome": "failure",
"start": "2022-05-01T11:34:12.935495Z",
"type": [
"info"
]
},
"@timestamp": "2022-05-01T12:34:12.935495Z",
"cloud": {
"account": {
"id": "1111111111"
},
"provider": "aws",
"region": "us-east-1"
},
"log": {
"level": "HIGH"
},
"observer": {
"vendor": "Wiz"
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn"
},
"wiz": {
"findings": {
"deleted": false,
"id": "projectId0",
"resource": {
"id": "projectId0",
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"projects": [
{
"businessImpact": "MBI",
"id": "projectId0",
"name": "Test 1"
},
{
"businessImpact": "MBI",
"id": "projectId1",
"name": "Test 3"
}
],
"type": "RAW_ACCESS_POLICY"
},
"result": "FAIL",
"securitySubCategories": {
"titles": [
"AC.L1-3.1.1 Authorized Access Control - Level 1",
"AC.L1-3.1.2 Transaction & Function Control - Level 1"
]
},
"status": "RESOLVED"
}
}
}
{
"message": "{\n \"id\": \"projectId0\",\n \"targetExternalId\": \"CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy\",\n \"deleted\": false,\n \"targetObjectProviderUniqueId\": null,\n \"analyzedAt\": \"2022-05-01T12:34:12.935495Z\", \"firstSeenAt\": \"2022-05-01T11:34:12.935495Z\",\n \"severity\": \"HIGH\",\n \"result\": \"ERROR\",\n \"status\": \"RESOLVED\",\n \"remediation\": null,\n \"resource\": {\n \"id\": \"projectId0\",\n \"providerId\": null,\n \"name\": \"projectId0: ResourcePolicy\",\n \"nativeType\": \"resourcePolicy\",\n \"type\": \"RAW_ACCESS_POLICY\",\n \"region\": \"us-east-1\",\n \"subscription\": {\n \"id\": \"projectId0\",\n \"name\": \"sekoia-integration\",\n \"externalId\": \"1111111111\",\n \"cloudProvider\": \"AWS\"\n },\n \"projects\": [\n {\n \"id\": \"projectId0\",\n \"name\": \"Test 1\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n },\n {\n \"id\": \"projectId1\",\n \"name\": \"Test 3\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n }\n ],\n \"tags\": null\n },\n \"rule\": {\n \"id\": \"fffef92c-3161-4e0a-9acc-055b04f64381\",\n \"graphId\": \"8dcab068-d52d-4509-98ab-c1e6b1415849\",\n \"name\": \"Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn\",\n \"description\": \"This rule checks whether the IAM resource policy is overly permissive. \\nThis rule fails if the policy contains a `Statement` where:\\n* `Effect` is set to `Allow`\\n* `Principal` contains a wildcard (`*`, `AWS:*`)\\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\\n\\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \\nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \\nIt is strongly recommended to edit the resource policy to exclude this permissive statement.\",\n \"remediationInstructions\": \"Perform the following commands to delete or modify the IAM policy via AWS CLI: \\n1. First, use the following command to list the IAM entities (User\\\\Role\\\\Group) that have the policy attached (if any): \\n``` \\naws iam list-entities-for-policy \\\\\\n --policy-arn <value> \\n``` \\nIf the policy **is not attached** to IAM entities - proceed to 2a. \\nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \\n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \\n``` \\naws iam delete-policy \\\\\\n --policy-arn <value> \\n``` \\n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \\n``` \\naws iam get-policy-version \\\\\\n --policy-arn <value> \\\\\\n --version-id <value> \\n``` \\nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \\n``` \\naws iam get-policy \\\\\\n --policy-arn <value> \\n``` \\nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \\n``` \\naws iam create-policy-version \\\\\\n --policy-arn <value> \\\\\\n --policy-document file://<NewPolicyVersion.json> \\\\\\n --set-as-default \\n``` \\nTo fix this insecure policy, apply one of the following solutions: \\n* Avoid using `\\\"AWS\\\": \\\"*\\\"` or `\\\"*\\\"` principals for the affected resources. \\n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \\n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.\",\n \"functionAsControl\": false\n },\n \"securitySubCategories\": [\n {\n \"id\": \"wsct-id-10798\",\n \"title\": \"AC.L1-3.1.1 Authorized Access Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n },\n {\n \"id\": \"wsct-id-10799\",\n \"title\": \"AC.L1-3.1.2 Transaction & Function Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n }\n ],\n \"ignoreRules\": null\n}",
"event": {
"category": [
"vulnerability"
],
"dataset": "Cloud Configuration Finding",
"kind": "alert",
"outcome": "failure",
"start": "2022-05-01T11:34:12.935495Z",
"type": [
"info"
]
},
"@timestamp": "2022-05-01T12:34:12.935495Z",
"cloud": {
"account": {
"id": "1111111111"
},
"provider": "aws",
"region": "us-east-1"
},
"log": {
"level": "HIGH"
},
"observer": {
"vendor": "Wiz"
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn"
},
"wiz": {
"findings": {
"deleted": false,
"id": "projectId0",
"resource": {
"id": "projectId0",
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"projects": [
{
"businessImpact": "MBI",
"id": "projectId0",
"name": "Test 1"
},
{
"businessImpact": "MBI",
"id": "projectId1",
"name": "Test 3"
}
],
"type": "RAW_ACCESS_POLICY"
},
"result": "ERROR",
"securitySubCategories": {
"titles": [
"AC.L1-3.1.1 Authorized Access Control - Level 1",
"AC.L1-3.1.2 Transaction & Function Control - Level 1"
]
},
"status": "RESOLVED"
}
}
}
{
"message": "{\n \"id\": \"projectId0\",\n \"targetExternalId\": \"CloudPlatform/EncryptionKey##arn:aws:kms:eu-west-3:11111111:key/projectId0##ResourcePolicy\",\n \"deleted\": false,\n \"targetObjectProviderUniqueId\": null,\n \"analyzedAt\": \"2022-05-01T12:34:12.935495Z\", \"firstSeenAt\": \"2022-05-01T11:34:12.935495Z\",\n \"severity\": \"HIGH\",\n \"result\": \"NOT_ASSESSED\",\n \"status\": \"RESOLVED\",\n \"remediation\": null,\n \"resource\": {\n \"id\": \"projectId0\",\n \"providerId\": null,\n \"name\": \"projectId0: ResourcePolicy\",\n \"nativeType\": \"resourcePolicy\",\n \"type\": \"RAW_ACCESS_POLICY\",\n \"region\": \"us-east-1\",\n \"subscription\": {\n \"id\": \"projectId0\",\n \"name\": \"sekoia-integration\",\n \"externalId\": \"1111111111\",\n \"cloudProvider\": \"AWS\"\n },\n \"projects\": [\n {\n \"id\": \"projectId0\",\n \"name\": \"Test 1\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n },\n {\n \"id\": \"projectId1\",\n \"name\": \"Test 3\",\n \"riskProfile\": {\n \"businessImpact\": \"MBI\"\n }\n }\n ],\n \"tags\": null\n },\n \"rule\": {\n \"id\": \"fffef92c-3161-4e0a-9acc-055b04f64381\",\n \"graphId\": \"8dcab068-d52d-4509-98ab-c1e6b1415849\",\n \"name\": \"Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn\",\n \"description\": \"This rule checks whether the IAM resource policy is overly permissive. \\nThis rule fails if the policy contains a `Statement` where:\\n* `Effect` is set to `Allow`\\n* `Principal` contains a wildcard (`*`, `AWS:*`)\\n* `Resource` contains an ARN of `execute-api`, `s3`, or `sqs`, or a wildcard (`*`) which includes these resources\\n* `Condition` of type `ForAllValues.aws:PrincipalArn` exists\\n\\nSetting the principal clause for all (`*`, `AWS:*`) in Amazon S3, SQS, and API Gateway resources could inadvertently allow anonymous access to resources, and the `ForAllValues` condition quantifier evaluates to `True` if no key is given, such as in the case of an unauthenticated user. \\nSuch policy statement elements could inadvertently allow anonymous access to resources in these services. \\nIt is strongly recommended to edit the resource policy to exclude this permissive statement.\",\n \"remediationInstructions\": \"Perform the following commands to delete or modify the IAM policy via AWS CLI: \\n1. First, use the following command to list the IAM entities (User\\\\Role\\\\Group) that have the policy attached (if any): \\n``` \\naws iam list-entities-for-policy \\\\\\n --policy-arn <value> \\n``` \\nIf the policy **is not attached** to IAM entities - proceed to 2a. \\nIf the policy **is attached** to one or more IAM entities - proceed to 2b. \\n2a. As this policy is not in use, It is recommended to delete it. Use the following command to delete the policy: \\n``` \\naws iam delete-policy \\\\\\n --policy-arn <value> \\n``` \\n2b. It is recommended to edit the policy to remove the permissive action. First, use the following command to view the actions of the policy: \\n``` \\naws iam get-policy-version \\\\\\n --policy-arn <value> \\\\\\n --version-id <value> \\n``` \\nIf you are not sure what the policy version id is, use the following command to check. The current version id is the `DefaultVersionId`. \\n``` \\naws iam get-policy \\\\\\n --policy-arn <value> \\n``` \\nOnce you have located the overly-permissive action(s), create a new JSON file that excludes the permissive actions. Use the following command to create a new policy version and set it to default: \\n``` \\naws iam create-policy-version \\\\\\n --policy-arn <value> \\\\\\n --policy-document file://<NewPolicyVersion.json> \\\\\\n --set-as-default \\n``` \\nTo fix this insecure policy, apply one of the following solutions: \\n* Avoid using `\\\"AWS\\\": \\\"*\\\"` or `\\\"*\\\"` principals for the affected resources. \\n Allowing wide access to a resource is insecure. Instead, use specific principals with their AWS account id. \\n* For a single-valued condition key like `PrincipalArn`, use the `StringEquals` / `StringLike` condition operators instead of the `ForAllValues` operator.\",\n \"functionAsControl\": false\n },\n \"securitySubCategories\": [\n {\n \"id\": \"wsct-id-10798\",\n \"title\": \"AC.L1-3.1.1 Authorized Access Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n },\n {\n \"id\": \"wsct-id-10799\",\n \"title\": \"AC.L1-3.1.2 Transaction & Function Control - Level 1\",\n \"category\": {\n \"id\": \"wct-id-1871\",\n \"name\": \"Access Control\",\n \"framework\": {\n \"id\": \"wf-id-85\",\n \"name\": \"CMMC v2.0\"\n }\n }\n }\n ],\n \"ignoreRules\": null\n}",
"event": {
"category": [
"vulnerability"
],
"dataset": "Cloud Configuration Finding",
"kind": "alert",
"start": "2022-05-01T11:34:12.935495Z",
"type": [
"info"
]
},
"@timestamp": "2022-05-01T12:34:12.935495Z",
"cloud": {
"account": {
"id": "1111111111"
},
"provider": "aws",
"region": "us-east-1"
},
"log": {
"level": "HIGH"
},
"observer": {
"vendor": "Wiz"
},
"rule": {
"id": "fffef92c-3161-4e0a-9acc-055b04f64381",
"name": "Resource policy should not allow all principals with a condition of ForAllValues and PrincipalArn"
},
"wiz": {
"findings": {
"deleted": false,
"id": "projectId0",
"resource": {
"id": "projectId0",
"name": "projectId0: ResourcePolicy",
"nativeType": "resourcePolicy",
"projects": [
{
"businessImpact": "MBI",
"id": "projectId0",
"name": "Test 1"
},
{
"businessImpact": "MBI",
"id": "projectId1",
"name": "Test 3"
}
],
"type": "RAW_ACCESS_POLICY"
},
"result": "NOT_ASSESSED",
"securitySubCategories": {
"titles": [
"AC.L1-3.1.1 Authorized Access Control - Level 1",
"AC.L1-3.1.2 Transaction & Function Control - Level 1"
]
},
"status": "RESOLVED"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
cloud.account.id |
keyword |
The cloud account or organization id. |
cloud.provider |
keyword |
Name of the cloud provider. |
cloud.region |
keyword |
Region in which this host, resource, or service is located. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.dataset |
keyword |
Name of the dataset. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.start |
date |
event.start contains the date when the event started or when the activity was first observed. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
log.level |
keyword |
Log level of the log event. |
observer.vendor |
keyword |
Vendor name of the observer. |
rule.id |
keyword |
Rule ID |
rule.name |
keyword |
Rule name |
wiz.findings.deleted |
boolean |
|
wiz.findings.id |
keyword |
|
wiz.findings.resource.id |
keyword |
|
wiz.findings.resource.name |
keyword |
|
wiz.findings.resource.nativeType |
keyword |
|
wiz.findings.resource.projects |
array |
|
wiz.findings.resource.type |
keyword |
|
wiz.findings.result |
keyword |
|
wiz.findings.securitySubCategories.titles |
array |
|
wiz.findings.status |
keyword |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.