Query Details
AWSCloudTrail
// Only successful KMS key creations and key-policy replacements
| where (EventName == "CreateKey" or EventName == "PutKeyPolicy")
    and isempty(ErrorCode)
    and isempty(ErrorMessage)
// RequestParameters.policy carries the key policy as a JSON string; expand to one row per statement
| mv-expand Statement = todynamic(tostring(todynamic(RequestParameters)["policy"]))["Statement"]
| extend
    Action = tostring(Statement["Action"]),
    Effect = tostring(Statement["Effect"]),
    Principal = tostring(Statement["Principal"])
// Keep Allow statements granted to the wildcard principal; uncomment the Action clause to narrow to specific permissions
| where Effect == "Allow" and Principal has "*" // and Action has_any ("kms:Encrypt", "kms:*")
// Collapse back to one row per CloudTrail event
| summarize take_any(*) by AwsEventId
// Workspace function from the AWS solution that resolves the acting and assumed roles
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    TargetRole,
    TargetRoleSessionName,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    Statement = todynamic(tostring(todynamic(RequestParameters)["policy"]))["Statement"],
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId
This query searches the AWSCloudTrail table for successful "CreateKey" and "PutKeyPolicy" calls, i.e. those with no ErrorCode or ErrorMessage. It parses the key policy JSON from RequestParameters, expands it into one row per policy Statement, and extracts the statement's Action, Effect and Principal. It then keeps only statements with Effect "Allow" whose Principal contains "*", which is a key policy that grants access to any AWS principal. The rows are collapsed back to one per AwsEventId with take_any, enriched by the AWSIdentityRole function to resolve the acting and target roles, and projected to the identity, session, source and event columns listed above, along with the matching Statement and the raw request and response fields.
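The same detection logic, as an added example that is not part of the original query page, written in Python over constructed CloudTrail records so it can be run offline. It goes slightly beyond the KQL: it handles the principal forms IAM accepts (a bare "*", {"AWS": "*"}, or "*" inside a list), a Statement given as a single object rather than a list, and it records whether a matching statement carries a Condition block, since a wildcard principal scoped by aws:PrincipalOrgID is a different risk from an unconditioned one. All event IDs, key IDs, account numbers and org IDs below are placeholders.

```python
import json
from typing import Any


def principal_is_wildcard(principal: Any) -> bool:
    """True for the principal forms that grant access to any AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def as_list(value: Any) -> list:
    """IAM lets Statement and Action be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements_from_policy(policy_json: str) -> list[dict]:
    """Parse the key policy string found in requestParameters.policy."""
    doc = json.loads(policy_json)
    return [s for s in as_list(doc.get("Statement")) if isinstance(s, dict)]


def public_grants(event: dict) -> list[dict]:
    """One finding per Allow statement with a wildcard principal in a successful
    CreateKey/PutKeyPolicy call, mirroring the KQL filter above."""
    if event.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
        return []
    if event.get("errorCode") or event.get("errorMessage"):
        return []  # failed call: the policy was never applied
    policy = (event.get("requestParameters") or {}).get("policy")
    if not policy:
        return []  # CreateKey without an explicit policy gets the default key policy
    findings = []
    for stmt in statements_from_policy(policy):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "eventID": event.get("eventID"),
            "eventName": event["eventName"],
            "sid": stmt.get("Sid"),
            "actions": as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),  # scoped wildcard vs. truly public
        })
    return findings


def scan(events: list[dict]) -> list[dict]:
    return [f for e in events for f in public_grants(e)]


def _policy(statement: Any) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": statement})


# Constructed sample records (placeholder identifiers, not real account data).
SAMPLE_EVENTS = [
    # 1. Explicit public grant with no condition: the case the KQL query is after.
    {"eventID": "evt-1", "eventName": "PutKeyPolicy",
     "requestParameters": {"keyId": "KEY-ID-PLACEHOLDER", "policyName": "default",
                           "policy": _policy([
                               {"Sid": "owner", "Effect": "Allow",
                                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                                "Action": "kms:*", "Resource": "*"},
                               {"Sid": "public", "Effect": "Allow", "Principal": "*",
                                "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}])}},
    # 2. Wildcard inside an AWS list, but scoped to the organisation by a Condition.
    {"eventID": "evt-2", "eventName": "CreateKey",
     "requestParameters": {"policy": _policy([
         {"Sid": "org", "Effect": "Allow",
          "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "*"]},
          "Action": "kms:Decrypt", "Resource": "*",
          "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}])}},
    # 3. Same public policy, but the call was denied; CloudTrail records errorCode.
    {"eventID": "evt-3", "eventName": "PutKeyPolicy", "errorCode": "AccessDenied",
     "requestParameters": {"policy": _policy([{"Sid": "public", "Effect": "Allow",
                                              "Principal": "*", "Action": "kms:*",
                                              "Resource": "*"}])}},
    # 4. Explicit Deny for everyone: wildcard principal but not a grant.
    {"eventID": "evt-4", "eventName": "PutKeyPolicy",
     "requestParameters": {"policy": _policy({"Effect": "Deny", "Principal": "*",
                                             "Action": "kms:*", "Resource": "*"})}},
    # 5. Statement given as a single object rather than a list.
    {"eventID": "evt-5", "eventName": "PutKeyPolicy",
     "requestParameters": {"policy": _policy({"Sid": "single", "Effect": "Allow",
                                             "Principal": {"AWS": "*"},
                                             "Action": "kms:Encrypt", "Resource": "*"})}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the script flags evt-1, evt-2 and evt-5 and skips the failed call and the Deny statement. The `conditioned` flag is the caveat worth carrying into triage: the KQL query does not inspect the Condition block, so a wildcard principal restricted by aws:PrincipalOrgID or a similar key will alert with the same severity as an unconditioned public grant and should be separated during review.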

Jose Sebastián Canós
Released: October 25, 2023