Security controls for security log management

Prohibit changes to Amazon CloudWatch Logs log group settings

Amazon CloudWatch Logs can hold logs such as database audit logs, which some audit requirements say must never be deleted or modified. An SCP can restrict those operations and harden the protection. Note that the exemption pattern `arn:aws:iam::*:role/*SEC*` is a wildcard match: any role in any account whose name contains SEC is exempted, so choose a pattern that only your security administrator roles satisfy.

Replace Resource with the ARN of the Amazon CloudWatch Logs log group you want to protect;

Replace PrincipalArn in the condition with the role that is allowed to change log group settings, for example the security administrator's ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRLOGGROUPPOLICY",
            "Effect": "Deny",
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:<groupname>"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/*SEC*"
                    ]
                }
            }
        }
    ]
}

Prohibit changes to the specified Amazon CloudWatch Events rules

Replace Resource with the ARN of the Amazon CloudWatch Events rule you want to protect;

Replace PrincipalArn in the condition with the role that is allowed to change these rules, for example the security administrator's ARN (the example below exempts the AWSControlTowerExecution role).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDWATCHEVENTPOLICY",
      "Effect": "Deny",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DisableRule",
        "events:DeleteRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/aws-controltower-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}

Prohibit deletion of AWS Config Aggregation Authorizations

An AWS Config aggregation authorization allows an aggregator account to collect your AWS Config compliance and configuration data. If it is deleted, that data can no longer be collected and aggregated.

Replace Resource with the ARN of the AWS Config aggregation authorization you want to protect;

Replace PrincipalArn in the condition with the role that is allowed to delete aggregation authorizations, for example the security administrator's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGAGGREGATIONAUTHORIZATIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:DeleteAggregationAuthorization"
      ],
      "Resource": [
        "arn:aws:config:*:*:aggregation-authorization*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/*SEC*"
        }
      }
    }
  ]
}

Prohibit deletion of the log archive account's S3 buckets

Buckets that store logs can be protected against deletion with an SCP. Only security administrators are allowed to delete, and only with MFA. Because the condition blocks inside one statement are ANDed, a single statement carrying both conditions would deny only principals that are neither a security administrator nor using MFA; a developer role with MFA, or a security administrator without MFA, would get through. To require both, use two Deny statements, one per condition. On a versioned bucket, s3:DeleteObjectVersion permanently removes data, so it is denied as well, and the Resource must list both the bucket ARN and the object ARN (bucket/*) so that the object-level actions match.

Replace Resource with the ARN of the S3 bucket you want to protect (both the bucket and bucket/*);

Replace PrincipalArn in the condition with the role that is allowed to delete from the bucket, for example the security administrator's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETDELETIONPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<log-archive-bucket>",
        "arn:aws:s3:::<log-archive-bucket>/*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/*SEC*"
        }
      }
    },
    {
      "Sid": "GRAUDITBUCKETDELETIONREQUIRESMFA",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<log-archive-bucket>",
        "arn:aws:s3:::<log-archive-bucket>/*"
      ],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
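To see concretely why "security administrators only, and only with MFA" needs two Deny statements rather than one statement with two conditions, here is a small Python evaluator. It is added as an example and is not part of the original page or of any AWS tooling. It models only the operators the SCPs on this page use (StringNotLike/ArnNotLike with glob matching, and BoolIfExists) and compares the one-statement and two-statement forms against a constructed request context; the bucket name, role names and account ID are made up.

```python
"""Tiny evaluator for the Deny-only SCPs on this page (added example, not AWS code).

It implements just the operators those policies use, StringNotLike / ArnNotLike
and BoolIfExists, with glob matching as in ArnLike. Its purpose is to show how
several condition blocks in ONE statement are ANDed, which is why "only security
admins, and only with MFA" needs two statements.
"""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(value, patterns):
    """Case-sensitive glob match, the '*' and '?' semantics ArnLike/StringLike use."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """Every operator block and every key inside a statement must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())  # condition key names are case-insensitive
            if operator in ("StringNotLike", "ArnNotLike"):
                # Negated operator: satisfied when the value matches none of the patterns
                if actual is not None and _glob_any(actual, expected):
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists: a missing key counts as a match; otherwise compare the value
                if actual is not None and actual != _as_list(expected)[0].lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_denied(policy, action, resource, principal_arn, mfa_present=None):
    """True if any Deny statement matches the action, resource and request context."""
    ctx = {"aws:principalarn": principal_arn}
    if mfa_present is not None:  # role sessions assumed without MFA simply lack the key
        ctx["aws:multifactorauthpresent"] = str(mfa_present).lower()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _glob_any(action, stmt["Action"]) or not _glob_any(resource, stmt["Resource"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Names below (bucket, roles, account id) are made up for this example.
BUCKET = "arn:aws:s3:::org-log-archive"
OBJECT = BUCKET + "/AWSLogs/111122223333/CloudTrail/x.json.gz"
NOT_SEC = {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/*SEC*"}}
NO_MFA = {"BoolIfExists": {"aws:MultiFactorAuthPresent": ["false"]}}
ACTIONS = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"]
RESOURCES = [BUCKET, BUCKET + "/*"]

# One statement with both conditions: Deny fires only when BOTH conditions hold.
ONE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ACTIONS, "Resource": RESOURCES,
     "Condition": {**NOT_SEC, **NO_MFA}}]}

# Two statements: Deny if not a SEC role, and separately Deny if no MFA.
TWO_STATEMENTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ACTIONS, "Resource": RESOURCES, "Condition": NOT_SEC},
    {"Effect": "Deny", "Action": ACTIONS, "Resource": RESOURCES, "Condition": NO_MFA}]}

DEV = "arn:aws:iam::111122223333:role/Developer"
SEC = "arn:aws:iam::111122223333:role/SEC-Admin"


def compare(policy):
    """(Developer with MFA denied?, SEC without MFA denied?, SEC with MFA denied?)"""
    return (
        is_denied(policy, "s3:DeleteObject", OBJECT, DEV, mfa_present=True),
        is_denied(policy, "s3:DeleteObject", OBJECT, SEC),
        is_denied(policy, "s3:DeleteObject", OBJECT, SEC, mfa_present=True),
    )


if __name__ == "__main__":
    print("one statement :", compare(ONE_STATEMENT))   # (False, False, False)
    print("two statements:", compare(TWO_STATEMENTS))  # (True, True, False)
```

Run directly, the one-statement form returns (False, False, False): the Developer role with MFA and the SEC role without MFA are both let through, and only a Developer without MFA is denied. The two-statement form returns (True, True, False): both of those requests are denied and only the SEC role with MFA may delete.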

Prohibit changes to the CloudTrail configuration

Changes to the CloudTrail configuration should be prohibited in every OU; this stops an attacker from turning CloudTrail off to evade security alerts. Keep in mind that SCPs never restrict the organization's management account, so actions taken there are not covered by this control.

Replace Resource with the ARN of the CloudTrail trail you want to protect;

Replace PrincipalArn in the condition with the role that is allowed to change the trail configuration, for example the security administrator's ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRCLOUDTRAILENABLED",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail"
            ],
            "Resource": ["arn:aws:cloudtrail:*:*:trail/*"],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN":"arn:aws:iam::*:role/*SEC*"
                }
            }
        }
    ]
}
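Attempts that this SCP blocks still appear in CloudTrail as AccessDenied events, and a protected call that succeeds from a role outside the security-administrator pattern means the SCP is not attached to that account. The following Python check, added here as an example and not the page's or AWS's code, classifies CloudTrail records accordingly. The records are constructed: the account ID, role and session names and the trail name are made up, and the errorMessage text is modelled on the explicit-deny wording CloudTrail records.

```python
"""Flag CloudTrail-tampering attempts in CloudTrail's own records (added example).

Calls that an SCP denies are still logged, with errorCode "AccessDenied" and an
errorMessage naming the explicit deny. A protected call that succeeds from a
role outside the security-admin pattern means the SCP is not attached there.
The events below are constructed and trimmed to the fields the check reads.
"""
import re

# The actions the CloudTrail SCP on this page denies for non-security roles
PROTECTED_ACTIONS = {"DeleteTrail", "PutEventSelectors", "StopLogging", "UpdateTrail"}
# Mirrors the SCP exemption arn:aws:iam::*:role/*SEC*: any role whose name contains SEC
ALLOWED_ROLE = re.compile(r"SEC")
# Assumed-role sessions appear as arn:aws:sts::<acct>:assumed-role/<RoleName>/<session>
ROLE_IN_SESSION_ARN = re.compile(r":assumed-role/([^/]+)/")

# Constructed sample records (account id, role/session names and trail name are made up)
ACCT = "111122223333"
SAMPLE_EVENTS = [
    {   # blocked by the SCP
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/Developer/alice"},
        "errorCode": "AccessDenied",
        "errorMessage": (f"User: arn:aws:sts::{ACCT}:assumed-role/Developer/alice is not "
                         "authorized to perform: cloudtrail:StopLogging on resource: "
                         f"arn:aws:cloudtrail:us-east-1:{ACCT}:trail/org-trail with an "
                         "explicit deny in a service control policy"),
    },
    {   # authorized change by a security-admin role
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "UpdateTrail",
        "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/SEC-Admin/bob"},
    },
    {   # read-only call, not interesting
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DescribeTrails",
        "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/Developer/alice"},
    },
    {   # succeeded from a non-security role: the SCP is not protecting this account
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DeleteTrail",
        "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/Developer/alice"},
    },
]


def role_name(principal_arn):
    """Role name from an assumed-role session ARN, or None for IAM users and root."""
    m = ROLE_IN_SESSION_ARN.search(principal_arn)
    return m.group(1) if m else None


def classify(event):
    """Return a finding for protected CloudTrail actions, None for everything else."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    action = event.get("eventName")
    if action not in PROTECTED_ACTIONS:
        return None
    arn = event.get("userIdentity", {}).get("arn", "")
    role = role_name(arn)
    authorized = role is not None and ALLOWED_ROLE.search(role) is not None
    blocked = event.get("errorCode") == "AccessDenied"
    if blocked:
        severity = "medium"   # the attempt was stopped, but someone tried
    elif authorized:
        severity = "info"     # expected change by the exempted role
    else:
        severity = "high"     # tampering succeeded: SCP missing or bypassed
    return {
        "time": event.get("eventTime"),
        "principal": arn,
        "action": action,
        "blocked": blocked,
        "scp_deny": "service control policy" in event.get("errorMessage", ""),
        "severity": severity,
    }


def find_tamper_attempts(events):
    """All findings for a batch of CloudTrail records, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in find_tamper_attempts(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['time']} {f['action']:16} {f['principal']}")
```

The "high" case is the one to page on: a protected action that succeeded from a role the SCP should have blocked indicates the policy is not attached to that account's OU, or the call came from the management account, which SCPs do not restrict.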

Prohibit changes to SNS subscription configuration

The topic that delivers security notifications should not have subscriptions added or removed by anyone other than the security administrator; otherwise alerts could be redirected or silently dropped.

Replace Resource with the ARN of the SNS topic you want to protect;

Replace PrincipalArn in the condition with the role that is allowed to change subscriptions on the topic, for example the security administrator's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRSNSSUBSCRIPTIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": [
        "arn:aws:sns:*:*:SecurityNotifications"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN":"arn:aws:iam::*:role/SEC"
        }
      }
    }
  ]
}

Prohibit changes to Amazon S3 bucket encryption configuration

For S3 buckets whose encryption policy the security administrator has already configured, changes to these protections are prohibited.

Replace Resource with the ARN of the S3 bucket you want to protect (the example below uses "*", which covers every bucket in the accounts the SCP is attached to);

Replace PrincipalArn in the condition with the role that is allowed to change the encryption configuration, for example the security administrator's ARN (the example below exempts the AWSControlTowerExecution role).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRAUDITBUCKETENCRYPTIONENABLED",
            "Effect": "Deny",
            "Action": [
                "s3:PutEncryptionConfiguration"
            ],
            "Resource": ["*"],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            }
        }
    ]
}
