topic Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy in Splunk Search

Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

neerajs_81 — Fri, 15 Oct 2021 13:26:44 GMT

Can someone help me to build a search query for the below use case ?

My use case is to detect if any S3 buckets have been set for Public access via PutBucketPolicy event. So far thanks to help from Folks ( @ITWhisperer and @isoutamo on this Community, i have got my search to check for fields Effect and Principal both should have values "Allow" and " * or {AWS:*} " respectively for the same SID. Basically the following 2 conditions must be met for a particular SID.

Effect: Allow
Principal: * OR {AWS:*}
-----------------------
Next i want to further filter based on the field "Condition" . How to just filter if "Condition" exists or not ?

Below is a snippet of raw event data

"eventName": "PutBucketPolicy" "awsRegion": "us-east-1" "sourceIPAddress": "N.N.N.N" "userAgent": "[S3Console/0.4 aws-internal/3 aws-sdk-java/1.11.1002 Linux/5.4.129-72.229.amzn2int.x86_64]" "requestParameters": {"bucketPolicy": {"Version": "2012-10-17" "Statement": [{"Sid": "Access-to-specific-VPCE-only" "Effect": "Allow" "Principal": "*" "Action": "s3:*" "Resource": "arn:aws:s3:::abc-logs/*" "Condition": {"StringEquals": {"aws:sourceVpce": "XXX"}}}] "Id": "Policy14151152"} "bucketName": "Bucket-name" "Host": "host.xyz.com" "policy": ""} ============= "eventName": "PutBucketPolicy" "awsRegion": "us-east-1" "sourceIPAddress": "N.N.N.N" "userAgent": "[S3Console/0.4 aws-internal/3 aws-sdk-java/1.11.1002 Linux/5.4.116-64.217.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/Oracle_Corporation cfg/retry-mode/legacy]" "requestParameters": {"bucketPolicy": {"Version": "2012-10-17" "Statement": [{"Effect": "Allow" "Principal": "*" "Action": ["s3:List*" "s3:Get*"] "Resource": "arn:aws:s3::/*" "Condition": {"IpAddress": {"aws:SourceIp": ["N.N.N.N" "N.N.N.N"]}}}]} "bucketName": "bucket-name" "Host": "abc.xyz.com" "policy": ""}

I have tried the below 3 options to check for the presence of the field Condition , but none are working. These end up showing Events where the raw data contains a Condition defined. I want my search to not exclude those events which contain Condition

| spath requestParameters.bucketPolicy.Statement{} output=Statement | mvexpand Statement | spath input=Statement | where Effect="Allow" | where Principal="*" OR Principal.AWS="* | where isnull(Condition) OR | where Condition="" OR |search Condition=""

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

ITWhisperer — Fri, 15 Oct 2021 12:25:34 GMT

Please can you check the raw data you have share as it seems to have mismatched brackets, curly brackets and missing commas.

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

neerajs_81 — Fri, 15 Oct 2021 12:30:22 GMT

Kindly ignore the brackets or syntax errors if possible. I have manually copy pasted different values of Conditions from multiple events , into this one common snippet here.

Can you help me how to exclude events which have Condition defined?

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

ITWhisperer — Fri, 15 Oct 2021 12:34:37 GMT

Without the correct JSON, it is more difficult to determine what the correct spath etc. should be

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

neerajs_81 — Fri, 15 Oct 2021 13:25:27 GMT

@ITWhisperer i have now fixed the syntax of the raw events in my original question. Have provided 2 samples of such events where Condition exists. Pls let me know.

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

ITWhisperer — Fri, 15 Oct 2021 13:38:34 GMT

| spath requestParameters.bucketPolicy.Statement{} output=Statement | mvexpand Statement | spath input=Statement | spath input=Statement Condition output=Condition | where Effect="Allow" | where Principal="*" OR Principal.AWS="*" | where isnull(Condition)

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

neerajs_81 — Fri, 15 Oct 2021 14:05:43 GMT

I have already tried that "where isnull(Condition)" and "where isnull('Condition') in single quotes" as i mentioned in my post, surprisingly it still shows events have Condition in them.

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

neerajs_81 — Fri, 15 Oct 2021 14:11:22 GMT

Never mind. It was my oversight that i didn't see the option of "Exclude from Search" if you click on that field in the Splunk UI itself. I used that and below filter worked. Any idea as in why isnull() didnt work here but this one did. Thank you for your help as always

| search NOT Condition

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

ITWhisperer — Fri, 15 Oct 2021 14:15:04 GMT

It is hard to say without access to the real data - it works in my test environment based on the doctored events that you posted.

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

neerajs_81 — Fri, 15 Oct 2021 15:05:19 GMT

Can i send you the full raw event offline via DM ? Apparently came across one event that had multiple conditions within it and confusing the hell.

Re: Splunk query to check for S3 Buckets in AWS using PutBucketPolicy

ITWhisperer — Fri, 15 Oct 2021 15:09:36 GMT

OK - I will delete it as soon as we are finished with it