Can someone help me build a search query for the use case below?
My use case is to detect if any S3 buckets have been set for public access via a PutBucketPolicy event. So far, thanks to help from folks (@ITWhisperer and @isoutamo) on this Community, I have got my search to check that the fields Effect and Principal have the values "Allow" and "*" or {AWS:*} respectively for the same SID. Basically, the following 2 conditions must be met for a particular SID.
Effect: Allow
Principal: * OR {AWS:*}
-----------------------
Next I want to further filter based on the field "Condition". How do I filter on whether "Condition" exists or not?
Below is a snippet of raw event data:
"eventName": "PutBucketPolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "N.N.N.N",
"userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1002 Linux/5.4.129-72.229.amzn2int.x86_64]",
"requestParameters": {"bucketPolicy": {"Version": "2012-10-17",
"Statement": [{"Sid": "Access-to-specific-VPCE-only",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::abc-logs/*",
"Condition": {"StringEquals": {"aws:sourceVpce": "XXX"}}}],
"Id": "Policy14151152"},
"bucketName": "Bucket-name",
"Host": "host.xyz.com",
"policy": ""}
=============
"eventName": "PutBucketPolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "N.N.N.N",
"userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1002 Linux/5.4.116-64.217.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/Oracle_Corporation cfg/retry-mode/legacy]",
"requestParameters": {"bucketPolicy": {"Version": "2012-10-17",
"Statement": [{"Effect": "Allow",
"Principal": "*",
"Action": ["s3:List*",
"s3:Get*"],
"Resource": "arn:aws:s3::/*",
"Condition": {"IpAddress": {"aws:SourceIp": ["N.N.N.N",
"N.N.N.N"]}}}]},
"bucketName": "bucket-name",
"Host": "abc.xyz.com",
"policy": ""}
I have tried the 3 options below to check for the presence of the field Condition, but none are working. They end up showing events where the raw data contains a Condition defined. I want my search to not exclude those events which contain Condition.
| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| where Effect="Allow"
| where Principal="*" OR Principal.AWS="*"
| where isnull(Condition)
OR
| where Condition=""
OR
|search Condition=""
| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| spath input=Statement Condition output=Condition
| where Effect="Allow"
| where Principal="*" OR Principal.AWS="*"
| where isnull(Condition)
Please can you check the raw data you have shared, as it seems to have mismatched brackets, curly brackets and missing commas.
Kindly ignore the brackets or syntax errors if possible. I have manually copy-pasted different values of Conditions from multiple events into this one common snippet here.
Can you help me with how to exclude events which have Condition defined?
Without the correct JSON, it is more difficult to determine what the correct spath etc. should be.
@ITWhisperer I have now fixed the syntax of the raw events in my original question. I have provided 2 samples of such events where Condition exists. Please let me know.
| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| spath input=Statement Condition output=Condition
| where Effect="Allow"
| where Principal="*" OR Principal.AWS="*"
| where isnull(Condition)
Never mind. It was my oversight that I didn't see the option "Exclude from Search" when you click on that field in the Splunk UI itself. I used that and the filter below worked. Any idea why isnull() didn't work here but this one did? Thank you for your help as always.
| search NOT Condition
It is hard to say without access to the real data - it works in my test environment based on the doctored events that you posted.
Can I send you the full raw event offline via DM? Apparently I came across one event that had multiple conditions within it, and it is confusing the hell out of me.
OK - I will delete it as soon as we are finished with it.
I have already tried "where isnull(Condition)" and "where isnull('Condition')" with single quotes, as I mentioned in my post; surprisingly it still shows events that have Condition in them.
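The same check the thread builds in SPL (Effect "Allow", Principal "*" or {"AWS": "*"}, then whether a Condition is present), written as an added Python example that is not part of the thread. The events are constructed to mirror the CloudTrail layout shown above; bucket and principal values are placeholders, and an empty Condition object is treated as absent since it restricts nothing.

```python
import json

# Constructed CloudTrail PutBucketPolicy events modelled on the thread's samples.
EVENTS = [
    {"eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "logs-bucket", "bucketPolicy": {
         "Version": "2012-10-17",
         "Statement": [{"Sid": "vpce-only", "Effect": "Allow", "Principal": "*",
                        "Action": "s3:*", "Resource": "arn:aws:s3:::logs-bucket/*",
                        "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-EXAMPLE"}}}]}}},
    {"eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "open-bucket", "bucketPolicy": {
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::open-bucket/*"}]}}},
    {"eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "team-bucket", "bucketPolicy": {
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                        "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*"}]}}},
]

def is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, including "*" inside an AWS list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_statements(event):
    """Return (bucket, Sid, has_condition) for every Allow/anonymous statement."""
    params = event.get("requestParameters", {})
    policy = params.get("bucketPolicy", {})
    if isinstance(policy, str):          # some feeds deliver the policy as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):     # a lone statement may not be wrapped in a list
        statements = [statements]
    return [(params.get("bucketName"), st.get("Sid"), bool(st.get("Condition")))
            for st in statements
            if st.get("Effect") == "Allow" and is_anonymous_principal(st.get("Principal"))]

def unconditioned_public(events):
    """Buckets granted anonymous access with no Condition limiting it at all."""
    return sorted({b for e in events if e.get("eventName") == "PutBucketPolicy"
                   for b, _, cond in public_statements(e) if not cond})

if __name__ == "__main__":
    print(unconditioned_public(EVENTS))  # ['open-bucket']
```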