Support aws.sts sns notifications

2025-01-31 16:52:25 +01:00 · 2025-01-31 16:52:25 +01:00 · c13d5fc536
commit c13d5fc536
parent 7c06e91ea8
2 changed files with 140 additions and 9 deletions
--- a/tests/test_ops_bot.py
+++ b/tests/test_ops_bot.py
@ -145,6 +145,85 @@ sns_signin_failure = """
 }
 """

+sns_sts_saml = """
+{
+  "version": "0",
+  "id": "f7ea4d10-ee27-ee26-efa3-7fe107e12ba4",
+  "detail-type": "AWS API Call via CloudTrail",
+  "source": "aws.sts",
+  "account": "1234567890",
+  "time": "2025-01-31T15:34:20Z",
+  "region": "eu-west-1",
+  "resources": [],
+  "detail": {
+    "eventVersion": "1.08",
+    "userIdentity": {
+      "type": "SAMLUser",
+      "principalId": "redacted:user@example.com",
+      "userName": "user@example.com",
+      "identityProvider": "redacted"
+    },
+    "eventTime": "2025-01-31T15:34:20Z",
+    "eventSource": "sts.amazonaws.com",
+    "eventName": "AssumeRoleWithSAML",
+    "awsRegion": "eu-west-1",
+    "sourceIPAddress": "54.0.0.0",
+    "userAgent": "aws-internal/3 aws-sdk-java/1.12.779 Linux/4.14.355-275.570.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/17.0.13+11-LTS java/17.0.13 vendor/Amazon.com_Inc. cfg/retry-mode/standard cfg/auth-source#imds",
+    "requestParameters": {
+      "sAMLAssertionID": "_d1e7a65e-2298-4c0f-88b7-4e62f5a7a00c",
+      "roleSessionName": "user@example.com",
+      "roleArn": "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AWSAdministratorAccess_abcd1234",
+      "principalArn": "arn:aws:iam::1234567890:saml-provider/AWSSSO_aslksdafkj212_DO_NOT_DELETE",
+      "durationSeconds": 3600
+    },
+    "responseElements": {
+      "credentials": {
+        "accessKeyId": "ASredacted",
+        "sessionToken": "redacted",
+        "expiration": "Jan 31, 2025, 4:34:19 PM"
+      },
+      "assumedRoleUser": {
+        "assumedRoleId": "redacted:user@example.com",
+        "arn": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abcd1234/user@example.com"
+      },
+      "subject": "user@example.com",
+      "subjectType": "persistent",
+      "issuer": "https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/NjQ2NzQ5Mjg5MzMxX2lucy1hY2MwZGYyZTYzOGZkYjNm",
+      "audience": "https://signin.aws.amazon.com/saml",
+      "nameQualifier": "12346"
+    },
+    "requestID": "42ba0a94-8f19-4a1b-9bac-9e8eb6ac1c15",
+    "eventID": "0f652a57-36ad-4a85-8651-252f256660e8",
+    "readOnly": true,
+    "resources": [
+      {
+        "accountId": "1234567890",
+        "type": "AWS::IAM::Role",
+        "ARN": "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AWSAdministratorAccess_abcd1234"
+      },
+      {
+        "accountId": "1234567890",
+        "type": "AWS::IAM::SAMLProvider",
+        "ARN": "arn:aws:iam::1234567890:saml-provider/AWSSSO_aslksdafkj212_DO_NOT_DELETE"
+      }
+    ],
+    "eventType": "AwsApiCall",
+    "managementEvent": true,
+    "recipientAccountId": "1234567890",
+    "eventCategory": "Management",
+    "tlsDetails": {
+      "tlsVersion": "TLSv1.3",
+      "cipherSuite": "TLS_AES_128_GCM_SHA256",
+      "clientProvidedHostHeader": "sts.eu-west-1.amazonaws.com"
+    }
+  }
+}
+"""
+
+
+def wrap_sns_msg(msg: str) -> dict:
+    return {"Type": "Notification", "Message": msg}
+

 async def test_aws_sns_notification() -> None:
    r = await aws.parse_sns_event(None, json.loads(sns_notification), None)
@ -170,14 +249,21 @@ async def test_aws_sns_unsubscribe() -> None:


 async def test_aws_sns_signin() -> None:
-    r = await aws.parse_sns_event(None, json.loads(sns_signin), None)
+    r = await aws.parse_sns_event(None, wrap_sns_msg(sns_signin), None)
    print(r)
    expected = "<font color=#dc3545>**🚨 ALERT[AwsConsoleSignIn]** </font>: AWS Console Sign detected by user `user@example.com`.<br/>- **Region**: eu-north-1<br/>- **MFA Used**: Yes<br/>- **Event Time**: 2025-01-31T14:03:15Z<br/>- **Account ID**: 1234567890"
    assert r[0][1] == expected


 async def test_aws_sns_signin_failure() -> None:
-    r = await aws.parse_sns_event(None, json.loads(sns_signin_failure), None)
+    r = await aws.parse_sns_event(None, wrap_sns_msg(sns_signin_failure), None)
    print(r)
    expected = "<font color=#ffc107>**🚨 ALERT[AwsConsoleSignIn]** </font>: Failed AWS Console Sign attempt by user `user@example.com`.<br/>- **Region**: eu-north-1<br/>- **MFA Used**: Yes<br/>- **Error Message**: Failed authentication<br/>- **Event Time**: 2025-01-31T14:01:49Z<br/>- **Account ID**: 1234567890"
    assert r[0][1] == expected
+
+
+async def test_aws_sns_sts_saml() -> None:
+    r = await aws.parse_sns_event(None, wrap_sns_msg(sns_sts_saml), None)
+    print(r)
+    expected = "<font color=#dc3545>**🚨 ALERT[AssumeRoleWithSAML]** </font>: AWS SAML Sign detected by user `user@example.com`.<br/>- **Region**: eu-west-1<br/>- **Assumed Role**: arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abcd1234/user@example.com<br/>- **Event Time**: 2025-01-31T15:34:20Z<br/>- **Account ID**: 1234567890"
+    assert r[0][1] == expected