Support aws.sts sns notifications

2025-01-31 16:52:25 +01:00 · 2025-01-31 16:52:25 +01:00 · c13d5fc536
commit c13d5fc536
parent 7c06e91ea8
2 changed files with 140 additions and 9 deletions
--- a/ops_bot/aws.py
+++ b/ops_bot/aws.py
@ -28,7 +28,7 @@ def handle_notification(payload: Any) -> List[Tuple[str, str]]:
 def handle_json_notification(payload: Any, body: Any) -> List[Tuple[str, str]]:
    if "AlarmName" not in body:
-        payload_str = payload.get("Message")
+        payload_str = json.dumps(body, indent=2)
        msg = "Received unknown json payload type over AWS SNS"
        msg += f"""\n<br/>
 ```json
@ -61,6 +61,49 @@ def handle_json_notification(payload: Any, body: Any) -> List[Tuple[str, str]]:
    return [(plain, formatted)]
 def handle_cloudtrail_sts(payload: Any) -> List[Tuple[str, str]]:
    region = payload["region"]
    # event_type = payload["detail"]["eventType"]
    event_name = payload["detail"]["eventName"]
    event_time = payload["detail"]["eventTime"]
    account_id = payload["detail"]["recipientAccountId"]
    user_type = payload["detail"]["userIdentity"]["type"]
    user = "Unknown user"
    if user_type == "SAMLUser":
        user = payload["detail"]["userIdentity"]["userName"]
    assumed_role = None
    if (
        "responseElements" in payload["detail"]
        and "assumedRoleUser" in payload["detail"]["responseElements"]
    ):
        assumed_role = payload["detail"]["responseElements"]["assumedRoleUser"]["arn"]
    color = COLOR_ALARM
    if event_name == "AssumeRoleWithSAML":
        title = f"AWS SAML Sign detected by user `{user}`."
    else:
        title = event_name
    subject = event_name
    formatted = [
        x
        for x in [
            f"<font color={color}>**🚨 ALERT[{subject}]** </font>: {title}",
            f"- **Region**: {region}",
            f"- **Assumed Role**: {assumed_role}",
            f"- **Event Time**: {event_time}",
            f"- **Account ID**: {account_id}",
        ]
        if x is not None
    ]
    plain = title
    return [(plain, "<br/>".join(formatted))]
 def handle_cloudtrail_signin(payload: Any) -> List[Tuple[str, str]]:
    region = payload["region"]
    event_type = payload["detail"]["eventType"]
@ -156,14 +199,16 @@ async def parse_sns_event(
    elif payload.get("Type") == "Notification":
        try:
            body = json.loads(payload.get("Message"))
            if "source" in body:
                source = body["source"]
                if source == "aws.signin":
                    return handle_cloudtrail_signin(body)
                if source == "aws.sts":
                    return handle_cloudtrail_sts(body)
                else:
                    return handle_cloudtrail_generic(body)
            return handle_json_notification(payload, body)
        except Exception:
            return handle_notification(payload)
    elif "source" in payload:
        source = payload["source"]
        if source == "aws.signin":
            return handle_cloudtrail_signin(payload)
        else:
            return handle_cloudtrail_generic(payload)
    raise Exception("Unnown SNS payload type")
--- a/tests/test_ops_bot.py
+++ b/tests/test_ops_bot.py
@ -145,6 +145,85 @@ sns_signin_failure = """
 }
 """
 sns_sts_saml = """
 {
  "version": "0",
  "id": "f7ea4d10-ee27-ee26-efa3-7fe107e12ba4",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.sts",
  "account": "1234567890",
  "time": "2025-01-31T15:34:20Z",
  "region": "eu-west-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "SAMLUser",
      "principalId": "redacted:user@example.com",
      "userName": "user@example.com",
      "identityProvider": "redacted"
    },
    "eventTime": "2025-01-31T15:34:20Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithSAML",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "54.0.0.0",
    "userAgent": "aws-internal/3 aws-sdk-java/1.12.779 Linux/4.14.355-275.570.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/17.0.13+11-LTS java/17.0.13 vendor/Amazon.com_Inc. cfg/retry-mode/standard cfg/auth-source#imds",
    "requestParameters": {
      "sAMLAssertionID": "_d1e7a65e-2298-4c0f-88b7-4e62f5a7a00c",
      "roleSessionName": "user@example.com",
      "roleArn": "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AWSAdministratorAccess_abcd1234",
      "principalArn": "arn:aws:iam::1234567890:saml-provider/AWSSSO_aslksdafkj212_DO_NOT_DELETE",
      "durationSeconds": 3600
    },
    "responseElements": {
      "credentials": {
        "accessKeyId": "ASredacted",
        "sessionToken": "redacted",
        "expiration": "Jan 31, 2025, 4:34:19 PM"
      },
      "assumedRoleUser": {
        "assumedRoleId": "redacted:user@example.com",
        "arn": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abcd1234/user@example.com"
      },
      "subject": "user@example.com",
      "subjectType": "persistent",
      "issuer": "https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/NjQ2NzQ5Mjg5MzMxX2lucy1hY2MwZGYyZTYzOGZkYjNm",
      "audience": "https://signin.aws.amazon.com/saml",
      "nameQualifier": "12346"
    },
    "requestID": "42ba0a94-8f19-4a1b-9bac-9e8eb6ac1c15",
    "eventID": "0f652a57-36ad-4a85-8651-252f256660e8",
    "readOnly": true,
    "resources": [
      {
        "accountId": "1234567890",
        "type": "AWS::IAM::Role",
        "ARN": "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AWSAdministratorAccess_abcd1234"
      },
      {
        "accountId": "1234567890",
        "type": "AWS::IAM::SAMLProvider",
        "ARN": "arn:aws:iam::1234567890:saml-provider/AWSSSO_aslksdafkj212_DO_NOT_DELETE"
      }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "1234567890",
    "eventCategory": "Management",
    "tlsDetails": {
      "tlsVersion": "TLSv1.3",
      "cipherSuite": "TLS_AES_128_GCM_SHA256",
      "clientProvidedHostHeader": "sts.eu-west-1.amazonaws.com"
    }
  }
 }
 """
 def wrap_sns_msg(msg: str) -> dict:
    return {"Type": "Notification", "Message": msg}
 async def test_aws_sns_notification() -> None:
    r = await aws.parse_sns_event(None, json.loads(sns_notification), None)
@ -170,14 +249,21 @@ async def test_aws_sns_unsubscribe() -> None:
 async def test_aws_sns_signin() -> None:
-    r = await aws.parse_sns_event(None, json.loads(sns_signin), None)
+    r = await aws.parse_sns_event(None, wrap_sns_msg(sns_signin), None)
    print(r)
    expected = "<font color=#dc3545>**🚨 ALERT[AwsConsoleSignIn]** </font>: AWS Console Sign detected by user `user@example.com`.<br/>- **Region**: eu-north-1<br/>- **MFA Used**: Yes<br/>- **Event Time**: 2025-01-31T14:03:15Z<br/>- **Account ID**: 1234567890"
    assert r[0][1] == expected
 async def test_aws_sns_signin_failure() -> None:
-    r = await aws.parse_sns_event(None, json.loads(sns_signin_failure), None)
+    r = await aws.parse_sns_event(None, wrap_sns_msg(sns_signin_failure), None)
    print(r)
    expected = "<font color=#ffc107>**🚨 ALERT[AwsConsoleSignIn]** </font>: Failed AWS Console Sign attempt by user `user@example.com`.<br/>- **Region**: eu-north-1<br/>- **MFA Used**: Yes<br/>- **Error Message**: Failed authentication<br/>- **Event Time**: 2025-01-31T14:01:49Z<br/>- **Account ID**: 1234567890"
    assert r[0][1] == expected
 async def test_aws_sns_sts_saml() -> None:
    r = await aws.parse_sns_event(None, wrap_sns_msg(sns_sts_saml), None)
    print(r)
    expected = "<font color=#dc3545>**🚨 ALERT[AssumeRoleWithSAML]** </font>: AWS SAML Sign detected by user `user@example.com`.<br/>- **Region**: eu-west-1<br/>- **Assumed Role**: arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abcd1234/user@example.com<br/>- **Event Time**: 2025-01-31T15:34:20Z<br/>- **Account ID**: 1234567890"
    assert r[0][1] == expected