Event Bus Should Not Be Exposed

More Info:

Your AWS CloudWatch event bus should not be exposed to everyone.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Event Bus Should Not Be Exposed” for AWS using AWS CLI, you can follow the below steps:

Open your command prompt or terminal and install the AWS CLI if you haven’t already done so.
Run the following command to list all the Amazon EventBridge event buses in your AWS account:

aws events list-event-buses

Identify the event bus that is exposed and note down its ARN.
Run the following command to remove the event bus policy that is allowing public access:

aws events remove-permission --event-bus-name <event-bus-name> --statement-id <statement-id>

Replace <event-bus-name> with the name of the event bus that you want to remediate and <statement-id> with the ID of the statement in the event bus policy that is allowing public access.

After running the above command, you should receive an output similar to the following:

{
    "FailedEntryCount": 0,
    "FailedEntries": []
}

This means that the event bus policy has been successfully updated to remove public access.

Finally, run the following command to verify that the event bus policy has been updated:

aws events describe-event-bus --name <event-bus-name>

Replace <event-bus-name> with the name of the event bus that you remediated. The output should show that the event bus policy no longer allows public access.By following these steps, you can remediate the misconfiguration “Event Bus Should Not Be Exposed” for AWS using AWS CLI.

Using Python

Remediating the “Event Bus Should Not Be Exposed” misconfiguration in AWS using Python involves the following steps:

Identify the AWS account that has the exposed event bus.
Create an IAM policy that denies access to the event bus.
Attach the IAM policy to the AWS account.
Verify that the event bus is no longer exposed.

Here’s an example Python code that can be used to remediate this misconfiguration:

import boto3

# Set the AWS region
region = 'us-east-1'

# Set the name of the exposed event bus
event_bus_name = 'exposed-event-bus'

# Create an IAM policy that denies access to the event bus
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "events:PutEvents",
                "events:PutRule",
                "events:PutTargets"
            ],
            "Resource": [
                "arn:aws:events:{}:{}:event-bus/{}".format(region, aws_account_id, event_bus_name)
            ]
        }
    ]
}

# Create an IAM policy with the policy document
iam = boto3.client('iam')
policy_name = 'deny-event-bus-access-policy'
policy_response = iam.create_policy(
    PolicyName=policy_name,
    PolicyDocument=json.dumps(policy)
)

# Attach the IAM policy to the AWS account
account_id = boto3.client('sts').get_caller_identity().get('Account')
iam.attach_policy(
    PolicyArn='arn:aws:iam::{}:policy/{}'.format(account_id, policy_name),
    TargetId=account_id,
    TargetType='AWSAccount'
)

# Verify that the event bus is no longer exposed
events = boto3.client('events')
try:
    response = events.describe_event_bus(Name=event_bus_name)
    if response['Policy'] != policy_name:
        response = events.put_permission(
            EventBusName=event_bus_name,
            Action='events:PutEvents',
            Principal='*'
        )
except events.exceptions.ResourceNotFoundException:
    pass

Note: Replace the region, event_bus_name, and policy variables with the appropriate values for your use case. Also, ensure that you have the necessary permissions to create IAM policies and attach them to the AWS account.

Additional Reading:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Event Bus Should Not Be Exposed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: