Changes to the filter pattern triggered a false positive finding

[LuigiClemente-Awin]

Hi all

It seems that the recent change to the the pattern for the "UnauthorizedAPICalls" alert is triggering a false finding in Security Hub
3d5332a

I guess the reason is that the "official" pattern tested for is:

{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}

The new pattern is:

{(($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")) && (($.sourceIPAddress!="delivery.logs.amazonaws.com") && ($.eventName!="HeadBucket"))}

Is my assumption correct?

Should you revert the change or should we suppress the finding?

Thanks,

Luigi

[derylseale]

I'm seeing the same issue. When I manually changed the pattern to the old version (without the log delivery or bucket additions), then SecurityHub marked the control as passing.

[nozaq]

This is an expected behavior.

The latest version of CIS Amazon Web Services Foundations Benchmark is v1.4.0 while SecurityHub only supports the standard for v1.2.0.

UnauthorizedAPICalls alert was defined as {($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")} in v1.2.0, but it's updated to {(($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")) && (($.sourceIPAddress!="delivery.logs.amazonaws.com") && ($.eventName!="HeadBucket"))} in v1.3.0.
So our implementation uses the latest pattern, which I believe preferable, but the current CIS standard implementation in SecurityHub is still looking for the old pattern.

With that said, I would recommend suppressing the finding at this moment. I hope AWS will release the SecurityHub standard for the latest CIS benchmark in near future.

[LuigiClemente-Awin]

Thanks a lot nozaq!

Best,

Luigi

[nozaq]

@LuigiClemente-Awin You're welcome!