Finding Cross-Account AWS EventBridge Usage
Overview
Security posture recommendations for your cross-account invocations.
This notification email went to customers who were determined to have one or more impacted resources.
Customer Testimonial
“CloudQuery helped us understand the exact impact that this AWS service change would have for our organization’s 100+ AWS accounts within 5 minutes of receiving the notification. CloudQuery saved us weeks of investigative work and gave us exactly the resource ARNs we needed to alter with this change.”
EventBridge Change
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountExternal",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123412341234:root"
      },
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/wheels-on-the-bus"
    }
  ]
}
```
What this Means
- Find all impacted EventBridge Event Buses.
- Update all impacted EventBridge Event Buses, stepping through environments and testing to ensure there is no adverse impact.
- Validate that no legacy EventBridge Event Buses remain and that they have all been updated to use IAM roles.
Customer Query
```sql
SELECT *
FROM (
    SELECT account_id, name, policy, arn,
           -- capture only the 12-digit account ID so it compares cleanly against account_id
           -- (without the capturing group the match would include ':root' and never equal account_id);
           -- the ::text cast covers installs where policy is stored as JSON
           regexp_matches(policy::text, '([0-9]{12}):root', 'g') AS ext_account
    FROM aws_eventbridge_event_buses
) data
WHERE account_id != ext_account[1];
```
With the regular expression `[0-9]{12}:root`, we look for any string that matches the account portion of an AWS root principal, such as `123412341234:root`. While we do search the entire policy document, AWS account ARNs should only appear in the Principal block of statements, and the outer WHERE clause keeps only the rows whose matched account differs from the account that owns the event bus.
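The regex query above is a fast first pass, but a principal can also be written as a bare account ID, a list of ARNs, a specific role ARN, or `"*"`, none of which contain the literal `:root`. The following added example (not part of the original post or of CloudQuery's own code) parses the resource policy as JSON instead and reports every Allow principal whose account differs from the bus owner's. The sample rows are constructed in the shape of `aws_eventbridge_event_buses` output, and all account IDs in them are made-up placeholders.

```python
import json
import re

# Constructed sample rows (account_id, name, policy) mimicking a CloudQuery
# aws_eventbridge_event_buses export. Account IDs are placeholders.
SAMPLE_BUSES = [
    {"account_id": "111111111111", "name": "wheels-on-the-bus", "policy": json.dumps({
        "Version": "2012-10-17", "Statement": [{
            "Sid": "AccountExternal", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123412341234:root"},
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/wheels-on-the-bus"}]})},
    {"account_id": "111111111111", "name": "internal-only", "policy": json.dumps({
        "Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            # a list of principals, one of them a bare account ID (equivalent to :root)
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "111111111111"]},
            "Action": "events:PutEvents", "Resource": "*"}]})},
    {"account_id": "111111111111", "name": "role-based", "policy": json.dumps({
        "Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            # cross-account, but scoped to one role: the ':root' regex would miss this
            "Principal": {"AWS": "arn:aws:iam::123412341234:role/EventPublisher"},
            "Action": "events:PutEvents", "Resource": "*"}]})},
    # a bus with no resource policy at all
    {"account_id": "111111111111", "name": "default", "policy": None},
]

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::([0-9]{12}):(.*)$")
BARE_ACCOUNT = re.compile(r"^[0-9]{12}$")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Yield (account_id, kind) for each AWS principal in an Allow statement.

    kind is 'root' for account-wide trust, 'role'/'user' for a specific identity,
    and 'anonymous' for the wildcard principal.
    """
    if statement.get("Effect") != "Allow":
        return
    principal = statement.get("Principal")
    if principal == "*":
        yield ("*", "anonymous")
        return
    if not isinstance(principal, dict):
        return  # Service / Federated principals are not AWS accounts
    for p in _as_list(principal.get("AWS")):
        if p == "*":
            yield ("*", "anonymous")
        elif BARE_ACCOUNT.match(p):
            yield (p, "root")  # bare account ID means the account's root principal
        else:
            m = ACCOUNT_IN_ARN.match(p)
            if m:
                yield (m.group(1), m.group(2).split("/")[0])


def cross_account_trusts(buses):
    """Return (bus account, bus name, external account, principal kind) for every
    Allow principal whose account is not the bus owner's. Buses without a policy
    are skipped; the wildcard principal is always reported."""
    findings = []
    for bus in buses:
        if not bus["policy"]:
            continue
        doc = bus["policy"]
        if isinstance(doc, str):
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement")):
            for acct, kind in principals(stmt):
                if acct != bus["account_id"]:
                    findings.append((bus["account_id"], bus["name"], acct, kind))
    return findings


if __name__ == "__main__":
    for row in cross_account_trusts(SAMPLE_BUSES):
        print("%s/%s trusts %s (%s)" % row)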
Written by Jason Kao
Jason worked as Head of Security Research and Solutions at CloudQuery and was a Senior Data Engineer prior to taking on that role. He focused on multi-cloud environments and has particular expertise on AWS.