@mapbox/patrol-rules-aws

v1.3.0

AWS rules for Patrol

patrol-rules-aws

A set of functions implemented using lambda-cfn to monitor an organization's AWS infrastructure for best practices, security and compliance. Part of the Mapbox Patrol security framework.

Deploying

Please see the lambda-cfn README

Functions

The following functions are included with patrol-rules-aws. Each rule is configurable, and you will be prompted to enter configuration values when deploying the function with lambda-cfn.

allowedIAMActions

  • Description - Checks for any IAM policy created or updated which grants actions on restricted services, except for certain explicitly allowed actions on those services. For example, if you specify "iam, cloudtrail" as the restricted services and "iam:PassRole" as an allowed action, any policy which grants IAM actions other than PassRole (including wildcards such as "iam:*") will trigger an alarm.
  • Trigger - API call iam:CreatePolicy, iam:CreatePolicyVersion, iam:PutGroupPolicy, iam:PutRolePolicy, iam:PutUserPolicy
  • Parameters
    • restrictedServices - Comma separated list of services on which to disallow all actions
    • allowedActions - on the restrictedServices, only allow these actions to be granted
    • ignoredRolePolicy - Comma separated list of colon delimited role:policy combinations that should be ignored if matched. The "role:policy" values are case-insensitively matched against the policy event.

assumeRole

  • Description - Checks for when an IAM principal assumes a disallowed role
  • Trigger - API call sts:AssumeRole
  • Parameters
    • disallowedRoles - Comma separated list of role names to alarm on when an IAM principal assumes one of them.

cloudfrontModifyDelete

  • Description - Checks for disallowed actions on restricted CloudFront distributions.
  • Trigger - The specified API calls on the specified distributions
  • Parameters
    • protectedActions - CloudFront API call on which to alarm
    • protectedDistributions - CloudFront distributions on which to alarm
  • Note - If a Dispatch SNS Arn is provided, this alarm defaults to the Dispatch fallback channel by passing an empty slackId to Dispatch.

cloudTrail

  • Description - Checks for disallowed CloudTrail actions
  • Trigger - The specified API calls
  • Parameters
    • disallowedActions - CloudTrail API actions to alarm on if called

disallowedResources

  • Description - Checks for IAM policies that allow access to disallowed resources
  • Trigger - IAM API calls that create or update a policy
  • Parameters
    • disallowedResourceARNs - Comma separated list of AWS ARNs. An alarm will be triggered if an IAM policy grants any kind of access to these resources.
    • ignoredRolePolicy - Comma separated list of colon delimited role:policy combinations that should be ignored if matched. The "role:policy" values are case-insensitively matched against the policy event.
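The two policy-inspecting rules above (allowedIAMActions and disallowedResources) share the same work: pull the policy document out of the CloudTrail event, keep the Allow statements, and compare each action or resource against the configured lists. The following Node.js script is an added example of that evaluation logic, not code from patrol-rules-aws or lambda-cfn. It assumes a CloudTrail-style event whose `detail.requestParameters` carries `roleName`, `policyName` and `policyDocument` as a JSON string; the parameter values, the role/policy names and the policy statements are constructed for illustration.

```javascript
// Rule parameters as entered at lambda-cfn deploy time (assumed values).
const config = {
  restrictedServices: 'iam, cloudtrail',
  allowedActions: 'iam:PassRole',
  disallowedResourceARNs: 'arn:aws:s3:::prod-secrets, arn:aws:kms:us-east-1:123456789012:key/*',
  ignoredRolePolicy: 'DeployRole:deploy-bootstrap',
};

const splitList = (s) => s.split(',').map((x) => x.trim()).filter(Boolean);

// IAM wildcard pattern ("iam:*", "arn:aws:s3:::prod-*") to an anchored,
// case-insensitive RegExp; * and ? are the only IAM wildcards.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, 'i');
}

// Allow statements from the policy in the event. Assumes the CloudTrail
// requestParameters.policyDocument is a JSON string, as for PutRolePolicy or
// CreatePolicy. NotAction / NotResource statements are not modelled.
function allowStatements(event) {
  const p = event.detail.requestParameters || {};
  const doc = typeof p.policyDocument === 'string' ? JSON.parse(p.policyDocument) : p.policyDocument || {};
  return [].concat(doc.Statement || [])
    .filter((s) => s.Effect === 'Allow')
    .map((s) => ({ actions: [].concat(s.Action || []), resources: [].concat(s.Resource || []) }));
}

// ignoredRolePolicy: "role:policy" pairs matched case-insensitively against
// the event's roleName and policyName.
function isIgnored(event, cfg) {
  const p = event.detail.requestParameters || {};
  const key = `${p.roleName || ''}:${p.policyName || ''}`.toLowerCase();
  return splitList(cfg.ignoredRolePolicy).some((rp) => rp.toLowerCase() === key);
}

// allowedIAMActions: an Allow action on a restricted service alarms unless it
// is exactly one of allowedActions. "iam:*" or "*" always alarm, because they
// grant more than the allowed action.
function allowedIAMActionsViolations(event, cfg) {
  if (isIgnored(event, cfg)) return [];
  const restricted = splitList(cfg.restrictedServices).map((s) => s.toLowerCase());
  const allowed = splitList(cfg.allowedActions).map((a) => a.toLowerCase());
  const hits = [];
  for (const st of allowStatements(event)) {
    for (const action of st.actions) {
      const lower = action.toLowerCase();
      const touchesRestricted = lower === '*' || restricted.includes(lower.split(':')[0]);
      if (touchesRestricted && !allowed.includes(lower)) hits.push(action);
    }
  }
  return hits;
}

// disallowedResources: a granted Resource alarms when it covers a disallowed
// ARN or falls under a disallowed ARN pattern, so both "*" and
// "arn:aws:s3:::prod-*" catch arn:aws:s3:::prod-secrets.
function disallowedResourcesViolations(event, cfg) {
  if (isIgnored(event, cfg)) return [];
  const disallowed = splitList(cfg.disallowedResourceARNs);
  const hits = [];
  for (const st of allowStatements(event)) {
    for (const res of st.resources) {
      const granted = globToRegExp(res);
      for (const arn of disallowed) {
        if (granted.test(arn) || globToRegExp(arn).test(res)) hits.push(`${res} -> ${arn}`);
      }
    }
  }
  return hits;
}

// Constructed CloudTrail-style PutRolePolicy event (not a real capture).
function makeEvent(roleName, policyName, statements) {
  const policyDocument = JSON.stringify({ Version: '2012-10-17', Statement: statements });
  return { detail: { eventName: 'PutRolePolicy', requestParameters: { roleName, policyName, policyDocument } } };
}

// An inline role policy that sneaks iam:* and broad S3 access in beside the allowed PassRole.
const riskyStatements = [
  { Effect: 'Allow', Action: ['iam:PassRole', 's3:GetObject'], Resource: '*' },
  { Effect: 'Allow', Action: 'iam:*', Resource: 'arn:aws:iam::123456789012:role/*' },
  { Effect: 'Deny', Action: 'cloudtrail:StopLogging', Resource: '*' },
  { Effect: 'Allow', Action: 's3:*', Resource: 'arn:aws:s3:::prod-*' },
];
const sampleEvent = makeEvent('CiRunner', 'ci-inline', riskyStatements);
const ignoredEvent = makeEvent('deployrole', 'DEPLOY-BOOTSTRAP', riskyStatements);

console.log(allowedIAMActionsViolations(sampleEvent, config));   // [ 'iam:*' ]
console.log(disallowedResourcesViolations(sampleEvent, config)); // 3 "resource -> ARN" pairs
console.log(allowedIAMActionsViolations(ignoredEvent, config));  // []
```

Run it with `node`. Two design points worth carrying into any real rule: only an action that is exactly in allowedActions passes, so a wildcard that happens to cover the allowed action ("iam:Pass*") still alarms rather than slipping through; and the resource check tests the wildcard in both directions, so a grant of "*" or "arn:aws:s3:::prod-*" is caught even though neither string equals the protected ARN. The Deny statement is ignored on purpose, since the rules are about what a policy grants.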

removeS3AccessLogging

  • Description - Checks for removal of server access logging from an S3 bucket
  • Trigger - PutBucketLogging AWS API call
  • Parameters
    • bucketFilter - Comma separated list of bucket names or name patterns the rule will ignore.

removeS3ManagedEncryption

  • Description - Checks for removal of default (managed) encryption from an S3 bucket.
  • Trigger - DeleteBucketEncryption AWS API call
  • Parameters
    • bucketFilter - Comma separated list of bucket names or name patterns the rule will ignore.

rootLogin

  • Description - Alarms when the AWS account root user signs in to the console
  • Trigger - AWS Console Sign-in

publicBucketACL

  • Description - Checks for a bucket ACL that grants public access.
  • Trigger - AWS API Call via CloudTrail

serviceLimits

  • Description - Checks for Trusted Advisor service-limit check results whose status is not "OK".
  • Trigger - Trusted Advisor Check Item Refresh Notification

principalPolicySimulator

  • Description - WIP, beta quality and very noisy. Uses SimulatePrincipalPolicy to report on policies created or updated which give the calling IAM principal elevated access beyond its assigned IAM policies. For example, if a user has access to create CloudFormation stacks, the user can start a stack with policies that give the stack (and therefore the user) access to resources the user could not access directly.
  • Trigger - API call iam:CreatePolicy, iam:CreatePolicyVersion, iam:PutGroupPolicy, iam:PutRolePolicy, iam:PutUserPolicy
  • Parameters
    • principalRegex - only principals matching this regex will be tested
    • ignoredServices - a comma separated list of AWS service prefixes to skip when testing. For example, to skip policies for Cloudwatch logs and ECS: logs,ecs
    • ignoredResources - Not implemented, a comma separated list of AWS resources to skip during testing.

Contributing

Please see CONTRIBUTING.md