
Commit 9255080

committed
Update the Architecture file
1 parent 6ac919f commit 9255080

1 file changed

Lines changed: 28 additions & 18 deletions

File tree

Architecture.md

@@ -131,18 +131,24 @@ A comprehensive serverless solution for tracking IAM, STS, and Console signin ac
131131
- Message attributes for filtering
132132
- KMS encryption for sensitive alerts
133133

134-
#### b) **Alert Functions (8 total)**
134+
#### b) **Alert Functions (14 total)**
135135
**From `security_alerts.py`**:
136136

137137
1. **`check_root_activity`**: Root account login/failed login (CRITICAL)
138138
2. **`check_user_creation`**: IAM user creation (HIGH)
139139
3. **`check_admin_policy_attachment`**: Admin policy attachments (CRITICAL)
140-
- Detects: AdministratorAccess, IAMFullAccess, PowerUserAccess
140+
- Detects: AdministratorAccess, IAMFullAccess, PowerUserAccess, AWSSSOMasterAccountAdministrator, AWSIdentityCenterFullAccess, AWSSSOMemberAccountAdministrator
141141
4. **`check_dangerous_inline_policy`**: Policies with *, iam:*, sts:* (CRITICAL)
142142
5. **`check_access_key_creation`**: New access key generation (CRITICAL)
143143
6. **`check_role_trust_policy`**: External account/wildcard principals (CRITICAL)
144144
7. **`check_access_key_update`**: Access key status changes (HIGH)
145145
8. **`check_mfa_deletion`**: MFA device deletion/deactivation (CRITICAL)
146+
9. **`check_sso_permission_set_creation`**: SSO permission set creation (CRITICAL)
147+
10. **`check_sso_permission_set_update`**: SSO permission set updates (CRITICAL)
148+
11. **`check_sso_admin_policy_attachment`**: Admin policy attached to SSO permission set (CRITICAL)
149+
12. **`check_sso_account_assignment`**: SSO account assignment created (CRITICAL)
150+
13. **`check_sso_app_creation`**: SSO managed application instance creation (HIGH)
151+
14. **`check_sso_app_deletion`**: SSO managed application instance deletion (HIGH)
146152

147153
**Alert Processing**:
148154
- Real-time analysis of each stored event
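Review bot: the six new SSO checks (items 9 to 14) carry no "Detects:" sub-bullet, unlike item 3, so a reader cannot tell which CloudTrail event names or attribute patterns each one matches; add a sub-bullet per check in the same style as `- Detects: AdministratorAccess, IAMFullAccess, PowerUserAccess, ...`. The expanded list on item 3 also needs one sentence separating it from item 11: item 3 now fires on SSO-administrator managed policies (AWSSSOMasterAccountAdministrator, AWSIdentityCenterFullAccess, AWSSSOMemberAccountAdministrator) attached to IAM principals, while item 11 covers admin policies attached to SSO permission sets; state that boundary so it is clear whether a single action can raise both alerts. Finally, the heading count "(14 total)" is hand-maintained; it matches the 14 entries here, but a note that the list is the source of truth would help the next editor.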
@@ -264,7 +270,7 @@ with ThreadPoolExecutor(max_workers=32) as executor:
264270

265271
## Query System
266272

267-
### Pre-built Queries (9 total)
273+
### Pre-built Queries (15 total)
268274
**From `query_runner.py` QUERY_DEFINITIONS**:
269275

270276
1. **`user_lookup`**: User activity patterns and identification
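Review bot: "(15 total)" is a hardcoded count that this commit also repeats in the `query_runner.py` descriptions further down ("all 15 pre-built queries" and "15 pre-built analytics queries"); the three numbers now agree, but consider stating the count once (here) and referring to QUERY_DEFINITIONS elsewhere so the next query added does not leave stale totals behind.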
@@ -276,30 +282,34 @@ with ThreadPoolExecutor(max_workers=32) as executor:
276282
7. **`role_assumptions`**: Role usage patterns and frequency analysis
277283
8. **`daily_summary`**: Daily activity summaries for compliance reporting
278284
9. **`hourly_activity`**: Peak usage analysis for capacity planning
285+
10. **`sso_permission_sets`**: SSO permission set management tracking
286+
11. **`sso_account_assignments`**: SSO account assignment tracking
287+
12. **`sso_admin_policies`**: SSO admin policy attachment detection
288+
13. **`sso_applications`**: SSO application management tracking
289+
14. **`sso_admin_users`**: SSO administrative users identification
290+
15. **`sso_activity_summary`**: SSO usage patterns by event type
279291

280292
### Query Infrastructure
281-
- **`athena_utilities.py`**: Athena query execution and table management
282-
- **`query_runner.py`**: CLI interface with Rich terminal formatting
283-
- **`analytics_queries.sql`**: Raw SQL queries for reference
293+
- **`athena_utilities.py`**: Core Athena operations (execute_athena_query, create_iam_events_table, get_table_statistics, validate_s3_location)
294+
- **`query_runner.py`**: Main CLI tool with QUERY_DEFINITIONS dictionary containing all 15 pre-built queries, Rich terminal formatting support
295+
- **`analytics_queries.sql`**: Reference SQL queries (if present)
284296

285297
## Operational Scripts
286298

287299
### Core Scripts (`scripts/` folder)
288-
- **`deploy.sh`**: SAM deployment with S3 bucket creation
289-
- **`destroy.sh`**: CloudFormation stack deletion with confirmation
290-
- **`status.sh`**: Formatted stack status and configuration display
291-
- **`validate.sh`**: Template validation with linting
292-
- **`logs.sh`**: Lambda log viewing with color formatting
293-
- **`run-query.sh`**: Query execution wrapper (calls `queries/setup.sh`)
300+
- **`deploy.sh`**: SAM deployment with S3 bucket creation, automatic AWS CLI/SAM CLI installation in venv
301+
- **`destroy.sh`**: CloudFormation stack deletion with confirmation prompt
302+
- **`status.sh`**: Formatted stack status display with colored output
303+
- **`validate.sh`**: Template validation
304+
- **`logs.sh`**: Lambda log viewing
305+
- **`run-query.sh`**: Query execution wrapper
294306
- **`setup-athena.sh`**: Athena table initialization
295307
- **`test-alerts.sh`**: SNS alert testing
296308

297-
### Query Setup (`queries/` folder)
298-
- **`setup.sh`**: Python virtual environment setup and dependency installation
299-
- Creates venv if not exists
300-
- Installs requirements.txt
301-
- Auto-detects CloudFormation outputs
302-
- Provides environment variable setup
309+
### Query Tools (`queries/` folder)
310+
- **`query_runner.py`**: Main CLI tool with 15 pre-built analytics queries
311+
- **`athena_utilities.py`**: Athena query execution and table management
312+
- **`requirements.txt`**: Python dependencies (boto3, rich for terminal formatting)
303313

304314
## Security Alert Message Format
305315
```
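Review bot: replacing the "Query Setup" section with "Query Tools" drops the only description of how the query environment is prepared (venv creation, `requirements.txt` install, CloudFormation output auto-detection, environment variable setup), and at the same time `run-query.sh` loses its "(calls `queries/setup.sh`)" reference; the file no longer says how a user gets from a fresh checkout to a working `query_runner.py`, so either document that flow under `run-query.sh` or under "Query Tools", or state explicitly that `setup.sh` was removed and what replaced it. Two smaller points: `query_runner.py` and `athena_utilities.py` are now described twice with differing wording ("Core Athena operations (execute_athena_query, create_iam_events_table, get_table_statistics, validate_s3_location)" under Query Infrastructure versus "Athena query execution and table management" under Query Tools), so keep one description and cross-reference the other; and "`analytics_queries.sql`: Reference SQL queries (if present)" should say whether the file ships or be removed, since an architecture document should not hedge on its own file inventory. Also confirm that `validate.sh` really lost linting and `logs.sh` lost color formatting, as the shortened descriptions imply behaviour changes this commit does not otherwise mention.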
