@@ -131,18 +131,24 @@ A comprehensive serverless solution for tracking IAM, STS, and Console signin ac
131131 - Message attributes for filtering
132132 - KMS encryption for sensitive alerts
133133
134- #### b) ** Alert Functions (8 total)**
134+ #### b) ** Alert Functions (14 total)**
135135** From ` security_alerts.py ` ** :
136136
1371371 . ** ` check_root_activity ` ** : Root account login/failed login (CRITICAL)
1381382 . ** ` check_user_creation ` ** : IAM user creation (HIGH)
1391393 . ** ` check_admin_policy_attachment ` ** : Admin policy attachments (CRITICAL)
140- - Detects: AdministratorAccess, IAMFullAccess, PowerUserAccess
140+ - Detects: AdministratorAccess, IAMFullAccess, PowerUserAccess, AWSSSOMasterAccountAdministrator, AWSIdentityCenterFullAccess, AWSSSOMemberAccountAdministrator
1411414 . ** ` check_dangerous_inline_policy ` ** : Policies with * , iam:* , sts:* (CRITICAL)
1421425 . ** ` check_access_key_creation ` ** : New access key generation (CRITICAL)
1431436 . ** ` check_role_trust_policy ` ** : External account/wildcard principals (CRITICAL)
1441447 . ** ` check_access_key_update ` ** : Access key status changes (HIGH)
1451458 . ** ` check_mfa_deletion ` ** : MFA device deletion/deactivation (CRITICAL)
146+ 9 . ** ` check_sso_permission_set_creation ` ** : SSO permission set creation (CRITICAL)
147+ 10 . ** ` check_sso_permission_set_update ` ** : SSO permission set updates (CRITICAL)
148+ 11 . ** ` check_sso_admin_policy_attachment ` ** : Admin policy attached to SSO permission set (CRITICAL)
149+ 12 . ** ` check_sso_account_assignment ` ** : SSO account assignment created (CRITICAL)
150+ 13 . ** ` check_sso_app_creation ` ** : SSO managed application instance creation (HIGH)
151+ 14 . ** ` check_sso_app_deletion ` ** : SSO managed application instance deletion (HIGH)
146152
147153** Alert Processing** :
148154- Real-time analysis of each stored event
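Review bot: the six new SSO entries (items 9 through 14) state only the action and severity, while item 3 keeps a "Detects:" line naming the exact managed policies it matches (now extended with AWSSSOMasterAccountAdministrator, AWSIdentityCenterFullAccess and AWSSSOMemberAccountAdministrator). For check_sso_admin_policy_attachment in particular, readers cannot tell whether it matches the same policy list as item 3 or a separate one, and for the permission set and account assignment checks they cannot tell which CloudTrail events trigger them. Consider adding a "Detects:" line under each SSO item so the coverage of the 14 checks can be verified against security_alerts.py.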
@@ -264,7 +270,7 @@ with ThreadPoolExecutor(max_workers=32) as executor:
264270
265271## Query System
266272
267- ### Pre-built Queries (9 total)
273+ ### Pre-built Queries (15 total)
268274** From ` query_runner.py ` QUERY_DEFINITIONS** :
269275
2702761 . ** ` user_lookup ` ** : User activity patterns and identification
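Review bot: the heading count moves from 9 to 15 here while the six new list entries only arrive in the following hunk, and the same "15" is repeated in the query_runner.py descriptions under Query Infrastructure and Query Tools. Three hard-coded copies of the count drift easily; consider keeping the number in one place (the heading) and describing query_runner.py without it.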
@@ -276,30 +282,34 @@ with ThreadPoolExecutor(max_workers=32) as executor:
2762827 . ** ` role_assumptions ` ** : Role usage patterns and frequency analysis
2772838 . ** ` daily_summary ` ** : Daily activity summaries for compliance reporting
2782849 . ** ` hourly_activity ` ** : Peak usage analysis for capacity planning
285+ 10 . ** ` sso_permission_sets ` ** : SSO permission set management tracking
286+ 11 . ** ` sso_account_assignments ` ** : SSO account assignment tracking
287+ 12 . ** ` sso_admin_policies ` ** : SSO admin policy attachment detection
288+ 13 . ** ` sso_applications ` ** : SSO application management tracking
289+ 14 . ** ` sso_admin_users ` ** : SSO administrative users identification
290+ 15 . ** ` sso_activity_summary ` ** : SSO usage patterns by event type
279291
280292### Query Infrastructure
281- - ** ` athena_utilities.py ` ** : Athena query execution and table management
282- - ** ` query_runner.py ` ** : CLI interface with Rich terminal formatting
283- - ** ` analytics_queries.sql ` ** : Raw SQL queries for reference
293+ - ** ` athena_utilities.py ` ** : Core Athena operations (execute_athena_query, create_iam_events_table, get_table_statistics, validate_s3_location)
294+ - ** ` query_runner.py ` ** : Main CLI tool with QUERY_DEFINITIONS dictionary containing all 15 pre-built queries, Rich terminal formatting support
295+ - ** ` analytics_queries.sql ` ** : Reference SQL queries (if present)
284296
285297## Operational Scripts
286298
287299### Core Scripts (` scripts/ ` folder)
288- - ** ` deploy.sh ` ** : SAM deployment with S3 bucket creation
289- - ** ` destroy.sh ` ** : CloudFormation stack deletion with confirmation
290- - ** ` status.sh ` ** : Formatted stack status and configuration display
291- - ** ` validate.sh ` ** : Template validation with linting
292- - ** ` logs.sh ` ** : Lambda log viewing with color formatting
293- - ** ` run-query.sh ` ** : Query execution wrapper (calls ` queries/setup.sh ` )
300+ - ** ` deploy.sh ` ** : SAM deployment with S3 bucket creation, automatic AWS CLI/SAM CLI installation in venv
301+ - ** ` destroy.sh ` ** : CloudFormation stack deletion with confirmation prompt
302+ - ** ` status.sh ` ** : Formatted stack status display with colored output
303+ - ** ` validate.sh ` ** : Template validation
304+ - ** ` logs.sh ` ** : Lambda log viewing
305+ - ** ` run-query.sh ` ** : Query execution wrapper
294306- ** ` setup-athena.sh ` ** : Athena table initialization
295307- ** ` test-alerts.sh ` ** : SNS alert testing
296308
297- ### Query Setup (` queries/ ` folder)
298- - ** ` setup.sh ` ** : Python virtual environment setup and dependency installation
299- - Creates venv if not exists
300- - Installs requirements.txt
301- - Auto-detects CloudFormation outputs
302- - Provides environment variable setup
309+ ### Query Tools (` queries/ ` folder)
310+ - ** ` query_runner.py ` ** : Main CLI tool with 15 pre-built analytics queries
311+ - ** ` athena_utilities.py ` ** : Athena query execution and table management
312+ - ** ` requirements.txt ` ** : Python dependencies (boto3, rich for terminal formatting)
303313
304314## Security Alert Message Format
305315```
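Review bot: "Reference SQL queries (if present)" for analytics_queries.sql is a hedge that does not belong in a file listing; either the file is in the repository and should be described, or it is not and the line should be dropped. Two smaller points in the same region: query_runner.py and athena_utilities.py are now listed under both Query Infrastructure and Query Tools with slightly different wording, so one of the two lists should reference the other; and since the Query Setup section and its setup.sh entry are removed, the run-query.sh description (now just "Query execution wrapper") should say what it wraps and whether it still creates the venv and installs requirements.txt, which the old text attributed to setup.sh.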