Description: When an AWS S3 Bucket token is placed in your AWS environment, it monitors an S3 bucket of your choosing and generates alerts when that S3 bucket is accessed. The S3 bucket can be accessed by legitimate AWS resources that can be identified with an Amazon Resource Name (ARN). To ignore alerts generated when a legitimate AWS resource accesses the S3 bucket, you must add its ARN to the "Amazon Resource Name (ARN) Ignore List" of the Canarytoken.
Follow the steps below to add an ARN from legitimate AWS resources to an AWS S3 bucket Canarytoken "Amazon Resource Name (ARN) Ignore List":
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Search for the AWS S3 bucket Canarytoken you want to update the Amazon Resource Name (ARN) ignore list on. You can do this by searching for the S3 Bucket monitored by the Canarytoken.
Step 4:
Select the token from the search history.
Note: we searched and selected "thinkst-testing-bucket"
Step 5:
To add a specific Amazon Resource Name (ARN) to the ignore list, enter it in the "Amazon Resource Name (ARN) Ignore list" area, press "Enter" and click "Save".
Note: The Amazon Resource Name (ARN) has to have 5 or 6 colons and must follow the same format found here, and you have to press "Enter" after entering the ARN for this to work correctly. For example, we entered the ARN below:
arn:aws:sts::123456789012:example/folder
Step 6:
You can also add ARN patterns that use the wildcards "*" and "?" to ignore multiple ARNs with a single entry.
- Use the wildcard "?" to match any single character in an ARN.
- Use the wildcard "*" to match any string of characters in an ARN.
For example, the following ARN pattern:
arn:aws:sts:us-east-1:*:example/folder-?
Will ignore all alerts generated by AWS resources that can be identified by the following ARNs:
arn:aws:sts:us-east-1:123456789012:example/folder-1
arn:aws:sts:us-east-2:123456000000:example/folder-r
arn:aws:sts:us-east-6:111111111111:example/folder-9
Add the entry, press "Enter", then press "Save" to apply the changes.
Now you shouldn't be receiving any more alerts from those legitimate AWS resources.
Note:
ARNs are composed of 6 colon-separated sections and generally follow one of these formats:
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
These sections appear in the following order:
- First section.
- Partition section.
- Service section.
- Region section.
- Account-ID section.
- Resource section (which includes the "resource-type" and "resource-id").
For an ARN (or an ARN pattern) to be accepted into the ARN ignore list of an AWS S3 Bucket Canarytoken, each section of that ARN must satisfy the rules below.
Rules around the first section in an ARN:
ARNs must have the word "arn" in the first section. So the ARNs below will be allowed to be in the ARN ignore list of an AWS S3 Bucket Canarytoken:
arn:aws:sts::123456789012:example/folder
arn:aws:iam::123456789012:example/folder
While the ARNs below will not be allowed:
notarn:aws:sts::123456789012:example/folder
:aws:iam::123456789012:example/folder
If an ARN does not have the word "arn" in its first section, the following error will be shown:
Invalid FIRST Section of ARN from '...'.
Rules around the partition section in an ARN:
Only the following AWS partitions are allowed in the "partition" section of an ARN:
aws
aws-cn
aws-us-gov
So the ARNs below will be allowed to be in the ARN ignore list of an AWS S3 Bucket Canarytoken:
arn:aws:iam::*:example/folder
arn:aws-cn:iam::*:example/folder
arn:aws-us-gov:iam::*:example/folder
While the ARNs below will not be allowed:
arn:aws0:iam::*:example/folder
arn::iam::*:example/folder
arn:not-aws:iam::*:example/folder
If none of the allowed AWS partitions are used in the "partition" section of an ARN, the following error will be shown:
Invalid PARTITION Section of ARN from '...'.
Rules around the service section in an ARN:
We only allow the following AWS services in the "service" section of an ARN:
sts
iam
So the ARNs below will be allowed to be part of the ARN ignore list of an AWS S3 Bucket Canarytoken:
arn:aws:sts::123456789012:example/folder
arn:aws:iam::123456789012:example/folder
While the ARNs below will not be allowed:
arn:aws:s3::123456789012:example/folder
arn:aws:some-other-service::123456789012:example/folder
If none of the AWS services we allow are used in the "service" section of an ARN, the following error will be shown:
Invalid SERVICE Section of ARN from '...'.
Rules around the region section in an ARN:
We only allow the defined AWS Regional Endpoint Codes to be in the "region" section of an ARN. We also allow the region section of an ARN to be empty.
So the ARNs below will be allowed to be part of the ARN ignore list of an AWS S3 Bucket Canarytoken:
arn:aws:sts:us-east-1:123456789012:example/folder
arn:aws:sts:af-south-1:123456789012:example/folder
arn:aws:sts::123456789012:example/folder
arn:aws:iam::123456789012:example/folder
While the ARNs below will not be allowed:
arn:aws:sts:africa:123456789012:example/folder
arn:aws:sts:america:123456789012:example/folder
If the "region" section of an ARN is not empty and is not one of the defined AWS Regional Endpoint Codes, the following error will be shown:
Invalid REGION Section of ARN from '...'.
Not all AWS services include regions in their ARNs, and the "region" section of the ARNs tied to these services is always empty. One such service is "iam", whose ARNs always have an empty "region" section, for example:
arn:aws:iam::123456789012:example/folder
So ARNs tied to the "iam" service will only be allowed in the ARN ignore list of an AWS S3 Bucket Canarytoken if they have an empty "region" section. The following ARNs will therefore be allowed:
arn:aws:iam::*:example/folder
arn:aws:iam::123456789012:example/folder1
While the ARNs below will not be allowed:
arn:aws:iam:eu-west-1:123456789012:user/testUser
arn:aws:iam:af-south-1:123456789012:user/testUser
If a non-empty region is included in the "region" section of an ARN that is tied to the "iam" service, the following error will be shown:
The 'iam' service does not include regions in its ARNs, please remove the region part from the ARN '...'.
Rules around the account-id section in an ARN:
We only allow the following scenarios in the "account-id" section of an ARN:
- The "account-id" section in an ARN can just be empty, for example:
arn:aws:sts:af-south-1::example/folder
- The "account-id" section in an ARN can be composed of only the wildcard "*", for example:
arn:aws:sts:af-south-1:*:example/folder
- The "account-id" section in an ARN can be composed of only 12 digits, for example:
arn:aws:sts:af-south-1:123456789012:example/folder
- The "account-id" section in an ARN can be composed of exactly 64 characters drawn from digits and lowercase English letters, for example:
arn:aws:iam::79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be:example/folder
So the ARNs below will not be allowed to be part of the ARN ignore list of an AWS S3 Bucket Canarytoken:
arn:aws:sts::12*:assumed-role/exampleRole
arn:aws:sts::12?:assumed-role/exampleRole
arn:aws:sts::12:assumed-role/exampleRole
arn:aws:sts::12TEST:assumed-role/exampleRole
If the "account-id" section of an ARN does not fit any of the allowed scenarios above, the following error will be shown:
Invalid ACCOUNT_ID Section of ARN from '...'.
Rules around the resource section in an ARN:
The "resource" section in an ARN can consist of the following subsections:
- The "resource-id", which is the name of the resource, the resource identifier, or just the resource path.
- The "resource-type", which is just the resource type, for example "assumed-role" or "user".
The "resource" section in an ARN may consist of just a "resource-id", or of a "resource-type" alongside a "resource-id", in the following formats:
resource-id
resource-type/resource-id
resource-type:resource-id
Both the "resource-id" and the "resource-type" are allowed to have:
- Lower and upper case english alphabet characters.
- Digits.
- Any of the following characters:
+=,.@_-/
If both the "resource-id" and the "resource-type" subsections are present in the "resource" section of an ARN, then we allow the use of the wildcard characters "*" and "?" only in the "resource-id" subsection.
So the ARNs below will be allowed to be part of the ARN ignore list of an AWS S3 Bucket Canarytoken:
arn:aws:sts:us-east-1:123456789012:assumed-role/*
arn:aws:sts:us-east-1:123456789012:assumed-role:*
arn:aws:iam::123456789012:role/test-?
arn:aws:iam::123456789012:user:test-?-folder
While the following ARNs will not be allowed:
arn:aws:sts:us-east-1:123456789012:*
arn:aws:sts:us-east-1:123456789012:assumed-role-?
arn:aws:iam::123456789012:role*
If the "resource" section of an ARN does not fit any of the allowed characters and formats outlined above, the following error will be shown:
Invalid RESOURCE Section of ARN from '...'.
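As an added example that is not Canary's own code, the following Python applies the section rules above to an ignore-list entry and implements the "*" / "?" matching from Step 6 against an observed ARN. The region list is a constructed subset, and letting "*" span colon boundaries is an assumption the page does not state.

```python
import re

# Allowed values per section, as described in the rules above.
ALLOWED_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
ALLOWED_SERVICES = {"sts", "iam"}
# Constructed subset of AWS regional endpoint codes; a real check loads the full list.
KNOWN_REGIONS = {"us-east-1", "us-east-2", "us-west-2", "eu-west-1", "af-south-1"}
RES = r"A-Za-z0-9+=,.@_\-/"  # characters allowed in resource-type and resource-id
# resource-type[/|:]resource-id (wildcards only in resource-id), or a bare resource-id
RESOURCE_RE = re.compile(rf"[{RES}]+[/:][{RES}*?]+|[{RES}]+")
# empty, a lone "*", 12 digits, or 64 lowercase hex-style characters
ACCOUNT_RE = re.compile(r"|\*|\d{12}|[0-9a-z]{64}")

def validate_arn_pattern(arn):
    """Return None if the entry is acceptable, otherwise the error message the page describes."""
    parts = arn.split(":", 5)  # the resource section may itself contain ':'
    if len(parts) != 6:
        return f"Invalid ARN from '{arn}': expected 5 or 6 colons."
    first, partition, service, region, account, resource = parts
    if first != "arn":
        return f"Invalid FIRST Section of ARN from '{arn}'."
    if partition not in ALLOWED_PARTITIONS:
        return f"Invalid PARTITION Section of ARN from '{arn}'."
    if service not in ALLOWED_SERVICES:
        return f"Invalid SERVICE Section of ARN from '{arn}'."
    if region and region not in KNOWN_REGIONS:
        return f"Invalid REGION Section of ARN from '{arn}'."
    if service == "iam" and region:
        return (f"The 'iam' service does not include regions in its ARNs, "
                f"please remove the region part from the ARN '{arn}'.")
    if not ACCOUNT_RE.fullmatch(account):
        return f"Invalid ACCOUNT_ID Section of ARN from '{arn}'."
    if not RESOURCE_RE.fullmatch(resource):
        return f"Invalid RESOURCE Section of ARN from '{arn}'."
    return None

def arn_matches(pattern, arn):
    """'*' matches any run of characters, '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def should_ignore(ignore_list, arn):
    """True if the accessing principal's ARN is covered by any valid ignore-list entry."""
    return any(validate_arn_pattern(p) is None and arn_matches(p, arn) for p in ignore_list)

if __name__ == "__main__":
    for entry in ["arn:aws:sts:us-east-1:*:assumed-role/*", "arn:aws:iam:eu-west-1:123456789012:user/testUser",
                  "arn:aws:sts::12*:assumed-role/exampleRole", "arn:aws:sts:us-east-1:123456789012:*"]:
        print(entry, "->", validate_arn_pattern(entry) or "OK")
```

Invalid entries are skipped by should_ignore rather than silently matching, which mirrors the console rejecting them at save time.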