elastic · animehart · Jul 14, 2025 · Jul 15, 2025 · Jul 18, 2025 · Jul 21, 2025
@@ -28,8 +28,8 @@ metadata:
 
     1. Create an IAM role for managing incidents with AWS:
      - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
-    ```
-     {
+    ```json
+    {
         "Version": "2012-10-17",
         "Statement": [
             {

@@ -31,26 +31,26 @@ metadata:
 
     The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):
 
-    ```
+    ```json
     {
-     "ServerCertificateMetadataList": [
-     {
-     "ServerCertificateId": "EHDGFRW7EJFYTE88D",
-     "ServerCertificateName": "MyServerCertificate",
-     "Expiration": "2018-07-10T23:59:59Z",
-     "Path": "/",
-     "Arn": "arn:aws:iam::012345678910:server-certificate/MySSLCertificate",
-     "UploadDate": "2018-06-10T11:56:08Z"
-     }
-     ]
+        "ServerCertificateMetadataList": [
+            {
+                "ServerCertificateId": "EHDGFRW7EJFYTE88D",
+                "ServerCertificateName": "MyServerCertificate",
+                "Expiration": "2018-07-10T23:59:59Z",
+                "Path": "/",
+                "Arn": "arn:aws:iam::012345678910:server-certificate/MySSLCertificate",
+                "UploadDate": "2018-06-10T11:56:08Z"
+            }
+        ]
     }
     ```
 
     Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM.
     If so, use the AWS API to remove them.
 
     If this command returns:
-    ```
+    ```json
     { { "ServerCertificateMetadataList": [] }
-    { { "ServerCertificateMetadataList": [] }
+    { "ServerCertificateMetadataList": [] }
-    { { "ServerCertificateMetadataList": [] }
+    { "ServerCertificateMetadataList": [] }
     ```
     This means that there are no expired certificates, It DOES NOT mean that no certificates exist.

@@ -19,17 +19,19 @@ metadata:
     2. Select the Check box next to the Bucket.
     3. Click on 'Permissions', then Click on `Bucket Policy`.
     4. Ensure that a policy is listed that matches:
-    ```
-    '{
-     "Sid": <optional>,
-     "Effect": "Deny",
-     "Principal": "*",
-     "Action": "s3:*",
-     "Resource": "arn:aws:s3:::<bucket_name>/*",
-     "Condition": {
-     "Bool": {
-     "aws:SecureTransport": "false"
-     }'
+    ```json
+    {
+        "Sid": "<optional>",
+        "Effect": "Deny",
+        "Principal": "*",
+        "Action": "s3:*",
+        "Resource": "arn:aws:s3:::<bucket_name>/*",
+        "Condition": {
+            "Bool": {
+                "aws:SecureTransport": "false"
+            }
+        }
+    }
     ```
     `<optional>` and `<bucket_name>` will be specific to your account
 
@@ -55,19 +57,19 @@ metadata:
     3. Click on 'Permissions'.
     4. Click 'Bucket Policy'
     5. Add this to the existing policy filling in the required information
-    ```
+    ```json
     {
-     "Sid": <optional>",
-     "Effect": "Deny",
-     "Principal": "*",
-     "Action": "s3:*",
-     "Resource": "arn:aws:s3:::<bucket_name>/*",
-     "Condition": {
-     "Bool": {
-     "aws:SecureTransport": "false"
-     }
-     }
-     }
+        "Sid": "<optional>",
+        "Effect": "Deny",
+        "Principal": "*",
+        "Action": "s3:*",
+        "Resource": "arn:aws:s3:::<bucket_name>/*",
+        "Condition": {
+            "Bool": {
+                "aws:SecureTransport": "false"
+            }
+        }
+    }
     ```
     6. Save
     7. Repeat for all the buckets in your AWS account that contain sensitive data.
@@ -97,19 +99,19 @@ metadata:
     ```
 
     15. Modify the policy.json file by adding in this statement:
-    ```
+    ```json
     {
-     "Sid": <optional>",
-     "Effect": "Deny",
-     "Principal": "*",
-     "Action": "s3:*",
-     "Resource": "arn:aws:s3:::<bucket_name>/*",
-     "Condition": {
-     "Bool": {
-     "aws:SecureTransport": "false"
-     }
-     }
-     }
+        "Sid": "<optional>",
+        "Effect": "Deny",
+        "Principal": "*",
+        "Action": "s3:*",
+        "Resource": "arn:aws:s3:::<bucket_name>/*",
+        "Condition": {
+            "Bool": {
+                "aws:SecureTransport": "false"
+            }
+        }
+    }
     ```
     16. Apply this modified policy back to the S3 bucket:
     ```

@@ -38,14 +38,14 @@ metadata:
     ```
     Output if Block Public access is enabled:
 
-    ```
+    ```json
     {
-     "PublicAccessBlockConfiguration": {
-     "BlockPublicAcls": true,
-     "IgnorePublicAcls": true,
-     "BlockPublicPolicy": true,
-     "RestrictPublicBuckets": true
-     }
+        "PublicAccessBlockConfiguration": {
+            "BlockPublicAcls": true,
+            "IgnorePublicAcls": true,
+            "BlockPublicPolicy": true,
+            "RestrictPublicBuckets": true
+        }
     }
     ```
 
@@ -66,14 +66,14 @@ metadata:
 
     Output if Block Public access is enabled:
 
-    ```
+    ```json
     {
-     "PublicAccessBlockConfiguration": {
-     "IgnorePublicAcls": true, 
-     "BlockPublicPolicy": true, 
-     "BlockPublicAcls": true, 
-     "RestrictPublicBuckets": true
-     }
+        "PublicAccessBlockConfiguration": {
+            "IgnorePublicAcls": true,
+            "BlockPublicPolicy": true,
+            "BlockPublicAcls": true,
+            "RestrictPublicBuckets": true
+        }
     }
     ```
 

@@ -36,7 +36,7 @@ metadata:
 
     Sample Output:
 
-    ```
+    ```json
     {
         "ConfigurationRecorders": [
             {

@@ -37,7 +37,7 @@ metadata:
 
     Sample Output for a bucket with logging enabled:
 
-    ```
+    ```json
     {
         "LoggingEnabled": {
             "TargetPrefix": "<Prefix_Test>",
@@ -67,7 +67,7 @@ metadata:
     aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName
     ```
     8. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`:
-    ```
+    ```json
     {
         "LoggingEnabled": {
             "TargetBucket": "<Logging_BucketName>",

@@ -56,40 +56,40 @@ metadata:
     **From Command Line:**
 
     11. Create a policy document and name it as `role_policy_document.json` and paste the following content:
-    ```
+    ```json
     {
-     "Version": "2012-10-17",
-     "Statement": [
-     {
-     "Sid": "test",
-     "Effect": "Allow",
-     "Principal": {
-     "Service": "ec2.amazonaws.com"
-     },
-     "Action": "sts:AssumeRole"
-     }
-     ]
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "test",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "ec2.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
     }
     ```
     12. Create another policy document and name it as `iam_policy.json` and paste the following content:
-    ```
+    ```json
     {
-     "Version": "2012-10-17",
-     "Statement": [
-     {
-     "Effect": "Allow",
-     "Action":[
-     "logs:CreateLogGroup",
-     "logs:CreateLogStream",
-     "logs:DescribeLogGroups",
-     "logs:DescribeLogStreams",
-     "logs:PutLogEvents",
-     "logs:GetLogEvents",
-     "logs:FilterLogEvents"
-     ],
-     "Resource": "*"
-     }
-     ]
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:DescribeLogGroups",
+                    "logs:DescribeLogStreams",
+                    "logs:PutLogEvents",
+                    "logs:GetLogEvents",
+                    "logs:FilterLogEvents"
+                ],
+                "Resource": "*"
+            }
+        ]
     }
     ```
     13. Run the below command to create an IAM role:

@@ -53,14 +53,14 @@ metadata:
     az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'
     ```
     Where `input.json` contains the Request body json data as mentioned below.
-    ```
-     {
-     "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
-     "name": "default",
-     "type": "Microsoft.Security/autoProvisioningSettings",
-     "properties": {
-     "autoProvision": "On"
-     }
+    ```json
+    {
+        "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
+        "name": "default",
+        "type": "Microsoft.Security/autoProvisioningSettings",
+        "properties": {
+            "autoProvision": "On"
+        }
     }
     ```
   impact: ''

@@ -40,18 +40,18 @@ metadata:
     az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
     ```
     Where `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:
-    ```
-     {
-     "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
-     "name": "default1",
-     "type": "Microsoft.Security/securityContacts",
-     "properties": {
-     "email": "<validEmailAddress>",
-     "alertNotifications": "On",
-     "alertsToAdmins": "On",
-     "notificationsByRole": "Owner"
-     }
-     }
+    ```json
+    {
+        "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
+        "name": "default1",
+        "type": "Microsoft.Security/securityContacts",
+        "properties": {
+            "email": "<validEmailAddress>",
+            "alertNotifications": "On",
+            "alertsToAdmins": "On",
+            "notificationsByRole": "Owner"
+        }
+    }
     ```
   impact: ''
   default_value: ''

@@ -46,17 +46,17 @@ metadata:
     ```
     Where `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:
 
-    ```
-     {
-     "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default",
-     "name": "default",
-     "type": "Microsoft.Security/securityContacts",
-     "properties": {
-     "email": "<validEmailAddress>",
-     "alertNotifications": "On",
-     "alertsToAdmins": "On"
-     }
-     }
+    ```json
+    {
+        "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default",
+        "name": "default",
+        "type": "Microsoft.Security/securityContacts",
+        "properties": {
+            "email": "<validEmailAddress>",
+            "alertNotifications": "On",
+            "alertsToAdmins": "On"
+        }
+    }
     ```
   impact: ''
   default_value: ''

@@ -41,17 +41,17 @@ metadata:
     az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
     ```
     Where `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:
-    ```
-     {
-     "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
-     "name": "default1",
-     "type": "Microsoft.Security/securityContacts",
-     "properties": {
-     "email": "<validEmailAddress>",
-     "alertNotifications": "On",
-     "alertsToAdmins": "On"
-     }
-     }
+    ```json
+    {
+        "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
+        "name": "default1",
+        "type": "Microsoft.Security/securityContacts",
+        "properties": {
+            "email": "<validEmailAddress>",
+            "alertNotifications": "On",
+            "alertsToAdmins": "On"
+        }
+    }
     ```
   impact: ''
   default_value: ''
-Original file line number
+Diff line change
@@ Expand Up / @@ -36,7 +36,7 @@ metadata: @@
         Sample Output:
-        ```
+        ```json
         {
             "ConfigurationRecorders": [
                 {
@@ Expand Down @@