├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── aws-auditmanager-conformancepack
│   ├── CODE_OF_CONDUCT.md
│   ├── CONTRIBUTING.md
│   ├── LICENSE
│   ├── README.md
│   ├── cft
│   │   ├── aws-auditmanager-confpack.yml
│   │   └── aws-auditmanager-customassessment.yml
│   ├── images
│   │   └── arch-diagram.png
│   ├── lambda
│   │   ├── CustomAuditManagerFramework_Lambda.py
│   │   ├── CustomAuditManagerFramework_Lambda.zip
│   │   └── auditmanagerlayer.zip
│   ├── layer
│   │   └── auditmanagerlayer.zip
│   └── mappingfile
│       ├── nerc-cipmappingfile.csv
│       └── nistmappingcsv1.csv
├── aws-auditmanager-securityhub
│   ├── CODE_OF_CONDUCT.md
│   ├── CONTRIBUTING.md
│   ├── LICENSE
│   ├── README.md
│   ├── cft
│   │   ├── aws-auditmanager-customassessment.yml
│   │   └── aws-auditmanager-securityhub.yml
│   ├── images
│   │   └── arch-diagram.png
│   └── lambda
│       └── CustomAuditManagerFramework_Lambda.py
├── aws-cloudfoundations-baseline-demo
│   ├── README.md
│   └── cft
│       ├── aws-pci-conformancepack-remediations-v1.yml
│       ├── aws-pci-conformancepack-v1.yml
│       ├── aws-pci-confpack-ssmautomation-v1.yml
│       └── aws-pci-custom-confpack-org.yml
├── aws-config-aggregator
│   ├── README.md
│   ├── cft
│   │   ├── AccountEnableRecorderAndAggregator.yaml
│   │   └── OrganizationEnableRecorderAndAggregator.yaml
│   └── images
│       └── aggregator.png
├── aws-config-visualization
│   ├── README.md
│   └── cft
│       └── Config-QuickSight-Visualization-SSM-Automation.yaml
├── aws-configremediations-fsbp
│   ├── LICENSE
│   ├── README.md
│   ├── cft
│   │   ├── aws-fsbp-configremediations.yml
│   │   ├── aws-fsbp-systemsmanagerautomations.yml
│   │   └── aws-vpcsetup-v1.yml
│   ├── coverage
│   │   └── AWS SecurityHub Benchmarks-Coverage-v1.xlsx
│   └── images
│       └── arch-diagramfsbp.png
├── aws-configremediations-pci
│   ├── LICENSE
│   ├── README.md
│   ├── cft
│   │   ├── aws-pci-configremediations.yml
│   │   ├── aws-pci-systemsmanagerautomations.yml
│   │   └── aws-securevpcsetup.json
│   ├── coverage
│   │   └── AWS SecurityHub Benchmarks-Coverage-v1.xlsx
│   └── images
│       └── arch-diagrampci.png
├── aws-devsecops-conformancepack-pci
│   ├── LICENSE
│   ├── README.md
│   ├── cft
│   │   ├── aws-pci-conformancepack-update-v1.yml
│   │   ├── aws-pci-conformancepack-v1-1.yml
│   │   ├── aws-pci-conformancepack-v1-2.yml
│   │   ├── aws-pci-conformancepack-v1-3.yml
│   │   ├── aws-pci-conformancepack-v1.yml
│   │   ├── aws-pci-confpack-codepipeline.yml
│   │   ├── aws-pci-confpack-ssmautomation-reinvent.yml
│   │   ├── aws-pci-confpack-ssmautomation-v1.yml
│   │   ├── buildspec-reinvent.yml
│   │   ├── buildspec-update-reinvent.yml
│   │   └── buildspec.yml
│   ├── coverage
│   │   └── AWS PCI Conformance Packs Auto Healing Coverage.xlsx
│   └── images
│       ├── arch-diagram.png
│       └── ccoe-devsecopscompliance.png
├── aws-enable-config
│   ├── README.md
│   ├── cft
│   │   ├── AWSCloudFormationStackSetAdministrationRole.yml
│   │   ├── AWSCloudFormationStackSetExecutionRole.yml
│   │   ├── EnableAWSConfig.yml
│   │   └── OrgEnableAWSConfigRule.yml
│   └── images
│       └── config.png
├── aws-org-conformancepack
│   ├── README.md
│   └── cft
│       ├── AccountEnableConformancePack.yml
│       ├── OrgEnableConformancePack.yml
│       └── org-confpack-pci.yml
├── aws-org-custom-conformancepacks
│   ├── README.md
│   └── cft
│       ├── aws-pci-conformancepack-remediations-v1.yml
│       ├── aws-pci-conformancepack-v1.yml
│       ├── aws-pci-confpack-ssmautomation-v1.yml
│       ├── aws-pci-custom-confpack-org.yml
│       └── s3bucketpolicy.json
├── aws-org-enable-cca
│   └── README.md
├── aws-remediate-cis-securityhub
│   ├── README.md
│   ├── cft
│   │   ├── aws-cis-cloudwatchlogmetricfilters-v2.yml
│   │   ├── aws-cis-cloudwatchlogmetricfilters.yml
│   │   ├── aws-cis-securityhubactions.yml
│   │   └── aws-cis-systemsmanagerautomations.yml
│   └── images
│       └── arch-diagram.png
├── aws-servicecatalog-prescriptivecompliance
│   ├── README-old.md
│   ├── README.md
│   ├── cft
│   │   ├── aws-servicecatalog-codepipeline.yml
│   │   ├── aws-servicecatalog-configremediations-v2.yml
│   │   ├── aws-servicecatalog-configremediations.yml
│   │   ├── aws-servicecatalog-prescriptivecompliance-v1.yml
│   │   ├── aws-servicecatalog-prescriptivecompliance.yml
│   │   ├── buildspec-update.yml
│   │   └── buildspec.yml
│   └── images
│       └── ccoe-prescriptivecompliance.png
├── aws-systemsmanager-automations
│   ├── migrations
│   │   └── cft
│   │       ├── AD-Immersionday_Template.yaml
│   │       ├── MGN-sourceserver-replication.yml
│   │       ├── domain-join-automation-role.yaml
│   │       ├── domainJoin_RunDocument_yaml.yaml
│   │       └── ssm-parameters.yaml
│   └── patching
│       └── aws-ssm-patchmanager-v1.yaml
└── aws-systemsmanager-changemanager
    ├── README.md
    ├── cft
    │   ├── aws-changemanager-configremediation.yaml
    │   └── aws-changemanager-ssmautomation.yml
    └── images
        └── arch-changemanager.png

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.


## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/aws-auditmanager-conformancepack/README.md:
--------------------------------------------------------------------------------

# Automate audit preparation in AWS and integrate across the Three Lines Model - Transform AWS Config Conformance Packs to AWS Audit Manager Assessments

Converts an AWS Config Conformance Pack into an AWS Audit Manager Assessment.

The Audit Manager assessment is based on a custom AWS Audit Manager framework that is comprised of custom AWS Audit Manager control sets. Each control set contains custom AWS Audit Manager controls that correspond to the AWS Config rules deployed by the AWS Config Conformance Pack.

Pre-requisite: takes a CSV as input that lists all the Config rules within the AWS Config Conformance Pack.


## Solution Design


## How To Install

**Prerequisites**

1. Ensure that AWS Config is enabled in your account.

2. Follow the steps to set up AWS Audit Manager.

3. Create an Amazon Simple Storage Service (Amazon S3) bucket with the following name: s3-customauditmanagerframework-AccountId-Region, where AccountId is your AWS account ID and Region is the AWS Region where you plan to deploy the CloudFormation templates in the setup. In this bucket, create a folder named CustomAuditManagerFramework_Lambda and upload the CustomAuditManagerFramework_Lambda.zip file (in the lambda folder) there.

4. Upload the mapping file to the top directory of the S3 bucket you created in step 3. This mapping file is a CSV that maps each control name of the compliance framework to the list of AWS Config rules in the conformance pack. A sample mapping file for NIST-CSF is provided as nistmappingcsv1.csv (in the mappingfile folder).

5. Create an IAM user with Audit owner permissions (https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies). You can use the AWSAuditManagerAdministratorAccess policy as a starting point, but remember to scope down these permissions as needed to fit your requirements.

6. If you have already configured an assessment reports destination in your Audit Manager settings, you can skip this step. Otherwise, for this solution you can simply reuse the S3 bucket from step 3 and create another folder, for example evidences. Your assessment reports destination is then the S3 URI, for example s3://s3-customauditmanagerframework-AccountId-Region/evidences/, where AccountId is your AWS account ID and Region is the AWS Region where you plan to deploy the CloudFormation templates in the setup.


**Setup**

The solution automates the initial setup and deployment in two steps:

1. Launch the **aws-auditmanager-confpack.yml** template. Parameters: 1) the name of the S3 bucket and folder (from step 3 in the prerequisites) that contains the source CustomAuditManagerFramework_Lambda.zip; 2) the name of the mapping file (from step 4) in the ConfPackControlsMappingFile parameter.

2. Launch the **aws-auditmanager-customassessment.yml** template. Parameters: 1) the S3 URI (from step 6 in the prerequisites) that is the assessment destination; 2) the ARN of the Audit owner IAM user from step 5 in the prerequisites.

**Cleanup**

1. Delete the CloudFormation stacks in sequence: 1) aws-auditmanager-customassessment.yml and then 2) aws-auditmanager-confpack.yml.
2. Delete the custom framework as well as the custom controls created in Audit Manager (you can do this from the console).
3. Delete the Audit Manager framework ID from the SSM Parameter Store.

--------------------------------------------------------------------------------
/aws-auditmanager-conformancepack/cft/aws-auditmanager-confpack.yml:
--------------------------------------------------------------------------------
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

# Provisions custom AWS Audit Manager assessment based on Config checks that create a conformance pack
# Pre-req: AWS Lambda that creates a custom AWS Audit Manager control set and custom AWS Audit Manager
# framework


# kmmahaj

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create custom Audit Manager assessments. You will be
  billed for the AWS resources used if you create a stack from this template. (qs-1t0eilb5g)
Parameters:
  SourceBucket:
    Description: S3 Bucket that contains the Custom Audit Manager Framework Lambda
    Type: String
    Default: 's3-customauditmanagerframework-
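The mapping CSV from prerequisite step 4 of the README above is the input the solution's Lambda turns into custom controls. The Python below is an added example, not the repository's CustomAuditManagerFramework_Lambda.py: it parses a mapping file, cross-checks it against the rule names a conformance pack deploys (so a control that would never receive evidence, or a rule whose evidence no control assesses, is caught before the framework is created), and assembles the per-control evidence-source structure. The CSV column layout (control name, then a semicolon-separated rule list), the sample rows, the pack's rule list and the use of the Config rule name as the Audit Manager keyword value are all assumptions made for this example.

```python
import csv
import io

# Constructed sample mapping file; NOT the repository's nistmappingcsv1.csv. The column layout
# (a control name, then a semicolon-separated list of Config rule names) is an assumption.
SAMPLE_MAPPING_CSV = """\
ControlName,ConfigRules
PR.AC-1 Identities and credentials,iam-password-policy;iam-user-mfa-enabled;root-account-mfa-enabled
PR.DS-1 Data-at-rest is protected,s3-bucket-server-side-encryption-enabled;ebs-encryption-by-default
DE.CM-1 Network is monitored,vpc-flow-logs-enabled;iam-password-policy
"""

# Constructed list of the rule names the conformance pack is assumed to deploy.
SAMPLE_CONFPACK_RULES = {
    "iam-password-policy",
    "iam-user-mfa-enabled",
    "root-account-mfa-enabled",
    "s3-bucket-server-side-encryption-enabled",
    "vpc-flow-logs-enabled",
    "cloudtrail-enabled",
}


def parse_mapping(csv_text):
    """Return {control_name: [rule, ...]} in file order, rejecting blank or duplicate controls."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        control = (row.get("ControlName") or "").strip()
        rules = [r.strip() for r in (row.get("ConfigRules") or "").split(";") if r.strip()]
        if not control or not rules:
            raise ValueError(f"malformed mapping row: {row!r}")
        if control in mapping:
            raise ValueError(f"control listed twice: {control}")
        mapping[control] = rules
    return mapping


def _referenced_rules(mapping):
    return {rule for rules in mapping.values() for rule in rules}


def unmapped_rules(mapping, confpack_rules):
    """Rules named in the CSV that the pack does not deploy: their controls would never get evidence."""
    return sorted(_referenced_rules(mapping) - set(confpack_rules))


def uncovered_rules(mapping, confpack_rules):
    """Rules the pack deploys that no control maps to: evidence is collected but never assessed."""
    return sorted(set(confpack_rules) - _referenced_rules(mapping))


def build_control_set(mapping, control_set_name="Config Conformance Pack controls"):
    """Shape the mapping as one control set with one control per CSV row.

    Each control carries one AWS Config evidence source per rule, using the field names of
    Audit Manager's control mapping sources (sourceType AWS_Config, keywordValue = rule name).
    That the repository's Lambda assembles exactly this structure is an assumption.
    """
    controls = []
    for control, rules in mapping.items():
        controls.append({
            "name": control,
            "controlMappingSources": [
                {
                    "sourceName": rule,
                    "sourceSetUpOption": "System_Controls_Mapping",
                    "sourceType": "AWS_Config",
                    "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": rule},
                }
                for rule in rules
            ],
        })
    return {"name": control_set_name, "controls": controls}


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING_CSV)
    print("rules in CSV but not in pack:", unmapped_rules(mapping, SAMPLE_CONFPACK_RULES))
    print("pack rules no control maps to:", uncovered_rules(mapping, SAMPLE_CONFPACK_RULES))
    print("controls built:", len(build_control_set(mapping)["controls"]))
```

Run against the constructed sample, the cross-check reports ebs-encryption-by-default as mapped but not deployed and cloudtrail-enabled as deployed but unmapped; either gap is worth resolving in the CSV before the framework and its assessment are created, because Audit Manager will otherwise show the affected controls with no evidence.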
/aws-auditmanager-securityhub/README.md:
--------------------------------------------------------------------------------

# Automate audit preparation in AWS and integrate across the Three Lines Model - Build a custom integration of AWS Audit Manager with AWS Security Hub

Creates a custom AWS Audit Manager framework that is comprised of custom AWS Audit Manager control sets. The custom Audit Manager control set contains custom AWS Audit Manager controls related to AWS Security Hub findings that span across the AWS Security Hub FSBP, CIS and PCI compliance checks. So, instead of a control set being specific to an individual AWS Security Hub compliance standard (FSBP, CIS or PCI), the control set spans the Security Hub compliance checks and is specific to a security-related domain, for example Identity Management or Network Monitoring.


## Solution Design


## How To Install

**Prerequisites**

1. Ensure that AWS Security Hub is enabled in your account.

2. Follow the steps to set up AWS Audit Manager.

3. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-AccountId-Region, where AccountId is your AWS Account ID and Region is the AWS Region where you have deployed this template. In this bucket, create a folder named CustomAuditManagerFramework_Lambda and upload the CustomAuditManagerFramework_Lambda.zip file (it's in the lambda folder) there.

4. Audit Manager works with the Boto3 1.7 libraries. AWS Lambda doesn't ship with Boto3 1.7 by default, so this implementation provides that version of Boto3 as a Lambda Layer. Upload auditmanagerlayer.zip (it's in the layer folder) to the root folder of the S3 bucket created in step 3.

5. If you have already configured an assessment reports destination in your Audit Manager settings, you can skip this step. Otherwise, create a folder (for example 'evidences') in the S3 bucket from step 3. Your assessment reports destination is then the S3 URI, for example s3://s3-customauditmanagerframework-AccountId-Region/evidences/. AWS Audit Manager will save your assessment reports to this bucket.

6. Create an IAM user with Audit owner permissions (https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies).


**Setup**

The solution automates the initial setup and deployment in two steps:

1. Launch the **aws-auditmanager-securityhub.yml** template. Parameter: 1) the name of the S3 bucket and folder (from step 3 in the prerequisites) that contains the source CustomAuditManagerFramework_Lambda.zip.

2. Launch the **aws-auditmanager-customassessment.yml** template. Parameters: 1) the S3 URI (from step 5 in the prerequisites) that is the assessment destination; 2) the ARN of the Audit owner IAM user from step 6 in the prerequisites.

**Cleanup**

1. Delete the CloudFormation stacks in sequence: 1) aws-auditmanager-customassessment.yml and then 2) aws-auditmanager-securityhub.yml.
2. Delete the custom framework as well as the custom controls created in Audit Manager (you can do this from the console).
3. Delete the Audit Manager framework ID from the SSM Parameter Store.

--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/cft/aws-auditmanager-customassessment.yml:
--------------------------------------------------------------------------------
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

# Provisions custom AWS Audit Manager assessment based on Security Hub checks
# Pre-req: AWS Lambda that creates a custom AWS Audit Manager control set and custom AWS Audit Manager
# framework

# kmmahaj

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create custom Audit Manager assessments. You will be
  billed for the AWS resources used if you create a stack from this template.(qs-1t0eilb5g)
Parameters:

  AssessmentDestination:
    Description: S3 Bucket and folder that stores the Custom Audit Manager Assessment Destination
    Type: String
    Default: 's3://s3-customauditmanagerframework-


# DevSecOps for Auto Healing PCI Compliance using custom AWS Config Conformance Packs and AWS CodePipeline

Augments the AWS Config Conformance Pack for Operational Best Practices for PCI DSS 3.2.1 with 2 features:
1. Auto healing for PCI-related AWS Config managed rules. Adds remediation to the PCI Conformance Packs. Implemented using custom AWS Config Conformance Packs that leverage custom AWS Systems Manager Automation documents provided via AWS CloudFormation.
2. A DevSecOps CI/CD pipeline for PCI compliance that incorporates "PCI Compliance as code" into existing DevOps workflows. Implemented by integrating custom AWS Config Conformance Packs with AWS CodePipeline and provided via AWS CloudFormation.


## How it Works

1. aws-pci-confpack-codepipeline.yml
   - Triggers an AWS CodePipeline based CI/CD pipeline whenever there is an update to the source AWS CloudFormation templates in your local Git repository. These source AWS CloudFormation templates incorporate the code for the custom AWS Config Conformance Packs.
   - Provisions an AWS CodePipeline automation with AWS CodeCommit and AWS CodeBuild stages for the build and deployment of the AWS Config Conformance Packs.
2. aws-pci-confpack-ssmautomation-v1.yml
   - Provisions custom AWS Systems Manager automation documents for PCI remediation. These documents provide the automated remediations for the provisioned AWS Config rules through the AWS::Config::RemediationConfiguration CloudFormation construct in the AWS Config Conformance Pack.
   - Provisions pre-requisites for the AWS Config Conformance Pack deployment, such as the AWS Systems Manager automation role, S3 buckets for logging and replication for S3-related remediations, and CloudWatch Logs and a CloudWatch role for AWS CloudTrail-related remediations for PCI compliance.
3. Custom AWS Config Conformance Packs
   - aws-pci-conformancepack-v1-1.yml: provisions a custom AWS Config Conformance Pack for the detection and remediation of Amazon EC2, AWS Auto Scaling and AWS Lambda based PCI compliance violations.
   - aws-pci-conformancepack-v1-2.yml: provisions a custom AWS Config Conformance Pack for the detection and remediation of AWS CloudTrail, AWS KMS and AWS CodeBuild based PCI compliance violations.
   - aws-pci-conformancepack-v1-3.yml: provisions a custom AWS Config Conformance Pack for the detection and remediation of Amazon Redshift, AWS RDS and AWS IAM based PCI compliance violations.


## Solution Design


## Prerequisites
1. Custom AWS Config Conformance Packs: set up the prerequisites for deploying and building with both AWS Config Conformance Packs and custom AWS Config Conformance Packs with remediations. Refer to the AWS documentation.
2. Local Git repository and AWS CodeCommit Git repository setup: create an AWS CodeCommit Git repository in your AWS account and integrate it with your local Git repository. Refer to the AWS documentation.
3. Staging S3 bucket: the solution creates a staging S3 bucket with the following naming convention: **s3-pciautohealconfpack--accountid-region. Substitute the accountid and region parameters in the buildspec.yml with your AWS Account ID and Region.** The buildspec.yml uses the staging S3 bucket as the template-s3-uri parameter while invoking the aws configservice put-conformance-pack CLI.
4. In each of the aws-pci-conformancepack-v1-[1,2,3] templates, **substitute the accountid and region parameters in the AutomationAssumeRole ARN parameter with your AWS Account ID and Region.**


## How To Install

1. **Template 1 of 2:** aws-pci-confpack-ssmautomation-v1.yml
   * Sets up AWS Systems Manager Automation documents for PCI-related auto healing and the required PCI remediation pre-requisites. No parameters needed. Installs in approx 2-3 mins.

2. **Template 2 of 2:** aws-pci-confpack-codepipeline.yml
   * Sets up the AWS CodePipeline based DevSecOps automation.
   * Installs aws-pci-conformancepack-v1-[1,2,3].yml for custom AWS Config Conformance Packs with remediation for PCI.

## COVERAGE

The [Coverage Matrix](coverage/AWSPCIConformancePacksAutoHealingCoverage.xlsx) provides the current coverage of this solution versus the PCI Benchmarks.

## @kmmahaj

--------------------------------------------------------------------------------
/aws-cloudfoundations-baseline-demo/cft/aws-pci-custom-confpack-org.yml:
--------------------------------------------------------------------------------
################################################################################
#
# Provisions Org Custom Conformance Packs
#
# @kmmahaj
#
# License:
# This code is made available under the MIT-0 license. See the LICENSE file.
################################################################################

Parameters:

  DeliveryS3Bucket:
    Description: The name of the Amazon S3 bucket where AWS Config stores conformance pack templates.
    Type: String
    Default: 'awsconfigconforms-orgbucket'

  OrganizationConformancePackName:
    Description: Name of the custom config conformance pack
    Type: String
    Default: 'aws-pcicustomconfpack-remediations-org'

  TemplateS3Uri:
    Description: Location of the S3 file containing the conformance pack template body. Points to the conformance pack template.
    Type: String
    Default: 's3://s3-pci-confpack-org/aws-pci-conformancepack-remediations-v1.yml'

Resources:

  OrganizationConformancePack:
    Type: 'AWS::Config::OrganizationConformancePack'
    Properties:
      OrganizationConformancePackName: !Ref OrganizationConformancePackName
      DeliveryS3Bucket: !Ref DeliveryS3Bucket
      TemplateS3Uri: !Ref TemplateS3Uri

--------------------------------------------------------------------------------
/aws-config-aggregator/README.md:
--------------------------------------------------------------------------------

3 | 4 | # Enable AWS Config Aggregator across accounts and regions 5 | 6 | 1. An AWS Config Aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple accounts and regions or from an AWS organization. All accounts must have AWS Config enabled. 7 | 2. The AWS account where the AWS Config Aggregator is created is called the aggregator account. The AWS account(s) that provide configuration and compliance data to this aggregator account are called the source accounts. 8 | 3. The aggregator account can be either the management account or a registered delegated administrator account. All features must be enabled in your organization. 9 | - If you are using a delegated administrator account as the aggregator account then ensure that the management account registers this account as the delegated administrator for the AWS Config service principle name (config.amazonaws.com). 10 | 4. If the Config Aggregator is configured to collect data from individual source accounts then each source account must provide authorization for the data to be collected. If the Config Aggregator is configured to collect data from an AWS organization then explicit authorization from a source account is not required. 11 | 12 | 13 | ## Option 1: Use OrganizationEnableRecorderAndAggregator.yaml - Create Config Aggregator in aggregator account for data collection across the AWS Organization 14 | 15 | 1. Enables AWS Config in your account if Config is not already enabled. Provisions recorder, delivery channel, S3 bucket and bucket policy required to enable Config 16 | 2. Launch this template from the aggregator account. Creates an AWS Config Aggregator from the aggregator account. It uses a service linked role that retrieves AWS Organization details associated with the aggregator account. 17 | - This creates an IAM role that attaches the AWSConfigRoleForOrganizations managed policy to your IAM role. 
Attaching this policy allows AWS Config to obtain Organization details associated with the aggregator account. 18 | 19 | 20 | ## Option 2: Use AccountEnableRecorderAndAggregator.yaml - Create Config Aggregator in aggregator account and aggregate individual source region(s) of that same account 21 | 22 | 1. Enables AWS Config in your account if Config is not already enabled. Provisions the recorder, delivery channel, S3 bucket and bucket policy required to enable Config. 23 | 2. Launch this template from the aggregator account. The aggregator itself is only created when the stack runs in the account and region given by *AggregatorAccount* and *AggregatorRegion* (the template's CreateAggregator condition); in any other region the template only enables the recorder. Provide input for the following parameters: 24 | *AggregatorAccount:* AWS Account ID of the aggregator account 25 | *AggregatorRegion:* AWS region of the aggregator 26 | *SourceRegion1:* AWS region to aggregate 27 | *SourceRegion2:* AWS region to aggregate 28 | *GlobalResourceTypesRegion:* the single region whose recorder also records global resource types such as IAM (default us-east-1) 29 | *CreateRecorder:* set to no if AWS Config is already enabled in the target region 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /aws-config-aggregator/cft/AccountEnableRecorderAndAggregator.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: Enable AWS Config (qs-1t0eilb5g) 3 | 4 | Metadata: 5 | AWS::CloudFormation::Interface: 6 | ParameterGroups: 7 | - Label: 8 | default: Configuration Recorder Configuration 9 | Parameters: 10 | - GlobalResourceTypesRegion 11 | - Label: 12 | default: Configuration Aggregator Configuration 13 | Parameters: 14 | - AggregatorAccount 15 | - AggregatorRegion 16 | ParameterLabels: 17 | GlobalResourceTypesRegion: 18 | default: Global resource types region 19 | AggregatorAccount: 20 | default: Aggregator account 21 | AggregatorRegion: 22 | default: Aggregator region 23 | SourceRegion1: 24 | default: Source region 1 25 | SourceRegion2: 26 | default: Source region 2 27 | 28 | 29 | Parameters: 30 | GlobalResourceTypesRegion: 31 | Type: String 32 | Default: us-east-1 33 | Description: AWS region used to record global resource types 34 | 
AggregatorAccount: 35 | Type: String 36 | Description: Account ID of the aggregator 37 | AggregatorRegion: 38 | Type: String 39 | Default: us-east-1 40 | Description: AWS region of the aggregator 41 | SourceRegion1: 42 | Type: String 43 | Description: 1st region to aggregate 44 | SourceRegion2: 45 | Type: String 46 | Description: 2nd region to aggregate 47 | CreateRecorder: 48 | Type: String 49 | Default: 'yes' 50 | AllowedValues: 51 | - 'yes' 52 | - 'no' 53 | Description: Should this template create the recorder 54 | 55 | Conditions: 56 | IncludeGlobalResourceTypes: !Equals 57 | - !Ref GlobalResourceTypesRegion 58 | - !Ref AWS::Region 59 | CreateAggregator: !And 60 | - !Equals 61 | - !Ref AggregatorAccount 62 | - !Ref AWS::AccountId 63 | - !Equals 64 | - !Ref AggregatorRegion 65 | - !Ref AWS::Region 66 | CreateConfigRecorder: !Equals 67 | - !Ref CreateRecorder 68 | - 'yes' 69 | 70 | 71 | Resources: 72 | 73 | ConfigBucket: 74 | DeletionPolicy: Retain 75 | Type: AWS::S3::Bucket 76 | Properties: 77 | BucketEncryption: 78 | ServerSideEncryptionConfiguration: 79 | - ServerSideEncryptionByDefault: 80 | SSEAlgorithm: AES256 81 | 82 | ConfigBucketPolicy: 83 | Type: AWS::S3::BucketPolicy 84 | Condition: CreateConfigRecorder 85 | Properties: 86 | Bucket: !Ref ConfigBucket 87 | PolicyDocument: 88 | Version: 2012-10-17 89 | Statement: 90 | - Sid: AWSConfigBucketPermissionsCheck 91 | Effect: Allow 92 | Principal: 93 | Service: 94 | - config.amazonaws.com 95 | Action: s3:GetBucketAcl 96 | Resource: 97 | - !Sub "arn:aws:s3:::${ConfigBucket}" 98 | - Sid: DisallowHTTP 99 | Effect: Deny 100 | Principal: '*' 101 | Action: 's3:*' 102 | Resource: 103 | - !Sub "arn:aws:s3:::${ConfigBucket}" 104 | Condition: 105 | Bool: 106 | 'aws:SecureTransport': false 107 | - Sid: AWSConfigBucketDelivery 108 | Effect: Allow 109 | Principal: 110 | Service: 111 | - config.amazonaws.com 112 | Action: s3:PutObject 113 | Resource: 114 | - !Sub "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" 115 
| 116 | ConfigRecorderRole: 117 | Type: AWS::IAM::Role 118 | Condition: CreateConfigRecorder 119 | Properties: 120 | AssumeRolePolicyDocument: 121 | Version: 2012-10-17 122 | Statement: 123 | - Effect: Allow 124 | Principal: 125 | Service: 126 | - config.amazonaws.com 127 | Action: 128 | - sts:AssumeRole 129 | Path: / 130 | ManagedPolicyArns: 131 | - arn:aws:iam::aws:policy/service-role/AWSConfigRole 132 | 133 | ConfigRecorder: 134 | Type: AWS::Config::ConfigurationRecorder 135 | Condition: CreateConfigRecorder 136 | DependsOn: 137 | - ConfigRecorderRole 138 | - ConfigBucketPolicy 139 | Properties: 140 | RoleARN: !GetAtt ConfigRecorderRole.Arn 141 | RecordingGroup: 142 | AllSupported: True 143 | IncludeGlobalResourceTypes: !If 144 | - IncludeGlobalResourceTypes 145 | - True 146 | - False 147 | 148 | DeliveryChannel: 149 | Type: AWS::Config::DeliveryChannel 150 | Condition: CreateConfigRecorder 151 | DependsOn: 152 | - ConfigBucketPolicy 153 | Properties: 154 | Name: default 155 | S3BucketName: !Ref ConfigBucket 156 | 157 | S3BucketPublicReadRule: 158 | Type: AWS::Config::ConfigRule 159 | Condition: CreateConfigRecorder 160 | DependsOn: 161 | - ConfigRecorder 162 | Properties: 163 | ConfigRuleName: stackset-s3-bucket-public-read-prohibited 164 | Description: s3-bucket-public-read-prohibited from stackset 165 | Scope: 166 | ComplianceResourceTypes: 167 | - AWS::S3::Bucket 168 | Source: 169 | Owner: AWS 170 | SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED 171 | 172 | 173 | ConfigAggregator: 174 | Type: AWS::Config::ConfigurationAggregator 175 | Condition: CreateAggregator 176 | Properties: 177 | ConfigurationAggregatorName: default 178 | AccountAggregationSources: 179 | - AccountIds: 180 | - !Ref AggregatorAccount 181 | AwsRegions: 182 | - !Ref SourceRegion1 183 | - !Ref SourceRegion2 184 | 185 | -------------------------------------------------------------------------------- /aws-config-aggregator/cft/OrganizationEnableRecorderAndAggregator.yaml: 
-------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: Enable AWS Config Aggregator and Recorder for an Organization (qs-1t0eilb5g) 3 | 4 | Parameters: 5 | GlobalResourceTypesRegion: 6 | Type: String 7 | Default: us-east-1 8 | Description: AWS region used to record global resources types 9 | OrgAggregatorName: 10 | Type: String 11 | Default: OrganizationalRecorder 12 | AllowedPattern: "^[\\w\\-]+" 13 | ConstraintDescription: "" 14 | Description: Name of the organizational aggregator 15 | CreateRecorder: 16 | Type: String 17 | Default: 'yes' 18 | AllowedValues: 19 | - 'yes' 20 | - 'no' 21 | Description: Should this template create the recorder 22 | 23 | 24 | Conditions: 25 | IncludeGlobalResourceTypes: !Equals 26 | - !Ref GlobalResourceTypesRegion 27 | - !Ref AWS::Region 28 | CreateConfigRecorder: !Equals 29 | - !Ref CreateRecorder 30 | - 'yes' 31 | 32 | 33 | Resources: 34 | 35 | ConfigBucket: 36 | Type: AWS::S3::Bucket 37 | Properties: 38 | BucketEncryption: 39 | ServerSideEncryptionConfiguration: 40 | - ServerSideEncryptionByDefault: 41 | SSEAlgorithm: AES256 42 | 43 | ConfigBucketPolicy: 44 | Type: AWS::S3::BucketPolicy 45 | Condition: CreateConfigRecorder 46 | Properties: 47 | Bucket: !Ref ConfigBucket 48 | PolicyDocument: 49 | Version: 2012-10-17 50 | Statement: 51 | - Sid: AWSConfigBucketPermissionsCheck 52 | Effect: Allow 53 | Principal: 54 | Service: 55 | - config.amazonaws.com 56 | Action: s3:GetBucketAcl 57 | Resource: 58 | - !Sub "arn:aws:s3:::${ConfigBucket}" 59 | - Sid: DisallowHTTP 60 | Effect: Deny 61 | Principal: '*' 62 | Action: 's3:*' 63 | Resource: 64 | - !Sub "arn:aws:s3:::${ConfigBucket}" 65 | Condition: 66 | Bool: 67 | 'aws:SecureTransport': false 68 | - Sid: AWSConfigBucketDelivery 69 | Effect: Allow 70 | Principal: 71 | Service: 72 | - config.amazonaws.com 73 | Action: s3:PutObject 74 | Resource: 75 | - !Sub 
"arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*" 76 | 77 | ConfigRecorderRole: 78 | Type: AWS::IAM::Role 79 | Condition: CreateConfigRecorder 80 | Properties: 81 | AssumeRolePolicyDocument: 82 | Version: 2012-10-17 83 | Statement: 84 | - Effect: Allow 85 | Principal: 86 | Service: 87 | - config.amazonaws.com 88 | Action: 89 | - sts:AssumeRole 90 | Path: / 91 | ManagedPolicyArns: 92 | - arn:aws:iam::aws:policy/service-role/AWSConfigRole 93 | 94 | ConfigRecorder: 95 | Type: AWS::Config::ConfigurationRecorder 96 | Condition: CreateConfigRecorder 97 | DependsOn: 98 | - ConfigBucketPolicy 99 | Properties: 100 | RoleARN: !GetAtt ConfigRecorderRole.Arn 101 | RecordingGroup: 102 | AllSupported: True 103 | IncludeGlobalResourceTypes: !If 104 | - IncludeGlobalResourceTypes 105 | - True 106 | - False 107 | 108 | DeliveryChannel: 109 | Type: AWS::Config::DeliveryChannel 110 | Condition: CreateConfigRecorder 111 | DependsOn: 112 | - ConfigBucketPolicy 113 | Properties: 114 | Name: default 115 | S3BucketName: !Ref ConfigBucket 116 | 117 | S3BucketPublicReadRule: 118 | Type: AWS::Config::ConfigRule 119 | Condition: CreateConfigRecorder 120 | DependsOn: 121 | - ConfigRecorder 122 | Properties: 123 | ConfigRuleName: stackset-s3-bucket-public-read-prohibited 124 | Description: s3-bucket-public-read-prohibited from stackset 125 | Scope: 126 | ComplianceResourceTypes: 127 | - AWS::S3::Bucket 128 | Source: 129 | Owner: AWS 130 | SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED 131 | 132 | 133 | ConfigurationAggregator: 134 | Type: 'AWS::Config::ConfigurationAggregator' 135 | Properties: 136 | OrganizationAggregationSource: 137 | RoleArn: 138 | !Join 139 | - '' 140 | - - 'arn:aws:iam::' 141 | - !Ref 'AWS::AccountId' 142 | - ':role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations' 143 | AllAwsRegions: true 144 | ConfigurationAggregatorName: !Ref OrgAggregatorName -------------------------------------------------------------------------------- 
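The ConfigBucketPolicy in both templates above grants config.amazonaws.com s3:GetBucketAcl and s3:PutObject and denies plaintext HTTP. The following is an added example, not code from this repository, of a small stdlib-only audit you can run over a delivery-bucket policy before deploying it. It flags the gaps a reviewer would raise against the policy as written: the DisallowHTTP deny lists only the bucket ARN, so object-level calls over HTTP are not covered, and the PutObject grant carries neither the s3:x-amz-acl = bucket-owner-full-control nor the AWS:SourceAccount condition that the AWS Config documentation recommends for the delivery bucket. The bucket name and account ID are assumed values, and the policy dicts are constructed in-line to mirror the templates' statements with !Sub already resolved; nothing here calls AWS.

```python
"""Audit an AWS Config delivery-bucket policy before AWS Config is pointed at it.

Added example (not code from this repository). Bucket name and account ID are
assumed; the policy dicts are constructed in-line to mirror the
ConfigBucketPolicy statements in the templates above, with the !Sub values
already resolved. Nothing here calls AWS, so it runs offline.
"""
import json

BUCKET = "config-bucket-111122223333"   # assumed
ACCOUNT = "111122223333"                # assumed

# Constructed copy of the templates' ConfigBucketPolicy after substitution.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:GetBucketAcl",
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Sid": "DisallowHTTP", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}"],          # bucket ARN only
         "Condition": {"Bool": {"aws:SecureTransport": False}}},
        {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": ["config.amazonaws.com"]},
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*"]},
    ],
}

# Same policy with the gaps closed: the TLS deny also covers objects, and the
# delivery grant is tied to the expected ACL and to the source account.
HARDENED_POLICY = json.loads(json.dumps(PAGE_POLICY))
HARDENED_POLICY["Statement"][1]["Resource"] = [
    f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
HARDENED_POLICY["Statement"][2]["Condition"] = {"StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control",
    "AWS:SourceAccount": ACCOUNT}}


def _as_list(value):
    """IAM allows most fields as a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_config_service(principal):
    services = principal.get("Service") if isinstance(principal, dict) else principal
    return "config.amazonaws.com" in _as_list(services)


def _condition(stmt, operator, key):
    """Value of Condition[operator][key]; IAM condition keys are case-insensitive."""
    for k, v in stmt.get("Condition", {}).get(operator, {}).items():
        if k.lower() == key.lower():
            return v
    return None


def audit_config_bucket_policy(policy, bucket, account):
    """Return finding codes in a fixed order; an empty list means clean."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []

    tls_denies = [s for s in policy["Statement"]
                  if s.get("Effect") == "Deny"
                  and str(_condition(s, "Bool", "aws:SecureTransport")).lower() == "false"]
    if not tls_denies:
        findings.append("tls-deny-missing")
    elif not any(f"{bucket_arn}/*" in _as_list(s.get("Resource")) for s in tls_denies):
        # A deny scoped to the bucket ARN alone never matches object
        # operations (PutObject, GetObject), so those still work over HTTP.
        findings.append("tls-deny-missing-object-arn")

    for s in policy["Statement"]:
        if s.get("Effect") != "Allow" or not _is_config_service(s.get("Principal")):
            continue
        if "s3:PutObject" not in _as_list(s.get("Action")):
            continue
        if _condition(s, "StringEquals", "s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append("putobject-missing-acl-condition")
        if _condition(s, "StringEquals", "aws:SourceAccount") != account:
            # Without this, Config running on behalf of any account could
            # write into the bucket (confused-deputy style).
            findings.append("putobject-source-account-unpinned")
        if not all(r.startswith(f"{bucket_arn}/AWSLogs/{account}/")
                   for r in _as_list(s.get("Resource"))):
            findings.append("putobject-unscoped-resource")
    return findings


if __name__ == "__main__":
    for label, pol in (("templates' policy", PAGE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit_config_bucket_policy(pol, BUCKET, ACCOUNT) or 'no findings'}")
```

For an organization aggregator the delivery bucket in each source account stays scoped to that account's own AWSLogs prefix; only the aggregator reads across accounts, so the per-account policy does not need to widen. Run the audit against the rendered policy (after CloudFormation substitution), not the raw template text.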
/aws-config-aggregator/images/aggregator.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-config-aggregator/images/aggregator.png -------------------------------------------------------------------------------- /aws-config-visualization/README.md: -------------------------------------------------------------------------------- 1 |2 |
3 | 4 | ## AWS SSM Automation Runbook to Setup AWS Config with Amazon Athena and Amazon QuickSight 5 | This solution is based on the blog [Visualizing AWS Config data using Amazon Athena and Amazon QuickSight](https://aws.amazon.com/blogs/mt/visualizing-aws-config-data-using-amazon-athena-and-amazon-quicksight/). 6 | 7 | ### What does this CloudFormation template do? 8 | This template deploys an SSM Automation runbook called **Config-QuickSight-Visualization** that sets up AWS Config data for querying with Amazon Athena and sets up Amazon QuickSight so you can build visualization dashboards from it. 9 | 10 | ## Running the Config-QuickSight-Visualization Automation Runbook 11 | 12 | ### Prerequisites 13 | 1. Configure [Delivering Configuration Snapshot to an Amazon S3 Bucket](https://docs.aws.amazon.com/config/latest/developerguide/deliver-snapshot-cli.html) for AWS Config. 14 | 1. Ensure you have access to the S3 bucket used by AWS Config. 15 | 1. The name of the S3 bucket used by AWS Config. 16 | 1. An [Amazon QuickSight subscription](https://docs.aws.amazon.com/quicksight/latest/user/signing-up.html) enabled in your AWS account. 17 | 1. Authorize [Amazon QuickSight access](https://docs.aws.amazon.com/quicksight/latest/user/athena.html) to the S3 bucket Athena will query for AWS Config data, under Security and Permissions within Amazon QuickSight. 18 | 1. The Amazon QuickSight user name. 19 | 20 | ### Input Parameters for the Config-QuickSight-Visualization Automation Runbook 21 | * **ConfigDeliveryChannelName:** (Required) Name of your AWS Config delivery channel. Defaults to the delivery channel named default. 22 | * **ConfigS3BucketLocation:** (Required) Name of the S3 bucket you currently use for AWS Config (e.g. config-bucket-1234567891). 23 | * **QuickSightUserName:** (Required) The Amazon QuickSight user name. 24 | * **AutomationAssumeRole:** (Optional) The ARN of the role that allows Automation to perform the actions on your behalf. 
25 | * **DeleteConfigVisualization:** (Optional) Set this to true if you would like to delete the resources created to enable this solution. The default is set to false which will setup the solution. 26 | 27 | ## Creating Visuals in Amazon QuickSight 28 | 29 | The **Config-QuickSight-Visualization** Automation Runbook will create the below views and datasets within Amazon Athena and Amazon QuickSight. You can then use these to create your visualization dashboard. 30 | 31 | * v_config_rules_compliance 32 | * v_config_resource_compliance 33 | * v_config_rds_dbinstances 34 | * v_config_iam_resources 35 | * v_config_ec2_vpcs 36 | * v_config_ec2_instances 37 | * v_config_resources 38 | 39 | #### Creating your Analyses in Amazon QuickSight 40 | 41 | 1. From Amazon QuickSight, choose **New analysis**. 42 | 1. On the **Datasets** page, choose the **v_config_resource_compliance** data set and then choose **Create Analysis**. 43 | 44 | #### Create a Visual By Using AutoGraph 45 | 46 | 1. Create a visual by using AutoGraph, which is selected by default. 47 | 1. On the analysis page, choose **accountid** and **compliancetype** in the Fields list pane. 48 | 1. Amazon QuickSight creates a **Horizontal bar chart** using this data. 49 | 50 | #### Adding Additional Datasets to your Analyses 51 | 52 | 1. You can add more data sets to the analysis to create more visuals. 53 | 1. From within the analysis, click the **Add,edit,replace and remove datasets** icon. 54 | 1. Click **Add Datasets**. 55 | 1. Select the **v_config_rules_compliance** and click **Select** 56 | 1. In the **Visual types** pane, choose the **Vertical Bar Chart** icon. 57 | 1. On the analysis page, choose **configrulename** and **compliancetype** in the Fields list pane. 58 | 1. You can create a filter on any field in the currently selected visual. When you create a filter, it applies by default to the currently selected visual only. 59 | 1. Click on the **Filter** icon within the Amazon QuickSight side bar. 60 | 1. 
Under the Filters section click "**Create one...**" and select the **configrulename** field. 61 | 1. Click on the **configrulename** field and uncheck the **Select all** check box. 62 | 1. Select a couple of Config Rules you would like to display in your visual and click **Apply**. 63 | 1. You can then click on the **Visualize** button on the side bar to return to make changes to your visual. 64 | 65 | #### Create a Dashboard 66 | 67 | 1. In the analysis, choose **Share** in the application bar at upper-right, and then choose **Publish dashboard**. 68 | 1. In the **Publish dashboard** page that opens, choose **Publish new dashboard as**, and enter the name **Config Dashboard**. 69 | 1. Choose **Publish dashboard**. 70 | 1. On the **Share dashboard** page that opens, choose the **X** icon to close it. 71 | -------------------------------------------------------------------------------- /aws-configremediations-fsbp/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Kanishk Mahajan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /aws-configremediations-fsbp/README.md: -------------------------------------------------------------------------------- 1 |2 |
3 | 4 | # Remediations for AWS FSBP Benchmarks using AWS Config and custom AWS Systems Manager Automation Documents 5 | 6 | Template 1 first provisions AWS Systems Manager Automation Documents as well as all the required pre-reqs. Template 2 then leverages the Systems Manager Automation documents within AWS Config Remediation Rules. 7 | 8 | 9 | ## COVERAGE 10 | 11 | The solution provides remediations for the following AWS FSBP checks: 12 | * [EC2.3] Attached EBS volumes should be encrypted at-rest 13 | * [GuardDuty.1] GuardDuty should be enabled 14 | * [IAM.3] IAM users' access keys should be rotated every 90 days or less 15 | * [Lambda.1] Lambda functions should prohibit public access by other accounts 16 | * [Lambda.2] Lambda functions should use latest runtimes 17 | * [RDS.3] RDS DB instances should have encryption at-rest enabled 18 | * [SSM.1] EC2 instances should be managed by AWS Systems Manager 19 | * [AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks 20 | * [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail 21 | * [CloudTrail.2] CloudTrail should have encryption at-rest enabled 22 | * [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials 23 | * [Config.1] AWS Config should be enabled 24 | * [EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone 25 | * [EC2.2] The VPC default security group should not allow inbound and outbound traffic 26 | * [IAM.1] IAM policies should not allow full * administrative privileges 27 | * [IAM.2] IAM users should not have IAM policies attached 28 | * [IAM.4] IAM root user access key should not exist 29 | * [IAM.7] Password policies for IAM users should have strong configurations 30 | * [S3.1] S3 Block Public Access setting should be enabled 31 | * [S3.2] S3 buckets should prohibit public read access 32 | * [S3.3] S3 buckets should 
prohibit public write access 33 | * [S3.4] S3 buckets should have server-side encryption enabled 34 | * [RDS.1] RDS snapshots should be private 35 | * [RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration 36 | * [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation 37 | 38 | ## Solution Design 39 | 40 |  41 | 42 | 43 | ## How To Install 44 | 45 | 1. **Template 1 of 2:** aws-fsbp-systemsmanagerautomations.yml 46 | * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Config Rule. 47 | * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 48 | 49 | 2. **Template 2 of 2:** aws-fsbp-configremediations.yml 50 | * Provisions AWS Config Managed Rules and attaches the custom AWS Systems Manager automation documents as AWS Config Remediations to the AWS Config Managed Rule. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 
51 | * Leverages the output from the previous template specifically the AWS Systems Manager Automation documents 52 | 53 | 54 | ## Author 55 | 56 | Kanishk Mahajan; kmmahaj@amazon.com 57 | -------------------------------------------------------------------------------- /aws-configremediations-fsbp/coverage/AWS SecurityHub Benchmarks-Coverage-v1.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-configremediations-fsbp/coverage/AWS SecurityHub Benchmarks-Coverage-v1.xlsx -------------------------------------------------------------------------------- /aws-configremediations-fsbp/images/arch-diagramfsbp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-configremediations-fsbp/images/arch-diagramfsbp.png -------------------------------------------------------------------------------- /aws-configremediations-pci/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Kanishk Mahajan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /aws-configremediations-pci/README.md: -------------------------------------------------------------------------------- 1 |2 |
3 | 4 | # Remediations for PCI DSS 3.2.1 using AWS Config and custom AWS Systems Manager Automation Documents 5 | 6 | Template 1 first provisions AWS Systems Manager Automation Documents as well as all the required prerequisites. Template 2 then uses the Systems Manager Automation documents within AWS Config Remediation Rules. 7 | 8 | 9 | ## COVERAGE 10 | 11 | The solution provides remediations for the following PCI checks: 12 | ``` 13 | * [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks 14 | * [PCI.CloudTrail.1] CloudTrail logs should be encrypted at rest using AWS KMS CMK 15 | * [PCI.CloudTrail.2] CloudTrail should be enabled 16 | * [PCI.CloudTrail.3] CloudTrail log file validation should be enabled 17 | * [PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs 18 | * [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials 19 | * [PCI.CW.1] A log metric filter and alarm should exist for usage of the "root" user 20 | * [PCI.Config.1] AWS Config should be enabled 21 | * [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable 22 | * [PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic 23 | * [PCI.EC2.3] Unused EC2 security groups should be removed 24 | * [PCI.EC2.4] Unused EC2 EIPs should be removed 25 | * [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22 26 | * [PCI.EC2.6] Ensure VPC flow logging is enabled in all VPCs 27 | * [PCI.IAM.1] IAM root user access key should not exist 28 | * [PCI.IAM.2] IAM users should not have IAM policies attached 29 | * [PCI.IAM.3] IAM policies should not allow full * administrative privileges 30 | * [PCI.KMS.1] Customer master key (CMK) rotation should be enabled 31 | * [PCI.Lambda.1] Lambda functions should prohibit public access 32 | * [PCI.Lambda.2] Lambda functions should be in a VPC 33 | * [PCI.RDS.1] RDS snapshots should prohibit public access 
34 | * [PCI.RDS.2] RDS DB Instances should prohibit public access 35 | * [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access 36 | * [PCI.S3.1] S3 buckets should prohibit public write access 37 | * [PCI.S3.2] S3 buckets should prohibit public read access 38 | * [PCI.S3.3] S3 buckets should have cross-region replication enabled 39 | * [PCI.S3.4] S3 buckets should have server-side encryption enabled 40 | * [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation 41 | ``` 42 | 43 | ## Solution Design 44 | 45 |  46 | 47 | 48 | ## How To Install 49 | 50 | 1. **Template 1 of 2:** aws-pci-systemsmanagerautomations.yml 51 | * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Config Rule. 52 | * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 53 | 54 | 2. **Template 2 of 2:** aws-pci-configremediations.yml 55 | * Provisions AWS Config Managed Rules and attaches the custom AWS Systems Manager automation documents as AWS Config Remediations to the AWS Config Managed Rule. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 
56 | * Leverages the output from the previous template specifically the AWS Systems Manager Automation documents 57 | 58 | 59 | -------------------------------------------------------------------------------- /aws-configremediations-pci/coverage/AWS SecurityHub Benchmarks-Coverage-v1.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-configremediations-pci/coverage/AWS SecurityHub Benchmarks-Coverage-v1.xlsx -------------------------------------------------------------------------------- /aws-configremediations-pci/images/arch-diagrampci.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-configremediations-pci/images/arch-diagrampci.png -------------------------------------------------------------------------------- /aws-devsecops-conformancepack-pci/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Kanishk Mahajan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /aws-devsecops-conformancepack-pci/README.md: -------------------------------------------------------------------------------- 1 |2 |
3 | 4 | # DevSecOps for Auto Healing PCI Compliance using custom AWS Config Conformance Packs and AWS CodePipeline 5 | 6 | Augments the AWS Config Conformance Pack for Operational Best Practices for PCI DSS 3.2.1 with 2 features – 7 | 1. Auto healing for PCI related AWS Config Managed rules. Adds Remediation to the PCI Conformance Packs. Implemented using custom AWS Config Conformance Packs that leverage custom AWS Systems Manager Automation Documents provided via AWS CloudFormation 8 | 2. DevSecOps CI/CD pipeline for PCI compliance that incorporates “PCI Compliance as code” into existing DevOps workflows. Implemented by integrating custom AWS Config Conformance Packs with AWS CodePipeline and provided via AWS CloudFormation. 9 | 10 | 11 | 12 | ## How it Works 13 | 14 | 1. aws-pci-confpack-codepipeline.yml 15 | - Triggers an AWS CodePipeline based CI/CD pipeline whenever an update to the source AWS CloudFormation templates is pushed from your local Git repository to the AWS CodeCommit repository. These source AWS CloudFormation templates incorporate the code for the custom AWS Config Conformance Packs. 16 | - Provisions an AWS CodePipeline automation with AWS CodeCommit and AWS CodeBuild stages for the build and deployment of the AWS Config Conformance Packs 17 | 2. aws-pci-confpack-ssmautomation-v1.yml 18 | - Provisions custom AWS Systems Manager automation documents for PCI remediation. These documents are used to provide automated remediations within the provisioned AWS Config rule using the AWS::Config::RemediationConfiguration CloudFormation construct in the AWS Config Conformance Pack. 19 | - Provisions prerequisites for the AWS Config Conformance Pack deployment such as the AWS Systems Manager automation role, S3 buckets for logging and replication for S3 related remediations, and the CloudWatch Logs log group and CloudWatch role for AWS CloudTrail related remediations for PCI compliance 20 | 3. 
Custom AWS Config Conformance Packs 21 | - aws-pci-conformancepack-v1-1.yml – Provisions a custom AWS Config Conformance Pack for the detection and remediation of Amazon EC2, AWS Auto Scaling and AWS Lambda based PCI Compliance violations 22 | - aws-pci-conformancepack-v1-2.yml - Provisions a custom AWS Config Conformance Pack for the detection and remediation of AWS CloudTrail, AWS KMS and AWS CodeBuild based PCI Compliance violations 23 | - aws-pci-conformancepack-v1-3.yml - Provisions a custom AWS Config Conformance Pack for the detection and remediation of Amazon Redshift, Amazon RDS and AWS IAM based PCI Compliance violations. 24 | 25 | 26 | ## Solution Design 27 | 28 |  29 | 30 | ## Prerequisites 31 | 1. Custom AWS Config Conformance Packs - Set up prerequisites for deploying and building with both AWS Config Conformance Packs as well as custom AWS Config Conformance Packs with remediations. Refer to AWS documentation. 32 | 2. Local Git repository and AWS CodeCommit Git repository setup – Create an AWS CodeCommit Git Repository in your AWS account and integrate it with your local Git repository. Refer to AWS documentation. 33 | 3. Staging S3 bucket – The solution creates a staging S3 bucket with the following naming convention: **s3-pciautohealconfpack--accountid-region. Substitute the accountid and region parameters in the buildspec.yml with your AWS Account ID and Region.** The buildspec.yml uses the staging S3 bucket as the template-s3-uri parameter while invoking the aws configservice put-conformance-pack CLI. 34 | 4. In each of the aws-pci-conformancepack-v1-[1,2,3] templates **substitute the accountid and region parameters in the AutomationAssumeRole ARN parameter with your AWS Account ID and Region.** If the placeholders are left in place, AWS Config cannot assume the remediation role and every remediation fails. 35 | 36 | 37 | ## How To Install 38 | 39 | 1. **Template 1 of 2:** aws-pci-confpack-ssmautomation-v1.yml 40 | * Sets up AWS Systems Manager Automation Documents for PCI related Auto Healing and the required PCI remediation related prerequisites. 
No parameters needed. Installs in approx 2-3 mins. 41 | 42 | 2. **Template 2 of 2:** aws-pci-confpack-codepipeline.yml 43 | * Sets up AWS CodePipeline based DevSecOps automation 44 | * Installs aws-pci-conformancepack-v1-[1,2,3].yml for custom AWS Config Conformance Packs with Remediation for PCI 45 | 46 | ## COVERAGE 47 | 48 | The [Coverage Matrix](coverage/AWSPCIConformancePacksAutoHealingCoverage.xlsx) provides the current coverage of this solution versus the PCI Benchmarks 49 | 50 | -------------------------------------------------------------------------------- /aws-devsecops-conformancepack-pci/cft/aws-pci-conformancepack-update-v1.yml: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # PCI Conformance Pack with Remediations - EC2, Autoscaling, Lambda 4 | # 5 | # @kmmahaj 6 | # 7 | # License: 8 | # This code is made available under the MIT-0 license. See the LICENSE file. 
################################################################################
AWSTemplateFormatVersion: '2010-09-09'
Description: PCI Conformance Pack with Remediations - EC2, Autoscaling, Lambda (qs-1t0eilb5g)

Parameters:

  DeliveryS3Bucket:
    Description: Delivery Bucket from AWS Config settings
    Type: String
    Default: 'config-bucket-accountid'

Resources:

  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: CustomPCIEC2LambdaConfPack
      DeliveryS3Bucket: !Ref DeliveryS3Bucket
      TemplateBody: |-
        Resources:
          AutoScalingELBHealthCheck:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: AutoScalingELBHealthCheck
              Description: >-
                [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks
              Scope:
                ComplianceResourceTypes:
                  - "AWS::AutoScaling::AutoScalingGroup"
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
          AutoScalingELBHealthCheckRemediation:
            DependsOn: AutoScalingELBHealthCheck
            Type: 'AWS::Config::RemediationConfiguration'
            Properties:
              ConfigRuleName: AutoScalingELBHealthCheck
              ResourceType: "AWS::AutoScaling::AutoScalingGroup"
              TargetId: "Custom-AutoScalingELBHealthCheck"
              TargetType: "SSM_DOCUMENT"
              TargetVersion: "1"
              Parameters:
                AutomationAssumeRole:
                  StaticValue:
                    Values:
                      - arn:aws:iam::accountid:role/pciautomationassumerole-region
                ASGGroupArn:
                  ResourceValue:
                    Value: "RESOURCE_ID"
              ExecutionControls:
                SsmControls:
                  ConcurrentExecutionRatePercentage: 10
                  ErrorPercentage: 10
              Automatic: True
              MaximumAutomaticAttempts: 10
              RetryAttemptSeconds: 600
          RemoveUnusedEC2SecurityGroups:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: RemoveUnusedEC2SecurityGroups
              Description: >-
                PCI.EC2.3 – Unused EC2 Security Groups should be removed
              Scope:
                ComplianceResourceTypes:
                  - "AWS::EC2::SecurityGroup"
              Source:
                Owner: AWS
                SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI
          RemoveUnusedEC2SecurityGroupsRemediation:
            DependsOn: RemoveUnusedEC2SecurityGroups
            Type: 'AWS::Config::RemediationConfiguration'
            Properties:
              ConfigRuleName: RemoveUnusedEC2SecurityGroups
              ResourceType: "AWS::EC2::SecurityGroup"
              TargetId: "Custom-RemoveSecurityGroup"
              TargetType: "SSM_DOCUMENT"
              TargetVersion: "1"
              Parameters:
                AutomationAssumeRole:
                  StaticValue:
                    Values:
                      - arn:aws:iam::accountid:role/pciautomationassumerole-region
                groupId:
                  ResourceValue:
                    Value: "RESOURCE_ID"
              ExecutionControls:
                SsmControls:
                  ConcurrentExecutionRatePercentage: 10
                  ErrorPercentage: 10
              Automatic: True
              MaximumAutomaticAttempts: 10
              RetryAttemptSeconds: 600
          RestrictDefaultSecurityGroup:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: RestrictDefaultSecurityGroup
              Description: >-
                PCI.EC2.2 VPC default security group should prohibit inbound and outbound traffic
              Scope:
                ComplianceResourceTypes:
                  - "AWS::EC2::SecurityGroup"
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
          RestrictDefaultSecurityGroupRemediation:
            DependsOn: RestrictDefaultSecurityGroup
            Type: 'AWS::Config::RemediationConfiguration'
            Properties:
              ConfigRuleName: RestrictDefaultSecurityGroup
              ResourceType: "AWS::EC2::SecurityGroup"
              TargetId: "Custom-RestrictSecurityGroup"
              TargetType: "SSM_DOCUMENT"
              TargetVersion: "1"
              Parameters:
                AutomationAssumeRole:
                  StaticValue:
                    Values:
                      - arn:aws:iam::accountid:role/pciautomationassumerole-region
                IpAddressToBlock:
                  StaticValue:
                    Values:
                      - '0.0.0.0/0'
                groupId:
                  ResourceValue:
                    Value: "RESOURCE_ID"
              ExecutionControls:
                SsmControls:
                  ConcurrentExecutionRatePercentage: 10
                  ErrorPercentage: 10
              Automatic: True
              MaximumAutomaticAttempts: 10
              RetryAttemptSeconds: 600
          ReleaseElasticIP:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: ReleaseElasticIP
              Description: >-
                [PCI.EC2.4] Unused EC2 EIPs should be removed
              Scope:
                ComplianceResourceTypes:
                  - "AWS::EC2::EIP"
              Source:
                Owner: AWS
                SourceIdentifier: EIP_ATTACHED
          ReleaseElasticIPRemediation:
            DependsOn: ReleaseElasticIP
            Type: 'AWS::Config::RemediationConfiguration'
            Properties:
              ConfigRuleName: ReleaseElasticIP
              ResourceType: "AWS::EC2::EIP"
              TargetId: "AWS-ReleaseElasticIP"
              TargetType: "SSM_DOCUMENT"
              TargetVersion: "1"
              Parameters:
                AutomationAssumeRole:
                  StaticValue:
                    Values:
                      - arn:aws:iam::accountid:role/pciautomationassumerole-region
                AllocationId:
                  ResourceValue:
                    Value: "RESOURCE_ID"
              ExecutionControls:
                SsmControls:
                  ConcurrentExecutionRatePercentage: 10
                  ErrorPercentage: 10
              Automatic: True
              MaximumAutomaticAttempts: 10
              RetryAttemptSeconds: 600
-------------------------------------------------------------------------------- /aws-devsecops-conformancepack-pci/cft/aws-pci-conformancepack-v1-1.yml: --------------------------------------------------------------------------------
################################################################################
#
# PCI Conformance Pack with Remediations - EC2, Autoscaling, Lambda
#
# @kmmahaj
#
# License:
# This code is made available under the MIT-0 license. See the LICENSE file.
################################################################################
AWSTemplateFormatVersion: '2010-09-09'
Description: PCI Conformance Pack with Remediations - EC2, Autoscaling, Lambda (qs-1t0eilb5g)

Resources:
  AutoScalingELBHealthCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: AutoScalingELBHealthCheck
      Description: >-
        [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks
      Scope:
        ComplianceResourceTypes:
          - "AWS::AutoScaling::AutoScalingGroup"
      Source:
        Owner: AWS
        SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
  AutoScalingELBHealthCheckRemediation:
    DependsOn: AutoScalingELBHealthCheck
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: AutoScalingELBHealthCheck
      ResourceType: "AWS::AutoScaling::AutoScalingGroup"
      TargetId: "Custom-AutoScalingELBHealthCheck"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::


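The prerequisites of the DevSecOps README above ask you to substitute the accountid and region placeholders in buildspec.yml and in every AutomationAssumeRole ARN of the conformance pack templates before deploying, and the org-wide remediations README later on this page asks for the same substitution of the delegated administrator's account ID. If a placeholder survives, AWS Config cannot assume the automation role and every remediation fails, so it is worth checking mechanically. The following is an added example, not code from this repository: it applies the substitution and verifies nothing is left behind. The placeholder spellings are those used in the templates on this page; the sample template fragment and the buildspec command line are constructed, and the buildspec shape is an assumption rather than the repository's own buildspec.yml.

```python
"""Fill the accountid/region placeholders the README asks you to substitute.

Added example (not part of the aws-cloud-compliance-assurance repository).
It assumes the placeholder spellings used in the templates on this page:
  - 'arn:aws:iam::accountid:role/pciautomationassumerole-region'
  - 's3-pciautohealconfpack--accountid-region'
and leaves everything else in the template untouched.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Covers commercial and GovCloud region names such as us-east-1 / us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")

# Constructed sample: the remediation parameter block shape from the
# conformance pack templates on this page, placeholders still in place.
SAMPLE_TEMPLATE = """\
Parameters:
  AutomationAssumeRole:
    StaticValue:
      Values:
        - arn:aws:iam::accountid:role/pciautomationassumerole-region
"""

# Constructed sample buildspec fragment (assumed shape, not the repo's file).
SAMPLE_BUILDSPEC = """\
phases:
  build:
    commands:
      - aws configservice put-conformance-pack --conformance-pack-name pci-ec2 --template-s3-uri s3://s3-pciautohealconfpack--accountid-region/aws-pci-conformancepack-v1-1.yml
"""


def substitute_placeholders(text: str, account_id: str, region: str) -> str:
    """Return text with the README's placeholders replaced, after validating inputs."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account id must be exactly 12 digits")
    if not REGION_RE.match(region):
        raise ValueError(f"unrecognised region format: {region}")
    # The role ARN placeholder carries both tokens; replace it whole so a
    # partial match can never produce a half-substituted ARN.
    text = text.replace(
        "arn:aws:iam::accountid:role/pciautomationassumerole-region",
        f"arn:aws:iam::{account_id}:role/pciautomationassumerole-{region}",
    )
    # Staging bucket name used by buildspec.yml as the template-s3-uri.
    text = text.replace(
        "s3-pciautohealconfpack--accountid-region",
        f"s3-pciautohealconfpack--{account_id}-{region}",
    )
    return text


def remaining_placeholders(text: str) -> list[str]:
    """List placeholder tokens still present; must be empty before you deploy."""
    return re.findall(r"(?:iam::accountid|assumerole-region|--accountid-region)", text)


def role_arns(text: str) -> list[str]:
    """Extract every substituted AutomationAssumeRole ARN so the account and region can be reviewed."""
    return re.findall(r"arn:aws:iam::\d{12}:role/pciautomationassumerole-[a-z0-9-]+", text)


if __name__ == "__main__":
    filled = substitute_placeholders(SAMPLE_TEMPLATE + SAMPLE_BUILDSPEC, "111122223333", "us-east-1")
    print(filled)
    print("leftover placeholders:", remaining_placeholders(filled))
    print("role ARNs:", role_arns(filled))
```

Run `role_arns` over every template before the pipeline uploads it: the account in each ARN must be the account that actually owns pciautomationassumerole, otherwise the remediation configuration is accepted by CloudFormation but fails at execution time.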


# Enable Config and Config Rules across accounts or regions

## Option 1: Enable Config in an AWS Organization

1. In the CloudFormation console, choose StackSets. On the Create StackSets page, select the option to 'Use a sample template' and select the 'Enable AWS Config' template. Since you are using AWS Organizations, use service-managed permissions to deploy this template.

## Option 2: Enable Config in multiple accounts or regions (not using AWS Organizations)

1. Deploy the StackSet prerequisites to enable self-service permissions – Launch the AWSCloudFormationStackSetAdministrationRole.yaml template in the account where the StackSet will be provisioned. Launch the AWSCloudFormationStackSetExecutionRole.yaml template in each of the accounts where stack instances based on the StackSet will be provisioned.

2. In the CloudFormation console of the account where AWSCloudFormationStackSetAdministrationRole.yaml was provisioned, choose StackSets. On the Create StackSets page, select the option to 'Use a sample template' and select the 'Enable AWS Config' template. Select 'self service permissions' and provide the names of the AWSCloudFormationStackSetAdministration role and the AWSCloudFormationStackSetExecution role.


# Enable Managed Config Rules

## Option 1: Enable Config Rule in an AWS Organization - Sample

1. Launch the sample 'OrgEnableConfigRule.yml' template from the management account of your AWS Organization. Provide the AWS Config Managed Rule identifier as a parameter. Modify this snippet for deploying other Config managed rules.

## Option 2: Enable Config Rule in multiple accounts or regions (not using AWS Organizations) - Sample

1. Deploy the StackSet prerequisites to enable self-service permissions – Launch the AWSCloudFormationStackSetAdministrationRole.yaml template in the account where the StackSet will be provisioned. Launch the AWSCloudFormationStackSetExecutionRole.yaml template in each of the accounts where stack instances based on the StackSet will be provisioned.

2. In the CloudFormation console of the account where AWSCloudFormationStackSetAdministrationRole.yaml was provisioned, choose StackSets. On the Create StackSets page, select the option to 'Use a sample template' and select the 'cloudtrail-enabled' template. Select 'self service permissions' and provide the names of the AWSCloudFormationStackSetAdministration role and the AWSCloudFormationStackSetExecution role.
-------------------------------------------------------------------------------- /aws-enable-config/cft/AWSCloudFormationStackSetAdministrationRole.yml: --------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSCloudFormationStackSetAdministrationRole to enable use of AWS CloudFormation StackSets. (qs-1t0eilb5g)

Resources:
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetAdministrationRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource:
                  - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole"
-------------------------------------------------------------------------------- /aws-enable-config/cft/AWSCloudFormationStackSetExecutionRole.yml: --------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSCloudFormationStackSetExecutionRole to enable use of your account as a target account in AWS CloudFormation StackSets (qs-1t0eilb5g).

Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which StackSets will be created).
    MaxLength: 12
    MinLength: 12

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetExecutionRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
-------------------------------------------------------------------------------- /aws-enable-config/cft/EnableAWSConfig.yml: --------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config (qs-1t0eilb5g)

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
          - IncludeGlobalResourceTypes
          - ResourceTypes
      - Label:
          default: Delivery Channel Configuration
        Parameters:
          - DeliveryChannelName
          - Frequency
      - Label:
          default: Delivery Notifications
        Parameters:
          - TopicArn
          - NotificationEmail
    ParameterLabels:
      AllSupported:
        default: Support all resource types
      IncludeGlobalResourceTypes:
        default: Include global resource types
      ResourceTypes:
        default: List of resource types if not all supported
      DeliveryChannelName:
        default: Configuration delivery channel name
      Frequency:
        default: Snapshot delivery frequency
      TopicArn:
        default: SNS topic name
      NotificationEmail:
        default: Notification Email (optional)

Parameters:
  AllSupported:
    Type: String
    Default: True
    Description: Indicates whether to record all supported resource types.
    AllowedValues:
      - True
      - False

  IncludeGlobalResourceTypes:
    Type: String
    Default: True
    Description: Indicates whether AWS Config records all supported global resource types.
    AllowedValues:
      - True
      - False

  ResourceTypes:
    Type: List




# Deploy custom AWS Config Conformance Packs in an AWS Organization


## 0 - Prerequisites
1. Ensure AWS Config is enabled in each account
2. Ensure an IAM role (service-linked role) is provisioned in each account
3. Ensure that there is an S3 bucket that allows read/write from the IAM role in each account
4. Recommended – Register a delegated administrator account


## 1 - Deploy custom Config Conformance Pack

1. Launch the sample 'OrgEnableConformancePack.yml' template from the management account of your AWS Organization. The template takes 'TemplateS3Uri' as a parameter, which is the S3 URI that hosts the conformance pack template. You can upload the sample 'org-confpack-pci' conformance pack template to S3 and test an organizational deployment of that conformance pack. Upload other conformance pack templates to S3 and use this template as a sample to deploy organization conformance packs.


## 2 - Deploy custom Config Conformance Pack with remediations in an AWS Organization

1. Deploy the StackSet prerequisites to enable self-service permissions – Launch the AWSCloudFormationStackSetAdministrationRole.yaml template in the account where the StackSet will be provisioned. Launch the AWSCloudFormationStackSetExecutionRole.yaml template in each of the accounts where stack instances based on the StackSet will be provisioned.

2. In the CloudFormation console of the account where AWSCloudFormationStackSetAdministrationRole.yaml was provisioned, choose StackSets. On the Create StackSets page, select the option to 'Upload a template file' and select the 'org-confpack-pci' sample conformance pack template. Select 'self service permissions' and provide the names of the AWSCloudFormationStackSetAdministration role and the AWSCloudFormationStackSetExecution role. Modify this snippet for deploying other conformance pack templates.
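Prerequisite 3 above requires an S3 bucket that every account in the organization can read from and write to, and the s3bucketpolicy.json later on this page does that with a wildcard principal scoped by an aws:PrincipalOrgID condition. A wildcard principal without that condition makes the delivery bucket world-writable, so the policy is worth auditing before it is applied. The following is an added example, not the repository's code: it parses a bucket policy offline, flags any Allow statement whose principal is open to everyone but that lacks the organization condition or names a different organization, and confirms the object and bucket actions the sample policy grants are present. The bucket name and organization ID are constructed placeholders, and one statement is deliberately missing the condition so the audit has something to report.

```python
"""Audit an org-wide conformance pack delivery bucket policy.

Added example, not code from the aws-cloud-compliance-assurance repository.
It assumes the policy shape shown in s3bucketpolicy.json on this page:
wildcard-principal statements restricted with an aws:PrincipalOrgID condition.
Bucket name and org ID below are constructed placeholders.
"""
import json

# Constructed sample policy. The second statement intentionally omits the
# aws:PrincipalOrgID condition so the audit reports it.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-confpack-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetBucketAcl", "s3:ListBucket", "s3:GetBucketPolicy"],
            "Resource": "arn:aws:s3:::example-confpack-bucket",
        },
    ],
})

# Actions the sample policy on this page grants; treat them as the minimum set.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:GetBucketAcl", "s3:ListBucket"}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list that contains "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy_json: str, expected_org_id: str) -> list[str]:
    """Return findings for Allow statements open to any principal without the expected org condition."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        cond = stmt.get("Condition", {})
        org_ids = _as_list(cond.get("StringEquals", {}).get("aws:PrincipalOrgID", []))
        if not org_ids:
            findings.append(f"statement {idx}: wildcard principal with no aws:PrincipalOrgID condition")
        elif expected_org_id not in org_ids:
            findings.append(f"statement {idx}: aws:PrincipalOrgID {org_ids} does not match {expected_org_id}")
    return findings


def grants_required_actions(policy_json: str) -> bool:
    """Check every action in REQUIRED_ACTIONS is granted by some Allow statement."""
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return REQUIRED_ACTIONS <= granted


if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY, "o-exampleorgid"):
        print("FINDING:", finding)
    print("required actions granted:", grants_required_actions(SAMPLE_POLICY))
```

Feed the audit the organization ID from `aws organizations describe-organization` rather than a hard-coded value, so a policy copied from another environment (or from this page's sample, with its own org ID) is caught before it reaches the bucket.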
-------------------------------------------------------------------------------- /aws-org-conformancepack/cft/AccountEnableConformancePack.yml: --------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: This template automatically deploys the AWS Config Conformance Pack for Operational Best Practices for AWS Identity And Access Management. Please note resource charges for S3 buckets, Config and Conformance pack will apply. (qs-1t0eilb5g)
Parameters:
  ConformancePackDeliveryBucket:
    Type: String
    Description: AWS Config stores intermediate files while processing the conformance pack template. Please enter the name of the bucket that has already been configured for the conformance pack to deliver findings.
  MaxAgeAccessKeyRotated:
    Type: String
    Description: This is a parameter for the conformance pack. Enter the IAM Access Key maximum number of days without rotation. Default 90
    Default: '90'
  BlackListedIAMPolicyARN:
    Type: String
    Default: 'arn:aws:iam::aws:policy/PowerUserAccess'
    Description: >-
      This is a parameter for the conformance pack. Enter a comma-separated list of IAM policy ARNs that should not be attached to any
      IAM entity. We provide PowerUserAccess for sample purposes only. Feel free to enter another policy ARN
  IAMUserUnusedCredentialAge:
    Type: String
    Description: >-
      This is a parameter for the conformance pack. Maximum number of days a credential cannot be used. The default value is
      90 days.
    Default: '90'
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: IAMBestPractices
      ConformancePackInputParameters:
        -
          ParameterName: AccessKeysRotatedParameterMaxAccessKeyAge
          ParameterValue: !Ref MaxAgeAccessKeyRotated
        -
          ParameterName: IAMPolicyBlacklistedCheckParameterPolicyArns
          ParameterValue: !Ref BlackListedIAMPolicyARN
        -
          ParameterName: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge
          ParameterValue: !Ref IAMUserUnusedCredentialAge
      DeliveryS3Bucket: !Ref ConformancePackDeliveryBucket
      TemplateBody: |-
        Parameters:
          AccessKeysRotatedParameterMaxAccessKeyAge:
            Description: Maximum number of days without rotation. Default 90.
            Type: String
          IAMPolicyBlacklistedCheckParameterPolicyArns:
            Description: Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity.
            Type: String
          IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge:
            Description: Maximum number of days a credential cannot be used. The default value
              is 90 days.
            Type: String
        Resources:
          AccessKeysRotated:
            Properties:
              ConfigRuleName: AccessKeysRotated
              Description: Checks whether the active access keys are rotated within the number
                of days specified in maxAccessKeyAge. The rule is non-compliant if the access
                keys have not been rotated for more than maxAccessKeyAge number of days.
              InputParameters:
                maxAccessKeyAge:
                  Ref: AccessKeysRotatedParameterMaxAccessKeyAge
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
            Type: AWS::Config::ConfigRule
          IAMGroupHasUsersCheck:
            Properties:
              ConfigRuleName: IAMGroupHasUsersCheck
              Description: Checks whether IAM groups have at least one IAM user.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
            Type: AWS::Config::ConfigRule
          IAMPasswordPolicy:
            Properties:
              ConfigRuleName: IAMPasswordPolicy
              Description: Checks whether the account password policy for IAM users meets
                the specified requirements.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
            Type: AWS::Config::ConfigRule
          IAMPolicyBlacklistedCheck:
            Properties:
              ConfigRuleName: IAMPolicyBlacklistedCheck
              Description: Checks that none of your IAM users, groups, or roles (excluding
                exceptionList) have the specified policies attached.
              InputParameters:
                policyArns:
                  Ref: IAMPolicyBlacklistedCheckParameterPolicyArns
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_BLACKLISTED_CHECK
            Type: AWS::Config::ConfigRule
          IAMPolicyNoStatementsWithAdminAccess:
            Properties:
              ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
            Type: AWS::Config::ConfigRule
          IAMRootAccessKeyCheck:
            Properties:
              ConfigRuleName: IAMRootAccessKeyCheck
              Description: Checks whether the root user access key is available. The rule
                is compliant if the user access key does not exist.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
            Type: AWS::Config::ConfigRule
          IAMUserGroupMembershipCheck:
            Properties:
              ConfigRuleName: IAMUserGroupMembershipCheck
              Description: Checks whether IAM users are members of at least one IAM group.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
            Type: AWS::Config::ConfigRule
          IAMUserMFAEnabled:
            Properties:
              ConfigRuleName: IAMUserMFAEnabled
              Description: Checks whether the AWS Identity and Access Management users have
                multi-factor authentication (MFA) enabled.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          IAMUserNoPoliciesCheck:
            Properties:
              ConfigRuleName: IAMUserNoPoliciesCheck
              Description: Checks that none of your IAM users have policies attached. IAM
                users must inherit permissions from IAM groups or roles.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
            Type: AWS::Config::ConfigRule
          IAMUserUnusedCredentialsCheck:
            Properties:
              ConfigRuleName: IAMUserUnusedCredentialsCheck
              Description: Checks whether your AWS Identity and Access Management (IAM) users
                have passwords or active access keys that have not been used within the specified
                number of days you provided.
              InputParameters:
                maxCredentialUsageAge:
                  Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
            Type: AWS::Config::ConfigRule
          MFAEnabledForIAMConsoleAccess:
            Properties:
              ConfigRuleName: MFAEnabledForIAMConsoleAccess
              Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled
                for all AWS Identity and Access Management (IAM) users that use a console
                password. The rule is compliant if MFA is enabled.
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
            Type: AWS::Config::ConfigRule
          RootAccountHardwareMFAEnabled:
            Properties:
              ConfigRuleName: RootAccountHardwareMFAEnabled
              Description: Checks whether your AWS account is enabled to use a multi-factor
                authentication (MFA) hardware device to sign in with root credentials.
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          RootAccountMFAEnabled:
            Properties:
              ConfigRuleName: RootAccountMFAEnabled
              Description: Checks whether the root user of your AWS account requires multi-factor
                authentication for console sign-in.
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
            Type: AWS::Config::ConfigRule
-------------------------------------------------------------------------------- /aws-org-conformancepack/cft/OrgEnableConformancePack.yml: --------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: Deploy AWS Config Conformance Pack in an AWS Organization (qs-1t0eilb5g)

Parameters:

  OrganizationConformancePackName:
    Type: String
    Default: 'PCIDSSConformancePack'
    Description: Name of the Conformance Pack to be deployed in an AWS Organization

  TemplateS3Uri:
    Type: String
    Default: 's3://bucketname/prefix'
    Description: S3 template URI that hosts the conformance pack template


Resources:
  EnableOrganizationConfigRule:
    Type: AWS::Config::OrganizationConformancePack
    Properties:
      OrganizationConformancePackName: !Ref OrganizationConformancePackName
      TemplateS3Uri: !Ref TemplateS3Uri




-------------------------------------------------------------------------------- /aws-org-custom-conformancepacks/README.md: --------------------------------------------------------------------------------




# Automate Cloud Foundations for Compliance in AWS



## Overview

1. Automated deployment of a custom AWS Config Conformance Pack in an AWS Organization.
2. Automated deployment of AWS Systems Manager remediation runbooks in an AWS Organization.
3. Add code for SSM remediations to a custom AWS Config Conformance Pack.
4. Automated deployment of a custom AWS Config Conformance Pack with remediations in an AWS Organization.

Demonstrates deployment of a custom Config conformance pack with remediations for these PCI controls:

```
* [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks
* [PCI.CloudTrail.3] CloudTrail log file validation should be enabled
* [PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs
* [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
* [PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic
* [PCI.EC2.3] Unused EC2 security groups should be removed
* [PCI.EC2.4] Unused EC2 EIPs should be removed
* [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22
* [PCI.IAM.3] IAM policies should not allow full * administrative privileges
* [PCI.KMS.1] Customer master key (CMK) rotation should be enabled
* [PCI.Lambda.1] Lambda functions should prohibit public access
* [PCI.RDS.1] RDS snapshots should prohibit public access
* [PCI.RDS.2] RDS DB Instances should prohibit public access
* [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access
* [PCI.S3.1] S3 buckets should prohibit public write access
* [PCI.S3.2] S3 buckets should prohibit public read access
```


## 0 - Prerequisites
1. Complete the setup in [aws-org-enable-cca](https://github.com/aws-samples/aws-cloud-compliance-assurance/tree/main/aws-org-enable-cca)
2. From your **management account**, launch [**aws-pci-confpack-ssmautomation-v1.yml**](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-org-custom-conformancepacks/cft/aws-pci-confpack-ssmautomation-v1.yml) as a CloudFormation StackSet. [Use service-managed permissions to deploy this template automatically throughout your AWS Organization using CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org).


## 1 - Deploy custom Config Conformance Pack in an AWS Organization

1. In your **delegated administrator** account, create an S3 bucket. Upload the [**aws-pci-conformancepack-v1.yml**](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-org-custom-conformancepacks/cft/aws-pci-conformancepack-v1.yml) custom conformance pack template that you want to deploy in your AWS Organization. You will use the S3 URI of this template as the TemplateS3Uri parameter in the next step.
2. Launch the [**aws-pci-custom-confpack-org.yml**](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-org-custom-conformancepacks/cft/aws-pci-custom-confpack-org.yml) template from your **delegated administrator** account. This template automates org-wide deployment of custom conformance packs. Provide the following parameters:
   - **DeliveryS3Bucket**: The name of the Amazon S3 bucket where AWS Config stores artifacts for org-wide deployment of conformance pack templates. Obtain this value from the Org Conformance Pack prerequisites that you completed.
   - **OrganizationConformancePackName**: Name of the custom Config conformance pack
   - **TemplateS3Uri**: S3 URI that points to the location in S3 of the custom conformance pack template that you want to deploy in your AWS Organization.

## 2 - Deploy custom Config Conformance Pack with remediations in an AWS Organization

1. Replace the **accountID** used for all the **AutomationAssumeRole** parameters within the [**aws-pci-conformancepack-remediations-v1.yml**](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-org-custom-conformancepacks/cft/aws-pci-conformancepack-remediations-v1.yml) custom Config Conformance Pack with SSM remediations template with the AWS Account ID of your **delegated administrator** account.
2. Upload the modified [**aws-pci-conformancepack-remediations-v1.yml**](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-org-custom-conformancepacks/cft/aws-pci-conformancepack-remediations-v1.yml) custom Config Conformance Pack with SSM remediations template to an S3 bucket in your **delegated administrator** account. You will use the S3 URI of this template as the TemplateS3Uri parameter in the next step.
3. Launch the [**aws-pci-custom-confpack-org.yml**](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-org-custom-conformancepacks/cft/aws-pci-custom-confpack-org.yml) template from your **delegated administrator** account. This template automates org-wide deployment of custom conformance packs. Provide the following parameters:
   - **DeliveryS3Bucket**: The name of the Amazon S3 bucket where AWS Config stores artifacts for org-wide deployment of conformance pack templates. Obtain this value from the Org Conformance Pack prerequisites that you completed.
   - **OrganizationConformancePackName**: Name of the custom Config conformance pack with remediations
   - **TemplateS3Uri**: S3 URI that points to the location in S3 of the custom conformance pack template with remediations that you want to deploy in your AWS Organization.


-------------------------------------------------------------------------------- /aws-org-custom-conformancepacks/cft/aws-pci-custom-confpack-org.yml: --------------------------------------------------------------------------------
################################################################################
#
# Provisions Org Custom Conformance Packs
#
# @kmmahaj
#
# License:
# This code is made available under the MIT-0 license. See the LICENSE file.
################################################################################
AWSTemplateFormatVersion: 2010-09-09
Description: Provisions Org Custom Conformance Packs (qs-1t0eilb5g)

Parameters:

  DeliveryS3Bucket:
    Description: The name of the Amazon S3 bucket where AWS Config stores conformance pack templates.
    Type: String
    Default: 'awsconfigconforms-orgbucket'

  OrganizationConformancePackName:
    Description: Name of the custom config conformance pack
    Type: String
    Default: 'aws-pcicustomconfpack-remediations-org'

  TemplateS3Uri:
    Description: Location of the S3 file containing the conformance pack template body. Points to the conformance pack template
    Type: String
    Default: 's3://s3-pci-confpack-org/aws-pci-conformancepack-remediations-v1.yml'

Resources:

  OrganizationConformancePack:
    Type: 'AWS::Config::OrganizationConformancePack'
    Properties:
      OrganizationConformancePackName: !Ref OrganizationConformancePackName
      DeliveryS3Bucket: !Ref DeliveryS3Bucket
      ExcludedAccounts:
        - "798653331051"
        - "652691327122"
        - "227214716926"
        - "018299706242"
        - "525354019754"
        - "602116679243"
        - "187355837323"
        - "341476298946"
        - "221809298128"
        - "388407216922"
      TemplateS3Uri: !Ref TemplateS3Uri
-------------------------------------------------------------------------------- /aws-org-custom-conformancepacks/cft/s3bucketpolicy.json: --------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::awsconfigconforms-orgbucket/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-s9coreqj0c"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetBucketAcl",
        "s3:ListBucket",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::awsconfigconforms-orgbucket",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-s9coreqj0c"
        }
      }
    }
  ]
}
-------------------------------------------------------------------------------- /aws-org-enable-cca/README.md: --------------------------------------------------------------------------------



# Setup configuration compliance in an AWS Organization

## Overview

Demonstrates the steps required to operationalize configuration compliance across an AWS Organization


## Step 1 - Enable Config in an AWS Organization

**Option 1 - Use CloudFormation StackSets** - In the CloudFormation console, choose StackSets. On the Create StackSets page, select the option to 'Use a sample template' and select the 'Enable AWS Config' template. Since you are using AWS Organizations, [use service-managed permissions to deploy this template as a stackset](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org)

**Option 2 - Use Systems Manager Quick Setup** - With [Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html), a capability of AWS Systems Manager, you can quickly create a configuration recorder powered by AWS Config across your organization. Follow the [steps outlined in SSM Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-config.html) to set up AWS Config recording with AWS Systems Manager Quick Setup in an AWS Organization

## Step 2 - Register a delegated administrator account for AWS Config

From the **management account** of your AWS Organization, run the **register-delegated-administrator** command. In the following AWS CLI command, replace *delegated account id* with the delegated administrator account ID:

```
$ aws organizations register-delegated-administrator --service-principal config.amazonaws.com \
    --account-id [delegated account id]
```

## Step 3 - Set up the S3 delivery bucket in the delegated administrator account for Conformance Pack artifacts

For AWS Config to be able to store conformance pack artifacts, you will need to provide an Amazon S3 bucket in the **delegated administrator** account. This bucket name must start with the prefix **"awsconfigconforms"**. Each account in the organization must have access to this bucket.

AWS Config recommends limiting the permissions granted by the Amazon S3 bucket policy. To limit access, you can use the following policy, which uses the **PrincipalOrgID** and **PrincipalArn** conditions in the Amazon S3 policy. This allows only accounts in the organization to access the bucket. You can find your organization ID in the AWS Organizations console under the Settings tab.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetPutObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::awsconfigconforms
```


# Automated Remediations for CIS Benchmarks using AWS Security Hub

The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS native implementation of automated remediations for CIS violations detected by AWS Security Hub.


## How it Works

This implementation is based on the following solution approach:

1. Leverages AWS Security Hub directly to provide continuous detection of CIS findings
2. Provides AWS Systems Manager Automation Documents for automated remediation of AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template.
3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real time remediations of AWS Security Hub FSBP findings as follows:
   * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as Security Hub Findings - Custom Action events.
   * The CloudWatch Events Rule invokes the corresponding Lambda Function as the Target for the source Security Hub Custom Action event
   * The Lambda function processes the finding using the standard findings format provided by Security Hub, the AWS Security Finding Format (ASFF), and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding


## Solution Design



## How To Install

1. **Template 1 of 3:** aws-cis-cloudwatchlogmetricfilters.yml
   * Provisions CloudWatch Logs Metric Filters. Enter an email address as input. Simply install on the CloudFormation console (or CLI). Installs in approx 1-2 mins.

2. **Template 2 of 3:** aws-cis-systemsmanagerautomations.yml
   * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Security Hub Action.
   * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.

3. **Template 3 of 3:** aws-cis-securityhubactions.yml
   * Provisions AWS CloudWatch Events and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
   * Leverages the output from the previous template, specifically the AWS Systems Manager Automation documents


--------------------------------------------------------------------------------
/aws-remediate-cis-securityhub/cft/aws-cis-securityhubactions.yml:
--------------------------------------------------------------------------------

# -------------------------------------------------------------------------------------------------------------------------------------------------------
# CloudFormation Template 2 of 3 - Real Time Automated Remediation for CIS AWS Foundations Benchmark
#
# Pre-req : Uses the AWS SSM Automation CloudFormation Template.
# This template integrates AWS Security Hub custom actions with Custom AWS SSM Automation Remediation Documents
#
# @author Kanishk Mahajan
# -------------------------------------------------------------------------------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation Template 2 of 3 - Real Time Automated Remediation for CIS AWS Foundations Benchmark. (qs-1t0eilb5g)

Resources:

  CreateSecurityHubCustomActionTargetLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CreateSecurityHubCustomActionTargetLambda
      Description: Custom resource to create an action target in Security Hub
      Handler: index.lambda_handler
      MemorySize: 256
      Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn
      Runtime: python3.7
      Timeout: 60
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          import os
          def lambda_handler(event, context):
              try:
                  properties = event['ResourceProperties']
                  region = os.environ['AWS_REGION']
                  client = boto3.client('securityhub', region_name=region)
                  responseData = {}
                  if event['RequestType'] == 'Create':
                      # Register the custom action; its ARN is returned to the stack for !GetAtt <resource>.Arn
                      response = client.create_action_target(
                          Name=properties['Name'],
                          Description=properties['Description'],
                          Id=properties['Id']
                      )
                      responseData['Arn'] = response['ActionTargetArn']
                  elif event['RequestType'] == 'Delete':
                      # The action target ARN is deterministic, so it is rebuilt rather than stored
                      account_id = context.invoked_function_arn.split(":")[4]
                      client.delete_action_target(
                          ActionTargetArn=f"arn:aws:securityhub:{region}:{account_id}:action/custom/{properties['Id']}"
                      )
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
              except Exception as e:
                  print(e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {})
  CreateSecurityHubCustomActionTargetLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal: { Service: lambda.amazonaws.com }
          Action:
          - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSSecurityHubFullAccess"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"


# -------------------------------------------------------------------------------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 2.9 – Ensure VPC flow logging is enabled in all VPCs
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  VPCFlowLogsEnabledRule:
    Type: AWS::Events::Rule
    Properties:
      Name: VPCFlowLogsEnabledRule
      Description: "CIS AWS Foundations Benchmark - 2.9 – Ensure VPC flow logging is enabled in all VPCs"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt VPCFlowLogsEnabledActionTarget.Arn
      State: "ENABLED"
      Targets:
        -
          Arn:
            Fn::GetAtt:
              - "VPCFlowLogsEnabledLambda"
              - "Arn"
          Id: "EnableVPCFlowLogs"

  VPCFlowLogsEnabledActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: EnableVPCFlowLogs
      Description: CIS29 Event from Security Hub
      Id: EnableVPCFlowLogs

  VPCFlowLogsEnabledPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName:
        Ref: "VPCFlowLogsEnabledLambda"
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn:
        Fn::GetAtt:
          - "VPCFlowLogsEnabledRule"
          - "Arn"

  VPCFlowLogsEnabledLambda:
    Type: AWS::Lambda::Function
    DependsOn: VPCFlowLogsEnabledLambdaRole
    Properties:
      FunctionName: VPCFlowLogsEnabledLambda
      Description: CIS 2.9 Remediation using Custom SSM Document
      Handler: index.lambda_handler
      MemorySize: 256
      Role: !GetAtt VPCFlowLogsEnabledLambdaRole.Arn
      Runtime: python3.7
      Timeout: 60
      Environment:
        Variables:
          CloudWatchLogGroupArn : !ImportValue FlowLogsCloudWatchLogGroupArn
          CloudWatchLogGroupName : !ImportValue FlowLogsCloudWatchLogs
          FlowLogRoleArn : !ImportValue FlowLogsRoleArn
      Code:
        ZipFile: |
          import boto3
          import json
          import os
          def lambda_handler(event, context):
              # The ASFF resource Id is the VPC ARN (arn:aws:ec2:region:account:vpc/vpc-xxxx); keep only the vpc-xxxx part
              VpcArn = str(event['detail']['findings'][0]['Resources'][0]['Id'])
              VpcId_1 = VpcArn.split(':')[-1]
              VpcId = VpcId_1.replace("vpc/","")
              Id = str(event['detail']['findings'][0]['Id'])
              CloudWatchLogGroupArn = os.environ['CloudWatchLogGroupArn']
              CloudWatchLogGroupName = os.environ['CloudWatchLogGroupName']
              FlowLogRoleArn = os.environ['FlowLogRoleArn']
              ssm = boto3.client('ssm')
              try:
                  # Hand the finding's VPC to the SSM automation document provisioned by template 2 of 3
                  response = ssm.start_automation_execution(
                      DocumentName='Custom-EnableVPCFlowLogsCF',
                      DocumentVersion='1', # default
                      Parameters={
                          'FlowLogRoleArn': [ FlowLogRoleArn ],
                          'CloudWatchLogGroupArn': [ CloudWatchLogGroupArn ],
                          'CloudWatchLogGroupName': [ CloudWatchLogGroupName ],
                          'VpcId': [ VpcId ]
                      }
                  )

              except Exception as e:
                  print(e)
                  print("SSM automation execution error")
                  raise

  VPCFlowLogsEnabledLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal: { Service: lambda.amazonaws.com }
          Action:
          - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole"
--------------------------------------------------------------------------------
/aws-remediate-cis-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
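The VPCFlowLogsEnabledLambda handler in aws-cis-securityhubactions.yml above reads only `findings[0].Resources[0]` and trusts whatever follows the last `:` of the resource Id. The following added Python example (not the repository's code) shows the same Security Hub custom action to SSM automation hand-off done over every finding and resource in the event, with the VPC ARN validated and de-duplicated first; the SSM call is passed in as a parameter so it runs offline, and the account ID, region, ARNs and VPC IDs in the sample event are constructed.

```python
"""Walk a 'Security Hub Findings - Custom Action' event and dispatch one
Custom-EnableVPCFlowLogsCF automation per distinct VPC.

Added example, not the repository's code. Every finding and resource in the
ASFF event is inspected; only AwsEc2Vpc resources whose Id is a well-formed
VPC ARN are accepted, duplicates are collapsed, and the SSM call is injected
so the logic can be exercised without AWS credentials. All ids are constructed.
"""
import re
from typing import Callable, Dict, List

# ASFF Resources[].Id for a VPC: arn:<partition>:ec2:<region>:<account-id>:vpc/<vpc-id>
VPC_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:ec2:[a-z0-9-]+:\d{12}:vpc/(vpc-[0-9a-f]{8,17})$")
DOCUMENT_NAME = "Custom-EnableVPCFlowLogsCF"  # SSM document provisioned by template 2 of 3


def extract_vpc_ids(event: dict) -> List[str]:
    """VPC ids of all AwsEc2Vpc resources in the event, in first-seen order, without duplicates."""
    seen = set()
    vpc_ids: List[str] = []
    for finding in event.get("detail", {}).get("findings", []):
        for resource in finding.get("Resources", []):
            if resource.get("Type") != "AwsEc2Vpc":
                continue  # e.g. the AwsAccount resource Security Hub attaches to many findings
            match = VPC_ARN_RE.match(str(resource.get("Id", "")))
            if match is None:
                continue  # malformed Id: never pass arbitrary text into an automation parameter
            vpc_id = match.group(1)
            if vpc_id not in seen:
                seen.add(vpc_id)
                vpc_ids.append(vpc_id)
    return vpc_ids


def build_automation_parameters(vpc_id: str, env: Dict[str, str]) -> Dict[str, List[str]]:
    """Parameters for start_automation_execution; SSM expects every value as a list of strings."""
    return {
        "FlowLogRoleArn": [env["FlowLogRoleArn"]],
        "CloudWatchLogGroupArn": [env["CloudWatchLogGroupArn"]],
        "CloudWatchLogGroupName": [env["CloudWatchLogGroupName"]],
        "VpcId": [vpc_id],
    }


def dispatch_remediations(event: dict, env: Dict[str, str],
                          start_execution: Callable[..., dict]) -> List[str]:
    """Start one automation per VPC and return the VPC ids dispatched. In Lambda, pass
    boto3.client('ssm').start_automation_execution as start_execution."""
    dispatched: List[str] = []
    for vpc_id in extract_vpc_ids(event):
        start_execution(DocumentName=DOCUMENT_NAME, DocumentVersion="1",
                        Parameters=build_automation_parameters(vpc_id, env))
        dispatched.append(vpc_id)
    return dispatched


# Constructed sample: two findings, one duplicate VPC, one non-VPC resource, one malformed Id.
SAMPLE_ENV = {
    "FlowLogRoleArn": "arn:aws:iam::111122223333:role/example-flowlogs-role",
    "CloudWatchLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:example-flowlogs:*",
    "CloudWatchLogGroupName": "example-flowlogs",
}
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {
        "actionName": "EnableVPCFlowLogs",
        "findings": [
            {"Id": "example-finding-1", "Resources": [
                {"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0a1b2c3d4e5f67890"},
                {"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
            {"Id": "example-finding-2", "Resources": [
                {"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0a1b2c3d4e5f67890"},
                {"Type": "AwsEc2Vpc", "Id": "vpc-0123; not an arn"},
                {"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0"}]},
        ],
    },
}


def run_sample() -> List[dict]:
    """Run the dispatcher over the sample event with a recording stub in place of boto3."""
    calls: List[dict] = []
    dispatch_remediations(SAMPLE_EVENT, SAMPLE_ENV, lambda **kwargs: calls.append(kwargs) or {})
    return calls


if __name__ == "__main__":
    for call in run_sample():
        print(call["DocumentName"], call["Parameters"]["VpcId"])
```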
https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-remediate-cis-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-servicecatalog-prescriptivecompliance/README-old.md:
--------------------------------------------------------------------------------


# Prescriptive Compliance with Service Catalog and Config

Standardize the provisioning and set up of configuration compliance using AWS Service Catalog and AWS Config Rules with custom Config Remediations


## Install

1. Launch the sample 'aws-servicecatalog-prescriptivecompliance.yml' template from any account in your organization where Config is already enabled.
2. Provisions an AWS Service Catalog Portfolio with an AWS Config Remediations Product.
   - The AWS Config Remediations Product provides automated detection with AWS Config and automated remediations with custom AWS Systems Manager documents
   - Provisions all pre-reqs for AWS Systems Manager Remediations
   - Provisions Custom AWS Systems Manager Automation Documents to provide Automated Remediations for AWS Config
   - For demo purposes (for GameDay, re:Inforce, etc.) the template provisions misconfigured resources to trigger an attack and then also provisions on-demand evaluations for AWS Config to detect and then remediate the attack with the provisioned custom SSM remediations
   - Creates a launch constraint for a "Team Member" Role. In your AWS account, create a Team Member IAM role and add an IAM user to that role to demonstrate end user access to the catalog. Ignore this step if the AWS account is provisioned by Event Engine


--------------------------------------------------------------------------------
/aws-servicecatalog-prescriptivecompliance/README.md:
--------------------------------------------------------------------------------


# Prescriptive Compliance with Service Catalog and Config. Use a CCOE approach to standardize compliance

This solution demonstrates the combined use of DevOps automation and Infrastructure as Code (IaC) via AWS CodePipeline, AWS Service Catalog and AWS CloudFormation to enable CCOE (Cloud Center of Excellence) AWS administrators and infrastructure engineers to automate the management and deployment of Service Catalog Portfolios that contain Service Catalog Products containing AWS Config rules and integrated AWS Systems Manager (SSM) remediation runbooks.

We will deploy this solution in a multi-account organization. Our organization, deployed via AWS Organizations, comprises a Shared Services account where CCOE (Cloud Center of Excellence) administrators can deploy shared services and can add/remove/update compliance rules. These updates flow through a DevOps-based AWS CodePipeline deployment to the managed accounts and result in updated compliance-related Service Catalog Portfolios in the managed accounts. The entire solution is set up in one step with Infrastructure as Code (IaC) automation using AWS CloudFormation.


## Personas

1. CCOE AWS administrator
   1. The CCOE administrator performs initial setup from the shared services account. After setup, the DevOps infrastructure (AWS CodePipeline) is provisioned in the shared services account, and an AWS Service Catalog Portfolio with Config rules and integrated remediation runbooks is provisioned in the managed accounts.
   2. The CCOE administrator also performs code updates from the local Git repository. The administrator checks in updated Config rules and remediation runbook templates and (optionally) an updated buildspec.yaml file. The updated code flows via AWS CodePipeline in the AWS shared services account and updates the AWS Service Catalog Portfolio in the managed accounts.

2. End user / AWS administrator in the managed accounts
   The end user launches the Config rules and integrated remediation runbooks from the AWS Service Catalog console in the managed account.

## What is implemented

The following AWS CloudFormation templates have been implemented for this solution:
1. aws-servicecatalog-codepipeline.yml – Sets up the AWS CodePipeline automation in the Shared Services account that distributes Service Catalog portfolios to the managed accounts
2. aws-servicecatalog-prescriptivecompliance.yml – Sets up the AWS Service Catalog Portfolio that consists of Service Catalog Products comprised of Config rules with remediation runbooks


## Architecture



## Pre-requisites

1. As a CCOE AWS administrator signed in to the AWS shared services account, set up the following resources.
   Enable AWS Config in the shared services account and all your managed accounts in the organization. [Perform step 1 from the Automate configuration compliance at scale blog post](https://aws.amazon.com/blogs/mt/automate-configuration-compliance-at-scale-in-aws/) to use Systems Manager Quick Setup to do that with just a few clicks from your console.
2. Integrate the AWS Cloud9 local Git repository with the AWS CodeCommit remote Git repository
   1. Use the aws-servicecatalog-configremediations-v1.yml AWS CloudFormation template, which contains AWS Config Managed rules with integrated AWS Systems Manager remediation runbooks for common cloud configuration compliance violations. You can get the AWS CloudFormation template that provides full coverage of PCI rules with SSM remediation runbooks from the [PCI and FSBP Config Rules with built-in SSM remediations](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations) repository
   2. Create an AWS CodeCommit Git repository in the shared services account and integrate it with your local Git repository. Using AWS Cloud9 is one of the easiest ways in AWS to set up a local Git repository and integrate it with CodeCommit as the remote Git repository.
   3. Download these files from this solution's GitHub repo and upload them to your Cloud9 local Git repository. The local Cloud9 Git repository contains the following files in this structure.
      1. Compliance product templates:
         1. aws-servicecatalog-configremediations-v1.yml in a *compliance* folder
         2. aws-servicecatalog-prescriptivecompliance.yml in the root folder
      2. buildspec.yml in the root folder
      3. buildspec-update.yml in the root folder
   4. Create an S3 staging bucket using this naming convention: s3-configremediations-*accountid*-*region*. Create a folder called *compliance* in your S3 bucket. The folder names here need to match the folder names in your local Git repository. You can use any folder names as long as they are the same names used when creating your local Git repository.
   5. In the following files that are available for download from the solution, substitute the *accountid* parameter with the AWS Account ID of the shared services account. Substitute the *region* parameter with the AWS region of your shared services account. Substitute the *managedaccount* and *managedregion* parameters with comma-separated AWS Account IDs and comma-separated AWS regions, respectively, of the managed accounts where the solution will be deployed.
      1. buildspec.yml
      2. buildspec-update.yml


## How to Install

The initial set up is done in one step by the CCOE (Cloud Center of Excellence) AWS Administrator from the shared services account.

1. Launch the aws-servicecatalog-codepipeline.yml template. The template takes the following parameters and you can accept all defaults.
   1. RepositoryName: CodeCommit repository for the Config remediation CloudFormation templates
   2. BranchName: Branch in the CodeCommit repository for the Config Remediation CloudFormation templates
   3. S3StagingBucketPrefix: Prefix for the S3 Staging Bucket that stages the code copied from CodeCommit. In our case this is s3-configremediations-*accountid*-*region*


## Validate compliance

Test and validate the standardized compliance posture that CCOE teams can enforce across managed accounts using AWS Service Catalog

**Step 1: Launch the Service Catalog Product**
1. Log in to the IAM console of the AWS managed account as an administrator, create an IAM user that is a member of the EnduserGroup, and log out of the managed account.
2. Navigate to the AWS Service Catalog console of the managed account as the IAM end user that was created, go to the left sidebar and choose Products.
   1. Select the *AWS ConfigRemediations Compliance Product* product, accept the defaults and select *Launch Product*. The Service Catalog product screen will auto-refresh until the product has been launched. Select *Provisioned Products* from the left sidebar to validate that the product has been launched and the status shows available.

**Step 2: Review provisioned Config rules with attached remediation runbooks**
1. Navigate to the AWS Config console of the managed account. You will see that several AWS Config rules - specifically ‘cloud-trail-log-file-validation-enabled’, ‘ReleaseElasticIP’, ‘cloud_trail_cloud_watch_logs_enabled’, ‘cmk-backing-key-rotation-enabled’ and ‘cis-iam-password-policy’ - with associated remediation runbooks have been provisioned for you based on the launch of the Service Catalog product.
   1. These Config rules with associated remediations will provide continuous compliance for your AWS environment based on the evaluation of these provisioned rules.

**Step 3: Verify automated ‘attack’ and validate compliance**
1. The solution provides built-in automation that launches a *compliance attack* by simulating misconfiguration of AWS resources. Log in as an administrator in the managed account:
   1. Check that an AWS CloudTrail trail called ‘ReinforceTrail’ has been provisioned without log file validation or CloudWatch Logs monitoring enabled. Check that an AWS KMS Customer Master Key with description ‘Test Key Rotation’ has key rotation disabled and that there is an Elastic IP that is not associated with an EC2 instance.
   2. Navigate to the AWS Systems Manager console, select Automation in the left panel and then select Executions. Since we have launched the Service Catalog Product in the managed account, our standardized compliance posture triggers AWS Config Remediations that leverage our integrated and custom AWS Systems Manager remediation runbooks. You can monitor the Execution status in the Systems Manager Automation console for each of the automations and verify that they completed successfully.
   3. Finally, validate the compliance posture of the managed account by checking that each of the misconfigured resources is now in the desired state. Check that the AWS CloudTrail trail called ‘ReinforceTrail’ now has both log file validation and CloudWatch Logs monitoring enabled. Check that the AWS KMS Customer Master Key with description ‘Test Key Rotation’ has key rotation enabled and that the unassociated Elastic IP has been removed.

--------------------------------------------------------------------------------
/aws-servicecatalog-prescriptivecompliance/cft/buildspec-update.yml:
--------------------------------------------------------------------------------
version: 0.2
phases:
  install:
    commands:
      - echo "Python has some SSL issues in this version so we force an upgrade which doesn't fix everything; don't be alarmed by the warnings."
  build:
    commands:
      - echo "S3 Upload Beginning"
      - python -V
      - export ACCID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
      - aws s3 sync . s3://$STAGING_BUCKET/ --delete --exclude "*" --include "*.json" --include "*.yml" --include "*.yaml"
      - echo "S3 Upload Complete, updating cloudformation now..."
      - aws cloudformation update-stack-set --stack-set-name aws-servicecatalog-prescriptivecompliance --parameters "[{\"ParameterKey\":\"S3StagingBucketURL\",\"ParameterValue\":\"https://s3-configremediations-


# Automate change management in AWS with AWS Systems Manager Change Manager

Template 1 first provisions AWS Systems Manager Automation Documents as well as all the required pre-reqs. Template 2 then leverages the Systems Manager Automation documents within AWS Config Remediation Rules to incorporate change management in a remediation action via Systems Manager automation



## Solution architecture



## How To Install

1. **Template 1 of 2:** [aws-changemanager-ssmautomation.yml](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-systemsmanager-changemanager/cft/aws-changemanager-configremediation.yaml)
   * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Config Rule.
   * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 1-2 mins.

2. **Template 2 of 2:** [aws-changemanager-configremediation.yml](https://github.com/aws-samples/aws-cloud-compliance-assurance/blob/main/aws-systemsmanager-changemanager/cft/aws-changemanager-configremediation.yaml)
   * Provisions AWS Config Managed Rules and attaches the custom AWS Systems Manager automation documents as AWS Config Remediations to the AWS Config Managed Rule. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 1-2 mins.
   * Leverages the output from the previous template, specifically the AWS Systems Manager Automation documents


--------------------------------------------------------------------------------
/aws-systemsmanager-changemanager/cft/aws-changemanager-configremediation.yaml:
--------------------------------------------------------------------------------

# -------------------------------------------------------------------------------------------------------------------------------------------------------
# CloudFormation Template 2 of 2-
#
# Provisions
# 1/ Config rule and
# 2/ Config remediation using Change Manager based SSM automation
#
#
# @kmmahaj
# -------------------------------------------------------------------------------------------------------------------------------------------------------


Resources:

# -------------------------------------------------------------------------------------------------------------------------------------------------------
# CIS AWS Foundations Benchmark - 2.9 – Ensure VPC flow logging is enabled in all VPCs
#
# The 1st half AWS::Config::ConfigRule provides detection with SourceIdentifier - AWS Managed Config Rule
# The 2nd half AWS::Config::RemediationConfiguration provides remediation with Change Manager
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  VPCFlowLogsEnabled:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: VPCFlowLogsEnabled
      Description: "Ensures VPC Flow Logs are Enabled"
      Source:
        Owner: AWS
        SourceIdentifier: VPC_FLOW_LOGS_ENABLED
      MaximumExecutionFrequency: One_Hour
  VPCFlowLogsEnabledRemediation:
    DependsOn: VPCFlowLogsEnabled
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: VPCFlowLogsEnabled
      TargetId: "Custom-EnableChangeManagerVPCFlowLogs"
      TargetType: "SSM_DOCUMENT"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !ImportValue AutomationAssumeRoleArn
        CloudWatchLogGroupArn:
          StaticValue:
            Values:
              - !ImportValue FlowLogsCloudWatchLogGroupArn
        CloudWatchLogGroupName:
          StaticValue:
            Values:
              - !ImportValue FlowLogsCloudWatchLogs
        FlowLogRoleArn:
          StaticValue:
            Values:
              - !ImportValue FlowLogsRoleArn
        VpcId:
          ResourceValue:
            Value: "RESOURCE_ID"
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Automatic: True
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60


#------------------------------------------------------------------------------------------
# On Demand Config Evaluation Lambda for AWS Config Rules:
# -- Provides a live demo experience to the user
# -- Triggers Detection at 2 min intervals of misconfigured resources via AWS Config
#-------------------------------------------------------------------------------------------

  OnDemandConfigEvalEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: OnDemandConfigEvalEventRule
      Description: "Trigger On Demand Evaluation of Config Rules for Game Day"
      State: "ENABLED"
      ScheduleExpression: "rate(2 minutes)"
      Targets:
        -
          Arn:
            Fn::GetAtt:
              - "OnDemandConfigEvalLambda"
              - "Arn"
          Id: "OnDemandConfigEval"

  PermissionForEventsToInvokeConfigLambda:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt "OnDemandConfigEvalLambda.Arn"
      Principal: events.amazonaws.com
      SourceArn: !GetAtt "OnDemandConfigEvalEventRule.Arn"

  OnDemandConfigEvalLambda:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import json
          import os
          import boto3
          import logging
          LOGGER = logging.getLogger()
          LOGGER.setLevel(logging.INFO)
          def lambda_handler(event, context):
              try:
                  # Rule name comes from the function's environment (see Environment.Variables below)
                  ruleName1 = os.environ['ruleName1']
                  client = boto3.client('config')
                  # Force an out-of-schedule evaluation so the demo does not wait for the hourly run
                  response = client.start_config_rules_evaluation(
                      ConfigRuleNames=[
                          ruleName1
                      ]
                  )
              except Exception as e:
                  print(e)
                  print("AWS Config Evaluation execution error")
                  raise
      Handler: index.lambda_handler
      MemorySize: 128
      Role: !GetAtt "OnDemandConfigEvalLambdaRole.Arn"
      Runtime: python3.7
      Timeout: 60
      Environment:
        Variables:
          ruleName1: 'VPCFlowLogsEnabled'


# On Demand Config Eval Role
  OnDemandConfigEvalLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub demo-OnDemandConfigEvalLambdaRole-${AWS::Region}
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"

--------------------------------------------------------------------------------
/aws-systemsmanager-changemanager/images/arch-changemanager.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-cloud-compliance-assurance/fb8251ab8536ad36a64bac8408b29f5e7ee33df1/aws-systemsmanager-changemanager/images/arch-changemanager.png
--------------------------------------------------------------------------------