├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── aws-auditmanager-securityhub ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── cft │ ├── aws-auditmanager-customassessment.yml │ └── aws-auditmanager-securityhub.yml ├── images │ └── arch-diagram.png ├── lab │ ├── images │ │ ├── 1.png │ │ ├── 10.PNG │ │ ├── 11.PNG │ │ ├── 12.PNG │ │ ├── 14.PNG │ │ ├── 15.PNG │ │ ├── 16.PNG │ │ ├── 17.PNG │ │ ├── 18.PNG │ │ ├── 19.PNG │ │ ├── 2.PNG │ │ ├── 20.PNG │ │ ├── 21.PNG │ │ ├── 22.PNG │ │ ├── 23.PNG │ │ ├── 24.PNG │ │ ├── 25.PNG │ │ ├── 26.PNG │ │ ├── 27.PNG │ │ ├── 28.PNG │ │ ├── 29.PNG │ │ ├── 3.PNG │ │ ├── 30.PNG │ │ ├── 31.PNG │ │ ├── 4.PNG │ │ ├── 5.PNG │ │ ├── 6.PNG │ │ ├── 7.PNG │ │ ├── 8.PNG │ │ ├── 9.PNG │ │ ├── cft │ │ │ ├── 1.PNG │ │ │ ├── 10.PNG │ │ │ ├── 11.PNG │ │ │ ├── 12.PNG │ │ │ ├── 13.PNG │ │ │ ├── 14.PNG │ │ │ ├── 15.PNG │ │ │ ├── 16.PNG │ │ │ ├── 17.PNG │ │ │ ├── 18.PNG │ │ │ ├── 19.PNG │ │ │ ├── 2.PNG │ │ │ ├── 3-not.PNG │ │ │ ├── 3.PNG │ │ │ ├── 4.PNG │ │ │ ├── 5.PNG │ │ │ ├── 6.PNG │ │ │ ├── 7.PNG │ │ │ ├── 8.PNG │ │ │ ├── 9.PNG │ │ │ ├── Customassessment on notepad.PNG │ │ │ ├── SecurityHubImages.PNG │ │ │ ├── arch-diagram.png │ │ │ ├── confpack-5.PNG │ │ │ ├── confpack-6.PNG │ │ │ ├── confpack-7.PNG │ │ │ ├── confpack-8.PNG │ │ │ ├── confpack-9.PNG │ │ │ ├── customcontrol-2.png │ │ │ ├── customcontrol-4.png │ │ │ ├── onnotepad.PNG │ │ │ └── part2github.PNG │ │ ├── customcontrol-1.png │ │ ├── customcontrol-2.png │ │ ├── customcontrol-3.png │ │ ├── customcontrol-4.png │ │ ├── manual-1.PNG │ │ ├── manual-10.PNG │ │ ├── manual-11.PNG │ │ ├── manual-12.PNG │ │ ├── manual-13.PNG │ │ ├── manual-14.PNG │ │ ├── manual-15.PNG │ │ ├── manual-16.PNG │ │ ├── manual-17.png │ │ ├── manual-18.png │ │ ├── manual-19.png │ │ ├── manual-2.PNG │ │ ├── manual-20.png │ │ ├── manual-21.PNG │ │ ├── manual-22.png │ │ ├── manual-23.PNG │ │ ├── manual-24.PNG │ │ ├── manual-25.PNG │ │ ├── manual-3.PNG │ │ ├── manual-4.png │ │ ├── manual-5.PNG │ │ 
├── manual-6.PNG │ │ ├── manual-7.PNG │ │ ├── manual-8.PNG │ │ └── manual-9.PNG │ └── index.md ├── lambda │ ├── CustomAuditManagerFramework_Lambda.py │ ├── CustomAuditManagerFramework_Lambda.zip │ └── auditmanagerlayer.zip └── layer │ └── auditmanagerlayer.zip ├── aws-backupauditmanager-securityhub ├── LICENSE ├── README.md ├── cft │ └── aws-backupauditmanager-securityhub.yaml └── images │ ├── arch-diagram.png │ └── backupauditmanager-securityhub.png ├── aws-cis-contributorinsights └── cft │ └── CIS-ContributorInsights.yaml ├── aws-ecr-continuouscompliance ├── LICENSE ├── README.md ├── cft │ └── aws-ecr-continuouscompliance-v1.yaml └── images │ └── arch-diagram.png ├── aws-guardduty-detect-securityhubremediate ├── README.md ├── cft │ ├── aws-guarddutydetect-securityhubremediate-v1.yml │ ├── aws-guarddutydetect-securityhubremediate.yml │ ├── threatlist.txt │ └── vpc-setup-v1.json └── images │ └── arch-diagram.png ├── aws-remediate-cis-securityhub ├── README.md ├── cft │ ├── aws-cis-cloudwatchlogmetricfilters.yml │ ├── aws-cis-securityhubactions.yml │ └── aws-cis-systemsmanagerautomations.yml └── images │ └── arch-diagram.png ├── aws-remediate-fsbp-securityhub ├── README.md ├── cft │ ├── aws-security-hub-fsbp-remediations-template1.yml │ └── aws-security-hub-fsbp-remediations-template2.yml └── images │ └── arch-diagram.png └── aws-remediate-pci-securityhub ├── README.md ├── cft ├── aws-securevpcsetup.template ├── aws-security-hub-pci-remediations-template1.yml └── aws-security-hub-pci-remediations-template2.yml └── images └── arch-diagram.png /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 
5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. 
Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 
5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 
38 | 39 | GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/README.md: -------------------------------------------------------------------------------- 1 |

2 |

3 | 4 | # Automate audit preparation in AWS and integrate across the Three Lines Model - Build a custom integration of AWS Audit Manager with AWS Security Hub 5 | 6 | Creates a custom AWS Audit Manager framework that is composed of custom AWS Audit Manager control sets. The custom Audit Manager control set contains custom AWS Audit Manager controls related to AWS Security Hub findings that span across AWS Security Hub FSBP, CIS and PCI compliance checks. So, instead of the control set being specific to an individual AWS Security Hub compliance check (FSBP, CIS or PCI), the control set spans across Security Hub compliance checks and is specific to a security-related domain, e.g. Identity Management or Network Monitoring. 7 | 8 | 9 | ## Solution Design 10 | 11 | ![](images/arch-diagram.png) 12 | 13 | ## How To Install 14 | 15 | **Prerequisites** 16 | 17 | 1. Ensure that AWS Security Hub is enabled in your account. 18 | 19 | 2. Follow the steps to set up AWS Audit Manager. 20 | 21 | 3. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-AccountId-Region where the AccountId is your AWS Account ID and Region is the AWS Region where you have deployed this template. In this bucket, create a folder named CustomAuditManagerFramework_Lambda and upload the CustomAuditManagerFramework_Lambda.zip (it's in the lambda folder) file there. 22 | 23 | 4. Audit Manager works with the Boto3 1.7 libraries. AWS Lambda doesn't ship with Boto3 1.7 by default. This implementation provides that version of Boto3 as a Lambda Layer. Upload the auditmanagerlayer.zip (it's in the layer folder) to the root folder of the S3 bucket created in step 3. 24 | 25 | 5. If you have already configured an assessment reports destination in your Audit Manager settings then you can skip this step. Otherwise, create a folder (e.g. 'evidences') in the S3 bucket from step 3. Your assessment reports destination will be the S3 URI, e.g. 
s3://s3-customauditmanagerframework-AccountId-Region/evidences/. AWS Audit Manager will save your assessment reports to this bucket. 26 | 27 | 6. Create an IAM user with Audit owner permissions. https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies 28 | 29 | 30 | **Setup** 31 | 32 | The solution automates the initial setup and deployment in two steps: 33 | 34 | 1. Launch the **aws-auditmanager-securityhub.yml** template. For parameters - 1) Provide the name of the S3 bucket and folder (from step 3 in the prerequisites) that contains the source CustomAuditManagerFramework_Lambda.zip. Note that the Lambda execution role created by this template is broad (s3:* on the source bucket, ssm:* on all resources, plus the AWSAuditManagerAdministratorAccess managed policy); review and narrow these permissions before deploying outside a lab account. 35 | 36 | 2. Launch the **aws-auditmanager-customassessment.yml** template. For parameters - 1) Provide the S3 URI (from step 5 in the prerequisites) that is the assessment destination and 2) Provide the ARN of the Audit owner IAM user from step 6 in the prerequisites. Set the AuditOwnerArn parameter explicitly: the template's default value is a hard-coded user ARN from a specific AWS account, not a placeholder for yours. 37 | 38 | **Cleanup** 39 | 40 | 1. Delete the CloudFormation stacks in sequence: 1) aws-auditmanager-customassessment.yml and then 2) aws-auditmanager-securityhub.yml 41 | 2. Delete the custom framework as well as the custom controls created in Audit Manager (you can do this from the console) 42 | 3. Delete the Audit Manager framework ID from the SSM parameter store 43 | 44 | 45 | 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/cft/aws-auditmanager-customassessment.yml: -------------------------------------------------------------------------------- 1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | # SPDX-License-Identifier: MIT-0 3 | 4 | # Provisions custom AWS Audit Manager assessment based on Security Hub checks 5 | # Pre-req: AWS Lambda that creates a custom AWS Audit Manager control set and custom AWS Audit Manager 6 | # framework 7 | 8 | # kmmahaj 9 | 10 | AWSTemplateFormatVersion: 2010-09-09 11 | Description: >- 12 | AWS CloudFormation template to create custom Audit Manager assessments. You will be 13 | billed for the AWS resources used if you create a stack from this template. 14 | Parameters: 15 | 16 | AssessmentDestination: 17 | Description: S3 Bucket and folder that stores the Custom Audit Manager Assessment Destination 18 | Type: String 19 | Default: 's3://s3-customauditmanagerframework--/evidences/' 20 | MinLength: '1' 21 | MaxLength: '255' 22 | 23 | AuditOwnerArn: 24 | Description: ARN for IAM Audit Owner in your account. 25 | Type: String 26 | Default: 'arn:aws:iam::341476298946:user/AuditManagerAdmin' 27 | MinLength: '1' 28 | MaxLength: '255' 29 | 30 | Resources: 31 | 32 | #--------------------------------------------------------------------------------------------------- 33 | # 1- Provision Custom Audit Manager Assessment 34 | # - Use SSM Parameter Store to retrieve the Framework ID created by the custom backed Lambda 35 | # -------------------------------------------------------------------------------------------------- 36 | 37 | CustomAuditManagerAssessment: 38 | Type: AWS::AuditManager::Assessment 39 | Properties: 40 | AssessmentReportsDestination: 41 | Destination: !Ref AssessmentDestination 42 | DestinationType: 'S3' 43 | Description: 'Custom Security Hub Assessment' 44 | FrameworkId: '{{resolve:ssm:CustomSecurityHubFrameworkID:1}}' 45 | Name: 'CustomSecurityHubAssessment' 46 | Roles: 47 | - 'RoleArn': !Ref AuditOwnerArn 48 | 'RoleType': 'PROCESS_OWNER' 49 | Scope: 50 | AwsAccounts: 51 | - 'Id': !Ref 'AWS::AccountId' 52 | AwsServices: 53 | - 'ServiceName': 's3' 54 | - 'ServiceName': 'iam' 55 | - 'ServiceName': 'cloudtrail' 56 | - 
'ServiceName': 'lambda' 57 | - 'ServiceName': 'ec2' 58 | - 'ServiceName': 'rds' 59 | 60 | 61 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/cft/aws-auditmanager-securityhub.yml: -------------------------------------------------------------------------------- 1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # SPDX-License-Identifier: MIT-0 3 | 4 | # Provisions the AWS Lambda (with its layer, IAM role and invoke permission) that creates a custom AWS Audit Manager 5 | # control set and custom AWS Audit Manager framework based on Security Hub checks 6 | # Pre-req for aws-auditmanager-customassessment.yml, which provisions the assessment on top of this framework 7 | 8 | # kmmahaj 9 | 10 | AWSTemplateFormatVersion: 2010-09-09 11 | Description: >- 12 | AWS CloudFormation template to create custom Audit Manager assessments. You will be 13 | billed for the AWS resources used if you create a stack from this template. 14 | Parameters: 15 | SourceBucket: 16 | Description: S3 Bucket that contains the Custom Audit Manager Framework Lambda 17 | Type: String 18 | Default: 's3-customauditmanagerframework--' 19 | MinLength: '1' 20 | MaxLength: '255' 21 | 22 | Resources: 23 | 24 | #--------------------------------------------------------------------------------------------------- 25 | # 26 | # 1- Create Custom Audit Manager Control Sets for IAM, API and Network Monitoring 27 | # based on Security Hub checks across PCI,CIS and FSBP frameworks 28 | # 2- Create Custom Audit Manager Framework based on custom Audit Manager control set 29 | # -------------------------------------------------------------------------------------------------- 30 | 31 | #Custom Lambda backed Resource for creating the Custom Audit Manager Framework 32 | CreateCustomAuditManagerFramework: 33 | Type: 'Custom::CreateCustomAuditManagerFramework' 34 | DependsOn: 35 | - CustomAuditManagerFrameworkExecutePermission 36 | Properties: 37 | ServiceToken: !GetAtt 'CustomAuditManagerFrameworkLambda.Arn' 38 | SourceAccountId: !Ref 
'AWS::AccountId' 39 | 40 | #Permission for CFN to invoke custom lambda backed resource 41 | CustomAuditManagerFrameworkExecutePermission: 42 | Type: 'AWS::Lambda::Permission' 43 | Properties: 44 | Action: 'lambda:InvokeFunction' 45 | FunctionName: !GetAtt 'CustomAuditManagerFrameworkLambda.Arn' 46 | Principal: 'cloudformation.amazonaws.com' 47 | SourceAccount: !Ref 'AWS::AccountId' 48 | 49 | #Lambda Function that creates the custom Audit Manager framework 50 | CustomAuditManagerFrameworkLambda: 51 | Type: 'AWS::Lambda::Function' 52 | Properties: 53 | FunctionName: !Join 54 | - '' 55 | - - CustomAuditManagerFramework_ 56 | - Lambda 57 | Role: !GetAtt CustomAuditManagerFrameworkLambdaRole.Arn 58 | Code: 59 | S3Bucket: !Ref SourceBucket 60 | S3Key: !Join 61 | - '' 62 | - - CustomAuditManagerFramework_Lambda 63 | - / 64 | - CustomAuditManagerFramework_Lambda 65 | - .zip 66 | Description: CustomAuditManagerFrameworkLambda 67 | Handler: CustomAuditManagerFramework_Lambda.lambda_handler 68 | MemorySize: '256' 69 | Runtime: python3.7 70 | Layers: 71 | - !Ref AuditManagerLayer 72 | Environment: 73 | Variables: 74 | SourceAccountId : !Ref 'AWS::AccountId' 75 | Timeout: 300 76 | 77 | #Lambda Layer for AWS Audit Manager 78 | AuditManagerLayer: 79 | Type: AWS::Lambda::LayerVersion 80 | Properties: 81 | CompatibleRuntimes: 82 | - python3.6 83 | - python3.7 84 | - python3.8 85 | Content: 86 | S3Bucket: !Ref SourceBucket 87 | S3Key: auditmanagerlayer.zip 88 | Description: Boto3 layer for audit manager 89 | LayerName: AuditManagerLayer 90 | LicenseInfo: MIT 91 | 92 | #IAM Role for the CustomAuditManagerFramework Lambda 93 | CustomAuditManagerFrameworkLambdaRole: 94 | Type: 'AWS::IAM::Role' 95 | Properties: 96 | RoleName: !Sub securityhub-customauditmanagerframeworkrole-${AWS::Region} 97 | AssumeRolePolicyDocument: 98 | Version: 2012-10-17 99 | Statement: 100 | - Sid: AllowLambdaAssumeRole 101 | Effect: Allow 102 | Principal: 103 | Service: lambda.amazonaws.com 104 | Action: 
'sts:AssumeRole' 105 | Policies: 106 | - PolicyName: CustomAuditManagerFrameworkLambdaPolicy 107 | PolicyDocument: 108 | Version: 2012-10-17 109 | Statement: 110 | - Sid: '1' 111 | Action: 112 | - 's3:*' 113 | Effect: Allow 114 | Resource: 115 | - !Sub arn:${AWS::Partition}:s3:::${SourceBucket} 116 | - !Sub arn:${AWS::Partition}:s3:::${SourceBucket}/* 117 | - Sid: '2' 118 | Action: 119 | - 'logs:CreateLogGroup' 120 | - 'logs:CreateLogStream' 121 | - 'logs:PutLogEvents' 122 | - 'logs:DescribeLogStreams' 123 | Effect: Allow 124 | Resource: '*' 125 | - Sid: '3' 126 | Action: 127 | - 'ssm:*' 128 | Effect: Allow 129 | Resource: '*' 130 | ManagedPolicyArns: 131 | - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSAuditManagerAdministratorAccess' 132 | - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' 133 | 134 | -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/images/arch-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/images/arch-diagram.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/1.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/10.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/10.PNG 
-------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/11.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/11.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/12.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/12.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/14.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/14.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/15.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/15.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/16.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/16.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/17.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/17.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/18.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/18.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/19.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/19.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/2.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/20.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/20.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/21.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/21.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/22.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/22.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/23.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/23.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/24.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/24.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/25.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/25.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/26.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/26.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/27.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/27.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/28.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/28.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/29.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/29.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/3.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/30.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/30.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/31.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/31.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/4.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/4.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/5.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/6.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/6.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/7.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/7.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/8.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/9.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/9.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/1.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/10.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/10.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/11.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/11.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/12.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/12.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/13.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/13.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/14.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/14.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/15.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/15.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/16.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/16.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/17.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/17.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/18.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/18.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/19.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/19.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/2.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/3-not.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/3-not.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/3.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/4.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/4.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/5.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/6.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/6.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/7.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/7.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/8.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/9.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/9.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/Customassessment on notepad.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/Customassessment on notepad.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/SecurityHubImages.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/SecurityHubImages.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/arch-diagram.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/arch-diagram.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/confpack-5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-5.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/confpack-6.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-6.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/confpack-7.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-7.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/confpack-8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-8.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/confpack-9.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-9.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/customcontrol-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/customcontrol-2.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/customcontrol-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/customcontrol-4.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/onnotepad.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/onnotepad.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/cft/part2github.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/part2github.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/customcontrol-1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-1.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/customcontrol-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-2.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/customcontrol-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-3.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/customcontrol-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-4.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-1.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-10.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-10.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-11.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-11.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-12.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-12.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-13.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-13.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-14.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-14.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-15.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-15.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-16.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-16.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-17.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-18.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-19.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-2.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-2.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-20.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-21.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-21.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-22.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-23.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-23.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-24.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-24.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-25.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-25.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-3.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-4.png -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-5.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-6.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-6.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-7.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-7.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-8.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/images/manual-9.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-9.PNG -------------------------------------------------------------------------------- /aws-auditmanager-securityhub/lab/index.md: -------------------------------------------------------------------------------- 1 |

2 |

3 | 4 | ## Build AWS Audit Manager Assessments 5 | 6 | In this lab, we will create a custom Audit Manager assessment by configuring custom controls, frameworks and assessments with AWS Audit Manager. 7 | 8 | ## Prerequisites 9 | 1. [Enable AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) in your AWS account, in the AWS Region you will use for this lab. 10 | 2. [Set up AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/setting-up.html#setup-audit-manager). In the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), configure your [AWS Audit Manager settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html). 11 | 3. Create an [IAM user with Audit owner permissions](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies). You can use the AWSAuditManagerAdministratorAccess policy as a starting point for this lab, but scope down these permissions as appropriate for your requirements. A long-lived IAM user is used here only for simplicity; outside a lab, prefer an IAM role or a federated identity as the audit owner, and grant it no more than the permissions the assessment actually needs. 12 | 4. If you have already configured an [assessment reports destination](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html#settings-destination) in your AWS Audit Manager settings, you can skip this step. Otherwise, you can simply reuse the Amazon S3 bucket you created in step 2. The bucket must be in the same AWS Region as your assessment. Create a folder (prefix) in the bucket for the reports, for example `evidences/`. Your assessment reports destination will be the Amazon S3 URI of that folder (for example, s3://YOUR-BUCKET-NAME/evidences/). AWS Audit Manager will save your assessment reports to this bucket. Because these reports and their evidence describe the security configuration of your account, keep the bucket private: leave S3 Block Public Access enabled, enable default encryption, and restrict the bucket policy to the Audit Manager service and your audit owners. 13 | 14 | 15 | ## Create a custom control 16 | 17 | We will configure a custom control that consists of three data sources. Each data source collects evidence based on the evaluation of a specific AWS Config rule. 18 | 19 | 1. 
Navigate to the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home) and, from the left navigation pane, select **Control library**, and then select **Create custom control**. 20 | ![](images/manual-1.PNG) 21 | 22 | 2. Under **Control name**, enter a name (for example, Custom Control) and an optional description, and then select **Next**. 23 | ![](images/manual-2.PNG) 24 | 25 | 3. In **Configure data sources for this control**, choose **Automated evidence**. Under **Select an evidence type by mapping to a data source**, select **Compliance checks for resource configurations from AWS Config**. In **Specify an AWS Config rule**, select **CLOUD_TRAIL_ENCRYPTION_ENABLED**. Select **Add data source** to add another data source. 26 | ![](images/manual-3.PNG) 27 | 28 | 4. Follow Step 3 above and add the **CLOUD_TRAIL_ENABLED** and **S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS** AWS Config rules as data sources. Select **Next**. Note that selecting a rule here only tells Audit Manager which rule evaluations to collect; the rule itself must be enabled in AWS Config in the same account and Region, otherwise the data source will produce no evidence. 29 | ![](images/manual-4.png) 30 | 31 | 5. On the **Review and create** screen, skip defining the action plan and choose **Create custom control**. 32 | ![](images/manual-5.PNG) 33 | 34 | 6. The figure below shows the custom control displayed in the Control library: 35 | ![](images/manual-6.PNG) 36 | 37 | 38 | ## Create a custom framework 39 | 40 | Custom frameworks allow you to organize controls into control sets in a way that suits your unique requirements. Follow these steps to create a custom framework using the custom control you created in the previous section. 41 | 42 | 1. From the left panel, select **Framework library**, and then select **Create custom framework**. 43 | ![](images/manual-7.PNG) 44 | 45 | 2. In **Specify framework details**, enter a name for the framework (for example, Record Custom Control). Enter an optional compliance type and description, and then select **Next**. 46 | ![](images/manual-8.PNG) 47 | 48 | 3. 
In **Specify the controls in the control set**, under **Control set name**, provide a name for the control set (for example, Custom Control Set). Under **Select control type**, select **Custom controls**, and then select **Add to control set**. The custom control you created earlier should be displayed under **Selected controls**. 49 | ![](images/manual-9.PNG) 50 | 51 | 4. On the **Review and create** screen, select **Create custom framework**. 52 | ![](images/manual-10.PNG) 53 | 54 | The figure below shows the custom framework, which consists of the custom control that we configured earlier. 55 | ![](images/manual-11.PNG) 56 | 57 | 58 | ## Create a custom assessment 59 | 60 | An Audit Manager assessment is an implementation of an AWS Audit Manager framework. It collects the evidence produced by the AWS Config rules that you selected as data sources, converts it into an auditor-friendly format, and attaches the evidence to the custom control in the framework. 61 | 62 | 1. From the left navigation pane, select **Assessments**, and then select **Create assessment**. 63 | ![](images/manual-12.PNG) 64 | 65 | 2. In **Specify assessment details**, under **Assessment details**, enter a name for the assessment (for example, Record Custom Control) and an optional description. Under **Assessment reports destination**, provide the [Amazon S3](https://aws.amazon.com/s3/) URI from Step 4 in the prerequisites section. Under **Frameworks**, select the **Record Custom Control** framework, and then select **Next**. 66 | ![](images/manual-13.PNG) 67 | 68 | 3. In **Edit AWS accounts in scope**, select your current account as in scope for the assessment, and then select **Next**. 69 | ![](images/manual-14.PNG) 70 | 71 | 4. Under **AWS services**, select all services in scope that are automatically detected by Audit Manager, and then select **Next**. 72 | ![](images/manual-15.PNG) 73 | 74 | 5. 
Under **Specify audit owners**, select the Audit owner user that you created in Step 4 in the prerequisites section, and then select **Next**. 75 | ![](images/manual-16.PNG) 76 | 77 | 6. On the **Review and create** screen, select **Create assessment**. 78 | 79 | 80 | ## Review evidence 81 | Once you create an assessment, it will automatically start collecting evidence for the custom controls that you had configured within the assessment. It may take *24 hours* for the evidence to appear on the Audit Manager Console. 82 | 83 | 1. On the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), from the left panel, select **Assessments**. Select the **Record Custom Control assessment**. 84 | 85 | 2. In **Control sets**, select the custom control you created earlier. 86 | ![](images/manual-17.png) 87 | 88 | 3. On the **Evidence folders** tab, you can review the evidence collection. Select an **Evidence folder**. 89 | ![](images/manual-18.png) 90 | 91 | 4. In the **Evidence** list, check that AWS Audit Manager has recorded compliance status at different points in time. Under the **Time** column in **Evidence**, if you select one of the time slots (such as 6:17:38 PM UTC), the evidence description is displayed. Select **View JSON** next to **responseElements** to view the evidence. 92 | ![](images/manual-19.png) 93 | ![](images/manual-20.png) 94 | 95 | 5. You can also select evidence from your custom control to add to an assessment report. You can then generate the assessment report. From the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), go back to the **Evidence folder** list. To add evidence to an assessment report, select the evidence, and then select **Add to assessment report** as shown. 96 | ![](images/manual-21.PNG) 97 | 98 | 6. From the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home) select your custom assessment *Record Custom Control*. 
Select **Assessment report selection** in the bottom panel and select **Generate assessment report**. Provide the report with a name and description. 99 | ![](images/manual-22.png) 100 | ![](images/manual-23.PNG) 101 | 102 | 7. On the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), navigate to **Assessment reports**. You can now select and download the assessment report, which includes all your selected evidence. 103 | ![](images/manual-24.PNG) 104 | 105 | 8. You can also navigate to the [S3](https://console.aws.amazon.com/s3/) bucket that you had configured as the assessment reports destination earlier and view the assessment report from there 106 | ![](images/manual-25.PNG) 107 | 108 | 109 | ## Automate building of custom Audit Manager Assessments based on Security Hub findings 110 | 111 | ## Overview 112 | AWS Security Hub provides an out of the box integration with AWS Audit Manager where Security Hub findings based on Security Hub security standards are sent to Audit Manager. If compliance checks from Security Hub security standards are the only data source for an Audit Manager control then the out of the box Audit Manager control set (as well as the Audit Manager framework and assessment) correspond to one of the three supported AWS Security Hub security standards – Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) or Payment Card Industry (PCI). 113 | 114 | In this lab, we will deploy a solution that builds custom controls in AWS Audit Manager based on Security Hub findings 115 | 116 | The Audit Manager custom controls are organized into control sets. The custom control set in our solution contains AWS Audit Manager controls related to AWS Security Hub findings that span across the FSBP, CIS and PCI standards. The Audit Manager control set is not specific to the Security Hub security standard but it is specific to a security-related domain (for example, identity management or network monitoring). 
The Audit Manager control set includes controls from all three Security Hub security standards (FSBP, CIS or PCI) as they relate to that specific domain. This is a common use case where customers want to delegate audit assurance responsibilities to security administrators based on their subject matter expertise. 117 | 118 | Refer to [Integrate across the Three Lines Model (Part 1): Build a custom automation of AWS Audit Manager with AWS Security Hub](https://aws.amazon.com/blogs/mt/integrate-across-the-three-lines-model-part-1-build-a-custom-automation-of-aws-audit-manager-with-aws-security-hub/) for a full description of this solution. 119 | 120 | ## Prerequisites 121 | 1. [Enable Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-console) in your account 122 | 2. [Setup AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/setting-up.html#setup-audit-manager). In the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), configure your [AWS Audit Manager settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html). 123 | 3. Create an [IAM user with Audit owner permissions](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies). You can use the AWSAuditManagerAdministratorAccess policy as a starting point for this lab, but scope down these permissions as appropriate for your requirements. 124 | 4. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-*AccountId*-*Region* where *AccountId* is your AWS account ID and *Region* is the AWS Region where you plan to deploy the CloudFormation templates. In this bucket, create a folder named *CustomAuditManagerFramework_Lambda*. 
[Create a directory](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-folder.html) and then upload the [CustomAuditManagerFramework_Lambda.zip](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.zip) file there. 125 | 4. If you have already configured an [assessment reports destination](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html#settings-destination) in your AWS Audit Manager settings, you can skip this step. Otherwise, you can simply reuse the Amazon S3 bucket you created in step 4. The bucket must be in the same AWS Region as your assessment. Create a folder in the bucket for evidence and then [create a directory](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-folder.html). Your assessment reports destination will be the Amazon S3 URI (for example, s3://s3-customauditmanagerframework-*AccountId*-*Region*/evidences/). AWS Audit Manager will save your assessment reports to this bucket. 126 | 5. Audit Manager works with the [Boto3 1.7](https://boto3.amazonaws.com/v1/documentation/api/1.7.74/index.html) libraries. AWS Lambda doesn’t ship with Boto3 1.7 by default. This implementation provides that version of Boto3 as a [Lambda layer](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html). Upload the [auditmanagerlayer.zip](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/layer/auditmanagerlayer.zip) to the top directory of the Amazon S3 bucket you created in step 4. 127 | 128 | 129 | ## Install the solution 130 | 131 | 1. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-securityhub.yml](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/cft/aws-auditmanager-securityhub.yml) template. 
In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters: 132 | **SourceBucket**: The name of the Amazon S3 bucket that contains the AWS Lambda source code. This is the bucket you created in step 3 of the prerequisites. Replace *AccountId* and *Region* with the AWS account ID and Region where you are deploying this template. 133 | 134 | 2. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-customassessment.yml](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/cft/aws-auditmanager-customassessment.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters: 135 | **AssessmentDestination**: The S3 URI in which AWS Audit Manager will save your assessment reports. This is the S3 URI from step 4 of the prerequisites. Replace *AccountID* and *Region* with the AWS account ID and Region where you are deploying this template. 136 | **AuditOwnerArn**: The ARN for the IAM user that you created in step 3 of the prerequisites. 137 | 138 | ## Review the Custom Audit Manager Controls, Framework and Assessment 139 | 140 | 1. Navigate to the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home). From the left panel, select **Control library** and then select **Custom Control** on the right panel. You will see the list of custom controls that have been created for IAM and Networking monitoring related areas that span across the Security Hub compliance standards. 141 | ![](images/cft/12.PNG) 142 | 143 | 2. Click on the *CustomMonitoringSecurityHubControl* to view the data sources for this custom control. 
All data sources use Security Hub Findings, however they span across the 3 compliance standards supported by Security Hub and are specific to monitoring related findings 144 | ![](images/cft/customcontrol-2.png) 145 | 146 | 3. Click on the *CustomIAMSecurityHubControl* to view the data sources for this custom control. All data sources use Security Hub Findings, however they span across the 3 compliance standards supported by Security Hub and are specific to IAM related findings 147 | ![](images/cft/customcontrol-4.png) 148 | 149 | 4. From the left panel, select **Framework Library** and then select **Custom Framework** on the right pane to view the custom Audit Manager framework *Security Hub Custom Framework* that was provisioned by the solution. 150 | ![](images/cft/17.PNG) 151 | 152 | 5. Select the custom framework from the previous step. Under the **Control** section, you will see that this framework incorporates custom Security Hub controls that you reviewed in the **Custom Control** tab from Step 1. 153 | ![](images/cft/18.PNG) 154 | 155 | 6. On the left hand panel, select **Assessments** and you will see that a custom assessment was provisioned by the solution. Select the custom assessment named **CustomSecurityHubAssessment** and view the custom controls that correspond to the assessment. 156 | ![](images/cft/10.PNG) 157 | ![](images/cft/19.PNG) 158 | 159 | Once you create an assessment, it will automatically start collecting evidence for the custom controls that you have configured within the assessment. It may take 24 hours for the evidence to appear on the Audit Manager Console. 160 | 161 | ## Customizing AWS Audit Manager - Automate building of custom AWS Audit Manager assessments - Transform an AWS Config Conformance Pack to an AWS Audit Manager Assessment 162 | 163 | AWS Config conformance packs provide a sample mapping between a supported compliance standard and AWS Config Managed Rules. 
Conformance packs enable the grouping of multiple AWS Config rules to a specific control id within the compliance standard. By transforming AWS Config conformance packs into custom Audit Manager assessments we can extend Audit Manager to provide custom assessments for dozens of compliance standards that are not supported out of the box by Audit Manager. 164 | 165 | In this lab, we will deploy a solution that builds custom controls in AWS Audit Manager. The Audit Manager custom controls are organized into control sets. Each control set corresponds to a control id in the conformance pack. The Audit Manager control set comprises the AWS Config rules mapped to the control id by the AWS Config conformance pack. Our solution then creates a custom framework and a custom assessment based on these custom controls. 166 | 167 | Refer to [Integrate across the Three Lines Model (Part 2): Transform AWS Config conformance packs into AWS Audit Manager assessments](https://aws.amazon.com/blogs/mt/integrate-across-the-three-lines-model-part-2-transform-aws-config-conformance-packs-into-aws-audit-manager-assessments/) for a full description of this solution. This solution is also available from the [AWS Cloud Compliance and Assurance Reference Solution](https://github.com/aws-samples/aws-cloud-compliance-assurance) 168 | 169 | 170 | ## Prerequisites 171 | 1. Ensure that you have completed all the prerequisites from the *Build AWS Audit Manager Assessments* lab 172 | 2. Create a control mapping file. This is a CSV file where each row contains a control ID for the compliance standard as the first column. The remaining columns of that row each contain one AWS Config rule that maps to the control ID. A row can have any number of columns. 
You can use the [sample mapping file](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/mappingfile/nerc-cipmappingfile.csv) for NERC-CIP here directly or create your own for any of the supported compliance standards. The mapping of these rules to the control ID of the compliance standard is created manually by the user from the compliance standard’s [conformance pack documentation](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nerc.html). 173 | 3. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-*AccountId*-*Region* where *AccountId* is your AWS account ID and *Region* is the AWS Region where you plan to deploy the CloudFormation templates. In this bucket, create a folder named CustomAuditManagerFramework_Lambda. [Create a directory](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-folder.html) and then upload the [CustomAuditManagerFramework_Lambda.zip](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/lambda/CustomAuditManagerFramework_Lambda.zip) file there. 174 | 4. Upload the control mapping file to the top directory of the S3 bucket. 175 | 5. Audit Manager works with the [Boto3 1.7](https://boto3.amazonaws.com/v1/documentation/api/1.7.74/index.html) libraries. AWS Lambda doesn’t ship with Boto3 1.7 by default. This implementation provides that version of Boto3 as a [Lambda layer](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html). Upload the [auditmanagerlayer.zip](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/tree/main/aws-auditmanager-conformancepack/layer) to the top directory of the Amazon S3 bucket you created in step 3. 176 | 177 | 178 | ## Install the solution 179 | 180 | 1. 
In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-confpack.yml](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/cft/aws-auditmanager-confpack.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters: 181 | **SourceBucket**: The name of the Amazon S3 bucket that contains the AWS Lambda source code. This is the bucket you created in step 3 of the prerequisites. Replace *AccountId* and *Region* with the AWS account ID and Region where you are deploying this template. 182 | **ConfPackControlsMappingFile**: This is the full name of the control mapping file, including the .csv extension (for example, nerc-cipmappingfile.csv) created in step 2 of the prerequisites and uploaded to S3 in step 4 of the prerequisites. 183 | 184 | 2. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-customassessment.yml](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/cft/aws-auditmanager-customassessment.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters: 185 | **AssessmentDestination**: The S3 URI in which AWS Audit Manager will save your assessment reports. This is the S3 URI from step 4 of the prerequisites from the *Customizing AWS Audit Manager - Build a custom Audit Manager Assessment* lab. Replace *AccountId* and *Region* with the AWS account ID and Region where you are deploying this template. 
186 | **AuditOwnerArn**: The ARN for the IAM user that you created in step 3 of the prerequisites from the *Customizing AWS Audit Manager - Build a custom Audit Manager Assessment* lab 187 | 188 | ## Review the Custom Audit Manager Controls, Framework and Assessment 189 | 190 | 1. Navigate to the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home). From the left panel, select **Control library** and then select **Custom Control** on the right panel. You will see the list of custom controls that have been created for the NERC-CIP compliance standard. 191 | ![](images/cft/confpack-5.PNG) 192 | 193 | 2. From the left panel, select **Framework Library** and then select **Custom Framework** on the right pane to view the custom Audit Manager framework *Config Conformance Pack Custom Framework* that was provisioned by the solution 194 | ![](images/cft/confpack-6.PNG) 195 | 196 | 3. Select the custom framework from the previous step. Under the **Control** section, you will see that this framework incorporates custom NERC-CIP controls that you reviewed in the **Custom Control** tab from Step 1 197 | ![](images/cft/confpack-7.PNG) 198 | 199 | 4. On the left hand panel, select **Assessments** and you will see that a custom assessment was provisioned by the solution. Select the custom assessment named **CustomConfigCongPackAssessment** and view the custom controls that correspond to the NERC-CIP compliance standard 200 | ![](images/cft/confpack-8.PNG) 201 | ![](images/cft/confpack-9.PNG) 202 | 203 | Once you create an assessment, it will automatically start collecting evidence for the custom controls that you have configured within the assessment. It may take 24 hours for the evidence to appear on the Audit Manager Console. 
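--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.py:
--------------------------------------------------------------------------------

# CreateAuditManagerAssessment-SecurityHub Lambda
# - Selects several AWS Security Hub checks as a data source
# - Creates Custom Audit Manager Control Sets for IAM, API and Network Monitoring based on
#   Security Hub checks across PCI,CIS and FSBP frameworks
# - Creates an AWS Audit Manager custom framework with the control set above that uses Security Hub as a data source
# - Creates an AWS Audit Manager assessment based on the custom framework above
#
# Runs as a CloudFormation custom resource: every code path must finish with a
# cfnsend() call, otherwise the stack waits for the custom-resource timeout.

# @kmmahaj
#
## License:
## This code is made available under the MIT-0 license. See the LICENSE file.


import json
import copy
import sys
import datetime
import boto3
import botocore
import time
import logging
import random
import urllib3
from botocore.exceptions import ClientError


logger = logging.getLogger()
logger.setLevel(logging.INFO)
http = urllib3.PoolManager()


def cfnsend(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
    """Send the custom-resource result back to CloudFormation.

    Args:
        event: the custom-resource request. ``ResponseURL``, ``StackId``,
            ``RequestId`` and ``LogicalResourceId`` are copied into the reply
            when present; a missing key is sent as an empty string.
        context: Lambda context; ``log_stream_name`` is the default reason and
            the default physical resource id.
        responseStatus: 'SUCCESS' or 'FAILED'.
        responseData: dict returned to the stack as ``Data``.
        physicalResourceId: optional stable id for the resource.
        noEcho: when True, CloudFormation masks ``Data`` in console/API output.
        reason: optional human-readable explanation (mainly useful for FAILED).

    The PUT is best-effort: a failed upload is printed, never raised, so the
    caller's own return value is unaffected. When the event carries no
    ``ResponseURL`` (e.g. a direct test invocation) nothing is sent.
    """
    responseUrl = event.get('ResponseURL', '')
    StackId = event.get('StackId', '')
    RequestId = event.get('RequestId', '')
    LogicalResourceId = event.get('LogicalResourceId', '')

    responseBody = {
        'Status': responseStatus,
        'Reason': reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
        'PhysicalResourceId': physicalResourceId or context.log_stream_name,
        'StackId': StackId,
        'RequestId': RequestId,
        'LogicalResourceId': LogicalResourceId,
        'NoEcho': noEcho,
        'Data': responseData
    }

    json_responseBody = json.dumps(responseBody)

    print("Response body:")
    print(json_responseBody)

    # Nowhere to PUT: say so instead of attempting a request against ''.
    if not responseUrl:
        print("send(..) skipped: no ResponseURL in event")
        return

    # CloudFormation's pre-signed URL rejects a content-type, hence the empty value.
    headers = {
        'content-type': '',
        'content-length': str(len(json_responseBody))
    }

    try:
        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
        print("Status code:", response.status)
    except Exception as e:
        print("send(..) failed executing http.request(..):", e)


def _securityhub_mapping_sources(controls):
    """Build one Audit Manager control mapping source per Security Hub control id.

    Every entry uses the 'AWS_Security_Hub' source type with the Security Hub
    control id (for example 'IAM.1') as the selected keyword value.
    """
    template = {
        'sourceName': 'Custom Security Hub Control Source',
        'sourceDescription': 'Security Hub checks',
        'sourceSetUpOption': 'System_Controls_Mapping',
        'sourceType': 'AWS_Security_Hub',
        'sourceKeyword': {
            'keywordInputType': 'SELECT_FROM_LIST',
            'keywordValue': 'Security Hub checks'
        }
    }
    sources = []
    for controlname in controls:
        # deepcopy so each entry owns its nested sourceKeyword dict
        source = copy.deepcopy(template)
        source['sourceKeyword']['keywordValue'] = controlname
        sources.append(source)
    return sources


def create_custom_auditmanager_control(controls, controltype):
    """Create an Audit Manager custom control backed by Security Hub checks.

    Args:
        controls: iterable of Security Hub control ids (e.g. 'IAM.1', 'PCI.IAM.7');
            must not be empty.
        controltype: label spliced into the control name,
            'Custom<controltype>SecurityHubControl'.

    Returns:
        The id of the created control.

    Raises:
        ValueError: if ``controls`` is empty (the API call would fail anyway,
            this fails before any AWS request is made).
        Whatever boto3 raises from create_control (typically ClientError); the
        caller is expected to report that to CloudFormation.
    """
    if not controls:
        raise ValueError("controls must contain at least one Security Hub control id")

    auditmanager = boto3.client('auditmanager')
    securityhubcontrol_List = _securityhub_mapping_sources(controls)

    #Create a Custom Security Hub Control
    name = 'Custom' + controltype + 'SecurityHubControl'
    response_control = auditmanager.create_control(name=name,
                                                   controlMappingSources=securityhubcontrol_List)
    return response_control['control']['id']


def _control_set(name, control_id):
    """Build an Audit Manager control set holding a single control id."""
    return {'name': name, 'controls': [{'id': control_id}]}


def lambda_handler(event, context):
    """CloudFormation custom-resource entry point.

    Create provisions the IAM and Monitoring custom controls, wraps them in the
    'Security Hub Custom Framework' and stores the framework id in the SSM
    parameter 'CustomSecurityHubFrameworkID'. Delete is acknowledged with
    SUCCESS and performs no cleanup. Any exception raised while provisioning is
    reported to CloudFormation as FAILED, so the stack rolls back instead of
    waiting for the custom-resource timeout.

    Args:
        event: CloudFormation custom-resource request; must carry 'RequestType'.
        context: Lambda context, forwarded to cfnsend().

    Returns:
        'SUCCESS' or 'FAILED', mirroring the status sent to CloudFormation.
    """
    print("boto3 version: " + boto3.__version__)
    auditmanager = boto3.client('auditmanager')
    ssm = boto3.client('ssm')

    # NOTE(review): the event includes the pre-signed ResponseURL, so logging
    # the whole event leaves that URL in CloudWatch for anyone with log read
    # access; kept for parity with the original, consider logging only
    # RequestType and LogicalResourceId.
    logger.info('EVENT Received: {}'.format(event))
    responseData = {}
    controlSets_List = []

    #Handle cfnsend delete event
    eventType = event['RequestType']
    if eventType == 'Delete':
        logger.info('Request Type is Delete; unsupported')
        cfnsend(event, context, 'SUCCESS', responseData)
        return 'SUCCESS'

    # NOTE(review): an Update request takes the same path as Create and creates
    # a second control/framework with the same names — confirm that is intended.
    try:
        #Create a Custom Security Hub IAM Audit Manager Control
        iam_controls = ['IAM.1', 'IAM.2', 'IAM.3', 'IAM.4', 'IAM.5', 'IAM.6', 'PCI.IAM.7', '1.16', '1.20', 'PCI.IAM.8']
        iam_controlid = create_custom_auditmanager_control(iam_controls, 'IAM')

        #Create a Custom Security Hub IAM Control Set
        controlSets_List.append(_control_set('Custom Security Hub IAM Control Set', iam_controlid))

        #Create a Custom Security Hub Monitoring Audit Manager Control
        monitoring_controls = ['APIGateway.1', '2.9', '3.10', '3.11', '3.12', '3.13', '3.14', 'PCI.EC2.6']
        monitoring_controlid = create_custom_auditmanager_control(monitoring_controls, 'Monitoring')

        #Create a Custom Security Hub Monitoring Control Set
        controlSets_List.append(_control_set('Custom Security Hub Monitoring Control Set', monitoring_controlid))

        #Create a Custom Security Hub Framework that contains 1) IAM Control Set and 2) Network Monitoring Control Set
        response_framework = auditmanager.create_assessment_framework(name='Security Hub Custom Framework',
                                                                      controlSets=controlSets_List)

        #Write the framework id to the parameter so the assessment template can read it
        frameworkid = response_framework['framework']['id']
        ssm.put_parameter(Name='CustomSecurityHubFrameworkID', Type='String', Value=frameworkid, Overwrite=True)
        print('frameworkId is ' + frameworkid)
    except Exception as e:
        # Report the failure instead of letting the invocation die silently;
        # an unanswered custom resource blocks the stack until it times out.
        logger.exception('Provisioning of Audit Manager resources failed')
        cfnsend(event, context, 'FAILED', responseData, reason=str(e))
        return 'FAILED'

    cfnsend(event, context, 'SUCCESS', responseData)
    return 'SUCCESS'



--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.zip
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lambda/auditmanagerlayer.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lambda/auditmanagerlayer.zip
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/layer/auditmanagerlayer.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/layer/auditmanagerlayer.zip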
-------------------------------------------------------------------------------- /aws-backupauditmanager-securityhub/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /aws-backupauditmanager-securityhub/README.md: -------------------------------------------------------------------------------- 1 | # Automated backup compliance with AWS Backup Audit Manager and AWS Security Hub 2 | 3 | Integrates Backup Audit Manager with Security Hub. The solution provisions an AWS Backup Audit Manager framework with 5 default controls (and you can add additional controls to the template). These generate and trigger AWS Config rules, and the rule evaluations are converted to Security Hub findings. 4 | 5 | ## Prerequisites 6 | 7 | 1. Enable resource tracking for AWS Backup Audit Manager 8 | 2. Enable Security Hub 9 | 10 | ## How it Works 11 | 1. 
Provisions AWS Backup Audit Manager framework 12 | 2. Provisions Amazon CloudWatch Events (EventBridge) Rule: 13 | 1. The CloudWatch Events Rule is triggered based on a compliance change of a backup control 14 | 3. Provisions AWS Lambda as a target for the CloudWatch Events Rule: 15 | 1. Obtains event details from the Config recording resource type and converts rule evaluation to a security hub finding 16 | 17 | 18 | ## Solution Architecture 19 | 20 | ![](images/backupauditmanager-securityhub.png) 21 | 22 | ## Install 23 | 24 | 1. 1 step install - Launch the [**aws-backupauditmanager-securityhub.yaml**](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-backupauditmanager-securityhub/cft/aws-backupauditmanager-securityhub.yaml) template. The template takes no parameters. 25 | 26 | ## Test 27 | 28 | 1. Launch an EC2 instance/RDS/Aurora etc without an associated backup plan 29 | 2. Validate that an AWS Config rule gets generated and evaluated based on evaluation of the BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN control from the provisioned Backup Audit Manager framework 30 | 3. 
Validate that a security hub finding gets generated based on the Config rule evaluation 31 | 32 | -------------------------------------------------------------------------------- /aws-backupauditmanager-securityhub/cft/aws-backupauditmanager-securityhub.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: Automated Backup Compliance using AWS Backup Audit Manager and AWS Security Hub 3 | 4 | # ---------------------------------------------------------------------------------------------------------- 5 | # CloudFormation Template 1 of 1 - 6 | # 7 | # 8 | # 1- Provisions an AWS Backup Audit Manager framework with 5 default controls 9 | # 2- Provisions CloudWatchEvents (EventBridge) Rule: 10 | # - CloudWatchEvents Rule is triggered based on a AWS Config rule evaluation of a backup audit manager control 11 | # 3- Provisions a Compliance Lambda as a target for the CloudWatch Events Rule. 12 | # 4- Compliance Lambda: 13 | # - Obtains event details from the Config rule 14 | # - Creates a finding in AWS Security Hub 15 | # 16 | # @kmmahaj 17 | ## 18 | ## License: 19 | ## This code is made available under the MIT-0 license. See the LICENSE file. 20 | # ------------------------------------------------------------............................................... 
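Resources:

  # --------------------------------------------------------------------------------------------------
  # 1- Provisions an AWS Backup Audit Manager framework with 5 default controls
  # --------------------------------------------------------------------------------------------------

  SecurityHubBackupFramework:
    Type: AWS::Backup::Framework
    Properties:
      FrameworkControls:
        - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
        - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
        - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
        - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
          ControlInputParameters:
            - ParameterName: requiredRetentionDays
              ParameterValue: '35'
            - ParameterName: requiredFrequencyUnit
              ParameterValue: 'hours'
            - ParameterName: requiredFrequencyValue
              ParameterValue: '24'
        - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED

  # --------------------------------------------------------------------------------------------------
  # 2- Provisions a CloudWatchEvents Rule based on an AWS Config rule evaluation of a backup audit manager control
  # 3- Provisions a Lambda that creates a finding in AWS Security Hub
  #
  # NOTE(review): this event pattern matches a compliance change of EVERY AWS Config rule in the
  # account/region, not only the rules created by the Backup Audit Manager framework above, so every
  # such change becomes a Security Hub finding (duplicating Security Hub's own Config integration
  # where that is enabled). Narrow it with a `detail.configRuleName` filter once the framework's
  # rule names are known in your account.
  # --------------------------------------------------------------------------------------------------

  CaptureBackupConfigRuleEvents:
    Type: AWS::Events::Rule
    Properties:
      Description: Capture Backup Config Rule Events and Trigger an Action
      EventPattern:
        detail-type:
          - Config Rules Compliance Change
        source:
          - aws.config
      Name: CaptureBackupConfigRuleEvent
      State: ENABLED
      Targets:
        - Arn: !GetAtt BackupToSecHubSendFindingsLambda.Arn
          Id: IDCaptureBackupConfigRuleEvents

  BackupToSecHubSendFindingsLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: Backup2SecurityHubSendFindingsLambda
      Description: Maps Config rule evaluation based on Backup Audit control into ASFF before importing to Security Hub
      Handler: index.lambda_handler
      MemorySize: 384
      Role: !GetAtt BackupToSecHubSendFindingsLambdaRole.Arn
      # python3.7 reached end of support; Lambda no longer accepts it for new functions.
      Runtime: python3.12
      Timeout: 70
      Code:
        ZipFile: |
          import datetime
          import boto3

          config = boto3.client('config')
          sechub = boto3.client('securityhub')

          # AWS Config complianceType -> ASFF Compliance.Status. Anything not listed
          # (e.g. INSUFFICIENT_DATA) is reported as NOT_AVAILABLE instead of a spurious FAILED.
          COMPLIANCE_STATUS = {
              'COMPLIANT': 'PASSED',
              'NON_COMPLIANT': 'FAILED',
              'NOT_APPLICABLE': 'NOT_AVAILABLE',
          }

          def get_description_of_rule(config_rule_name):
              """Return the Config rule's Description, or its name when it has none."""
              response = config.describe_config_rules(ConfigRuleNames=[config_rule_name])
              rule = response['ConfigRules'][0]
              return rule.get('Description') or rule['ConfigRuleName']

          def lambda_handler(event, context):
              """Translate one 'Config Rules Compliance Change' event into one ASFF finding.

              The finding Id is derived from the rule ARN and the evaluated resource (not from
              the EventBridge event id), so a later COMPLIANT evaluation updates the finding
              created by the earlier NON_COMPLIANT one to PASSED instead of leaving a second,
              permanently-FAILED finding behind.

              Raises on a rejected import so the failure is visible in Lambda errors/logs.
              """
              details = event['detail']
              config_rule_name = details['configRuleName']
              config_rule_arn = details['configRuleARN']
              resource_type = details['resourceType']
              resource_id = details['resourceId']
              aws_region = details['awsRegion']
              account_id = details['awsAccountId']
              compliance_type = details['newEvaluationResult']['complianceType']

              finding_id = f"{config_rule_arn}/{resource_id}"
              status = COMPLIANCE_STATUS.get(compliance_type, 'NOT_AVAILABLE')
              now = datetime.datetime.now(datetime.timezone.utc).isoformat()

              finding = {
                  'SchemaVersion': '2018-10-08',
                  'Id': finding_id,
                  'ProductArn': f"arn:aws:securityhub:{aws_region}:{account_id}:product/{account_id}/default",
                  'GeneratorId': config_rule_arn,
                  'AwsAccountId': account_id,
                  'Types': ['Software and Configuration Checks'],
                  'CreatedAt': now,
                  'UpdatedAt': now,
                  # Severity is fixed at LOW for every Backup Audit Manager control in this sample.
                  'Severity': {'Label': 'LOW'},
                  'Title': config_rule_name,
                  'Description': get_description_of_rule(config_rule_name),
                  'Resources': [{
                      'Type': resource_type,
                      'Id': resource_id,
                      'Partition': 'aws',
                      'Region': aws_region,
                  }],
                  'Compliance': {'Status': status},
                  'WorkflowState': 'NEW',
                  'RecordState': 'ACTIVE',
              }

              response = sechub.batch_import_findings(Findings=[finding])
              # BatchImportFindings returns 200 even when a finding is rejected; surface that.
              if response.get('FailedCount'):
                  raise RuntimeError(f"Security Hub rejected finding {finding_id}: {response.get('FailedFindings')}")
              print(response)
              return response

  BackupToSecHubSendFindingsLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: BackupToSecHubSendFindingsLambda-Policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # Only the two API calls the function makes. The previous cloudwatch:PutMetricData
              # grant was unused and is removed. Resource stays '*' here; scope
              # securityhub:BatchImportFindings to the default product ARN if your policy requires it.
              - Effect: Allow
                Action:
                  - securityhub:BatchImportFindings
                  - config:DescribeConfigRules
                Resource: '*'
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/Backup2SecurityHubSendFindingsLambda:*

  PermissionForEventsToInvokeLambdachk:
    Type: AWS::Lambda::Permission
    Properties:
      Action: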
lambda:InvokeFunction 201 | FunctionName: !GetAtt "BackupToSecHubSendFindingsLambda.Arn" 202 | Principal: events.amazonaws.com 203 | SourceArn: !GetAtt "CaptureBackupConfigRuleEvents.Arn" 204 | 205 | -------------------------------------------------------------------------------- /aws-backupauditmanager-securityhub/images/arch-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-backupauditmanager-securityhub/images/arch-diagram.png -------------------------------------------------------------------------------- /aws-backupauditmanager-securityhub/images/backupauditmanager-securityhub.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-backupauditmanager-securityhub/images/backupauditmanager-securityhub.png -------------------------------------------------------------------------------- /aws-ecr-continuouscompliance/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /aws-ecr-continuouscompliance/README.md: -------------------------------------------------------------------------------- 1 | # Automated Container Image Compliance with AWS ECR and AWS Security Hub 2 | 3 | 4 | * AWS ECR Image Vulnerabilities to be pushed as findings to AWS Security Hub 5 | * AWS Security Hub Remediation action restricts access to any AWS ECR container image when a vulnerability is detected during an image scan 6 | * Demonstrates **"Custom Detection"** AND **"Custom Remediation"** by AWS Security Hub. 7 | 8 | 9 | ## What is Built 10 | 11 | 1. **Template: aws-ecr-continuouscompliance-v1.yml**: Provisions the following components: 12 | * Amazon CloudWatch Events (EventBridge) Rule: 13 | * The CloudWatch Events Rule is triggered based on a AWS ECR Event for a completed Image Scan 14 | * AWS Lambda as a target for the CloudWatch Events Rule: 15 | * Obtains event details from the AWS ECR Completed Image scan event. 16 | * Sends Finding to AWS Security Hub via ASFF (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) 17 | * AWS Security Hub based Remediation 18 | * Creates an Amazon CloudWatch Events Rule which is triggered based on a AWS Security Hub Custom Action (https://docs.aws.amazon.com/securityhub/latest/userguide/finding-send-to-custom-action.html) 19 | * Provisions an AWS Lambda as a target for the AWS Security Hub Custom Action 20 | * AWS Lambda that creates an AWS ECR repository policy that denies access if the Image scan event has a vulnerability (Critical or High) 21 | 22 | 23 | ## How it Works and Solution Design 24 | 1. 
Triggers an AWS Security Hub finding whenever an image is scanned in ECR - either when configuring the ECR repository for a scan on push (https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-new-repository) or via a manual scan. 25 | 2. Provisions an Amazon CloudWatch Events (EventBridge) Rule that gets triggered based on AWS ECR Event (https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html) on a completed image scan. The target for Amazon CloudWatch Events (EventBridge) Rule is an AWS Lambda function that translates the event from the Image Scan into AWS Security Finding Format (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) for Security Hub. 26 | 3. Provisions an AWS Security Hub Custom Action for remediation. The Security Hub based Remediation attaches an AWS ECR Repository Policy (https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html) that is scoped for controlling access to the specific individual Amazon ECR repository where the vulnerable image is detected. **Caution:** the remediation Lambda calls `SetRepositoryPolicy`, which replaces any existing repository policy outright, and the deny statement it installs uses `Principal: "*"`, so it blocks image pulls (`ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:BatchCheckLayerAvailability`) for every principal - including your own account's EKS nodes and CI/CD pipelines. Treat it as a lab-grade response and review it before pointing it at production repositories. 27 | 28 | 29 | ![](images/arch-diagram.png) 30 | 31 | 32 | ## Set up and Test 33 | 34 | 1. **Initial Setup** 35 | * 1 step setup. Launch the aws-ecr-continuouscompliance-v1.yaml template (in the `cft` folder). The template takes no parameters. 36 | 2. **Test - Push an image to ECR** 37 | * Push an image with known vulnerabilities to ECR (e.g. nginx:latest). Follow the steps as outlined here (https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html) 38 | * Navigate to the AWS Security Hub console and click on Findings in the left panel. Select the relevant finding and with our solution you can also optionally search for ECR related findings by adding a filter with ResourceType is AwsEcr in the top panel. [*(Show Security Hub Findings image)*.]
39 | * With the relevant finding selected in the AWS Security Hub Findings panel, select Actions from the top of the panel and click on the ‘ECR1’ action. 40 | * Navigate to the AWS ECR console, select the Repository that contains the vulnerable image and validate the Deny permissions policy provisioned by the Security Hub remediation action by selecting Permissions in the left panel 41 | 42 | ## @kmmahaj -------------------------------------------------------------------------------- /aws-ecr-continuouscompliance/cft/aws-ecr-continuouscompliance-v1.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: Automated Image Scan Compliance for AWS EKS using AWS ECR and AWS Security Hub 3 | 4 | # ---------------------------------------------------------------------------------------------------------- 5 | # CloudFormation Template 1 of 1 - 6 | # 7 | # 8 | # 1- Provisions CloudWatchEvents (EventBridge) Rule: 9 | # - CloudWatchEvents Rule is triggered based on a AWS ECR Event for a completed Image Scan 10 | # 2- Provisions a Compliance Lambda as a target for the CloudWatch Events Rule. 11 | # 3- Compliance Lambda: 12 | # - Obtains event details from the ECR Complated Image scan event 13 | # - Creates a finding in AWS Security Hub 14 | # 4 - Provisions an AWS Security Hub Custom Action 15 | # - Performs remediation by attaching restricted policy to ECR repository 16 | # 17 | # 18 | # @kmmahaj 19 | ## 20 | ## License: 21 | ## This code is made available under the MIT-0 license. See the LICENSE file. 22 | # ------------------------------------------------------------............................................... 
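Resources:

  # --------------------------------------------------------------------------------------------------
  # 1- Provisions a CloudWatchEvents Rule that is triggered based on ECR Image Scan Event
  # 2- Provisions a Lambda that creates a finding in AWS Security Hub
  # --------------------------------------------------------------------------------------------------

  CaptureECRImageScanEvents:
    Type: AWS::Events::Rule
    Properties:
      Description: Capture ECR Scan Events and Trigger an Action
      EventPattern:
        detail-type:
          - ECR Image Scan
        source:
          - aws.ecr
      Name: CaptureECRScanEvent
      State: ENABLED
      Targets:
        - Arn: !GetAtt ECRToSecHubSendFindingsLambda.Arn
          Id: IDCaptureECRImageScanEvents

  ECRToSecHubSendFindingsLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ECR2SecurityHubSendFindingsLambda
      Description: Maps ECR Scan Finding into ASFF before importing to Security Hub
      Handler: index.lambda_handler
      MemorySize: 384
      Role: !GetAtt ECRToSecHubSendFindingsLambdaRole.Arn
      # python3.7 reached end of support; Lambda no longer accepts it for new functions.
      Runtime: python3.12
      Timeout: 70
      Environment:
        Variables:
          account_num: !Ref 'AWS::AccountId'
          region: !Ref 'AWS::Region'
      Code:
        ZipFile: |
          import datetime
          import os
          import uuid
          import boto3

          sechub = boto3.client('securityhub')

          # Checked from most to least severe; the first non-zero count decides the finding.
          SEVERITY_LEVELS = (
              ('CRITICAL', 'Critical ECR Vulnerability'),
              ('HIGH', 'High ECR Vulnerability'),
              ('MEDIUM', 'Medium ECR Vulnerability'),
          )

          def classify(severity_counts):
              """Map ECR finding-severity-counts to (ASFF severity label, title, compliance status).

              LOW/INFORMATIONAL-only scans (or no findings) are reported as LOW / PASSED, matching
              the original behaviour.
              """
              for label, title in SEVERITY_LEVELS:
                  if severity_counts.get(label):
                      return label, title, 'FAILED'
              return 'LOW', 'ECR Finding', 'PASSED'

          def lambda_handler(event, context):
              """Turn one 'ECR Image Scan' event into one ASFF finding in Security Hub.

              The finding is attached to the repository ARN (the original pointed at the whole
              account) and its Id is derived from repository + image digest, so re-scanning the
              same image updates the existing finding instead of creating a duplicate.
              ProductFields.ECRRepoName is what the ECR1 remediation Lambda reads - keep it.
              """
              account_id = os.environ['account_num']
              aws_region = os.environ['region']
              details = event['detail']
              repo_name = details['repository-name']
              # NOTE(review): a scan that did not complete carries no severity counts; the key
              # names below follow the documented ECR Image Scan event - confirm against a live event.
              scan_status = details.get('scan-status', 'COMPLETE')
              if scan_status != 'COMPLETE':
                  print(f"Ignoring scan event with status {scan_status} for repository {repo_name}")
                  return
              severity_counts = details.get('finding-severity-counts') or {}
              image_digest = details.get('image-digest')
              image_tags = details.get('image-tags') or []

              severity, title, compliance = classify(severity_counts)
              repo_arn = f"arn:aws:ecr:{aws_region}:{account_id}:repository/{repo_name}"
              finding_id = f"{repo_arn}/{image_digest}" if image_digest else str(uuid.uuid4())
              now = datetime.datetime.now(datetime.timezone.utc).isoformat()

              finding = {
                  'SchemaVersion': '2018-10-08',
                  'Id': finding_id,
                  'ProductArn': f"arn:aws:securityhub:{aws_region}:{account_id}:product/{account_id}/default",
                  # ProductFields values must be strings.
                  'ProductFields': {
                      'ECRRepoName': repo_name,
                      'ImageDigest': image_digest or '',
                      'ImageTags': ','.join(image_tags),
                      'SeverityCounts': ','.join(f"{k}={v}" for k, v in sorted(severity_counts.items())),
                  },
                  'GeneratorId': 'ecr-image-scan',
                  'AwsAccountId': account_id,
                  'Types': ['Software and Configuration Checks/Vulnerabilities/CVE'],
                  'CreatedAt': now,
                  'UpdatedAt': now,
                  'Severity': {'Label': severity},
                  'Title': title,
                  'Description': f"ECR image scan of {repo_name}@{image_digest} reported severity counts {severity_counts}",
                  'Resources': [{
                      # 'AwsEcr' is kept so the README's "ResourceType is AwsEcr" filter still works;
                      # the Id now names the repository instead of the account.
                      'Type': 'AwsEcr',
                      'Id': repo_arn,
                      'Partition': 'aws',
                      'Region': aws_region,
                  }],
                  'WorkflowState': 'NEW',
                  'Compliance': {'Status': compliance},
                  'RecordState': 'ACTIVE',
              }

              response = sechub.batch_import_findings(Findings=[finding])
              # BatchImportFindings returns 200 even when a finding is rejected; surface that.
              if response.get('FailedCount'):
                  raise RuntimeError(f"Security Hub rejected finding {finding_id}: {response.get('FailedFindings')}")
              print(response)
              return response

  ECRToSecHubSendFindingsLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: ECRToSecHubSendFindingsLambda-Policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # The unused cloudwatch:PutMetricData grant is removed; logging is scoped to
              # this function's own log group.
              - Effect: Allow
                Action:
                  - securityhub:BatchImportFindings
                Resource: '*'
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/ECR2SecurityHubSendFindingsLambda:*

  PermissionForEventsToInvokeLambdachk:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt ECRToSecHubSendFindingsLambda.Arn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt CaptureECRImageScanEvents.Arn


  # -------------------------------------------------------------------------------------------------------------------------------------------------------
  # 3.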
Create Remediation in Security Hub 190 | # ------------------------------------------------------------------------------------------------------------------------------------------------------- 191 | 192 | CreateSecurityHubCustomActionTargetLambda: 193 | Type: AWS::Lambda::Function 194 | Properties: 195 | FunctionName: CreateSecurityHubCustomActionTargetLambda-ECR 196 | Description: Custom resource to create an action target in Security Hub 197 | Handler: index.lambda_handler 198 | MemorySize: 256 199 | Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn 200 | Runtime: python3.7 201 | Timeout: 60 202 | Environment: 203 | Variables: 204 | Region: !Ref 'AWS::Region' 205 | Code: 206 | ZipFile: | 207 | import boto3 208 | import cfnresponse 209 | import os 210 | def lambda_handler(event, context): 211 | try: 212 | properties = event['ResourceProperties'] 213 | region = os.environ['Region'] 214 | client = boto3.client('securityhub', region_name=region) 215 | responseData = {} 216 | if event['RequestType'] == 'Create': 217 | response = client.create_action_target( 218 | Name=properties['Name'], 219 | Description=properties['Description'], 220 | Id=properties['Id'] 221 | ) 222 | responseData['Arn'] = response['ActionTargetArn'] 223 | elif event['RequestType'] == 'Delete': 224 | account_id = context.invoked_function_arn.split(":")[4] 225 | client.delete_action_target( 226 | ActionTargetArn=f"arn:aws:securityhub:{region}:{account_id}:action/custom/{properties['Id']}" 227 | ) 228 | cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData) 229 | except Exception as e: 230 | print(e) 231 | cfnresponse.send(event, context, cfnresponse.FAILED, {}) 232 | 233 | CreateSecurityHubCustomActionTargetLambdaRole: 234 | Type: AWS::IAM::Role 235 | Properties: 236 | Policies: 237 | - PolicyName: CreateActionTarget-LambdaPolicy-ECR 238 | PolicyDocument: 239 | Version: 2012-10-17 240 | Statement: 241 | - Effect: Allow 242 | Action: 243 | - cloudwatch:PutMetricData 244 | 
Resource: '*' 245 | - Effect: Allow 246 | Action: 247 | - logs:CreateLogGroup 248 | - logs:CreateLogStream 249 | - logs:PutLogEvents 250 | Resource: '*' 251 | - Effect: Allow 252 | Action: 253 | - securityhub:CreateActionTarget 254 | - securityhub:DeleteActionTarget 255 | Resource: '*' 256 | AssumeRolePolicyDocument: 257 | Version: 2012-10-17 258 | Statement: 259 | - Effect: Allow 260 | Principal: { Service: lambda.amazonaws.com } 261 | Action: 262 | - sts:AssumeRole 263 | 264 | # ------------------------------------------------------------------------------------------------------------------------------------------------------- 265 | # Create Remediation to deny ECR repository access 266 | # ------------------------------------------------------------------------------------------------------------------------------------------------------- 267 | 268 | ECRAccessProhibitedRule: 269 | Type: AWS::Events::Rule 270 | Properties: 271 | Name: ECRAccessProhibitedRule 272 | Description: "ECR1 - Deny Access to ECR due to vulnerability assesment" 273 | EventPattern: 274 | source: 275 | - aws.securityhub 276 | detail-type: 277 | - Security Hub Findings - Custom Action 278 | resources: 279 | - !GetAtt ECRActionTarget.Arn 280 | State: "ENABLED" 281 | Targets: 282 | - 283 | Arn: 284 | Fn::GetAtt: 285 | - "ECRAccessProhibitedLambda" 286 | - "Arn" 287 | Id: "ECR1" 288 | 289 | ECRActionTarget: 290 | Type: Custom::ActionTarget 291 | Version: 1.0 292 | Properties: 293 | ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn 294 | Name: ECR1 295 | Description: Deny Access to ECR 296 | Id: ECR11 297 | 298 | ECRAccessProhibitedLambdaPermission: 299 | Type: AWS::Lambda::Permission 300 | Properties: 301 | FunctionName: 302 | Ref: "ECRAccessProhibitedLambda" 303 | Action: "lambda:InvokeFunction" 304 | Principal: "events.amazonaws.com" 305 | SourceArn: 306 | Fn::GetAtt: 307 | - "ECRAccessProhibitedRule" 308 | - "Arn" 309 | 310 | ECRAccessProhibitedLambda: 311 | Type: 
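AWS::Lambda::Function
Properties:
  FunctionName: ECRAccessProhibitedLambda
  Description: "ECR1 - Deny Access to ECR due to vulnerability assesment"
  Handler: index.lambda_handler
  MemorySize: 256
  Role: !GetAtt ECRAccessProhibitedLambdaRole.Arn
  # python3.7 reached end of support; Lambda no longer accepts it for new functions.
  Runtime: python3.12
  Timeout: 60
  Code:
    ZipFile: |
      import json
      import boto3

      ecr = boto3.client('ecr')

      # Deny image pulls to every principal. "*" includes this account, so the EKS nodes
      # and CI pipelines that consume the repository lose pull access as well - intended
      # for this lab, but review before using against production repositories.
      DENY_PULL_POLICY = json.dumps({
          "Version": "2008-10-17",
          "Statement": [{
              "Sid": "deny all",
              "Effect": "Deny",
              "Principal": "*",
              "Action": [
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:BatchGetImage",
                  "ecr:BatchCheckLayerAvailability",
              ],
          }],
      })

      def lambda_handler(event, context):
          """Security Hub custom-action target: deny pulls from each repository named in the selected findings.

          A custom action can carry several findings; all of them are processed (the original
          only looked at findings[0]). Findings without ProductFields.ECRRepoName (i.e. not
          produced by ECR2SecurityHubSendFindingsLambda) are skipped with a log line instead of
          raising KeyError.

          NOTE: SetRepositoryPolicy REPLACES the repository's existing policy; it does not
          append the deny statement. Errors from ECR propagate so the invocation is marked failed.
          """
          repos = set()
          for finding in event['detail']['findings']:
              repo_name = (finding.get('ProductFields') or {}).get('ECRRepoName')
              if repo_name:
                  repos.add(str(repo_name))
              else:
                  print(f"Skipping finding {finding.get('Id')}: no ProductFields.ECRRepoName")
          for repo_name in sorted(repos):
              ecr.set_repository_policy(repositoryName=repo_name, policyText=DENY_PULL_POLICY)
              print(f"Applied deny-pull repository policy to {repo_name}")
          return sorted(repos)

ECRAccessProhibitedLambdaRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: { Service: lambda.amazonaws.com }
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: ECRAccessProhibitedLambdaPolicy
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            # Least privilege: the function only rewrites repository policies in this
            # account/region. The previous ecr:*, iam:PassRole, ssm:StartAutomationExecution,
            # securityhub:UpdateFindings and cloudwatch:PutMetricData grants were unused and
            # would have let a compromised function do far more than set a repository policy.
            - Effect: Allow
              Action:
                - ecr:SetRepositoryPolicy
              Resource: !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
              Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/ECRAccessProhibitedLambda:*
--------------------------------------------------------------------------------
/aws-ecr-continuouscompliance/images/arch-diagram.png: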
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-ecr-continuouscompliance/images/arch-diagram.png -------------------------------------------------------------------------------- /aws-guardduty-detect-securityhubremediate/README.md: -------------------------------------------------------------------------------- 1 |


3 | 4 | 5 | ## AWS GuardDuty Detection with AWS Security Hub Remediation 6 | 7 | 1. AWS GuardDuty **Detects** Findings; AWS Security Hub **Remediates** those findings. 8 | 2. **AWS GuardDuty** - Provides automated finding generation for EC2 Malicious IP, EC2 Brute Force Attacks and non compliant IAM Password Policy change. Can be extended for any GuardDuty EC2 or IAM related threat findings. 9 | 3. **AWS Security Hub** - Automated Remediations for AWS GuardDuty Findings with AWS Security Hub Custom Actions 10 | 11 | ## How it Works 12 | 13 | 1. Automated - Automated Attack generation for EC2 Malicious IP and Brute Force Attacks. 14 | 2. User Generated - Update Password Policy to a non CIS compliant password policy. 15 | 3. AWS GuardDuty detects and sends findings to AWS Security Hub 16 | 4. AWS Security Hub Custom Actions are provisioned by the CloudFormation template. A user remediates a GuardDuty finding by selecting it in the Security Hub console and invoking the custom action. Note that in this lab the remediation Lambdas act on fixed targets - the EC2 remediation stops the instance provisioned by the template (passed in as `INSTANCE_ID`) and the IAM remediation resets the account password policy - rather than on the resource named in the selected finding. 17 | 18 | ## Solution Design 19 | 20 | ![](images/arch-diagram.png) 21 | 22 | 23 | ## How To Install - 24 | 25 | 0. Step 0 - Pre-req: 1) Enable GuardDuty and Security Hub from the AWS Console. 2) Create an EC2 Key Pair. 26 | 27 | 1. **Template 1 of 2:** vpc-setup-v1.json 28 | * 1-click install. No parameters needed. 29 | * Provisions a multiple VPC environment to provide an AWS environment with built-in security groups and networking 30 | 31 | 32 | 2. **Template 2 of 2:** aws-guarddutydetect-securityhubremediate-v1.yml 33 | * 1-click install. Enter the EC2 key pair and the email address that should receive the SNS finding notifications (use an address you control). 34 | * After the install - Add EIP of EC2 in VPC3 to a text based threat list; upload threat list to the provisioned S3 bucket.
Added S3 URL to GuardDuty Threat List 35 | 36 | 37 | 38 | ## @kmmahaj 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /aws-guardduty-detect-securityhubremediate/cft/aws-guarddutydetect-securityhubremediate-v1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | AWSTemplateFormatVersion: '2010-09-09' 3 | Description: GuardDuty for EC2 and IAM with Security Hub 4 | 5 | # --------------------------------------------------------------------------------------------------------------- 6 | # CloudFormation Template 2 of 2 7 | # 8 | # GuardDuty detects EC2 and IAM attacks. Security Hub Remediates. 9 | # 10 | # EC2 Recon Attack, EC2 Maliciuous IP and IAM Password Policy change with AWS GuardDuty. 11 | # Can be extended for any GuardDuty EC2 or IAM related threat findings 12 | # Also automates GuardDuty Finding generation 13 | # 14 | # Automated Remediations for GuardDuty for EC2 and IAM using AWS Security Hub 15 | # 16 | # 17 | # @kmmahaj 18 | ## 19 | ## License: 20 | ## This code is made available under the MIT-0 license. See the LICENSE file. 
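# ----------------------------------------------------------------------------------------------------------------

Parameters:
  KeyName:
    Description: EC2 Key Pair
    Type: "AWS::EC2::KeyPair::KeyName"
  EmailAddress:
    Type: String
    Description: Email address that receives the GuardDuty finding notifications (SNS email subscription)
    # No default on purpose: the previous default was the sample author's mailbox, so a stack
    # launched with defaults would have mailed this account's GuardDuty findings to a third party.
    AllowedPattern: '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    ConstraintDescription: must be a valid email address
Mappings:
  # NOTE(review): static AMI ids are region-specific and go stale; confirm these still resolve
  # before deploying (or switch to an SSM public-parameter lookup for the latest Amazon Linux AMI).
  RegionMap:
    us-east-2:
      "AMALINUX" : "ami-0e01ce4ee18447327"
    us-east-1:
      "AMALINUX" : "ami-0fc61db8544a617ed"
    us-west-1:
      "AMALINUX" : "ami-09a7fe78668f1e2c0"
    us-west-2:
      "AMALINUX" : "ami-0ce21b51cb31a48b8"

Resources:

  # -----------------------------------------------------------------------------------------------------------------------
  # GuardDuty Setup
  # Provisions GuardDuty CW Events, Remediation Lambdas, SNS topic and Associated Roles
  #
  # .......................................................................................................................

  # GuardDuty CloudWatch Event - notifies the SNS topic on finding type Stealth:IAMUser/PasswordPolicyChange
  # (the rule itself does not remediate; remediation is a separate Security Hub custom action below)
  GuardDutyIAMEvent:
    DependsOn:
      - GuardDutyRemediationIAMLambda
      - SnsTopic
    Type: AWS::Events::Rule
    Properties:
      Name: GuardDuty-IAM-Finding
      Description: "GuardDuty IAM Event"
      EventPattern:
        source:
          - aws.guardduty
        detail:
          type:
            - Stealth:IAMUser/PasswordPolicyChange
      State: ENABLED
      Targets:
        -
          Arn: !Ref SnsTopic
          Id: "GuardDutyIAMEvent-SNS-Trigger"


  # GuardDuty CloudWatch Event - notifies the SNS topic on finding type Recon:EC2/Portscan
  GuardDutyEC2Event:
    DependsOn:
      - SnsTopic
    Type: AWS::Events::Rule
    Properties:
      Name: GuardDuty-EC2-Finding
      Description: "GuardDuty EC2 Event"
      EventPattern:
        source:
          - aws.guardduty
        detail:
          type:
            - Recon:EC2/Portscan
      State: ENABLED
      Targets:
        -
          Arn: !Ref SnsTopic
          Id: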
"GuardDutyEC2Event-SNS-Trigger" 91 | 92 | SnsTopic: 93 | Type: "AWS::SNS::Topic" 94 | SnsSubscription: 95 | Type: "AWS::SNS::Subscription" 96 | Properties: 97 | Endpoint: !Ref EmailAddress 98 | Protocol: "email" 99 | TopicArn: !Ref SnsTopic 100 | 101 | EventTopicPolicy: 102 | Type: 'AWS::SNS::TopicPolicy' 103 | Properties: 104 | PolicyDocument: 105 | Statement: 106 | - Effect: Allow 107 | Principal: 108 | Service: events.amazonaws.com 109 | Action: 'sns:Publish' 110 | Resource: '*' 111 | Topics: 112 | - !Ref SnsTopic 113 | 114 | # S3 Threat List Bucket for GuardDuty 115 | GDThreatListBucket: 116 | Type: AWS::S3::Bucket 117 | Properties: 118 | BucketName: !Sub "s3-gd-${AWS::AccountId}-${AWS::Region}" 119 | BucketEncryption: 120 | ServerSideEncryptionConfiguration: 121 | - ServerSideEncryptionByDefault: 122 | SSEAlgorithm: AES256 123 | AccessControl: BucketOwnerFullControl 124 | LifecycleConfiguration: 125 | Rules: 126 | - 127 | AbortIncompleteMultipartUpload: 128 | DaysAfterInitiation: 3 129 | NoncurrentVersionExpirationInDays: 3 130 | Status: Enabled 131 | PublicAccessBlockConfiguration: 132 | BlockPublicAcls: true 133 | BlockPublicPolicy: true 134 | IgnorePublicAcls: true 135 | RestrictPublicBuckets: true 136 | Tags: 137 | - 138 | Key: Description 139 | Value: S3 Bucket for GD Threat List 140 | VersioningConfiguration: 141 | Status: Enabled 142 | 143 | 144 | # ------------------------------------------------------------------------------------------------------------------------------------------------------- 145 | # 3. 
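Create Remediation in Security Hub
  # -------------------------------------------------------------------------------------------------------------------------------------------------------

  # Custom resource backing Custom::ActionTarget: creates / updates / deletes a Security Hub custom action target.
  CreateSecurityHubCustomActionTargetLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CreateSecurityHubCustomActionTargetLambda-GuardDuty
      Description: Custom resource to create an action target in Security Hub
      Handler: index.lambda_handler
      MemorySize: 256
      Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn
      # python3.7 reached end of support; new functions can no longer be created with it.
      Runtime: python3.12
      Timeout: 60
      Environment:
        Variables:
          Region: !Ref 'AWS::Region'
      Code:
        ZipFile: |
          import os

          import boto3
          import cfnresponse
          from botocore.exceptions import ClientError


          def action_target_arn(context, region, target_id):
              """Return the ARN of custom action target `target_id` in `region`.

              Partition and account are read from context.invoked_function_arn
              (arn:<partition>:lambda:<region>:<account>:function:<name>) rather than
              hard-coding 'aws', so the template also works in other partitions.
              """
              parts = context.invoked_function_arn.split(":")
              return f"arn:{parts[1]}:securityhub:{region}:{parts[4]}:action/custom/{target_id}"


          def lambda_handler(event, context):
              """CloudFormation custom resource: manage a Security Hub custom action target.

              ResourceProperties: Name, Description, Id. The target ARN is returned as
              the 'Arn' attribute on every request type (the original returned it on
              Create only, so Fn::GetAtt had nothing after an Update) and is used as
              the PhysicalResourceId. Every failure is reported as FAILED so the stack
              never hangs waiting for a response.
              """
              arn = None
              try:
                  properties = event['ResourceProperties']
                  region = os.environ['Region']
                  client = boto3.client('securityhub', region_name=region)
                  arn = action_target_arn(context, region, properties['Id'])
                  request_type = event['RequestType']
                  if request_type == 'Create':
                      response = client.create_action_target(
                          Name=properties['Name'],
                          Description=properties['Description'],
                          Id=properties['Id']
                      )
                      arn = response['ActionTargetArn']
                  elif request_type == 'Update':
                      old_id = event.get('OldResourceProperties', {}).get('Id')
                      if old_id != properties['Id']:
                          # A new Id is a new target. Returning a new physical id makes
                          # CloudFormation send a Delete for the old one afterwards.
                          response = client.create_action_target(
                              Name=properties['Name'],
                              Description=properties['Description'],
                              Id=properties['Id']
                          )
                          arn = response['ActionTargetArn']
                      else:
                          client.update_action_target(
                              ActionTargetArn=arn,
                              Name=properties['Name'],
                              Description=properties['Description']
                          )
                  elif request_type == 'Delete':
                      try:
                          client.delete_action_target(ActionTargetArn=arn)
                      except ClientError as e:
                          # A target that was never created (rollback of a failed Create)
                          # must not block stack deletion.
                          if e.response['Error']['Code'] != 'ResourceNotFoundException':
                              raise
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Arn': arn}, arn)
              except Exception as e:
                  print(e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {}, arn)

  CreateSecurityHubCustomActionTargetLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: CreateActionTarget-LambdaPolicy-GuardDuty
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only what the handler above needs: its own log group plus the three action-target APIs
              # (the unused cloudwatch:PutMetricData grant was dropped).
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - securityhub:CreateActionTarget
                  - securityhub:UpdateActionTarget
                  - securityhub:DeleteActionTarget
                Resource: '*'

  # -------------------------------------------------------------------------------------------------------------------------------------------------------
  # Create Security Hub Remediation to Block Malicious EC2
  # -------------------------------------------------------------------------------------------------------------------------------------------------------

  # EventBridge rule: fires when an operator picks the GDRemeEC2 custom action on a finding in Security Hub.
  GDEC2RemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDEC2RemediateRule
      Description: "GD-RemeEC2 - Stop or Quarantine Malicious EC2"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDEC2ActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GDEC2RemediateLambda.Arn
          Id: "GDRemeEC2"

  GDEC2ActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeEC2
      Description: Stop or Quarantine Malicious EC2
      Id: GDRemeEC2

  # Only this stack's rule may invoke the remediation function (SourceArn pins the rule).
  GDEC2RemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GDEC2RemediateLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt GDEC2RemediateRule.Arn

  GDEC2RemediateLambda:
    DependsOn:
      - EC2VPC1
      - GDEC2RemediateLambdaRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Description: GDRemeEC2 custom action - stops the lab instance named in INSTANCE_ID
      Environment:
        Variables:
          INSTANCE_ID: !Ref EC2VPC1
      Role: !GetAtt GDEC2RemediateLambdaRole.Arn
      Code:
        ZipFile: |
          import os

          import boto3
          from botocore.exceptions import ClientError


          def handler(event, context):
              """Stop the lab instance named by INSTANCE_ID; return the StopInstances response.

              Triggered by EventBridge for the 'GDRemeEC2' Security Hub custom action.
              The event is not inspected: the target instance is fixed by the
              environment. An API error is logged and re-raised so the invocation is
              recorded as failed (the original fell through to 'return response' with
              'response' unbound, which raised UnboundLocalError and hid the real cause).
              """
              instance_id = os.environ['INSTANCE_ID']
              ec2 = boto3.client('ec2')
              try:
                  response = ec2.stop_instances(InstanceIds=[instance_id])
              except ClientError as e:
                  print(e)
                  raise
              print(f"StopInstances requested for {instance_id}")
              return response
      Runtime: "python3.12"
      Timeout: 35

  GDEC2RemediateLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege: the handler only calls ec2:StopInstances on the one lab instance, so
      # AmazonEC2FullAccess and CloudWatchLogsFullAccess are replaced by exactly that plus its own logs.
      Policies:
        - PolicyName: GDEC2RemediateLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - ec2:StopInstances
                Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${EC2VPC1}'

  # -------------------------------------------------------------------------------------------------------------------------------------------------------
  # Create Security Hub Remediation to Update IAM Password Policy
  # -------------------------------------------------------------------------------------------------------------------------------------------------------

  GDIAMRemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDIAMRemediateRule
      Description: "GD-RemeIAM - Update Password Policy"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDIAMActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GuardDutyRemediationIAMLambda.Arn
          Id: "GDRemeIAM"

  GDIAMActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeIAM
      Description: Update Password Policy
      Id: GDRemeIAM

  GDIAMRemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GuardDutyRemediationIAMLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt GDIAMRemediateRule.Arn

  # Remediation Lambda - IAM
  GuardDutyRemediationIAMLambda:
    DependsOn:
      - GuardDutyRemediationLambdaIAMRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Description: GDRemeIAM custom action - restores the account password policy
      Role: !GetAtt GuardDutyRemediationLambdaIAMRole.Arn
      Code:
        ZipFile: |
          import boto3
          from botocore.exceptions import ClientError


          def handler(event, context):
              """Restore the account password policy; return the API response.

              Triggered by EventBridge for the 'GDRemeIAM' Security Hub custom action
              after a Stealth:IAMUser/PasswordPolicyChange finding. The policy values
              are fixed here; the event is not inspected. An API error is logged and
              re-raised so the invocation is recorded as failed (the original fell
              through to 'return response' with 'response' unbound).
              """
              iam = boto3.client('iam')
              try:
                  response = iam.update_account_password_policy(
                      AllowUsersToChangePassword=True,
                      HardExpiry=True,
                      MaxPasswordAge=90,
                      MinimumPasswordLength=14,
                      PasswordReusePrevention=24,
                      RequireLowercaseCharacters=True,
                      RequireNumbers=True,
                      RequireSymbols=True,
                      RequireUppercaseCharacters=True)
              except ClientError as e:
                  print(e)
                  raise
              return response
      Runtime: "python3.12"
      Timeout: 35

  # Remediation Lambda - IAM Role
  GuardDutyRemediationLambdaIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege: the handler only calls iam:UpdateAccountPasswordPolicy (an account-level action
      # with no resource-level scoping), so IAMFullAccess is replaced by that single action.
      Policies:
        - PolicyName: GDIAMRemediateLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - iam:UpdateAccountPasswordPolicy
                Resource: '*'

  # -----------------------------------------------------------------------------------------------------------------------
  # EC2 Set up
  # Provisions EC2 instances in the relevant subnets and associated security groups for VPC1 and VPC3
  # with ssh and icmp access
  # User Data section is self contained to generate malicious access
  # .......................................................................................................................

  EIPEC2VPC3:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref EC2VPC3
      Domain: vpc

  EC2VPC1:
    Type: "AWS::EC2::Instance"
    DependsOn:
      - SGEC2VPC1
      - EIPEC2VPC3
      - EC2VPC1InstanceProfile
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
      InstanceType: t2.micro
      IamInstanceProfile: !Ref EC2VPC1InstanceProfile
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: SGEC2VPC1
          SubnetId: !ImportValue subnetvpc1
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -ex

            # Start SSM Agent
            sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

            # Install pre-reqs
            export PATH=$PATH:/usr/local/bin:/usr/sbin:/root/.local/bin
            echo 'export PATH=/root/.local/bin:/usr/sbin:$PATH' >> /home/ec2-user/.profile
            sudo yum update -y
            sudo yum install -y nmap git python python2-pip python-argparse gcc gcc-c++ glib2-devel

            # Create findings file and generate finding: a TCP connect scan of this stack's own
            # VPC3 instance, so GuardDuty raises Recon:EC2/Portscan against a lab resource.
            # The listing showed "cat <> file" here; the "<EOF >" of the heredoc was lost to
            # markup stripping and is restored below (the closing EOF line was still present).
            touch /home/ec2-user/gd-portscan.sh
            cat <<EOF >> /home/ec2-user/gd-portscan.sh
            #!/bin/bash
            for j in {1..10}
            do
              sudo nmap -sT ${IP}
            done
            EOF

            sudo chmod +x /home/ec2-user/gd-portscan.sh
            # Absolute path: user data does not run with /home/ec2-user as its working directory.
            /home/ec2-user/gd-portscan.sh
          - Profile: !Ref EC2VPC1InstanceProfile
            Region: !Ref "AWS::Region"
            IP: !Ref EIPEC2VPC3

  EC2VPC3:
    Type: "AWS::EC2::Instance"
    DependsOn:
      - SGEC2VPC3
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: SGEC2VPC3
          SubnetId: !ImportValue subnetvpc3

  EC2VPC1InstanceProfile:
    DependsOn:
      - EC2VPC1Role
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2VPC1Role

  # Instance role of the scanning instance. NOTE(review): iam:*, dynamodb:* and s3:* on '*' make this
  # deliberately-noisy instance an account administrator; nothing in this template uses them, but lab
  # steps outside this file may, so they are flagged here rather than removed. Confirm and trim.
  EC2VPC1Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      Policies:
        - PolicyName: GuardDutyPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - guardduty:GetDetector
                  - guardduty:ListDetectors
                  - guardduty:CreateThreatIntelSet
                  - guardduty:UpdateThreatIntelSet
                Resource: '*'
              - Effect: Allow
                Action:
                  - ssm:PutParameter
                  - ssm:DescribeParameters
                  - ssm:GetParameters
                  - ssm:DeleteParameter
                Resource: '*'
              # NOTE(review): iam:* on '*' - privilege escalation path from the instance; not used here.
              - Effect: Allow
                Action:
                  - iam:*
                Resource: '*'
              # NOTE(review): dynamodb:* on '*' - not used by anything in this template.
              - Effect: Allow
                Action:
                  - dynamodb:*
                Resource: '*'
              # NOTE(review): s3:* on '*' - if only the threat-list upload is needed, scope to that bucket.
              - Effect: Allow
                Action: s3:*
                Resource: '*'
              # Made redundant by iam:* above; kept because it is the scoped grant the role should end up with.
              - Effect: Allow
                Action:
                  - iam:PutRolePolicy
                Resource:
                  Fn::Join:
                    - ':'
                    - ["arn:aws:iam:", !Ref "AWS::AccountId", "role/aws-service-role/guardduty.amazonaws.com/*"]

  # NOTE(review): SSH (22/tcp) and ICMP are open to 0.0.0.0/0 on a public instance. The lab intends
  # "ssh and icmp access"; restrict SSH to the operator's address range or the imported VPC CIDRs.
  SGEC2VPC1:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
      VpcId: !ImportValue vpc1id
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: 0.0.0.0/0
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"

  # Quarantine group (ICMP within 10.10.0.0/16 only). Not referenced by the remediation handler in this file.
  SGEC2VPC1LockDown:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
      VpcId: !ImportValue vpc1id
      SecurityGroupIngress:
        - CidrIp: 10.10.0.0/16
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 10.10.0.0/16
          FromPort: "-1"
          ToPort: "-1"
          IpProtocol: icmp

  # NOTE(review): same 0.0.0.0/0 exposure as SGEC2VPC1; this is the instance that gets scanned.
  SGEC2VPC3:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC3"]]
      VpcId: !ImportValue vpc3id
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: 0.0.0.0/0
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/cft/aws-guarddutydetect-securityhubremediate.yml: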
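--------------------------------------------------------------------------------
---
AWSTemplateFormatVersion: '2010-09-09'
Description: GuardDuty for EC2 and IAM with Security Hub

# ---------------------------------------------------------------------------------------------------------------
# CloudFormation Template 2 of 2
#
# GuardDuty detects EC2 and IAM attacks. Security Hub Remediates.
#
# EC2 Recon Attack, EC2 Malicious IP and IAM Password Policy change with AWS GuardDuty.
# Can be extended for any GuardDuty EC2 or IAM related threat findings
# Also automates GuardDuty Finding generation
#
# Automated Remediations for GuardDuty for EC2 and IAM using AWS Security Hub
#
#
# @kmmahaj
##
## License:
## This code is made available under the MIT-0 license. See the LICENSE file.
# ----------------------------------------------------------------------------------------------------------------

Parameters:
  KeyName:
    Description: EC2 Key Pair
    Type: "AWS::EC2::KeyPair::KeyName"
  EmailAddress:
    Description: Email address for receiving alerts.
    Type: String
    AllowedPattern: ".+"
  LatestAWSLinuxAmiId:
    # The listing showed 'AWS::SSM::Parameter::Value' with the type argument lost to markup
    # stripping; the bare form is not a valid parameter type, so the image-id form is restored.
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'

Resources:

  # -----------------------------------------------------------------------------------------------------------------------
  # GuardDuty Setup
  # Provisions GuardDuty CW Events, Remediation Lambdas, SNS topic and Associated Roles
  #
  # .......................................................................................................................

  # GuardDuty CloudWatch Event - For GuardDuty Finding: Stealth:IAMUser/PasswordPolicyChange
  GuardDutyIAMEvent:
    DependsOn:
      - GuardDutyRemediationIAMLambda
      - SnsTopic
    Type: AWS::Events::Rule
    Properties:
      Name: GuardDuty-IAM-Finding
      Description: "GuardDuty IAM Event"
      EventPattern:
        source:
          - aws.guardduty
        detail:
          type:
            - Stealth:IAMUser/PasswordPolicyChange
      State: ENABLED
      Targets:
        - Arn: !Ref SnsTopic
          Id: "GuardDutyIAMEvent-SNS-Trigger"

  # GuardDuty CloudWatch Event - For GuardDuty Finding: Recon:EC2/Portscan
  GuardDutyEC2Event:
    DependsOn:
      - SnsTopic
    Type: AWS::Events::Rule
    Properties:
      Name: GuardDuty-EC2-Finding
      Description: "GuardDuty EC2 Event"
      EventPattern:
        source:
          - aws.guardduty
        detail:
          type:
            - Recon:EC2/Portscan
      State: ENABLED
      Targets:
        - Arn: !Ref SnsTopic
          Id: "GuardDutyEC2Event-SNS-Trigger"

  # NOTE(review): the topic is not encrypted at rest. The AWS-managed key (alias/aws/sns) cannot be
  # used here because its key policy does not let events.amazonaws.com publish; a customer-managed
  # KMS key whose policy grants EventBridge is needed if encryption is required.
  SnsTopic:
    Type: "AWS::SNS::Topic"

  SnsSubscription:
    Type: "AWS::SNS::Subscription"
    Properties:
      Endpoint: !Ref EmailAddress
      Protocol: "email"
      TopicArn: !Ref SnsTopic

  # Lets EventBridge publish to the alert topic; the SourceAccount condition keeps rules in other
  # accounts from using this topic as a target (confused-deputy guard).
  EventTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource: !Ref SnsTopic
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref 'AWS::AccountId'
      Topics:
        - !Ref SnsTopic

  # S3 Threat List Bucket for GuardDuty
  GDThreatListBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "s3-gd-${AWS::AccountId}-${AWS::Region}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      AccessControl: BucketOwnerFullControl
      LifecycleConfiguration:
        Rules:
          - AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 3
            NoncurrentVersionExpirationInDays: 3
            Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Description
          Value: S3 Bucket for GD Threat List
      VersioningConfiguration:
        Status: Enabled

  # -------------------------------------------------------------------------------------------------------------------------------------------------------
  # 3. Create Remediation in Security Hub
  # -------------------------------------------------------------------------------------------------------------------------------------------------------

  # Custom resource backing Custom::ActionTarget: creates / updates / deletes a Security Hub custom action target.
  CreateSecurityHubCustomActionTargetLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CreateSecurityHubCustomActionTargetLambda-GuardDuty
      Description: Custom resource to create an action target in Security Hub
      Handler: index.lambda_handler
      MemorySize: 256
      Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn
      # python3.7 reached end of support; new functions can no longer be created with it.
      Runtime: python3.12
      Timeout: 60
      Environment:
        Variables:
          Region: !Ref 'AWS::Region'
      Code:
        ZipFile: |
          import os

          import boto3
          import cfnresponse
          from botocore.exceptions import ClientError


          def action_target_arn(context, region, target_id):
              """Return the ARN of custom action target `target_id` in `region`.

              Partition and account are read from context.invoked_function_arn
              (arn:<partition>:lambda:<region>:<account>:function:<name>) rather than
              hard-coding 'aws', so the template also works in other partitions.
              """
              parts = context.invoked_function_arn.split(":")
              return f"arn:{parts[1]}:securityhub:{region}:{parts[4]}:action/custom/{target_id}"


          def lambda_handler(event, context):
              """CloudFormation custom resource: manage a Security Hub custom action target.

              ResourceProperties: Name, Description, Id. The target ARN is returned as
              the 'Arn' attribute on every request type (the original returned it on
              Create only, so Fn::GetAtt had nothing after an Update) and is used as
              the PhysicalResourceId. Every failure is reported as FAILED so the stack
              never hangs waiting for a response.
              """
              arn = None
              try:
                  properties = event['ResourceProperties']
                  region = os.environ['Region']
                  client = boto3.client('securityhub', region_name=region)
                  arn = action_target_arn(context, region, properties['Id'])
                  request_type = event['RequestType']
                  if request_type == 'Create':
                      response = client.create_action_target(
                          Name=properties['Name'],
                          Description=properties['Description'],
                          Id=properties['Id']
                      )
                      arn = response['ActionTargetArn']
                  elif request_type == 'Update':
                      old_id = event.get('OldResourceProperties', {}).get('Id')
                      if old_id != properties['Id']:
                          # A new Id is a new target. Returning a new physical id makes
                          # CloudFormation send a Delete for the old one afterwards.
                          response = client.create_action_target(
                              Name=properties['Name'],
                              Description=properties['Description'],
                              Id=properties['Id']
                          )
                          arn = response['ActionTargetArn']
                      else:
                          client.update_action_target(
                              ActionTargetArn=arn,
                              Name=properties['Name'],
                              Description=properties['Description']
                          )
                  elif request_type == 'Delete':
                      try:
                          client.delete_action_target(ActionTargetArn=arn)
                      except ClientError as e:
                          # A target that was never created (rollback of a failed Create)
                          # must not block stack deletion.
                          if e.response['Error']['Code'] != 'ResourceNotFoundException':
                              raise
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Arn': arn}, arn)
              except Exception as e:
                  print(e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {}, arn)

  CreateSecurityHubCustomActionTargetLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: CreateActionTarget-LambdaPolicy-GuardDuty
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only what the handler above needs: its own log group plus the three action-target APIs
              # (the unused cloudwatch:PutMetricData grant was dropped).
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - securityhub:CreateActionTarget
                  - securityhub:UpdateActionTarget
                  - securityhub:DeleteActionTarget
                Resource: '*'

  # -------------------------------------------------------------------------------------------------------------------------------------------------------
  # Create Security Hub Remediation to Block Malicious EC2
  # -------------------------------------------------------------------------------------------------------------------------------------------------------

  # EventBridge rule: fires when an operator picks the GDRemeEC2 custom action on a finding in Security Hub.
  GDEC2RemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDEC2RemediateRule
      Description: "GD-RemeEC2 - Stop or Quarantine Malicious EC2"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDEC2ActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GDEC2RemediateLambda.Arn
          Id: "GDRemeEC2"

  GDEC2ActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeEC2
      Description: Stop or Quarantine Malicious EC2
      Id: GDRemeEC2

  # Only this stack's rule may invoke the remediation function (SourceArn pins the rule).
  GDEC2RemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GDEC2RemediateLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt GDEC2RemediateRule.Arn

  GDEC2RemediateLambda:
    DependsOn:
      - EC2VPC1
      - GDEC2RemediateLambdaRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Description: GDRemeEC2 custom action - stops the lab instance named in INSTANCE_ID
      Environment:
        Variables:
          INSTANCE_ID: !Ref EC2VPC1
      Role: !GetAtt GDEC2RemediateLambdaRole.Arn
      Code:
        ZipFile: |
          import os

          import boto3
          from botocore.exceptions import ClientError


          def handler(event, context):
              """Stop the lab instance named by INSTANCE_ID; return the StopInstances response.

              Triggered by EventBridge for the 'GDRemeEC2' Security Hub custom action.
              The event is not inspected: the target instance is fixed by the
              environment. An API error is logged and re-raised so the invocation is
              recorded as failed (the original fell through to 'return response' with
              'response' unbound, which raised UnboundLocalError and hid the real cause).
              """
              instance_id = os.environ['INSTANCE_ID']
              ec2 = boto3.client('ec2')
              try:
                  response = ec2.stop_instances(InstanceIds=[instance_id])
              except ClientError as e:
                  print(e)
                  raise
              print(f"StopInstances requested for {instance_id}")
              return response
      Runtime: "python3.12"
      Timeout: 35

  GDEC2RemediateLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege: the handler only calls ec2:StopInstances on the one lab instance, so
      # AmazonEC2FullAccess and CloudWatchLogsFullAccess are replaced by exactly that plus its own logs.
      Policies:
        - PolicyName: GDEC2RemediateLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - ec2:StopInstances
                Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${EC2VPC1}'

  # -------------------------------------------------------------------------------------------------------------------------------------------------------
  # Create Security Hub Remediation to Update IAM Password Policy
  # -------------------------------------------------------------------------------------------------------------------------------------------------------

  GDIAMRemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDIAMRemediateRule
      Description: "GD-RemeIAM - Update Password Policy"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDIAMActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GuardDutyRemediationIAMLambda.Arn
          Id: "GDRemeIAM"

  GDIAMActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeIAM
      Description: Update Password Policy
      Id: GDRemeIAM

  GDIAMRemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GuardDutyRemediationIAMLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt GDIAMRemediateRule.Arn

  # Remediation Lambda - IAM
  GuardDutyRemediationIAMLambda:
    DependsOn:
      - GuardDutyRemediationLambdaIAMRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Description: GDRemeIAM custom action - restores the account password policy
      Role: !GetAtt GuardDutyRemediationLambdaIAMRole.Arn
      Code:
        ZipFile: |
          import boto3
          from botocore.exceptions import ClientError


          def handler(event, context):
              """Restore the account password policy; return the API response.

              Triggered by EventBridge for the 'GDRemeIAM' Security Hub custom action
              after a Stealth:IAMUser/PasswordPolicyChange finding. The policy values
              are fixed here; the event is not inspected. An API error is logged and
              re-raised so the invocation is recorded as failed (the original fell
              through to 'return response' with 'response' unbound).
              """
              iam = boto3.client('iam')
              try:
                  response = iam.update_account_password_policy(
                      AllowUsersToChangePassword=True,
                      HardExpiry=True,
                      MaxPasswordAge=90,
                      MinimumPasswordLength=14,
                      PasswordReusePrevention=24,
                      RequireLowercaseCharacters=True,
                      RequireNumbers=True,
                      RequireSymbols=True,
                      RequireUppercaseCharacters=True)
              except ClientError as e:
                  print(e)
                  raise
              return response
      Runtime: "python3.12"
      Timeout: 35

  # Remediation Lambda - IAM Role
  GuardDutyRemediationLambdaIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege: the handler only calls iam:UpdateAccountPasswordPolicy (an account-level action
      # with no resource-level scoping), so IAMFullAccess is replaced by that single action.
      Policies:
        - PolicyName: GDIAMRemediateLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - iam:UpdateAccountPasswordPolicy
                Resource: '*'

  #------------------------------------------------------------------------------------------------------
  # VPC Set up
  #
  #------------------------------------------------------------------------------------------------------

  vpc1:
    Type: AWS::EC2::VPC
    DependsOn:
      - igw1
    Properties:
      CidrBlock: '10.10.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true

  igw1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: 'IGW1'

  igwattach1:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref igw1
      VpcId: !Ref vpc1

  subnetvpc1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref vpc1
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: '10.10.0.0/20'
      MapPublicIpOnLaunch: true

  rtablesubnetvpc1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref vpc1

  rtpublicvpc1:
    Type: AWS::EC2::Route
    DependsOn: igwattach1
    Properties:
      RouteTableId: !Ref rtablesubnetvpc1
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref igw1

  subnetvpc1rtable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref rtablesubnetvpc1
      SubnetId: !Ref subnetvpc1

  vpc3:
    Type: AWS::EC2::VPC
    DependsOn:
      - igw3
    Properties:
      CidrBlock: '10.11.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true

  igw3:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: 'IGW3'

  igwattach3:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref igw3
      VpcId: !Ref vpc3

  subnetvpc3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref vpc3
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: '10.11.0.0/20'
      MapPublicIpOnLaunch: true

  rtablesubnetvpc3:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref vpc3

  rtpublicvpc3:
    Type: AWS::EC2::Route
    DependsOn: igwattach3
    Properties:
      RouteTableId: !Ref rtablesubnetvpc3
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref igw3

  subnetvpc3rtable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref rtablesubnetvpc3
      SubnetId: !Ref subnetvpc3

  # -----------------------------------------------------------------------------------------------------------------------
  # EC2 Set up
  # Provisions EC2 instances in the relevant subnets and associated security groups for VPC1 and VPC3
  # with ssh and icmp access
  # User Data section is self contained to generate malicious access
  # .......................................................................................................................

  EIPEC2VPC3:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref EC2VPC3
      Domain: vpc

  EC2VPC1:
    Type: "AWS::EC2::Instance"
    DependsOn:
      - SGEC2VPC1
      - EIPEC2VPC3
      - EC2VPC1InstanceProfile
    Properties:
      # ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
      ImageId: !Ref LatestAWSLinuxAmiId
      InstanceType: t2.micro
      IamInstanceProfile: !Ref EC2VPC1InstanceProfile
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: SGEC2VPC1
          SubnetId: !Ref subnetvpc1
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -ex

            # Start SSM Agent
            sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

            # Install pre-reqs
            export PATH=$PATH:/usr/local/bin:/usr/sbin:/root/.local/bin
            echo 'export PATH=/root/.local/bin:/usr/sbin:$PATH' >> /home/ec2-user/.profile
            sudo yum update -y
            sudo yum install -y nmap git python python2-pip python-argparse gcc gcc-c++ glib2-devel

            # Create findings file and generate finding: a TCP connect scan of this stack's own
            # VPC3 instance, so GuardDuty raises Recon:EC2/Portscan against a lab resource.
            # The listing showed "cat <> file" here; the "<EOF >" of the heredoc was lost to
            # markup stripping and is restored below (the closing EOF line was still present).
            touch /home/ec2-user/gd-portscan.sh
            cat <<EOF >> /home/ec2-user/gd-portscan.sh
            #!/bin/bash
            for j in {1..10}
            do
              sudo nmap -sT ${IP}
            done
            EOF

            sudo chmod +x /home/ec2-user/gd-portscan.sh
            # Absolute path: user data does not run with /home/ec2-user as its working directory.
            /home/ec2-user/gd-portscan.sh
          - Profile: !Ref EC2VPC1InstanceProfile
            Region: !Ref "AWS::Region"
            IP: !Ref EIPEC2VPC3

  EC2VPC3:
    Type: "AWS::EC2::Instance"
    DependsOn:
      - SGEC2VPC3
    Properties:
      # ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
      ImageId: !Ref LatestAWSLinuxAmiId
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: SGEC2VPC3
          SubnetId: !Ref subnetvpc3

  EC2VPC1InstanceProfile:
    DependsOn:
      - EC2VPC1Role
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2VPC1Role

  # Instance role of the scanning instance. NOTE(review): iam:*, dynamodb:* and s3:* on '*' make this
  # deliberately-noisy instance an account administrator; nothing in this template uses them, but lab
  # steps outside this file may, so they are flagged here rather than removed. Confirm and trim.
  EC2VPC1Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      Policies:
        - PolicyName: GuardDutyPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - guardduty:GetDetector
                  - guardduty:ListDetectors
                  - guardduty:CreateThreatIntelSet
                  - guardduty:UpdateThreatIntelSet
                Resource: '*'
              - Effect: Allow
                Action:
                  - ssm:PutParameter
                  - ssm:DescribeParameters
                  - ssm:GetParameters
                  - ssm:DeleteParameter
                Resource: '*'
              # NOTE(review): iam:* on '*' - privilege escalation path from the instance; not used here.
              - Effect: Allow
                Action:
                  - iam:*
                Resource: '*'
              # NOTE(review): dynamodb:* on '*' - not used by anything in this template.
              - Effect: Allow
                Action:
                  - dynamodb:*
                Resource: '*'
              # NOTE(review): s3:* on '*' - if only the threat-list upload is needed, scope to GDThreatListBucket.
              - Effect: Allow
                Action: s3:*
                Resource: '*'
              # Made redundant by iam:* above; kept because it is the scoped grant the role should end up with.
              - Effect: Allow
                Action:
                  - iam:PutRolePolicy
                Resource:
                  Fn::Join:
                    - ':'
                    - ["arn:aws:iam:", !Ref "AWS::AccountId", "role/aws-service-role/guardduty.amazonaws.com/*"]

  # SSH and ICMP are admitted only from the two lab VPC ranges (no 0.0.0.0/0 ingress).
  SGEC2VPC1:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
      VpcId: !Ref vpc1
      SecurityGroupIngress:
        - CidrIp: !GetAtt vpc3.CidrBlock
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: !GetAtt vpc3.CidrBlock
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
        - CidrIp: !GetAtt vpc1.CidrBlock
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: !GetAtt vpc1.CidrBlock
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"

  # Quarantine group: same VPC-scoped ingress as SGEC2VPC1 but egress limited to ICMP within 10.10.0.0/16.
  # Not referenced by the remediation handler in this file.
  SGEC2VPC1LockDown:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
      VpcId: !Ref vpc1
      SecurityGroupIngress:
        - CidrIp: !GetAtt vpc3.CidrBlock
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: !GetAtt vpc3.CidrBlock
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
        - CidrIp: !GetAtt vpc1.CidrBlock
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: !GetAtt vpc1.CidrBlock
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 10.10.0.0/16
          FromPort: "-1"
          ToPort: "-1"
          IpProtocol: icmp

  SGEC2VPC3:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC3"]]
      VpcId: !Ref vpc3
      SecurityGroupIngress:
        - CidrIp: !GetAtt vpc3.CidrBlock
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: !GetAtt vpc3.CidrBlock
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
        - CidrIp: !GetAtt vpc1.CidrBlock
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: !GetAtt vpc1.CidrBlock
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"
--------------------------------------------------------------------------------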
/aws-guardduty-detect-securityhubremediate/cft/threatlist.txt: -------------------------------------------------------------------------------- 1 | 54.196.109.139 2 | 52.38.112.213 3 | 34.238.24.106 4 | 54.88.165.10 -------------------------------------------------------------------------------- /aws-guardduty-detect-securityhubremediate/cft/vpc-setup-v1.json: -------------------------------------------------------------------------------- 1 | # --------------------------------------------------------------------------------------------------------------- 2 | # CloudFormation Template 1 of 2 - 3 | # Provisions a multiple VPC environment to provide an AWS environment with built-in security groups and networking 4 | # 5 | # @author Kanishk Mahajan 6 | # 7 | ## 8 | ## License: 9 | ## This code is made available under the MIT-0 license. See the LICENSE file. 10 | # ---------------------------------------------------------------------------------------------------------------- 11 | 12 | 13 | 14 | { 15 | "Resources" : { 16 | "vpc1" : { 17 | "Type" : "AWS::EC2::VPC", 18 | "Properties" : { 19 | "CidrBlock" : "10.10.0.0/16", 20 | "EnableDnsSupport" : true, 21 | "EnableDnsHostnames" : true, 22 | "InstanceTenancy" : "default", 23 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1"} ] 24 | } 25 | }, 26 | "vpc3" : { 27 | "Type" : "AWS::EC2::VPC", 28 | "Properties" : { 29 | "CidrBlock" : "10.11.0.0/16", 30 | "EnableDnsSupport" : true, 31 | "EnableDnsHostnames" : true, 32 | "InstanceTenancy" : "default", 33 | "Tags" : [ {"Key" : "Name", "Value" : "vpc3"} ] 34 | } 35 | }, 36 | "vpc1snA1" : { 37 | "Type" : "AWS::EC2::Subnet", 38 | "Properties" : { 39 | "VpcId" : {"Ref" : "vpc1"}, 40 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A1"} ], 41 | "AvailabilityZone" : { 42 | "Fn::Select" : [ 43 | "0", 44 | { 45 | "Fn::GetAZs" : "" 46 | } 47 | ] 48 | }, 49 | "CidrBlock" : "10.10.0.0/20" 50 | } 51 | }, 52 | "vpc1snA2" : { 53 | "Type" : "AWS::EC2::Subnet", 54 | "Properties" : { 55 | "VpcId" : 
{"Ref" : "vpc1"}, 56 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A2"} ], 57 | "AvailabilityZone" : { 58 | "Fn::Select" : [ 59 | "0", 60 | { 61 | "Fn::GetAZs" : "" 62 | } 63 | ] 64 | }, 65 | "CidrBlock" : "10.10.64.0/20" 66 | } 67 | }, 68 | "vpc1snA3" : { 69 | "Type" : "AWS::EC2::Subnet", 70 | "Properties" : { 71 | "VpcId" : {"Ref" : "vpc1"}, 72 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A3"} ], 73 | "AvailabilityZone" : { 74 | "Fn::Select" : [ 75 | "0", 76 | { 77 | "Fn::GetAZs" : "" 78 | } 79 | ] 80 | }, 81 | "CidrBlock" : "10.10.128.0/20" 82 | } 83 | }, 84 | "vpc1snA4" : { 85 | "Type" : "AWS::EC2::Subnet", 86 | "Properties" : { 87 | "VpcId" : {"Ref" : "vpc1"}, 88 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A4"} ], 89 | "AvailabilityZone" : { 90 | "Fn::Select" : [ 91 | "0", 92 | { 93 | "Fn::GetAZs" : "" 94 | } 95 | ] 96 | }, 97 | "CidrBlock" : "10.10.192.0/20" 98 | } 99 | }, 100 | "vpc1snB1" : { 101 | "Type" : "AWS::EC2::Subnet", 102 | "Properties" : { 103 | "VpcId" : {"Ref" : "vpc1"}, 104 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B1"} ], 105 | "AvailabilityZone" : { 106 | "Fn::Select" : [ 107 | "1", 108 | { 109 | "Fn::GetAZs" : "" 110 | } 111 | ] 112 | }, 113 | "CidrBlock" : "10.10.16.0/20" 114 | } 115 | }, 116 | "vpc1snB2" : { 117 | "Type" : "AWS::EC2::Subnet", 118 | "Properties" : { 119 | "VpcId" : {"Ref" : "vpc1"}, 120 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B2"} ], 121 | "AvailabilityZone" : { 122 | "Fn::Select" : [ 123 | "1", 124 | { 125 | "Fn::GetAZs" : "" 126 | } 127 | ] 128 | }, 129 | "CidrBlock" : "10.10.80.0/20" 130 | } 131 | }, 132 | "vpc1snB3" : { 133 | "Type" : "AWS::EC2::Subnet", 134 | "Properties" : { 135 | "VpcId" : {"Ref" : "vpc1"}, 136 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B3"} ], 137 | "AvailabilityZone" : { 138 | "Fn::Select" : [ 139 | "1", 140 | { 141 | "Fn::GetAZs" : "" 142 | } 143 | ] 144 | }, 145 | "CidrBlock" : "10.10.144.0/20" 146 | } 147 | }, 148 | "vpc1snB4" : { 149 | "Type" : 
"AWS::EC2::Subnet", 150 | "Properties" : { 151 | "VpcId" : {"Ref" : "vpc1"}, 152 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B4"} ], 153 | "AvailabilityZone" : { 154 | "Fn::Select" : [ 155 | "1", 156 | { 157 | "Fn::GetAZs" : "" 158 | } 159 | ] 160 | }, 161 | "CidrBlock" : "10.10.208.0/20" 162 | } 163 | }, 164 | "vpc3snA1" : { 165 | "Type" : "AWS::EC2::Subnet", 166 | "Properties" : { 167 | "VpcId" : {"Ref" : "vpc3"}, 168 | "Tags" : [ {"Key" : "Name", "Value" : "vpc3_sn_A1"} ], 169 | "AvailabilityZone" : { 170 | "Fn::Select" : [ 171 | "0", 172 | { 173 | "Fn::GetAZs" : "" 174 | } 175 | ] 176 | }, 177 | "CidrBlock" : "10.11.0.0/20" 178 | } 179 | }, 180 | "vpc3snA2" : { 181 | "Type" : "AWS::EC2::Subnet", 182 | "Properties" : { 183 | "VpcId" : {"Ref" : "vpc3"}, 184 | "Tags" : [ {"Key" : "Name", "Value" : "vpc3_sn_A2"} ], 185 | "AvailabilityZone" : { 186 | "Fn::Select" : [ 187 | "0", 188 | { 189 | "Fn::GetAZs" : "" 190 | } 191 | ] 192 | }, 193 | "CidrBlock" : "10.11.16.0/20" 194 | } 195 | }, 196 | "igwvpc1" : { 197 | "Type" : "AWS::EC2::InternetGateway", 198 | "DependsOn" : "vpc1", 199 | "Properties" : { 200 | "Tags" : [ {"Key" : "Name", "Value" : "IGW-VPC1"} ] 201 | } 202 | }, 203 | "igwvpc1attachment" : { 204 | "DependsOn" : "igwvpc1", 205 | "Type" : "AWS::EC2::VPCGatewayAttachment", 206 | "Properties" : { 207 | "InternetGatewayId" : {"Ref" : "igwvpc1"}, 208 | "VpcId" : {"Ref" : "vpc1"} 209 | } 210 | }, 211 | "igwvpc3" : { 212 | "Type" : "AWS::EC2::InternetGateway", 213 | "DependsOn" : "vpc3", 214 | "Properties" : { 215 | "Tags" : [ {"Key" : "Name", "Value" : "IGW-VPC3"} ] 216 | } 217 | }, 218 | "igwvpc3attachment" : { 219 | "DependsOn" : "igwvpc3", 220 | "Type" : "AWS::EC2::VPCGatewayAttachment", 221 | "Properties" : { 222 | "InternetGatewayId" : {"Ref" : "igwvpc3"}, 223 | "VpcId" : {"Ref" : "vpc3"} 224 | } 225 | }, 226 | "rtpublic" : { 227 | "Type" : "AWS::EC2::RouteTable", 228 | "Properties" : { 229 | "VpcId" : {"Ref" : "vpc1"}, 230 | "Tags" : [ {"Key" : "Name", 
"Value" : "RT-Public"} ] 231 | } 232 | }, 233 | "rtpublicdefault" : { 234 | "Type" : "AWS::EC2::Route", 235 | "DependsOn" : "igwvpc1attachment", 236 | "Properties" : { 237 | "RouteTableId" : { "Ref" : "rtpublic" }, 238 | "DestinationCidrBlock" : "0.0.0.0/0", 239 | "GatewayId" : { "Ref" : "igwvpc1" } 240 | } 241 | }, 242 | "rtpublicdefaultvpc3" : { 243 | "Type" : "AWS::EC2::Route", 244 | "DependsOn" : "igwvpc3attachment", 245 | "Properties" : { 246 | "RouteTableId" : { "Ref" : "routetableprivatevpc3" }, 247 | "DestinationCidrBlock" : "0.0.0.0/0", 248 | "GatewayId" : { "Ref" : "igwvpc3" } 249 | } 250 | }, 251 | "rtpublicpubA" : { 252 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 253 | "Properties" : { 254 | "RouteTableId" : {"Ref" : "rtpublic" }, 255 | "SubnetId" : {"Ref" : "vpc1snA1" } 256 | } 257 | }, 258 | "rtpublicpubB" : { 259 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 260 | "Properties" : { 261 | "RouteTableId" : {"Ref" : "rtpublic" }, 262 | "SubnetId" : {"Ref" : "vpc1snB1" } 263 | } 264 | }, 265 | "sgbastion" : { 266 | "Type" : "AWS::EC2::SecurityGroup", 267 | "Properties" : { 268 | "GroupName" : "SG-BASTION", 269 | "GroupDescription" : "SG-BASTION", 270 | "SecurityGroupIngress" : [{ 271 | "IpProtocol" : "tcp", 272 | "FromPort" : 22, 273 | "ToPort" : 22, 274 | "CidrIp" : "0.0.0.0/0" 275 | }], 276 | "Tags" : [ {"Key" : "Name", "Value" : "SG-BASTION"} ], 277 | "VpcId" : {"Ref" : "vpc1"} 278 | } 279 | }, 280 | "sginternal" : { 281 | "Type" : "AWS::EC2::SecurityGroup", 282 | "Properties" : { 283 | "GroupName" : "SG-INTERNAL", 284 | "GroupDescription" : "SG-INTERNAL", 285 | "SecurityGroupIngress" : [{ 286 | "IpProtocol" : "tcp", 287 | "FromPort" : 22, 288 | "ToPort" : 22, 289 | "SourceSecurityGroupId" : {"Ref" : "sgbastion"} 290 | }], 291 | "Tags" : [ {"Key" : "Name", "Value" : "SG-INTERNAL"} ], 292 | "VpcId" : {"Ref" : "vpc1"} 293 | } 294 | }, 295 | "sginternalselfref" : { 296 | "Type": "AWS::EC2::SecurityGroupIngress", 297 | "Properties": { 298 | 
"GroupId": { 299 | "Ref": "sginternal" 300 | }, 301 | "IpProtocol": -1, 302 | "FromPort": -1, 303 | "ToPort": -1, 304 | "SourceSecurityGroupId": { 305 | "Ref": "sginternal" 306 | } 307 | } 308 | }, 309 | "rtprivatea" : { 310 | "Type" : "AWS::EC2::RouteTable", 311 | "Properties" : { 312 | "VpcId" : {"Ref" : "vpc1"}, 313 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateA"} ] 314 | } 315 | }, 316 | "rtprivateb" : { 317 | "Type" : "AWS::EC2::RouteTable", 318 | "Properties" : { 319 | "VpcId" : {"Ref" : "vpc1"}, 320 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateB"} ] 321 | } 322 | }, 323 | "rtprivatec" : { 324 | "Type" : "AWS::EC2::RouteTable", 325 | "Properties" : { 326 | "VpcId" : {"Ref" : "vpc1"}, 327 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateC"} ] 328 | } 329 | }, 330 | "rtprivatea3" : { 331 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 332 | "Properties" : { 333 | "RouteTableId" : {"Ref" : "rtprivatea" }, 334 | "SubnetId" : {"Ref" : "vpc1snA3" } 335 | } 336 | }, 337 | "routetableprivatevpc3" : { 338 | "Type" : "AWS::EC2::RouteTable", 339 | "Properties" : { 340 | "VpcId" : {"Ref" : "vpc3"}, 341 | "Tags" : [ {"Key" : "Name", "Value" : "RT-Private-VPC3"} ] 342 | } 343 | }, 344 | "rtsubnetassocprivatevpc3" : { 345 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 346 | "Properties" : { 347 | "RouteTableId" : {"Ref" : "routetableprivatevpc3" }, 348 | "SubnetId" : {"Ref" : "vpc3snA1" } 349 | } 350 | }, 351 | "rtprivatea4" : { 352 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 353 | "Properties" : { 354 | "RouteTableId" : {"Ref" : "rtprivatea" }, 355 | "SubnetId" : {"Ref" : "vpc1snA4" } 356 | } 357 | }, 358 | "rtprivateb3" : { 359 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 360 | "Properties" : { 361 | "RouteTableId" : {"Ref" : "rtprivateb" }, 362 | "SubnetId" : {"Ref" : "vpc1snB3" } 363 | } 364 | }, 365 | "rtprivateb4" : { 366 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 367 | "Properties" : { 368 | "RouteTableId" : {"Ref" : 
"rtprivateb" }, 369 | "SubnetId" : {"Ref" : "vpc1snB4" } 370 | } 371 | } 372 | }, 373 | "Outputs" : { 374 | "vpc1id" : { 375 | "Description" : "ID of VPC 1", 376 | "Value" : {"Ref" : "vpc1"}, 377 | "Export" : { 378 | "Name" : "vpc1id" 379 | } 380 | }, 381 | "vpc3id" : { 382 | "Description" : "ID of VPC 3", 383 | "Value" : {"Ref" : "vpc3"}, 384 | "Export" : { 385 | "Name" : "vpc3id" 386 | } 387 | }, 388 | "subnetvpc1" : { 389 | "Description" : "ID of Subnet in VPC 1", 390 | "Value" : {"Ref" : "vpc1snA1"}, 391 | "Export" : { 392 | "Name" : "subnetvpc1" 393 | } 394 | }, 395 | "subnetvpc3" : { 396 | "Description" : "ID of Subnet in VPC 3", 397 | "Value" : {"Ref" : "vpc3snA1"}, 398 | "Export" : { 399 | "Name" : "subnetvpc3" 400 | } 401 | }, 402 | "routetablesubnetvpc1" : { 403 | "Description" : "ID of RouteTable for VPC 1 Subnet", 404 | "Value" : {"Ref" : "rtpublic"}, 405 | "Export" : { 406 | "Name" : "routetablesubnetvpc1" 407 | } 408 | }, 409 | "routetablesubnetvpc3" : { 410 | "Description" : "ID of RouteTable for VPC 3 Subnet", 411 | "Value" : {"Ref" : "routetableprivatevpc3"}, 412 | "Export" : { 413 | "Name" : "routetablesubnetvpc3" 414 | } 415 | } 416 | } 417 | 418 | } -------------------------------------------------------------------------------- /aws-guardduty-detect-securityhubremediate/images/arch-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-guardduty-detect-securityhubremediate/images/arch-diagram.png -------------------------------------------------------------------------------- /aws-remediate-cis-securityhub/README.md: -------------------------------------------------------------------------------- 1 |

2 |

3 | 4 | # Automated Remediations for CIS Benchmarks using AWS Security Hub 5 | 6 | The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS native implementation for automated remediations for CIS Benchmark violations detected by AWS Security Hub. 7 | 8 | 9 | ## How it Works 10 | 11 | This implementation is based on the following solution approach: 12 | 13 | 1. Leverages AWS Security Hub directly to provide continuous detection of CIS findings 14 | 2. Provides AWS Systems Manager Automation Documents for automated remediation for AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template. 15 | 3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real time remediations of AWS Security Hub CIS findings as follows: 16 | * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as Security Hub Findings - Custom Action events. 17 | * The CloudWatch Events Rule invokes the corresponding Lambda Function as the Target for the source Security Hub Custom Action event 18 | * The Lambda function processes the finding using the standard findings format provided by Security Hub - AWS Security Finding Format (ASFF) and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding 19 | 20 | 21 | ## Solution Design 22 | 23 | ![](images/arch-diagram.png) 24 | 25 | ## How To Install 26 | 27 | 1. **Template 1 of 3:** aws-aws-cis-cloudwatchlogmetricfilters.yml 28 | * Provisions CloudWatch Logs Metric Filters. Enter email address as input. Simply install on the CloudFormation console (or CLI). Installs in approx 1-2 mins. 29 | 30 | 2. **Template 2 of 3:** aws-cis-systemsmanagerautomations.yml 31 | * Provisions AWS Systems Manager automation documents. 
These documents are used to provide automated remediations within the provisioned AWS Security Hub Action. 32 | * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 33 | 34 | 3. **Template 3 of 3:** aws-cis-securityhubactions.yml 35 | * Provisions AWS CloudWatch Events rules and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 36 | * Depends on the output of the previous template, specifically the AWS Systems Manager Automation documents, so install the templates in order. 37 | 38 | 39 | ## @kmmahaj 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /aws-remediate-cis-securityhub/images/arch-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-remediate-cis-securityhub/images/arch-diagram.png -------------------------------------------------------------------------------- /aws-remediate-fsbp-securityhub/README.md: -------------------------------------------------------------------------------- 1 | 

2 |

3 | 4 | # Automated Remediations for Foundational Security Benchmarks using AWS Security Hub 5 | 6 | The AWS Foundational Security Best Practices (FSBP) standard is a set of controls that detect when your deployed accounts and resources deviate from AWS security best practices. 7 | 8 | The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS native implementation for automated remediations for these FSBP violations detected by AWS Security Hub. 9 | 10 | 11 | ## How it Works 12 | 13 | This implementation is based on the following solution approach: 14 | 15 | 1. Leverages AWS Security Hub directly to provide continuous detection of FSBP findings 16 | 2. Provides AWS Systems Manager Automation Documents for automated remediation for AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template. 17 | 3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real time remediations of AWS Security Hub FSBP findings as follows: 18 | * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as Security Hub Findings - Custom Action events. 19 | * The CloudWatch Events Rule invokes the corresponding Lambda Function as the Target for the source Security Hub Custom Action event 20 | * The Lambda function processes the finding using the standard findings format provided by Security Hub - AWS Security Finding Format (ASFF) and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding 21 | 22 | 23 | ## Solution Design 24 | 25 | ![](images/arch-diagram.png) 26 | 27 | ## How To Install 28 | 29 | 1. **Template 1 of 2:** aws-security-hub-fsbp-remediations-template1.yml 30 | * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Security Hub Action. 
31 | * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 32 | 33 | 2. **Template 2 of 2:** aws-security-hub-fsbp-remediations-template2.yml 34 | * Provisions AWS CloudWatch Events rules and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins. 35 | * Depends on the output of the previous template, specifically the AWS Systems Manager Automation documents, so install the templates in order. 36 | 37 | ## COVERAGE 38 | 39 | The solution provides remediations for the following AWS Security Hub FSBP checks. Note that the EC2.3 and RDS.3 remediations are disruptive: each one snapshots the resource, builds an encrypted replacement and deletes the original, so validate them in a non-production account first: 40 | * [EC2.3] Attached EBS volumes should be encrypted at-rest 41 | * [GuardDuty.1] GuardDuty should be enabled 42 | * [IAM.3] IAM users' access keys should be rotated every 90 days or less 43 | * [Lambda.1] Lambda functions should prohibit public access by other accounts 44 | * [Lambda.2] Lambda functions should use latest runtimes 45 | * [RDS.3] RDS DB instances should have encryption at-rest enabled 46 | * [SSM.1] EC2 instances should be managed by AWS Systems Manager 47 | 48 | Additionally, the following Foundational Security Best Practices controls are covered by the remediations this solution provides for the equivalent PCI DSS controls (see aws-remediate-pci-securityhub): 49 | * [AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks 50 | * [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail 51 | * [CloudTrail.2] CloudTrail should have encryption at-rest enabled 52 | * [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials 53 | * [Config.1] AWS Config should be enabled 54 | * [EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone 55 | * [EC2.2] The VPC default security group should not allow inbound and outbound traffic 56 | * [IAM.1] IAM 
policies should not allow full * administrative privileges 57 | * [IAM.2] IAM users should not have IAM policies attached 58 | * [IAM.4] IAM root user access key should not exist 59 | * [IAM.7] Password policies for IAM users should have strong configurations 60 | * [S3.1] S3 Block Public Access setting should be enabled 61 | * [S3.2] S3 buckets should prohibit public read access 62 | * [S3.3] S3 buckets should prohibit public write access 63 | * [S3.4] S3 buckets should have server-side encryption enabled 64 | * [RDS.1] RDS snapshots should be private 65 | * [RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration 66 | * [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation 67 | 68 | ## @kmmahaj 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /aws-remediate-fsbp-securityhub/cft/aws-security-hub-fsbp-remediations-template1.yml: -------------------------------------------------------------------------------- 1 | 2 | Description: AWS Security Hub FSBP Remediations Systems Manager Automation Documents and Prerequisites 3 | AWSTemplateFormatVersion: "2010-09-09" 4 | 5 | # @author Kanishk Mahajan 6 | # 7 | ## License: 8 | ## This code is made available under the MIT-0 license. See the LICENSE file. 
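Outputs:
  AutomationAssumeRoleArn:
    Description: Arn for AutomationAssumeRole
    Value: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}'
    Export: # exported so a downstream stack can import the role by name
      Name: FSBP-AutomationAssumeRoleArn

  SSMInstanceProfileRoleArn:
    Description: Arn for SSMInstanceProfileRole
    Value: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${SSMInstanceProfileRole}'
    Export:
      Name: FSBP-SSMInstanceProfileRoleArn

  KMSKeyArn:
    Description: Arn for KMS CMK
    Value: !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KmsKeyId}"
    Export:
      Name: FSBP-KMSKeyArn

Resources:

  # SSM Automation Role.
  # Every Automation document below runs under this role. It carries
  # AdministratorAccess and is assumable by ssm, events AND ec2, which is far
  # broader than the documents need (they call iam, rds, ec2, autoscaling,
  # guardduty, lambda and kms). Any EC2 instance profile built on this role
  # would be an account administrator. Scope the managed policy and the trust
  # list down before using this outside a lab.
  AutomationAssumeRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub fsbp-automationassumerole-${AWS::Region}
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ssm.amazonaws.com
                - events.amazonaws.com
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"

  # SSM Instance Profile Role: lets EC2 instances register with Systems Manager.
  SSMInstanceProfileRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub fsbp-ssminstanceprofilerole-${AWS::Region}
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"

  # KMS key used by the EC2.3 and RDS.3 documents to encrypt the replacement
  # snapshots/volumes/instances. The key policy delegates everything to the
  # account root, so use of the key is governed by IAM policies (in this
  # template, the automation role's AdministratorAccess).
  KmsKeyId:
    Type: 'AWS::KMS::Key'
    Properties:
      EnableKeyRotation: true
      Enabled: true
      KeyUsage: ENCRYPT_DECRYPT
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: FSBPKMS
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: 'kms:*'
            Resource: '*'

  KmsKeyIdAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/FSBP-CMK
      TargetKeyId:
        Fn::GetAtt:
          - KmsKeyId
          - Arn

  # [IAM.3] IAM users' access keys should be rotated every 90 days or less.
  # Deactivates (does not delete) every access key of `username` that is older
  # than `maxKeyAgeDays` (default 90), so a key can be re-enabled if something
  # still depends on it.
  FSBPIAM3Automation:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Name: FSBPIAM3Automation
      Content:
        schemaVersion: '0.3'
        description: Deactivate IAM access keys of a user that are older than maxKeyAgeDays.
        assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        parameters:
          username:
            type: String
            default: 'fsbpadmin'
          maxKeyAgeDays:
            type: String
            default: '90'
          AutomationAssumeRole:
            type: String
            default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        mainSteps:
          - name: rotateiam90days
            action: 'aws:executeScript'
            inputs:
              Runtime: python3.6
              Handler: rotateiam90days_handler
              Script: |
                def rotateiam90days_handler(events, context):
                    """Deactivate the access keys of events['username'] older than events['maxKeyAgeDays'] days."""
                    import boto3
                    import datetime
                    iam = boto3.client('iam')
                    username = events['username']
                    max_age = datetime.timedelta(days=int(events.get('maxKeyAgeDays', '90')))
                    now = datetime.datetime.now(datetime.timezone.utc)
                    paginator = iam.get_paginator('list_access_keys')
                    for page in paginator.paginate(UserName=username):
                        for key in page['AccessKeyMetadata']:
                            key_id = str(key['AccessKeyId'])
                            if now - key['CreateDate'] <= max_age:
                                print("Access key: " + key_id + " is compliant")
                            elif key['Status'] == 'Inactive':
                                print("Access key: " + key_id + " is over the age limit but already inactive")
                            else:
                                print("Access key over " + str(max_age.days) + " days old found! Deactivating " + key_id)
                                # Deactivate rather than delete: reversible if a workload still needs the key.
                                iam.update_access_key(UserName=username, AccessKeyId=key_id, Status='Inactive')
              InputPayload:
                AutomationAssumeRole: '{{AutomationAssumeRole}}'
                username: '{{username}}'
                maxKeyAgeDays: '{{maxKeyAgeDays}}'

  # [RDS.3] RDS DB instances should have encryption at-rest enabled.
  # Disruptive: the source instance is deleted without a final snapshot once the
  # encrypted replacement is available; the encrypted snapshot copy is retained
  # as the rollback point. Writes made after the snapshot are lost and the
  # instance is unavailable during the cutover.
  # NOTE(review): the RDS waiters can run for tens of minutes; confirm the whole
  # script fits within the aws:executeScript step limit for your instance size.
  FSBPRDS3Automation:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Name: FSBPRDS3Automation
      Content:
        schemaVersion: '0.3'
        description: Replace an unencrypted RDS DB instance with an encrypted copy under the same identifier.
        assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        parameters:
          AutomationAssumeRole:
            type: String
            default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
          dbinstanceId:
            type: String
          kmskeyArn:
            type: String
        mainSteps:
          - name: EncryptRDSDBInstance
            action: 'aws:executeScript'
            inputs:
              Runtime: python3.6
              Handler: script_handler
              Script: |
                def script_handler(events, context):
                    """Replace an unencrypted RDS instance with an encrypted copy that keeps the same identifier.

                    Sequence: snapshot -> encrypted snapshot copy -> restore under a temporary
                    identifier, carrying the source's placement/network settings -> delete the
                    unencrypted snapshot and the source instance -> rename the copy.
                    """
                    import boto3
                    import time
                    client = boto3.client('rds')
                    dbinstanceId = events['dbinstanceId']
                    kmskeyArn = events['kmskeyArn']
                    plain_snapshot = 'fsbp-snapshot-' + dbinstanceId
                    encrypted_snapshot = 'fsbp-snapshot-encrypted-' + dbinstanceId
                    temp_instance = 'fsbp-encrypted-' + dbinstanceId

                    source = client.describe_db_instances(DBInstanceIdentifier=dbinstanceId)['DBInstances'][0]
                    if source.get('StorageEncrypted'):
                        print('DB instance ' + dbinstanceId + ' is already encrypted; nothing to do')
                        return

                    # restore_db_instance_from_db_snapshot falls back to the default subnet
                    # group, default security group, single-AZ and default parameter/option
                    # groups unless told otherwise, so carry the source's settings across.
                    restore_args = {
                        'DBInstanceIdentifier': temp_instance,
                        'DBSnapshotIdentifier': encrypted_snapshot,
                        'DBInstanceClass': source['DBInstanceClass'],
                        'MultiAZ': source['MultiAZ'],
                        'PubliclyAccessible': source['PubliclyAccessible'],
                        'AutoMinorVersionUpgrade': source['AutoMinorVersionUpgrade'],
                        'CopyTagsToSnapshot': source.get('CopyTagsToSnapshot', False),
                        'DeletionProtection': source.get('DeletionProtection', False),
                    }
                    sg_ids = [sg['VpcSecurityGroupId'] for sg in source.get('VpcSecurityGroups', [])]
                    if sg_ids:
                        restore_args['VpcSecurityGroupIds'] = sg_ids
                    if source.get('DBSubnetGroup'):
                        restore_args['DBSubnetGroupName'] = source['DBSubnetGroup']['DBSubnetGroupName']
                    if source.get('DBParameterGroups'):
                        restore_args['DBParameterGroupName'] = source['DBParameterGroups'][0]['DBParameterGroupName']
                    if source.get('OptionGroupMemberships'):
                        restore_args['OptionGroupName'] = source['OptionGroupMemberships'][0]['OptionGroupName']
                    if source.get('Endpoint', {}).get('Port'):
                        restore_args['Port'] = source['Endpoint']['Port']
                    if source.get('StorageType'):
                        restore_args['StorageType'] = source['StorageType']
                    if source.get('Iops'):
                        restore_args['Iops'] = source['Iops']
                    if source.get('TagList'):
                        restore_args['Tags'] = source['TagList']

                    print('1. Snapshot ' + dbinstanceId)
                    client.create_db_snapshot(
                        DBSnapshotIdentifier=plain_snapshot,
                        DBInstanceIdentifier=dbinstanceId
                    )
                    client.get_waiter('db_snapshot_available').wait(
                        DBSnapshotIdentifier=plain_snapshot,
                        DBInstanceIdentifier=dbinstanceId
                    )

                    print('2. Copy the snapshot with encryption under ' + kmskeyArn)
                    client.copy_db_snapshot(
                        SourceDBSnapshotIdentifier=plain_snapshot,
                        TargetDBSnapshotIdentifier=encrypted_snapshot,
                        KmsKeyId=kmskeyArn,
                        CopyTags=True
                    )
                    client.get_waiter('db_snapshot_available').wait(
                        DBSnapshotIdentifier=encrypted_snapshot,
                        DBInstanceIdentifier=dbinstanceId
                    )

                    print('3. Restore the encrypted snapshot as ' + temp_instance)
                    client.restore_db_instance_from_db_snapshot(**restore_args)
                    client.get_waiter('db_instance_available').wait(DBInstanceIdentifier=temp_instance)

                    print('4. Delete the unencrypted snapshot (the encrypted copy is kept for rollback)')
                    client.delete_db_snapshot(DBSnapshotIdentifier=plain_snapshot)
                    client.get_waiter('db_snapshot_deleted').wait(
                        DBSnapshotIdentifier=plain_snapshot,
                        WaiterConfig={'Delay': 5, 'MaxAttempts': 30}
                    )

                    print('5. Delete the unencrypted source instance ' + dbinstanceId)
                    if source.get('DeletionProtection'):
                        # delete_db_instance refuses protected instances; the flag has
                        # already been copied to the replacement.
                        client.modify_db_instance(
                            DBInstanceIdentifier=dbinstanceId,
                            DeletionProtection=False,
                            ApplyImmediately=True
                        )
                    client.delete_db_instance(
                        DBInstanceIdentifier=dbinstanceId,
                        SkipFinalSnapshot=True
                    )
                    client.get_waiter('db_instance_deleted').wait(DBInstanceIdentifier=dbinstanceId)

                    print('6. Rename ' + temp_instance + ' to ' + dbinstanceId)
                    client.modify_db_instance(
                        DBInstanceIdentifier=temp_instance,
                        ApplyImmediately=True,
                        NewDBInstanceIdentifier=dbinstanceId
                    )
                    # The rename is asynchronous; let RDS register the new identifier before polling it.
                    time.sleep(60)
                    client.get_waiter('db_instance_available').wait(DBInstanceIdentifier=dbinstanceId)
              InputPayload:
                AutomationAssumeRole: '{{AutomationAssumeRole}}'
                dbinstanceId: '{{dbinstanceId}}'
                kmskeyArn: '{{kmskeyArn}}'

  # [EC2.3] Attached EBS volumes should be encrypted at-rest.
  # Disruptive: the instance is stopped (or terminated when it belongs to an Auto
  # Scaling group) and the original volume and its unencrypted snapshot are
  # deleted. The encrypted snapshot copy is retained as the rollback point.
  FSBPEC23Automation:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Name: FSBPEC23Automation
      Content:
        schemaVersion: '0.3'
        description: Replace an attached unencrypted EBS volume with an encrypted copy of its data.
        assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        parameters:
          AutomationAssumeRole:
            type: String
            default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
          ebsvolumeId:
            type: String
          sourceregion:
            type: String
          kmskeyArn:
            type: String
        mainSteps:
          - name: EncryptEBSVolume
            action: 'aws:executeScript'
            inputs:
              Runtime: python3.6
              Handler: script_handler
              Script: |
                def script_handler(events, context):
                    """Replace an attached, unencrypted EBS volume with an encrypted copy.

                    Sequence: snapshot -> encrypted snapshot copy -> new encrypted volume
                    built from that copy -> stop the instance, swap the volume at the same
                    device and restart it (or terminate the instance when it belongs to an
                    Auto Scaling group, which then replaces it) -> delete the old volume
                    and the unencrypted snapshot.
                    """
                    import boto3
                    client = boto3.client('ec2')
                    ebsvolumeId = events['ebsvolumeId']
                    kmskeyArn = events['kmskeyArn']
                    sourceregion = events['sourceregion']

                    print('0. Describe Volume')
                    volume = client.describe_volumes(VolumeIds=[ebsvolumeId])['Volumes'][0]
                    if volume.get('Encrypted'):
                        print('Volume ' + ebsvolumeId + ' is already encrypted; nothing to do')
                        return
                    if not volume.get('Attachments'):
                        raise Exception('Volume ' + ebsvolumeId + ' is not attached to an instance')
                    attachment = volume['Attachments'][0]
                    instanceid = attachment['InstanceId']
                    device = attachment['Device']
                    delete_on_termination = attachment.get('DeleteOnTermination', False)
                    size = volume['Size']
                    availabilityzone = volume['AvailabilityZone']

                    print('1. Snapshot the unencrypted volume')
                    snapshotid = client.create_snapshot(
                        Description='New FSBP snapshot',
                        VolumeId=ebsvolumeId
                    )['SnapshotId']
                    client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshotid])

                    print('2. Copy and Encrypt. Creating encrypted snapshot from unencrypted copy')
                    snapshotencryptedId = client.copy_snapshot(
                        Description='New FSBP Encrypted snapshot.',
                        DestinationRegion=sourceregion,
                        SourceRegion=sourceregion,
                        SourceSnapshotId=snapshotid,
                        KmsKeyId=kmskeyArn,
                        Encrypted=True
                    )['SnapshotId']
                    client.get_waiter('snapshot_completed').wait(SnapshotIds=[snapshotencryptedId])

                    print('3. Create volume from encrypted snapshot')
                    # SnapshotId is what carries the data across; without it the new
                    # volume would be empty. Keep the original volume type (and IOPS for
                    # provisioned-IOPS types) and the user tags.
                    create_args = {
                        'AvailabilityZone': availabilityzone,
                        'Size': size,
                        'SnapshotId': snapshotencryptedId,
                        'VolumeType': volume['VolumeType'],
                        'KmsKeyId': kmskeyArn,
                        'Encrypted': True,
                    }
                    if volume['VolumeType'] in ('io1', 'io2') and volume.get('Iops'):
                        create_args['Iops'] = volume['Iops']
                    user_tags = [t for t in volume.get('Tags', []) if not t['Key'].startswith('aws:')]
                    if user_tags:
                        create_args['TagSpecifications'] = [{'ResourceType': 'volume', 'Tags': user_tags}]
                    encryptedVolumeId = client.create_volume(**create_args)['VolumeId']
                    client.get_waiter('volume_available').wait(VolumeIds=[encryptedVolumeId])

                    print('4. Stop original instance, or terminate it if it belongs to an Auto Scaling group')
                    asgclient = boto3.client('autoscaling')
                    in_asg = bool(asgclient.describe_auto_scaling_instances(
                        InstanceIds=[instanceid]
                    )['AutoScalingInstances'])
                    if in_asg:
                        # The group replaces the instance from its launch configuration;
                        # the data survives in the encrypted volume and snapshot above.
                        client.terminate_instances(InstanceIds=[instanceid])
                        client.get_waiter('instance_terminated').wait(InstanceIds=[instanceid])
                        print('Instance ' + instanceid + ' terminated; encrypted volume ' + encryptedVolumeId + ' left unattached')
                    else:
                        instance = client.describe_instances(InstanceIds=[instanceid])['Reservations'][0]['Instances'][0]
                        was_running = instance['State']['Name'] == 'running'
                        client.stop_instances(InstanceIds=[instanceid])
                        client.get_waiter('instance_stopped').wait(InstanceIds=[instanceid])

                        print('5. Detach original volume and attach the encrypted one at ' + device)
                        client.detach_volume(VolumeId=ebsvolumeId)
                        client.get_waiter('volume_available').wait(VolumeIds=[ebsvolumeId])
                        client.attach_volume(Device=device, InstanceId=instanceid, VolumeId=encryptedVolumeId)
                        client.get_waiter('volume_in_use').wait(VolumeIds=[encryptedVolumeId])
                        # Preserve the DeleteOnTermination setting of the original attachment.
                        client.modify_instance_attribute(
                            InstanceId=instanceid,
                            BlockDeviceMappings=[{
                                'DeviceName': device,
                                'Ebs': {'VolumeId': encryptedVolumeId, 'DeleteOnTermination': delete_on_termination}
                            }]
                        )
                        if was_running:
                            client.start_instances(InstanceIds=[instanceid])

                    print('6. Delete original volume')
                    # A terminated instance may already have removed the volume
                    # (DeleteOnTermination), so only delete it if it still exists.
                    remaining = client.describe_volumes(
                        Filters=[{'Name': 'volume-id', 'Values': [ebsvolumeId]}]
                    )['Volumes']
                    if remaining:
                        client.get_waiter('volume_available').wait(VolumeIds=[ebsvolumeId])
                        client.delete_volume(VolumeId=ebsvolumeId)
                        client.get_waiter('volume_deleted').wait(VolumeIds=[ebsvolumeId])

                    print('7. Delete original snapshot')
                    client.delete_snapshot(SnapshotId=snapshotid)
              InputPayload:
                AutomationAssumeRole: '{{AutomationAssumeRole}}'
                ebsvolumeId: '{{ebsvolumeId}}'
                sourceregion: '{{sourceregion}}'
                kmskeyArn: '{{kmskeyArn}}'

  # [GuardDuty.1] GuardDuty should be enabled.
  # Creates a detector, or re-enables the existing one (create_detector fails
  # when a detector already exists but is disabled).
  FSBPGuardDuty1Automation:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Name: FSBPGuardDuty1Automation
      Content:
        schemaVersion: '0.3'
        description: Enable GuardDuty in the current region with the given finding publishing frequency.
        assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        parameters:
          AutomationAssumeRole:
            type: String
            default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
          findingpublishingfrequency:
            type: String
        mainSteps:
          - name: EnableGuardDuty
            action: 'aws:executeScript'
            inputs:
              Runtime: python3.7
              Handler: script_handler
              Script: |
                def script_handler(events, context):
                    """Enable GuardDuty: create a detector, or re-enable the existing one."""
                    import boto3
                    client = boto3.client('guardduty')
                    findingpublishingfrequency = events['findingpublishingfrequency']
                    detectors = client.list_detectors()['DetectorIds']
                    if detectors:
                        print('Re-enabling existing detector ' + detectors[0])
                        client.update_detector(
                            DetectorId=detectors[0],
                            Enable=True,
                            FindingPublishingFrequency=findingpublishingfrequency
                        )
                    else:
                        client.create_detector(
                            Enable=True,
                            FindingPublishingFrequency=findingpublishingfrequency
                        )
              InputPayload:
                AutomationAssumeRole: '{{AutomationAssumeRole}}'
                # Key must match what the script reads from events[].
                findingpublishingfrequency: '{{findingpublishingfrequency}}'

  # [Lambda.2] Lambda functions should use latest runtimes.
  # accountID is accepted for parity with the other documents; the script does not use it.
  FSBPLambda2Automation:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Name: FSBPLambda2Automation
      Content:
        schemaVersion: '0.3'
        description: Move a Lambda function to the newest runtime of its language family.
        assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        parameters:
          AutomationAssumeRole:
            type: String
            default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
          accountID:
            type: String
          functionname:
            type: String
        mainSteps:
          - name: LatestRuntime
            action: 'aws:executeScript'
            inputs:
              Runtime: python3.7
              Handler: script_handler
              Script: |
                def script_handler(events, context):
                    """Update the function's runtime to the target for its language family."""
                    import boto3
                    # Target runtime per language family (substring match on the current
                    # runtime name). Lambda retires runtimes regularly; keep this table
                    # current with the Lambda runtimes documentation.
                    latest = [
                        ('python', 'python3.8'),
                        ('node', 'nodejs12.x'),
                        ('java', 'java11'),
                        ('dotnet', 'dotnetcore3.1'),
                        ('ruby', 'ruby2.7'),
                        ('go', 'go1.x'),
                    ]
                    client = boto3.client('lambda')
                    functionname = events['functionname']
                    config = client.get_function_configuration(FunctionName=functionname)
                    current = config.get('Runtime')
                    if not current:
                        # Container-image functions carry no managed runtime.
                        print('Function ' + functionname + ' has no managed runtime; nothing to do')
                        return
                    target = current
                    for family, runtime in latest:
                        if family in current:
                            target = runtime
                            break
                    if target == current:
                        print('Function ' + functionname + ' already uses ' + current)
                        return
                    print('Updating ' + functionname + ' from ' + current + ' to ' + target)
                    client.update_function_configuration(
                        FunctionName=functionname,
                        Runtime=target
                    )
              InputPayload:
                AutomationAssumeRole: '{{AutomationAssumeRole}}'
                functionname: '{{functionname}}'

  # [Lambda.1] Lambda functions should prohibit public access by other accounts.
  # Rewrites the function's resource-based policy: service-principal grants are
  # re-created scoped to accountID, account principals are kept, and grants to
  # everyone ('*') are removed and not re-added.
  FSBPLambda1Automation:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Name: FSBPLambda1Automation
      Content:
        schemaVersion: '0.3'
        description: Remove public grants from a Lambda resource policy and scope the rest to the owning account.
        assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        parameters:
          AutomationAssumeRole:
            type: String
            default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
          accountID:
            type: String
          functionname:
            type: String
        mainSteps:
          - name: RestrictLambda
            action: 'aws:executeScript'
            inputs:
              Runtime: python3.6
              Handler: script_handler
              Script: |
                def script_handler(events, context):
                    """Scope the function's resource-based policy to events['accountID'].

                    Every statement is removed and, unless its principal is '*', re-created:
                    service principals get SourceAccount=accountID (keeping any SourceArn and
                    PrincipalOrgID condition), account principals are re-added unchanged.
                    """
                    import boto3
                    import json
                    client = boto3.client('lambda')
                    functionname = events['functionname']
                    accountID = events['accountID']
                    try:
                        policy_json = json.loads(client.get_policy(FunctionName=functionname)['Policy'])
                    except client.exceptions.ResourceNotFoundException:
                        print('Function ' + functionname + ' has no resource policy; nothing to do')
                        return

                    for statement in policy_json['Statement']:
                        StatementId = statement['Sid']
                        Action = statement['Action']
                        # Lambda policies are built by AddPermission, so each statement has one
                        # principal: {'Service': 'x.amazonaws.com'}, {'AWS': 'arn:...:root'} or '*'.
                        principal = statement['Principal']
                        principal_type = None
                        if isinstance(principal, dict):
                            principal_type, principal = next(iter(principal.items()))
                        if principal_type == 'AWS' and principal.endswith(':root'):
                            # arn:partition:iam::ACCOUNT:root -> ACCOUNT
                            principal = principal.split(':')[4]
                        condition = statement.get('Condition', {})
                        source_arn = condition.get('ArnLike', {}).get('AWS:SourceArn')
                        org_id = condition.get('StringEquals', {}).get('aws:PrincipalOrgID')

                        client.remove_permission(
                            FunctionName=functionname,
                            StatementId=StatementId
                        )

                        if principal == '*':
                            # This is the public grant the control flags; do not recreate it.
                            # A legitimately conditioned '*' grant must be re-added by hand
                            # with an explicit principal.
                            print('Removed public statement ' + StatementId + ' from ' + functionname)
                            continue

                        add_args = {
                            'FunctionName': functionname,
                            'StatementId': 'New' + StatementId,
                            'Action': Action,
                            'Principal': principal,
                        }
                        if principal_type == 'Service':
                            # Pin service invocations to this account and keep the
                            # resource-level restriction when the statement had one.
                            add_args['SourceAccount'] = accountID
                            if source_arn:
                                add_args['SourceArn'] = source_arn
                        if org_id:
                            add_args['PrincipalOrgID'] = org_id
                        client.add_permission(**add_args)
              InputPayload:
                AutomationAssumeRole: '{{AutomationAssumeRole}}'
                accountID: '{{accountID}}'
                functionname: '{{functionname}}'
--------------------------------------------------------------------------------
/aws-remediate-fsbp-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-remediate-fsbp-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-remediate-pci-securityhub/README.md:
--------------------------------------------------------------------------------
1 |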


# Automated Remediations for PCI DSS 3.2.1 using AWS Security Hub

AWS provides an Operational Best Practices for PCI DSS 3.2.1 that provides a sample mapping between the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 and AWS Security Hub checks.

The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS-native implementation of automated remediations for the PCI policy violations detected by AWS Security Hub.


## How it Works

This implementation is based on the following solution approach:

1. Leverages AWS Security Hub directly to provide continuous detection of PCI findings.
2. Provides AWS Systems Manager Automation Documents for automated remediation of AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template.
3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real-time remediation of AWS Security Hub PCI findings, as follows:
   * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as "Security Hub Findings - Custom Action" events.
   * The CloudWatch Events rule invokes the corresponding Lambda function as the target for the source Security Hub Custom Action event.
   * The Lambda function processes the finding using the standard findings format provided by Security Hub, the AWS Security Finding Format (ASFF), and invokes the corresponding AWS Systems Manager Automation Document with input taken from the ASFF finding.


## Solution Design

![](images/arch-diagram.png)

## How To Install

1. **Template 1 of 2:** aws-security-hub-pci-remediations-template1.yml
   * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Security Hub Action.
   * Provisions with fully built-in prerequisites. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approximately 3-4 minutes.

2. **Template 2 of 2:** aws-security-hub-pci-remediations-template2.yml
   * Provisions AWS CloudWatch Events and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approximately 3-4 minutes.
   * Leverages the output from the previous template, specifically the AWS Systems Manager Automation documents.

## COVERAGE

The solution provides remediations for the following AWS Security Hub PCI checks:
* [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks
* [PCI.CloudTrail.1] CloudTrail logs should be encrypted at rest using AWS KMS CMK
* [PCI.CloudTrail.2] CloudTrail should be enabled
* [PCI.CloudTrail.3] CloudTrail log file validation should be enabled
* [PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs
* [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
* [PCI.CW.1] A log metric filter and alarm should exist for usage of the "root" user
* [PCI.Config.1] AWS Config should be enabled
* [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable
* [PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic
* [PCI.EC2.3] Unused EC2 security groups should be removed
* [PCI.EC2.4] Unused EC2 EIPs should be removed
* [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22
* [PCI.EC2.6] Ensure VPC flow logging is enabled in all VPCs
* [PCI.IAM.1] IAM root user access key should not exist
* [PCI.IAM.2] IAM users should not have IAM policies attached
* [PCI.IAM.3] IAM policies should not allow full * administrative privileges
* [PCI.KMS.1] Customer master key (CMK)
rotation should be enabled 58 | * [PCI.Lambda.1] Lambda functions should prohibit public access 59 | * [PCI.Lambda.2] Lambda functions should be in a VPC 60 | * [PCI.RDS.1] RDS snapshots should prohibit public access 61 | * [PCI.RDS.2] RDS DB Instances should prohibit public access 62 | * [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access 63 | * [PCI.S3.1] S3 buckets should prohibit public write access 64 | * [PCI.S3.2] S3 buckets should prohibit public read access 65 | * [PCI.S3.3] S3 buckets should have cross-region replication enabled 66 | * [PCI.S3.4] S3 buckets should have server-side encryption enabled 67 | * [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation 68 | 69 | 70 | ## @kmmahaj 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /aws-remediate-pci-securityhub/cft/aws-securevpcsetup.template: -------------------------------------------------------------------------------- 1 | # --------------------------------------------------------------------------------------------------------------- 2 | # CloudFormation Template 1 of 1 - 3 | # Provisions a multiple VPC environment to provide an AWS environment with built-in security groups and networking 4 | # 5 | # @author Kanishk Mahajan 6 | # ---------------------------------------------------------------------------------------------------------------- 7 | 8 | 9 | { 10 | "Resources" : { 11 | "vpc1" : { 12 | "Type" : "AWS::EC2::VPC", 13 | "Properties" : { 14 | "CidrBlock" : "10.33.64.0/18", 15 | "EnableDnsSupport" : true, 16 | "EnableDnsHostnames" : true, 17 | "InstanceTenancy" : "default", 18 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1"} ] 19 | } 20 | }, 21 | "vpc1snA1" : { 22 | "Type" : "AWS::EC2::Subnet", 23 | "Properties" : { 24 | "VpcId" : {"Ref" : "vpc1"}, 25 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A1"} ], 26 | "AvailabilityZone" : { 27 | 
"Fn::Select" : [ 28 | "0", 29 | { 30 | "Fn::GetAZs" : "" 31 | } 32 | ] 33 | }, 34 | "CidrBlock" : "10.33.64.0/20" 35 | } 36 | }, 37 | "vpc1snA2" : { 38 | "Type" : "AWS::EC2::Subnet", 39 | "Properties" : { 40 | "VpcId" : {"Ref" : "vpc1"}, 41 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A2"} ], 42 | "AvailabilityZone" : { 43 | "Fn::Select" : [ 44 | "0", 45 | { 46 | "Fn::GetAZs" : "" 47 | } 48 | ] 49 | }, 50 | "CidrBlock" : "10.33.80.0/20" 51 | } 52 | }, 53 | "vpc1snA3" : { 54 | "Type" : "AWS::EC2::Subnet", 55 | "Properties" : { 56 | "VpcId" : {"Ref" : "vpc1"}, 57 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A3"} ], 58 | "AvailabilityZone" : { 59 | "Fn::Select" : [ 60 | "1", 61 | { 62 | "Fn::GetAZs" : "" 63 | } 64 | ] 65 | }, 66 | "CidrBlock" : "10.33.96.0/20" 67 | } 68 | }, 69 | "vpc1snA4" : { 70 | "Type" : "AWS::EC2::Subnet", 71 | "Properties" : { 72 | "VpcId" : {"Ref" : "vpc1"}, 73 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A4"} ], 74 | "AvailabilityZone" : { 75 | "Fn::Select" : [ 76 | "1", 77 | { 78 | "Fn::GetAZs" : "" 79 | } 80 | ] 81 | }, 82 | "CidrBlock" : "10.33.112.0/20" 83 | } 84 | }, 85 | "igwvpc1" : { 86 | "Type" : "AWS::EC2::InternetGateway", 87 | "DependsOn" : "vpc1", 88 | "Properties" : { 89 | "Tags" : [ {"Key" : "Name", "Value" : "IGW-VPC1"} ] 90 | } 91 | }, 92 | "igwvpc1attachment" : { 93 | "DependsOn" : "igwvpc1", 94 | "Type" : "AWS::EC2::VPCGatewayAttachment", 95 | "Properties" : { 96 | "InternetGatewayId" : {"Ref" : "igwvpc1"}, 97 | "VpcId" : {"Ref" : "vpc1"} 98 | } 99 | }, 100 | "rtpublic" : { 101 | "Type" : "AWS::EC2::RouteTable", 102 | "Properties" : { 103 | "VpcId" : {"Ref" : "vpc1"}, 104 | "Tags" : [ {"Key" : "Name", "Value" : "RT-Public"} ] 105 | } 106 | }, 107 | "rtpublicdefault" : { 108 | "Type" : "AWS::EC2::Route", 109 | "DependsOn" : "igwvpc1attachment", 110 | "Properties" : { 111 | "RouteTableId" : { "Ref" : "rtpublic" }, 112 | "DestinationCidrBlock" : "0.0.0.0/0", 113 | "GatewayId" : { "Ref" : "igwvpc1" } 114 | } 115 | }, 
116 | "rtpublicpubA" : { 117 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 118 | "Properties" : { 119 | "RouteTableId" : {"Ref" : "rtpublic" }, 120 | "SubnetId" : {"Ref" : "vpc1snA1" } 121 | } 122 | }, 123 | "sgbastion" : { 124 | "Type" : "AWS::EC2::SecurityGroup", 125 | "Properties" : { 126 | "GroupName" : "SG-BASTION", 127 | "GroupDescription" : "SG-BASTION", 128 | "SecurityGroupIngress" : [{ 129 | "IpProtocol" : "tcp", 130 | "FromPort" : 22, 131 | "ToPort" : 22, 132 | "CidrIp" : "0.0.0.0/0" 133 | }], 134 | "Tags" : [ {"Key" : "Name", "Value" : "SG-BASTION"} ], 135 | "VpcId" : {"Ref" : "vpc1"} 136 | } 137 | }, 138 | "sginternal" : { 139 | "Type" : "AWS::EC2::SecurityGroup", 140 | "Properties" : { 141 | "GroupName" : "SG-INTERNAL", 142 | "GroupDescription" : "SG-INTERNAL", 143 | "SecurityGroupIngress" : [{ 144 | "IpProtocol" : "tcp", 145 | "FromPort" : 22, 146 | "ToPort" : 22, 147 | "SourceSecurityGroupId" : {"Ref" : "sgbastion"} 148 | }], 149 | "Tags" : [ {"Key" : "Name", "Value" : "SG-INTERNAL"} ], 150 | "VpcId" : {"Ref" : "vpc1"} 151 | } 152 | }, 153 | "sginternalselfref" : { 154 | "Type": "AWS::EC2::SecurityGroupIngress", 155 | "Properties": { 156 | "GroupId": { 157 | "Ref": "sginternal" 158 | }, 159 | "IpProtocol": -1, 160 | "FromPort": -1, 161 | "ToPort": -1, 162 | "SourceSecurityGroupId": { 163 | "Ref": "sginternal" 164 | } 165 | } 166 | }, 167 | "rtprivatea" : { 168 | "Type" : "AWS::EC2::RouteTable", 169 | "Properties" : { 170 | "VpcId" : {"Ref" : "vpc1"}, 171 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateA"} ] 172 | } 173 | }, 174 | "rtprivateb" : { 175 | "Type" : "AWS::EC2::RouteTable", 176 | "Properties" : { 177 | "VpcId" : {"Ref" : "vpc1"}, 178 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateB"} ] 179 | } 180 | }, 181 | "rtprivatec" : { 182 | "Type" : "AWS::EC2::RouteTable", 183 | "Properties" : { 184 | "VpcId" : {"Ref" : "vpc1"}, 185 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateC"} ] 186 | } 187 | }, 188 | "rtprivatea3" : { 189 | 
"Type" : "AWS::EC2::SubnetRouteTableAssociation", 190 | "Properties" : { 191 | "RouteTableId" : {"Ref" : "rtprivatea" }, 192 | "SubnetId" : {"Ref" : "vpc1snA3" } 193 | } 194 | }, 195 | "rtprivatea4" : { 196 | "Type" : "AWS::EC2::SubnetRouteTableAssociation", 197 | "Properties" : { 198 | "RouteTableId" : {"Ref" : "rtprivatea" }, 199 | "SubnetId" : {"Ref" : "vpc1snA4" } 200 | } 201 | } 202 | }, 203 | "Outputs" : { 204 | "vpc1id" : { 205 | "Description" : "ID of VPC 1", 206 | "Value" : {"Ref" : "vpc1"}, 207 | "Export" : { 208 | "Name" : "vpc1id" 209 | } 210 | }, 211 | "vpc1sn1cidr" : { 212 | "Description" : "CIDR of VPC 1 Subnet A1", 213 | "Value" : "10.33.64.0/20", 214 | "Export" : { 215 | "Name" : "vpc1sn1cidr" 216 | } 217 | }, 218 | "subnetvpc1A1" : { 219 | "Description" : "ID of Subnet A1 in VPC 1", 220 | "Value" : {"Ref" : "vpc1snA1"}, 221 | "Export" : { 222 | "Name" : "subnetvpc1A1" 223 | } 224 | }, 225 | "subnetvpc1A2" : { 226 | "Description" : "ID of Subnet A2 in VPC 1", 227 | "Value" : {"Ref" : "vpc1snA2"}, 228 | "Export" : { 229 | "Name" : "subnetvpc1A2" 230 | } 231 | }, 232 | "subnetvpc1A3" : { 233 | "Description" : "ID of Subnet A3 in VPC 1", 234 | "Value" : {"Ref" : "vpc1snA3"}, 235 | "Export" : { 236 | "Name" : "subnetvpc1A3" 237 | } 238 | }, 239 | "securitygroupid" : { 240 | "Description" : "ID of Public Bastion SG", 241 | "Value" : {"Ref" : "sgbastion"}, 242 | "Export" : { 243 | "Name" : "securitygroupid" 244 | } 245 | }, 246 | "subnetvpc1A4" : { 247 | "Description" : "ID of Subnet A4 in VPC 1", 248 | "Value" : {"Ref" : "vpc1snA4"}, 249 | "Export" : { 250 | "Name" : "subnetvpc1A4" 251 | } 252 | }, 253 | "routetablesubnetvpc1" : { 254 | "Description" : "ID of RouteTable for VPC 1 A1 Subnet", 255 | "Value" : {"Ref" : "rtpublic"}, 256 | "Export" : { 257 | "Name" : "routetablesubnetvpc1" 258 | } 259 | } 260 | } 261 | 262 | } -------------------------------------------------------------------------------- 
/aws-remediate-pci-securityhub/images/arch-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-remediate-pci-securityhub/images/arch-diagram.png --------------------------------------------------------------------------------