├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── aws-auditmanager-securityhub
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── cft
│ ├── aws-auditmanager-customassessment.yml
│ └── aws-auditmanager-securityhub.yml
├── images
│ └── arch-diagram.png
├── lab
│ ├── images
│ │ ├── 1.png
│ │ ├── 10.PNG
│ │ ├── 11.PNG
│ │ ├── 12.PNG
│ │ ├── 14.PNG
│ │ ├── 15.PNG
│ │ ├── 16.PNG
│ │ ├── 17.PNG
│ │ ├── 18.PNG
│ │ ├── 19.PNG
│ │ ├── 2.PNG
│ │ ├── 20.PNG
│ │ ├── 21.PNG
│ │ ├── 22.PNG
│ │ ├── 23.PNG
│ │ ├── 24.PNG
│ │ ├── 25.PNG
│ │ ├── 26.PNG
│ │ ├── 27.PNG
│ │ ├── 28.PNG
│ │ ├── 29.PNG
│ │ ├── 3.PNG
│ │ ├── 30.PNG
│ │ ├── 31.PNG
│ │ ├── 4.PNG
│ │ ├── 5.PNG
│ │ ├── 6.PNG
│ │ ├── 7.PNG
│ │ ├── 8.PNG
│ │ ├── 9.PNG
│ │ ├── cft
│ │ │ ├── 1.PNG
│ │ │ ├── 10.PNG
│ │ │ ├── 11.PNG
│ │ │ ├── 12.PNG
│ │ │ ├── 13.PNG
│ │ │ ├── 14.PNG
│ │ │ ├── 15.PNG
│ │ │ ├── 16.PNG
│ │ │ ├── 17.PNG
│ │ │ ├── 18.PNG
│ │ │ ├── 19.PNG
│ │ │ ├── 2.PNG
│ │ │ ├── 3-not.PNG
│ │ │ ├── 3.PNG
│ │ │ ├── 4.PNG
│ │ │ ├── 5.PNG
│ │ │ ├── 6.PNG
│ │ │ ├── 7.PNG
│ │ │ ├── 8.PNG
│ │ │ ├── 9.PNG
│ │ │ ├── Customassessment on notepad.PNG
│ │ │ ├── SecurityHubImages.PNG
│ │ │ ├── arch-diagram.png
│ │ │ ├── confpack-5.PNG
│ │ │ ├── confpack-6.PNG
│ │ │ ├── confpack-7.PNG
│ │ │ ├── confpack-8.PNG
│ │ │ ├── confpack-9.PNG
│ │ │ ├── customcontrol-2.png
│ │ │ ├── customcontrol-4.png
│ │ │ ├── onnotepad.PNG
│ │ │ └── part2github.PNG
│ │ ├── customcontrol-1.png
│ │ ├── customcontrol-2.png
│ │ ├── customcontrol-3.png
│ │ ├── customcontrol-4.png
│ │ ├── manual-1.PNG
│ │ ├── manual-10.PNG
│ │ ├── manual-11.PNG
│ │ ├── manual-12.PNG
│ │ ├── manual-13.PNG
│ │ ├── manual-14.PNG
│ │ ├── manual-15.PNG
│ │ ├── manual-16.PNG
│ │ ├── manual-17.png
│ │ ├── manual-18.png
│ │ ├── manual-19.png
│ │ ├── manual-2.PNG
│ │ ├── manual-20.png
│ │ ├── manual-21.PNG
│ │ ├── manual-22.png
│ │ ├── manual-23.PNG
│ │ ├── manual-24.PNG
│ │ ├── manual-25.PNG
│ │ ├── manual-3.PNG
│ │ ├── manual-4.png
│ │ ├── manual-5.PNG
│ │ ├── manual-6.PNG
│ │ ├── manual-7.PNG
│ │ ├── manual-8.PNG
│ │ └── manual-9.PNG
│ └── index.md
├── lambda
│ ├── CustomAuditManagerFramework_Lambda.py
│ ├── CustomAuditManagerFramework_Lambda.zip
│ └── auditmanagerlayer.zip
└── layer
│ └── auditmanagerlayer.zip
├── aws-backupauditmanager-securityhub
├── LICENSE
├── README.md
├── cft
│ └── aws-backupauditmanager-securityhub.yaml
└── images
│ ├── arch-diagram.png
│ └── backupauditmanager-securityhub.png
├── aws-cis-contributorinsights
└── cft
│ └── CIS-ContributorInsights.yaml
├── aws-ecr-continuouscompliance
├── LICENSE
├── README.md
├── cft
│ └── aws-ecr-continuouscompliance-v1.yaml
└── images
│ └── arch-diagram.png
├── aws-guardduty-detect-securityhubremediate
├── README.md
├── cft
│ ├── aws-guarddutydetect-securityhubremediate-v1.yml
│ ├── aws-guarddutydetect-securityhubremediate.yml
│ ├── threatlist.txt
│ └── vpc-setup-v1.json
└── images
│ └── arch-diagram.png
├── aws-remediate-cis-securityhub
├── README.md
├── cft
│ ├── aws-cis-cloudwatchlogmetricfilters.yml
│ ├── aws-cis-securityhubactions.yml
│ └── aws-cis-systemsmanagerautomations.yml
└── images
│ └── arch-diagram.png
├── aws-remediate-fsbp-securityhub
├── README.md
├── cft
│ ├── aws-security-hub-fsbp-remediations-template1.yml
│ └── aws-security-hub-fsbp-remediations-template2.yml
└── images
│ └── arch-diagram.png
└── aws-remediate-pci-securityhub
├── README.md
├── cft
├── aws-securevpcsetup.template
├── aws-security-hub-pci-remediations-template1.yml
└── aws-security-hub-pci-remediations-template2.yml
└── images
└── arch-diagram.png
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing Guidelines
2 |
3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
4 | documentation, we greatly value feedback and contributions from our community.
5 |
6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
7 | information to effectively respond to your bug report or contribution.
8 |
9 |
10 | ## Reporting Bugs/Feature Requests
11 |
12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features.
13 |
14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
16 |
17 | * A reproducible test case or series of steps
18 | * The version of our code being used
19 | * Any modifications you've made relevant to the bug
20 | * Anything unusual about your environment or deployment
21 |
22 |
23 | ## Contributing via Pull Requests
24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
25 |
26 | 1. You are working against the latest source on the *main* branch.
27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
29 |
30 | To send us a pull request, please:
31 |
32 | 1. Fork the repository.
33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
34 | 3. Ensure local tests pass.
35 | 4. Commit to your fork using clear commit messages.
36 | 5. Send us a pull request, answering any default questions in the pull request interface.
37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
38 |
39 | GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
41 |
42 |
43 | ## Finding contributions to work on
44 | Looking at the existing issues is a great way to find something to contribute to. Because our projects use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
45 |
46 |
47 | ## Code of Conduct
48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
50 | opensource-codeofconduct@amazon.com with any additional questions or comments.
51 |
52 |
53 | ## Security issue notifications
54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
55 |
56 |
57 | ## Licensing
58 |
59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
60 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal in
5 | the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
7 | the Software, and to permit persons to whom the Software is furnished to do so.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 |
16 |
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 |
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing Guidelines
2 |
3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
4 | documentation, we greatly value feedback and contributions from our community.
5 |
6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
7 | information to effectively respond to your bug report or contribution.
8 |
9 |
10 | ## Reporting Bugs/Feature Requests
11 |
12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features.
13 |
14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
16 |
17 | * A reproducible test case or series of steps
18 | * The version of our code being used
19 | * Any modifications you've made relevant to the bug
20 | * Anything unusual about your environment or deployment
21 |
22 |
23 | ## Contributing via Pull Requests
24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
25 |
26 | 1. You are working against the latest source on the *main* branch.
27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
29 |
30 | To send us a pull request, please:
31 |
32 | 1. Fork the repository.
33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
34 | 3. Ensure local tests pass.
35 | 4. Commit to your fork using clear commit messages.
36 | 5. Send us a pull request, answering any default questions in the pull request interface.
37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
38 |
39 | GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
41 |
42 |
43 | ## Finding contributions to work on
44 | Looking at the existing issues is a great way to find something to contribute to. Because our projects use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
45 |
46 |
47 | ## Code of Conduct
48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
50 | opensource-codeofconduct@amazon.com with any additional questions or comments.
51 |
52 |
53 | ## Security issue notifications
54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
55 |
56 |
57 | ## Licensing
58 |
59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
60 |
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal in
5 | the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
7 | the Software, and to permit persons to whom the Software is furnished to do so.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 |
16 |
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | # Automate audit preparation in AWS and integrate across the Three Lines Model - Build a custom integration of AWS Audit Manager with AWS Security Hub
5 |
6 | Creates a custom AWS Audit Manager framework that is comprised of custom AWS Audit Manager control sets. The custom Audit Manager control set contains custom AWS Audit Manager controls related to AWS Security Hub findings that span the AWS Security Hub FSBP, CIS and PCI compliance checks. So, instead of the control set being specific to an individual AWS Security Hub compliance check (FSBP, CIS or PCI), the control set spans Security Hub compliance checks and is specific to a security-related domain – for example, Identity Management or Network Monitoring.
7 |
8 |
9 | ## Solution Design
10 |
11 | 
12 |
13 | ## How To Install
14 |
15 | **Prerequisites**
16 |
17 | 1. Ensure that AWS Security Hub is enabled in your account.
18 |
19 | 2. Follow the steps to set up AWS Audit Manager.
20 |
21 | 3. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-AccountId-Region, where AccountId is your AWS Account ID and Region is the AWS Region where you have deployed this template. In this bucket, create a folder named CustomAuditManagerFramework_Lambda and upload the CustomAuditManagerFramework_Lambda.zip file (it's in the lambda folder) there. Keep this bucket private: the Lambda code is loaded from it and the assessment reports are written to it.
22 |
23 | 4. Audit Manager works with the Boto3 1.7 libraries. AWS Lambda doesn't ship with Boto3 1.7 by default, so this implementation provides that version of Boto3 as a Lambda Layer. Upload the auditmanagerlayer.zip (it's in the layer folder) to the root folder of the S3 bucket created in step 3.
24 |
25 | 5. If you have already configured an assessment reports destination in your Audit Manager settings, you can skip this step. Otherwise, create a folder (e.g. `evidences`) in the S3 bucket from step 3. Your assessment reports destination will be its S3 URI, e.g. s3://s3-customauditmanagerframework-AccountId-Region/evidences/. AWS Audit Manager will save your assessment reports to this bucket.
26 |
27 | 6. Create an IAM user with Audit owner permissions (see [Audit Manager identity-based policies](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)). Its ARN is passed to the second template and becomes the PROCESS_OWNER of the assessment.
28 |
29 |
30 | **Setup**
31 |
32 | The solution automates the initial setup and deployment in two steps:
33 |
34 | 1. Launch the **aws-auditmanager-securityhub.yml** template. For parameters: provide the name of the S3 bucket and folder (from step 3 in the prerequisites) that contain the source CustomAuditManagerFramework_Lambda.zip.
35 |
36 | 2. Launch the **aws-auditmanager-customassessment.yml** template. For parameters: 1) provide the S3 URI (from step 5 in the prerequisites) that is the assessment destination, and 2) provide the ARN of the Audit owner IAM user from step 6 in the prerequisites.
37 |
38 | **Cleanup**
39 |
40 | 1. Delete the CloudFormation stacks in this sequence: 1) aws-auditmanager-customassessment.yml and then 2) aws-auditmanager-securityhub.yml
41 | 2. Delete the custom framework as well as the custom controls created in Audit Manager (you can do this from the console)
42 | 3. Delete the Audit Manager framework ID (the CustomSecurityHubFrameworkID parameter) from the SSM Parameter Store
43 |
44 |
45 |
46 |
47 |
48 |
49 |
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/cft/aws-auditmanager-customassessment.yml:
--------------------------------------------------------------------------------
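# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

# Provisions a custom AWS Audit Manager assessment based on Security Hub checks.
# Pre-req: the Lambda-backed custom resource in aws-auditmanager-securityhub.yml must already
# have created the custom control set and custom framework and stored the framework ID in the
# SSM parameter CustomSecurityHubFrameworkID (resolved below).

# kmmahaj

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create custom Audit Manager assessments. You will be
  billed for the AWS resources used if you create a stack from this template.
Parameters:

  AssessmentDestination:
    Description: S3 Bucket and folder that stores the Custom Audit Manager Assessment Destination
    Type: String
    Default: 's3://s3-customauditmanagerframework--/evidences/'
    MinLength: '1'
    MaxLength: '255'

  AuditOwnerArn:
    # Deliberately no Default. The previous default named a user in one specific AWS account,
    # so a stack launched without overriding it would have assigned PROCESS_OWNER on the
    # assessment to an identity outside the deploying account. The caller must supply the ARN,
    # and AllowedPattern rejects values that are not an IAM user or role ARN.
    Description: ARN of the IAM user or role in your account that owns the assessment (Audit owner).
    Type: String
    MinLength: '1'
    MaxLength: '255'
    AllowedPattern: '^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:(user|role)/.+$'
    ConstraintDescription: Must be an IAM user or role ARN, e.g. arn:aws:iam::<account-id>:user/<name>

Resources:

  #---------------------------------------------------------------------------------------------------
  # 1- Provision Custom Audit Manager Assessment
  #    - Use SSM Parameter Store to retrieve the Framework ID created by the custom backed Lambda
  # --------------------------------------------------------------------------------------------------

  CustomAuditManagerAssessment:
    Type: AWS::AuditManager::Assessment
    Properties:
      AssessmentReportsDestination:
        Destination: !Ref AssessmentDestination
        DestinationType: 'S3'
      Description: 'Custom Security Hub Assessment'
      # Dynamic reference pinned to parameter version 1. If the framework Lambda runs again and
      # rewrites the parameter, this still resolves the version-1 value.
      # NOTE(review): bump the version here if the framework is ever re-created.
      FrameworkId: '{{resolve:ssm:CustomSecurityHubFrameworkID:1}}'
      Name: 'CustomSecurityHubAssessment'
      Roles:
        - 'RoleArn': !Ref AuditOwnerArn
          'RoleType': 'PROCESS_OWNER'
      Scope:
        AwsAccounts:
          - 'Id': !Ref 'AWS::AccountId'
        AwsServices:
          - 'ServiceName': 's3'
          - 'ServiceName': 'iam'
          - 'ServiceName': 'cloudtrail'
          - 'ServiceName': 'lambda'
          - 'ServiceName': 'ec2'
          - 'ServiceName': 'rds'

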
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/cft/aws-auditmanager-securityhub.yml:
--------------------------------------------------------------------------------
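# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

# Provisions the Lambda-backed custom resource that creates the custom AWS Audit Manager
# control sets and custom framework based on Security Hub checks, and stores the framework ID
# in SSM Parameter Store (CustomSecurityHubFrameworkID) for aws-auditmanager-customassessment.yml.
# Pre-req: CustomAuditManagerFramework_Lambda.zip and auditmanagerlayer.zip uploaded to
# SourceBucket as described in the README.

# kmmahaj

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create the custom Audit Manager control sets and framework
  through a Lambda-backed custom resource. You will be billed for the AWS resources used if
  you create a stack from this template.
Parameters:
  SourceBucket:
    Description: S3 Bucket that contains the Custom Audit Manager Framework Lambda
    Type: String
    Default: 's3-customauditmanagerframework--'
    MinLength: '1'
    MaxLength: '255'

Resources:

  #---------------------------------------------------------------------------------------------------
  #
  # 1- Create Custom Audit Manager Control Sets for IAM, API and Network Monitoring
  #    based on Security Hub checks across PCI,CIS and FSBP frameworks
  # 2- Create Custom Audit Manager Framework based on custom Audit Manager control set
  # --------------------------------------------------------------------------------------------------

  # Custom Lambda backed Resource for creating the Custom Audit Manager Framework
  CreateCustomAuditManagerFramework:
    Type: 'Custom::CreateCustomAuditManagerFramework'
    DependsOn:
      - CustomAuditManagerFrameworkExecutePermission
    Properties:
      ServiceToken: !GetAtt 'CustomAuditManagerFrameworkLambda.Arn'
      SourceAccountId: !Ref 'AWS::AccountId'

  # Permission for CFN to invoke the custom Lambda-backed resource. SourceAccount restricts the
  # cloudformation.amazonaws.com service principal to invocations made for this account.
  CustomAuditManagerFrameworkExecutePermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !GetAtt 'CustomAuditManagerFrameworkLambda.Arn'
      Principal: 'cloudformation.amazonaws.com'
      SourceAccount: !Ref 'AWS::AccountId'

  # Lambda Function that creates the custom Audit Manager framework
  CustomAuditManagerFrameworkLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: !Join
        - ''
        - - CustomAuditManagerFramework_
          - Lambda
      Role: !GetAtt CustomAuditManagerFrameworkLambdaRole.Arn
      Code:
        S3Bucket: !Ref SourceBucket
        # Resolves to CustomAuditManagerFramework_Lambda/CustomAuditManagerFramework_Lambda.zip,
        # i.e. the folder and object the README asks the operator to create in SourceBucket.
        S3Key: !Join
          - ''
          - - CustomAuditManagerFramework_Lambda
            - /
            - CustomAuditManagerFramework_Lambda
            - .zip
      Description: CustomAuditManagerFrameworkLambda
      Handler: CustomAuditManagerFramework_Lambda.lambda_handler
      MemorySize: '256'
      # NOTE(review): python3.7 is a deprecated Lambda runtime. Moving to a current runtime means
      # rebuilding the deployment zip and the layer (CompatibleRuntimes below) together.
      Runtime: python3.7
      Layers:
        - !Ref AuditManagerLayer
      Environment:
        Variables:
          SourceAccountId : !Ref 'AWS::AccountId'
      Timeout: 300

  # Lambda Layer for AWS Audit Manager (Boto3 version that includes the auditmanager client)
  AuditManagerLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - python3.6
        - python3.7
        - python3.8
      Content:
        S3Bucket: !Ref SourceBucket
        S3Key: auditmanagerlayer.zip
      Description: Boto3 layer for audit manager
      LayerName: AuditManagerLayer
      LicenseInfo: MIT

  # IAM Role for the CustomAuditManagerFramework Lambda.
  # NOTE(review): the inline statements below are broader than the handler visibly needs
  # (s3:* on the source bucket, ssm:* on every parameter); see the per-statement notes.
  CustomAuditManagerFrameworkLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub securityhub-customauditmanagerframeworkrole-${AWS::Region}
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AllowLambdaAssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: CustomAuditManagerFrameworkLambdaPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # NOTE(review): the function code is fetched from SourceBucket by the Lambda service
              # at deploy time, not by this execution role. Unless the handler itself reads the
              # bucket at runtime (confirm against CustomAuditManagerFramework_Lambda.py), this
              # statement can be removed, or narrowed to s3:GetObject / s3:ListBucket.
              - Sid: '1'
                Action:
                  - 's3:*'
                Effect: Allow
                Resource:
                  - !Sub arn:${AWS::Partition}:s3:::${SourceBucket}
                  - !Sub arn:${AWS::Partition}:s3:::${SourceBucket}/*
              # Overlaps with AWSLambdaBasicExecutionRole (attached below), which already grants
              # CreateLogGroup / CreateLogStream / PutLogEvents; DescribeLogStreams is the only
              # addition this statement makes.
              - Sid: '2'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'logs:DescribeLogStreams'
                Effect: Allow
                Resource: '*'
              # NOTE(review): the only parameter this solution uses is CustomSecurityHubFrameworkID
              # (written by the handler, read by aws-auditmanager-customassessment.yml). Scope
              # Resource to that parameter, e.g.
              #   !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CustomSecurityHubFrameworkID
              # and Action to the ssm:PutParameter / ssm:GetParameter calls the handler actually
              # makes, once confirmed against the handler source.
              - Sid: '3'
                Action:
                  - 'ssm:*'
                Effect: Allow
                Resource: '*'
      ManagedPolicyArns:
        # NOTE(review): AWSAuditManagerAdministratorAccess is an administrator-level managed
        # policy. The handler only creates controls, a control set and a framework, so an inline
        # policy limited to those auditmanager actions would be tighter.
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSAuditManagerAdministratorAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
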
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/1.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/10.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/10.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/11.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/11.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/12.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/12.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/14.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/14.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/15.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/15.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/16.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/16.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/17.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/17.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/18.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/18.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/19.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/19.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/2.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/2.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/20.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/20.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/21.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/21.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/22.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/22.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/23.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/23.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/24.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/24.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/25.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/25.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/26.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/26.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/27.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/27.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/28.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/28.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/29.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/29.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/3.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/3.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/30.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/30.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/31.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/31.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/4.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/4.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/5.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/5.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/6.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/6.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/7.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/7.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/8.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/8.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/9.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/9.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/1.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/1.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/10.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/10.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/11.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/11.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/12.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/12.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/13.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/13.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/14.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/14.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/15.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/15.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/16.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/16.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/17.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/17.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/18.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/18.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/19.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/19.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/2.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/2.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/3-not.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/3-not.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/3.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/3.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/4.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/4.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/5.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/5.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/6.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/6.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/7.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/7.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/8.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/8.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/9.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/9.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/Customassessment on notepad.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/Customassessment on notepad.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/SecurityHubImages.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/SecurityHubImages.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/arch-diagram.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/confpack-5.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-5.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/confpack-6.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-6.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/confpack-7.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-7.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/confpack-8.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-8.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/confpack-9.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/confpack-9.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/customcontrol-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/customcontrol-2.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/customcontrol-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/customcontrol-4.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/onnotepad.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/onnotepad.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/cft/part2github.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/cft/part2github.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/customcontrol-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-1.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/customcontrol-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-2.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/customcontrol-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-3.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/customcontrol-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/customcontrol-4.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-1.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-1.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-10.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-10.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-11.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-11.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-12.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-12.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-13.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-13.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-14.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-14.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-15.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-15.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-16.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-16.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-17.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-18.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-18.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-19.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-2.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-2.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-20.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-21.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-21.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-22.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-22.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-23.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-23.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-24.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-24.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-25.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-25.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-3.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-3.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-4.png
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-5.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-5.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-6.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-6.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-7.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-7.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-8.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-8.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/images/manual-9.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lab/images/manual-9.PNG
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lab/index.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | ## Build AWS Audit Manager Assessments
5 |
6 | In this lab, we will create a custom Audit Manager Assessment by configuring custom controls, frameworks and assessments with AWS Audit Manager.
7 |
8 | ## Prerequisites
9 | 1. [Enable AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) in your AWS Account
10 | 2. [Setup AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/setting-up.html#setup-audit-manager). In the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), configure your [AWS Audit Manager settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html).
11 | 3. Create an [IAM user with Audit owner permissions](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies). You can use the AWSAuditManagerAdministratorAccess managed policy as a starting point for this lab, but it grants broad administrative access to Audit Manager; scope these permissions down to least privilege for your requirements, and prefer temporary credentials (for example, assuming an IAM role) over long-lived access keys for this identity.
12 | 4. If you have already configured an [assessment reports destination](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html#settings-destination) in your AWS Audit Manager settings, you can skip this step. Otherwise, you can reuse the Amazon S3 bucket you created in step 2. The bucket must be in the same AWS Region as your assessment. Create a prefix (folder) in the bucket for evidence, for example `evidences/`. Your assessment reports destination is the Amazon S3 URI of that prefix (for example, `s3://<your-bucket-name>/evidences/`). AWS Audit Manager saves your assessment reports to this location. Because these reports contain compliance evidence, make sure the bucket blocks public access, enforces encryption at rest, and is readable only by the audit owners and services that need it.
13 |
14 |
15 | ## Create a custom control
16 |
17 | We will configure a custom control that comprises three data sources. Each data source collects evidence based on the evaluation results of a specific AWS Config rule.
18 |
19 | 1. Navigate to the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home) and from the left navigation pane, select **Control library**, and then select **Create custom control**.
20 | 
21 |
22 | 2. Under **Control name**, enter a name (for example, Custom Control) and an optional description and then select **Next**.
23 | 
24 |
25 | 3. In **Configure data sources for this control**, choose **Automated evidence**. Under **Select an evidence type by mapping to a data source**, select **Compliance checks for resource configurations from AWS Config**. In **Specify an AWS Config rule**, select **CLOUD_TRAIL_ENCRYPTION_ENABLED**. Select **Add data source** to add another data source.
26 | 
27 |
28 | 4. Repeat Step 3 above to add the **CLOUD_TRAIL_ENABLED** and **S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS** AWS Config rules as data sources, and then select **Next**.
29 | 
30 |
31 | 5. On the **Review and create** screen, skip defining the action plan and choose **Create custom control**.
32 | 
33 |
34 | 6. Figure below shows the Custom control displayed in the Control library:
35 | 
36 |
37 |
38 | ## Create a custom framework
39 |
40 | Custom frameworks allow you to organize controls into control sets in a way that suits your unique requirements. Follow these steps to create a custom framework using the custom control you created in the previous section.
41 |
42 | 1. From the left panel, select **Framework library**, and then select **Create custom framework**.
43 | 
44 |
45 | 2. In the **Specify framework details**, enter a name for the framework (for example, Record Custom Control). Enter an optional compliance type and description, and then select **Next**.
46 | 
47 |
48 | 3. In **Specify the controls in the control set**, under **Control set name**, provide a name for the control set (for example, Custom Control Set). Under **Select control type**, select **Custom controls**, choose the custom control you created earlier, and then select **Add to control set**. The custom control should now be displayed under **Selected controls**.
49 | 
50 |
51 | 4. On the **Review and create** screen, select **Create custom framework**.
52 | 
53 |
54 | The figure below shows the custom framework, which consists of the custom control that we had configured earlier.
55 | 
56 |
57 |
58 | ## Create a custom assessment
59 |
60 | An Audit Manager assessment is an implementation of the AWS Audit Manager framework. It collects the evidence related to the AWS Config Rules that you created and converts it into an auditor-friendly format, and attaches the evidence to the custom control in the framework.
61 |
62 | 1. From the left navigation pane, select **Assessments**, and then select **Create assessment**.
63 | 
64 |
65 | 2. In **Specify assessment details**, under **Assessment Details** enter a name for the assessment (for example, Record Custom Control) and an optional description. Under **Assessment reports destination**, provide the [Amazon S3](https://aws.amazon.com/s3/) URI that you configured as the reports destination in Step 5 of the prerequisites section. Under **Frameworks**, select the **Record Custom Control framework** and then select **Next**.
66 | 
67 |
68 | 3. In **Edit AWS accounts in scope** select your current account in scope for the assessment and then select **Next**
69 | 
70 |
71 | 4. Under **AWS services**, select all services in scope that are automatically detected by Audit Manager and then select **Next**.
72 | 
73 |
74 | 5. Under **Specify audit owners**, select the Audit owner user that you created in Step 4 in the prerequisites section, and then select **Next**.
76 |
77 | 6. On the **Review and create** screen, select **Create assessment**.
78 |
79 |
80 | ## Review evidence
81 | Once you create an assessment, it will automatically start collecting evidence for the custom controls that you had configured within the assessment. It may take *24 hours* for the evidence to appear on the Audit Manager Console.
82 |
83 | 1. On the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), from the left panel, select **Assessments**. Select the **Record Custom Control assessment**.
84 |
85 | 2. In **Control sets**, select the custom control you created earlier.
86 | 
87 |
88 | 3. On the **Evidence folders** tab, you can review the evidence collection. Select an **Evidence folder**.
89 | 
90 |
91 | 4. In the **Evidence** list, check that AWS Audit Manager has recorded compliance status at different points in time. Under the **Time** column in **Evidence** if you select one of the time slots (such as 6:17:38 PM UTC), the evidence description is displayed. Select **View JSON** next to **responseElements** to view the evidence.
92 | 
93 | 
94 |
95 | 5. You can also select evidence from your custom control to add to an assessment report, and then generate the assessment report. From the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), go back to the **Evidence folder** list. To add evidence to an assessment report, select the evidence, and then select **Add to assessment report** as shown below.
96 | 
97 |
98 | 6. From the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home) select your custom assessment *Record Custom Control*. Select **Assessment report selection** in the bottom panel and select **Generate assessment report**. Provide the report with a name and description.
99 | 
100 | 
101 |
102 | 7. On the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), navigate to **Assessment reports**. You can now select and download the assessment report, which includes all your selected evidence.
103 | 
104 |
105 | 8. You can also navigate to the [S3](https://console.aws.amazon.com/s3/) bucket that you configured as the assessment reports destination earlier and view the assessment report from there. Treat this bucket as sensitive: it holds audit evidence, so keep its access restricted to the audit team.
106 | 
107 |
108 |
109 | ## Automate building of custom Audit Manager Assessments based on Security Hub findings
110 |
111 | ## Overview
112 | AWS Security Hub provides an out of the box integration with AWS Audit Manager where Security Hub findings based on Security Hub security standards are sent to Audit Manager. If compliance checks from Security Hub security standards are the only data source for an Audit Manager control then the out of the box Audit Manager control set (as well as the Audit Manager framework and assessment) correspond to one of the three supported AWS Security Hub security standards – Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) or Payment Card Industry (PCI).
113 |
114 | In this lab, we will deploy a solution that builds custom controls in AWS Audit Manager based on Security Hub findings
115 |
116 | The Audit Manager custom controls are organized into control sets. The custom control set in our solution contains AWS Audit Manager controls related to AWS Security Hub findings that span the FSBP, CIS and PCI standards. The Audit Manager control set is not specific to a single Security Hub security standard; instead it is specific to a security-related domain (for example, identity management or network monitoring) and includes controls from all three Security Hub security standards (FSBP, CIS and PCI) as they relate to that domain. This is a common use case where customers want to delegate audit assurance responsibilities to security administrators based on their subject matter expertise.
117 |
118 | Refer to [Integrate across the Three Lines Model (Part 1): Build a custom automation of AWS Audit Manager with AWS Security Hub](https://aws.amazon.com/blogs/mt/integrate-across-the-three-lines-model-part-1-build-a-custom-automation-of-aws-audit-manager-with-aws-security-hub/) for a full description of this solution.
119 |
120 | ## Prerequisites
121 | 1. [Enable Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-console) in your account
122 | 2. [Setup AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/setting-up.html#setup-audit-manager). In the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home), configure your [AWS Audit Manager settings](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html).
123 | 3. Create an [IAM user with Audit owner permissions](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies). You can use the AWSAuditManagerAdministratorAccess policy as a starting point for this lab, but scope down these permissions as appropriate for your requirements. For anything beyond a lab, prefer an IAM role (or a federated identity) over an IAM user with long-lived access keys; Audit Manager also accepts role ARNs as audit owners, so confirm that the template's `AuditOwnerArn` parameter is given the ARN of the identity you actually intend to use.
124 | 4. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-*AccountId*-*Region* where *AccountId* is your AWS account ID and *Region* is the AWS Region where you plan to deploy the CloudFormation templates. S3 bucket names are global, so if this name is already taken choose a different one and pass it as the `SourceBucket` parameter when you launch the template; never point the template at a bucket you do not own, because the Lambda deployment package is loaded from it. Keep the bucket's Block Public Access settings and default encryption enabled, since it will hold both the Lambda code and assessment reports. In this bucket, create a folder named *CustomAuditManagerFramework_Lambda*. [Create a directory](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-folder.html) and then upload the [CustomAuditManagerFramework_Lambda.zip](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.zip) file there.
125 | 5. If you have already configured an [assessment reports destination](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html#settings-destination) in your AWS Audit Manager settings, you can skip this step. Otherwise, reuse the Amazon S3 bucket you created in step 4; the bucket must be in the same AWS Region as your assessment. [Create a folder](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-folder.html) in the bucket for evidence (for example, `evidences`). Your assessment reports destination is the Amazon S3 URI of that folder (for example, s3://s3-customauditmanagerframework-*AccountId*-*Region*/evidences/). AWS Audit Manager will save your assessment reports to this location.
126 | 6. Audit Manager requires a Boto3 version that includes the `auditmanager` client, which the Boto3 bundled with the Lambda runtime may not provide; this implementation supplies the required version as a [Lambda layer](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html). (The lab links the [Boto3 1.7](https://boto3.amazonaws.com/v1/documentation/api/1.7.74/index.html) documentation; the Lambda prints `boto3 version` when it starts, so confirm the version actually loaded from the layer in the function's CloudWatch logs.) Upload the [auditmanagerlayer.zip](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/layer/auditmanagerlayer.zip) to the top directory of the Amazon S3 bucket you created in step 4. Because the layer is a prebuilt archive, inspect its contents or rebuild it from pinned dependencies before deploying it into a production account.
127 |
128 |
129 | ## Install the solution
130 |
131 | 1. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-securityhub.yml](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/cft/aws-auditmanager-securityhub.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:
132 | **SourceBucket**: The name of the Amazon S3 bucket that contains the AWS Lambda source code. This is the bucket you created in the prerequisites (s3-customauditmanagerframework-*AccountId*-*Region*), with *AccountId* and *Region* replaced by the AWS account ID and Region where you are deploying this template.
133 |
134 | 2. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-customassessment.yml](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-auditmanager-securityhub/cft/aws-auditmanager-customassessment.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:
135 | **AssessmentDestination**: The S3 URI in which AWS Audit Manager will save your assessment reports. This is the assessment reports destination URI you configured in the prerequisites (for example, s3://s3-customauditmanagerframework-*AccountId*-*Region*/evidences/), with *AccountId* and *Region* replaced by the AWS account ID and Region where you are deploying this template.
136 | **AuditOwnerArn**: The ARN for the IAM user that you created in step 3 of the prerequisites.
137 |
138 | ## Review the Custom Audit Manager Controls, Framework and Assessment
139 |
140 | 1. Navigate to the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home). From the left panel, select **Control library** and then select **Custom Control** on the right panel. You will see the list of custom controls that have been created for IAM and Networking monitoring related areas that span across the Security Hub compliance standards.
141 | 
142 |
143 | 2. Click on the *CustomMonitoringSecurityHubControl* to view the data sources for this custom control. All data sources use Security Hub findings; they span the three compliance standards supported by Security Hub and are specific to monitoring-related findings.
144 | 
145 |
146 | 3. Click on the *CustomIAMSecurityHubControl* to view the data sources for this custom control. All data sources use Security Hub findings; they span the three compliance standards supported by Security Hub and are specific to IAM-related findings.
147 | 
148 |
149 | 4. From the left panel, select **Framework Library** and then select **Custom Framework** on the right pane to view the custom Audit Manager framework *Security Hub Custom Framework* that was provisioned by the solution.
150 | 
151 |
152 | 5. Select the custom framework from the previous step. Under the **Control** section, you will see that this framework incorporates custom Security Hub controls that you reviewed in the **Custom Control** tab from Step 1.
153 | 
154 |
155 | 6. On the left hand panel, select **Assessments** and you will see that a custom assessment was provisioned by the solution. Select the custom assessment named **CustomSecurityHubAssessment** and view the custom controls that correspond to the assessment.
156 | 
157 | 
158 |
159 | Once you create an assessment, it will automatically start collecting evidence for the custom controls that you have configured within the assessment. It may take 24 hours for the evidence to appear on the Audit Manager Console.
160 |
161 | ## Customizing AWS Audit Manager - Automate building of custom AWS Audit Manager assessments - Transform an AWS Config Conformance Pack to an AWS Audit Manager Assessment
162 |
163 | AWS Config conformance packs provide a sample mapping between a supported compliance standard and AWS Config Managed Rules. Conformance packs enable the grouping of multiple AWS Config rules to a specific control ID within the compliance standard. By transforming AWS Config conformance packs into custom Audit Manager assessments we can extend Audit Manager to provide custom assessments for dozens of compliance standards that are not supported out of the box by Audit Manager.
164 |
165 | In this lab, we will deploy a solution that builds custom controls in AWS Audit Manager. The Audit Manager custom controls are organized into control sets. Each control set corresponds to a control ID in the conformance pack. The Audit Manager control set comprises the AWS Config rules mapped to the control ID by the AWS Config conformance pack. Our solution then creates a custom framework and a custom assessment based on these custom controls.
166 |
167 | Refer to [Integrate across the Three Lines Model (Part 2): Transform AWS Config conformance packs into AWS Audit Manager assessments](https://aws.amazon.com/blogs/mt/integrate-across-the-three-lines-model-part-2-transform-aws-config-conformance-packs-into-aws-audit-manager-assessments/) for a full description of this solution. This solution is also available from the [AWS Cloud Compliance and Assurance Reference Solution](https://github.com/aws-samples/aws-cloud-compliance-assurance)
168 |
169 |
170 | ## Prerequisites
171 | 1. Ensure that you have completed all the prerequisites from the *Build AWS Audit Manager Assessments* lab
172 | 2. Create a control mapping file. This is a CSV file where each row contains a control ID for the compliance standard as the first column. The remaining columns of that row each contain one AWS Config rule that maps to the control ID. A row can have any number of columns. You can use the [sample mapping file](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/mappingfile/nerc-cipmappingfile.csv) for NERC-CIP here directly or create your own for any of the supported compliance standards. The mapping of these rules to the control ID of the compliance standard is created manually by the user from the compliance standard’s [conformance pack documentation](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nerc.html).
173 | 3. Create an Amazon S3 bucket with the following name: s3-customauditmanagerframework-*AccountId*-*Region* where *AccountId* is your AWS account ID and *Region* is the AWS Region where you plan to deploy the CloudFormation templates (if you already created this bucket for the previous lab, reuse it). In this bucket, create a folder named CustomAuditManagerFramework_Lambda. [Create a directory](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-folder.html) and then upload the [CustomAuditManagerFramework_Lambda.zip](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/lambda/CustomAuditManagerFramework_Lambda.zip) file there.
174 | 4. Upload the control mapping file to the top directory of the S3 bucket.
175 | 5. Audit Manager works with the [Boto3 1.7](https://boto3.amazonaws.com/v1/documentation/api/1.7.74/index.html) libraries. AWS Lambda doesn’t ship with Boto3 1.7 by default. This implementation provides that version of Boto3 as a [Lambda layer](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html). Upload the [auditmanagerlayer.zip](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/tree/main/aws-auditmanager-conformancepack/layer) to the top directory of the Amazon S3 bucket you created in step 3.
176 |
177 |
178 | ## Install the solution
179 |
180 | 1. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-confpack.yml](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/cft/aws-auditmanager-confpack.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:
181 | **SourceBucket**: The name of the Amazon S3 bucket that contains the AWS Lambda source code. This is the bucket you created in step 3 of the prerequisites. Replace *AccountId* and *Region* with the AWS account ID and Region where you are deploying this template.
182 | **ConfPackControlsMappingFile**: This is the full name of the control mapping file, including the .csv extension (for example, nerc-cipmappingfile.csv), created in step 2 of the prerequisites and uploaded to S3 in step 4 of the prerequisites.
183 |
184 | 2. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), create a stack to launch the [aws-auditmanager-customassessment.yml](https://github.com/aws-samples/aws-config-pci-fsbp-ssmremediations/blob/main/aws-auditmanager-conformancepack/cft/aws-auditmanager-customassessment.yml) template. In **Parameters**, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:
185 | **AssessmentDestination**: The S3 URI in which AWS Audit Manager will save your assessment reports. This is the assessment reports destination URI you configured in the prerequisites of the *Customizing AWS Audit Manager - Build a custom Audit Manager Assessment* lab. Replace *AccountId* and *Region* with the AWS account ID and Region where you are deploying this template.
186 | **AuditOwnerArn**: The ARN for the IAM user that you created in step 3 of the prerequisites from the *Customizing AWS Audit Manager - Build a custom Audit Manager Assessment* lab
187 |
188 | ## Review the Custom Audit Manager Controls, Framework and Assessment
189 |
190 | 1. Navigate to the [AWS Audit Manager console](https://console.aws.amazon.com/auditmanager/home). From the left panel, select **Control library** and then select **Custom Control** on the right panel. You will see the list of custom controls that have been created for the NERC-CIP compliance standard.
191 | 
192 |
193 | 2. From the left panel, select **Framework Library** and then select **Custom Framework** on the right pane to view the custom Audit Manager framework *Config Conformance Pack Custom Framework* that was provisioned by the solution
194 | 
195 |
196 | 3. Select the custom framework from the previous step. Under the **Control** section, you will see that this framework incorporates custom NERC-CIP controls that you reviewed in the **Custom Control** tab from Step 1
197 | 
198 |
199 | 4. On the left hand panel, select **Assessments** and you will see that a custom assessment was provisioned by the solution. Select the custom assessment named **CustomConfigCongPackAssessment** and view the custom controls that correspond to the NERC-CIP compliance standard
200 | 
201 | 
202 |
203 | Once you create an assessment, it will automatically start collecting evidence for the custom controls that you have configured within the assessment. It may take 24 hours for the evidence to appear on the Audit Manager Console.
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.py:
--------------------------------------------------------------------------------
1 |
2 | # CreateAuditManagerAssessment-SecurityHub Lambda
3 | # - Selects several AWS Security Hub checks as a data source
4 | # - Creates Custom Audit Manager Control Sets for IAM, API and Network Monitoring based on
5 | # Security Hub checks across PCI,CIS and FSBP frameworks
6 | # - Creates an AWS Audit Manager custom framework with the control set above that uses Security Hub as a data source
7 | # - Creates an AWS Audit Manager assessment based on the custom framework above
8 |
9 | # @kmmahaj
10 | #
11 | ## License:
12 | ## This code is made available under the MIT-0 license. See the LICENSE file.
13 |
14 |
15 | import json
16 | import copy
17 | import sys
18 | import datetime
19 | import boto3
20 | import botocore
21 | import time
22 | import logging
23 | import random
24 | import urllib3
25 | from botocore.exceptions import ClientError
26 |
27 |
# Shared urllib3 pool; cfnsend() PUTs the custom-resource response through it.
http = urllib3.PoolManager()

# Root logger at INFO so handler progress is visible in CloudWatch Logs.
logger = logging.getLogger()
logger.setLevel(logging.INFO)
31 |
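def cfnsend(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
    """Send a CloudFormation custom-resource response to the request's pre-signed ResponseURL.

    Follows the cfn-response contract: a JSON body is PUT to ``event['ResponseURL']``
    with an empty content-type header. Failures are printed, never raised, so the
    handler can still return cleanly (CloudFormation treats a missing response as a
    timeout, which is the caller's problem to avoid by always calling this).

    Args:
        event: The custom-resource request event. ResponseURL, StackId, RequestId and
            LogicalResourceId are read; any that is absent is sent as an empty string.
        context: Lambda context; ``log_stream_name`` is the default PhysicalResourceId
            and is referenced in the default Reason text.
        responseStatus: 'SUCCESS' or 'FAILED'.
        responseData: Dict exposed to the template through Fn::GetAtt.
        physicalResourceId: Stable id for the resource; defaults to the log stream name.
        noEcho: When True, CloudFormation masks responseData in the console/API.
        reason: Human-readable status text; defaults to a pointer at the log stream.
    """
    responseUrl = event.get('ResponseURL', '')

    responseBody = {
        'Status': responseStatus,
        'Reason': reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
        'PhysicalResourceId': physicalResourceId or context.log_stream_name,
        'StackId': event.get('StackId', ''),
        'RequestId': event.get('RequestId', ''),
        'LogicalResourceId': event.get('LogicalResourceId', ''),
        'NoEcho': noEcho,
        'Data': responseData
    }

    json_responseBody = json.dumps(responseBody)
    # Encode before measuring: content-length must be a byte count, and len(str)
    # undercounts any non-ASCII text that ends up in Reason or Data.
    body_bytes = json_responseBody.encode('utf-8')

    print("Response body:")
    print(json_responseBody)

    if not responseUrl:
        # Invoked outside CloudFormation (no ResponseURL): nothing to PUT to.
        print("send(..) skipped: no ResponseURL in event")
        return

    headers = {
        'content-type': '',
        'content-length': str(len(body_bytes))
    }

    try:
        response = http.request('PUT', responseUrl, headers=headers, body=body_bytes)
        print("Status code:", response.status)
    except Exception as e:
        # Best effort by design: a failed PUT must not take the handler down.
        print("send(..) failed executing http.request(..):", e)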
81 |
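def create_custom_auditmanager_control(controls, controltype, client=None):
    """Create one Audit Manager custom control whose data sources are Security Hub checks.

    Every entry in ``controls`` becomes its own control mapping source of type
    AWS_Security_Hub, with the Security Hub control id (for example 'IAM.1', '1.16'
    or 'PCI.IAM.7') as the keyword value. The control is named
    'Custom<controltype>SecurityHubControl'.

    Args:
        controls: Iterable of Security Hub control ids to attach as data sources.
        controltype: Short label (for example 'IAM' or 'Monitoring') embedded in the
            control name.
        client: Optional Audit Manager client. Defaults to boto3.client('auditmanager');
            injectable so the mapping logic can be exercised without AWS access.

    Returns:
        The id of the created control (``response['control']['id']``).

    Raises:
        ValueError: if ``controls`` is empty. The service needs at least one data
            source, so fail early with a clear message rather than a service error.
    """
    control_names = list(controls)
    if not control_names:
        raise ValueError('at least one Security Hub control id is required')

    auditmanager = client if client is not None else boto3.client('auditmanager')

    # Build a fresh dict (including a fresh sourceKeyword) per entry: sharing the
    # nested mapping would leave every source with the last keyword value.
    securityhubcontrol_List = [
        {
            'sourceName': 'Custom Security Hub Control Source',
            'sourceDescription': 'Security Hub checks',
            'sourceSetUpOption': 'System_Controls_Mapping',
            'sourceType': 'AWS_Security_Hub',
            'sourceKeyword': {
                'keywordInputType': 'SELECT_FROM_LIST',
                'keywordValue': controlname,
            },
        }
        for controlname in control_names
    ]

    name = 'Custom' + controltype + 'SecurityHubControl'
    response_control = auditmanager.create_control(name=name, controlMappingSources=securityhubcontrol_List)
    return response_control['control']['id']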
112 |
113 |
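def _control_set(name, control_id):
    """Build one controlSets entry for create_assessment_framework: a named set holding one control."""
    return {'name': name, 'controls': [{'id': control_id}]}


def _redacted(event):
    """Shallow copy of the request event that is safe to log (the pre-signed ResponseURL is masked)."""
    safe = dict(event)
    if 'ResponseURL' in safe:
        safe['ResponseURL'] = '<redacted>'
    return safe


def lambda_handler(event, context):
    """CloudFormation custom-resource handler that provisions the Security Hub custom framework.

    On Create (and Update) it:
      1. creates a custom control for IAM-related Security Hub checks,
      2. creates a custom control for API / network-monitoring Security Hub checks,
      3. wraps each in its own control set and creates the
         'Security Hub Custom Framework' assessment framework,
      4. stores the framework id in the SSM parameter 'CustomSecurityHubFrameworkID'
         (Overwrite=True) and also returns it in the response Data as 'FrameworkId'.

    Delete is acknowledged with SUCCESS and performs no cleanup: the controls, the
    framework and the SSM parameter are left behind when the stack is deleted.

    Any exception on the create path is reported to CloudFormation as FAILED with
    the error text as the Reason. Without that, an unhandled exception would leave
    the stack waiting for a response until the custom-resource timeout.

    NOTE(review): an Update request re-runs the create path and so tries to create
    controls and a framework with the same names again; confirm how the service
    treats duplicate names before relying on stack updates.

    Args:
        event: Custom-resource request (RequestType, ResponseURL, StackId, ...).
        context: Lambda context, forwarded to cfnsend.

    Returns:
        'SUCCESS' or 'FAILED' (informational only; CloudFormation reads the PUT response).
    """
    print("boto3 version: " + boto3.__version__)
    # The ResponseURL is a pre-signed URL that lets whoever holds it complete this
    # resource on CloudFormation's behalf, so keep it out of the log group.
    logger.info('EVENT Received: {}'.format(_redacted(event)))
    responseData = {}

    # Delete is unsupported; acknowledge it so stack deletion is not blocked.
    if event['RequestType'] == 'Delete':
        logger.info('Request Type is Delete; unsupported')
        cfnsend(event, context, 'SUCCESS', responseData)
        return 'SUCCESS'

    try:
        auditmanager = boto3.client('auditmanager')
        ssm = boto3.client('ssm')

        # Security Hub control ids drawn from the FSBP, CIS and PCI standards (see module header).
        iam_controls = ['IAM.1', 'IAM.2', 'IAM.3', 'IAM.4', 'IAM.5', 'IAM.6', 'PCI.IAM.7', '1.16', '1.20', 'PCI.IAM.8']
        iam_controlid = create_custom_auditmanager_control(iam_controls, 'IAM')

        monitoring_controls = ['APIGateway.1', '2.9', '3.10', '3.11', '3.12', '3.13', '3.14', 'PCI.EC2.6']
        monitoring_controlid = create_custom_auditmanager_control(monitoring_controls, 'Monitoring')

        # One control set per domain: 1) IAM, 2) network monitoring.
        controlSets_List = [
            _control_set('Custom Security Hub IAM Control Set', iam_controlid),
            _control_set('Custom Security Hub Monitoring Control Set', monitoring_controlid),
        ]

        response_framework = auditmanager.create_assessment_framework(
            name='Security Hub Custom Framework',
            controlSets=controlSets_List)
        frameworkid = response_framework['framework']['id']

        # Hand the framework id to the assessment template via Parameter Store.
        ssm.put_parameter(Name='CustomSecurityHubFrameworkID', Type='String', Value=frameworkid, Overwrite=True)
        print('frameworkId is ' + frameworkid)
        responseData['FrameworkId'] = frameworkid
    except Exception as e:
        logger.exception('Failed to provision the Security Hub custom framework')
        cfnsend(event, context, 'FAILED', responseData, reason=str(e))
        return 'FAILED'

    cfnsend(event, context, 'SUCCESS', responseData)
    return 'SUCCESS'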
170 |
171 |
172 |
173 |
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lambda/CustomAuditManagerFramework_Lambda.zip
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/lambda/auditmanagerlayer.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/lambda/auditmanagerlayer.zip
--------------------------------------------------------------------------------
/aws-auditmanager-securityhub/layer/auditmanagerlayer.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-auditmanager-securityhub/layer/auditmanagerlayer.zip
--------------------------------------------------------------------------------
/aws-backupauditmanager-securityhub/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal in
5 | the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
7 | the Software, and to permit persons to whom the Software is furnished to do so.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 |
16 |
--------------------------------------------------------------------------------
/aws-backupauditmanager-securityhub/README.md:
--------------------------------------------------------------------------------
1 | # Automated backup compliance with AWS Backup Audit Manager and AWS Security Hub
2 |
3 | Integrates AWS Backup Audit Manager with AWS Security Hub. The solution provisions an AWS Backup Audit Manager framework with 5 default controls (you can add additional controls to the template). The framework generates and triggers AWS Config rules, and the rule evaluations are converted to Security Hub findings.
4 |
5 | ## Prerequisites
6 |
7 | 1. Enable resource tracking for AWS Backup Audit Manager
8 | 2. Enable Security Hub
9 |
10 | ## How it Works
11 | 1. Provisions AWS Backup Audit Manager framework
12 | 2. Provisions Amazon CloudWatch Events (EventBridge) Rule:
13 | 1. The CloudWatch Events rule is triggered by AWS Config compliance-change events. Note that the event pattern in the template matches every `Config Rules Compliance Change` event in the account, not only those from the backup controls; any filtering to backup rules has to happen in the Lambda.
14 | 3. Provisions AWS Lambda as a target for the CloudWatch Events Rule:
15 | 1. Obtains event details from the Config recording resource type and converts rule evaluation to a security hub finding
16 |
17 |
18 | ## Solution Architecture
19 |
20 | 
21 |
22 | ## Install
23 |
24 | 1. 1 step install - Launch the [**aws-backupauditmanager-securityhub.yaml**](https://github.com/aws-samples/aws-securityhub-remediations/blob/main/aws-backupauditmanager-securityhub/cft/aws-backupauditmanager-securityhub.yaml) template. The template takes no parameters.
25 |
26 | ## Test
27 |
28 | 1. Launch an EC2 instance/RDS/Aurora etc without an associated backup plan
29 | 2. Validate that an AWS Config rule gets generated and evaluated based on evaluation of the BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN control from the provisioned Backup Audit Manager framework
30 | 3. Validate that a security hub finding gets generated based on the Config rule evaluation
31 |
32 |
--------------------------------------------------------------------------------
/aws-backupauditmanager-securityhub/cft/aws-backupauditmanager-securityhub.yaml:
--------------------------------------------------------------------------------
1 | AWSTemplateFormatVersion: '2010-09-09'
2 | Description: Automated Backup Compliance using AWS Backup Audit Manager and AWS Security Hub
3 |
4 | # ----------------------------------------------------------------------------------------------------------
5 | # CloudFormation Template 1 of 1 -
6 | #
7 | #
8 | # 1- Provisions an AWS Backup Audit Manager framework with 5 default controls
9 | # 2- Provisions CloudWatchEvents (EventBridge) Rule:
10 | # - CloudWatchEvents Rule is triggered based on a AWS Config rule evaluation of a backup audit manager control
11 | # 3- Provisions a Compliance Lambda as a target for the CloudWatch Events Rule.
12 | # 4- Compliance Lambda:
13 | # - Obtains event details from the Config rule
14 | # - Creates a finding in AWS Security Hub
15 | #
16 | # @kmmahaj
17 | ##
18 | ## License:
19 | ## This code is made available under the MIT-0 license. See the LICENSE file.
20 | # ------------------------------------------------------------...............................................
21 |
22 |
23 | Resources:
24 |
25 | # --------------------------------------------------------------------------------------------------
26 | # 1- Provisions an AWS Backup Audit Manager framework with 5 default controls
27 | # --------------------------------------------------------------------------------------------------
28 |
SecurityHubBackupFramework:
  # Backup Audit Manager framework with five of the managed controls. No FrameworkName
  # is given, so CloudFormation generates one from the stack and logical id.
  Type: AWS::Backup::Framework
  Properties:
    FrameworkControls:
      # Resources in scope must be covered by a backup plan.
      - ControlName: BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN
      # Recovery points must be retained for at least requiredRetentionDays.
      - ControlName: BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK
        ControlInputParameters:
          - ParameterName: requiredRetentionDays
            ParameterValue: "35"
      - ControlName: BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED
      # Plans must run at least once per 24 hours and keep recovery points 35 days;
      # the retention value is kept in step with the control above.
      - ControlName: BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK
        ControlInputParameters:
          - ParameterName: requiredRetentionDays
            ParameterValue: "35"
          - ParameterName: requiredFrequencyUnit
            ParameterValue: "hours"
          - ParameterName: requiredFrequencyValue
            ParameterValue: "24"
      - ControlName: BACKUP_RECOVERY_POINT_ENCRYPTED
48 |
49 | # --------------------------------------------------------------------------------------------------
50 | # 2- Provisions a CloudWatchEvents Rule based on an AWS Config rule evaluation of a backup audit manager control
51 | # 3- Provisions a Lambda that creates a finding in AWS Security Hub
52 | # --------------------------------------------------------------------------------------------------
53 |
CaptureBackupConfigRuleEvents:
  Type: AWS::Events::Rule
  Properties:
    Name: CaptureBackupConfigRuleEvent
    Description: Capture Backup Config Rule Events and Trigger an Action
    # NOTE(review): this pattern matches the compliance-change event of EVERY Config
    # rule in the account/region, not only the rules created by the Backup Audit
    # Manager framework. The event detail carries the rule name and ARN but not who
    # created the rule, so unrelated rules have to be discarded in the Lambda target.
    EventPattern:
      source: [aws.config]
      detail-type: [Config Rules Compliance Change]
    State: ENABLED
    Targets:
      - Id: IDCaptureBackupConfigRuleEvents
        Arn: !GetAtt BackupToSecHubSendFindingsLambda.Arn
68 |
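BackupToSecHubSendFindingsLambda:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: Backup2SecurityHubSendFindingsLambda
    Description: Maps Config rule evaluation based on Backup Audit control into ASFF before importing to Security Hub
    Handler: index.lambda_handler
    MemorySize: 384
    Role: !GetAtt BackupToSecHubSendFindingsLambdaRole.Arn
    # python3.7 is past end of support in Lambda and new functions can no longer be
    # created on it, which makes the stack fail to deploy; use a supported runtime.
    Runtime: python3.12
    Timeout: 70
    Environment:
      Variables:
        account_num: !Ref 'AWS::AccountId'
        region: !Ref 'AWS::Region'
        # The EventBridge rule fires for every Config rule in the account. Only rules
        # whose Config "CreatedBy" service principal equals this value are forwarded,
        # so Security Hub receives findings for the Backup Audit Manager framework
        # rather than a LOW-severity duplicate of every other Config rule. Set to an
        # empty string to forward everything.
        # NOTE(review): confirm the principal value with
        #   aws configservice describe-config-rules --config-rule-names <framework rule>
        # and adjust if it differs; skipped events are logged.
        CONFIG_RULE_CREATED_BY: backup.amazonaws.com
    Code:
      ZipFile: |
        import datetime
        import os

        import boto3

        config = boto3.client('config')
        sechub = boto3.client('securityhub')

        # Config compliance type -> ASFF Compliance.Status. NOT_APPLICABLE and
        # INSUFFICIENT_DATA used to be reported as FAILED, which showed resources the
        # control does not cover as failing.
        COMPLIANCE_STATUS = {
            'COMPLIANT': 'PASSED',
            'NON_COMPLIANT': 'FAILED',
            'NOT_APPLICABLE': 'NOT_AVAILABLE',
            'INSUFFICIENT_DATA': 'NOT_AVAILABLE',
        }

        def describe_rule(config_rule_name):
            """Return (description, created_by) for a Config rule.

            description falls back to the rule name when the rule has none.
            created_by is the service principal that created a service-linked rule,
            or '' for customer-created rules. Errors from describe_config_rules (for
            example NoSuchConfigRuleException) are logged and re-raised so the
            invocation fails visibly.
            """
            try:
                response = config.describe_config_rules(ConfigRuleNames=[config_rule_name])
            except Exception as error:
                print("Error: ", error)
                raise
            rule = response['ConfigRules'][0]
            description = rule.get('Description') or rule['ConfigRuleName']
            return description, rule.get('CreatedBy', '')

        def lambda_handler(event, context):
            """EventBridge target for "Config Rules Compliance Change" events.

            Imports one ASFF finding per (rule, resource) into Security Hub. The
            finding Id is derived from the rule ARN and the resource, so a later
            re-evaluation of the same resource updates the existing finding instead
            of creating a new one (the original used the EventBridge event id, which
            is unique per delivery). Events for rules not created by the principal in
            CONFIG_RULE_CREATED_BY are skipped. Raises if Security Hub rejects the
            finding.
            """
            details = event['detail']
            config_rule_name = details['configRuleName']
            config_rule_arn = details['configRuleARN']
            resource_type = details['resourceType']
            resource_id = details['resourceId']
            aws_region = details['awsRegion']
            account_id = details['awsAccountId']
            compliance_type = details['newEvaluationResult']['complianceType']

            description, created_by = describe_rule(config_rule_name)
            wanted_creator = os.environ.get('CONFIG_RULE_CREATED_BY', '')
            if wanted_creator and created_by != wanted_creator:
                print(f"Skipping {config_rule_name}: created by '{created_by}', not '{wanted_creator}'")
                return

            status = COMPLIANCE_STATUS.get(compliance_type, 'FAILED')
            now = datetime.datetime.now(datetime.timezone.utc).isoformat()
            product_arn = f"arn:aws:securityhub:{aws_region}:{account_id}:product/{account_id}/default"
            finding = {
                'SchemaVersion': '2018-10-08',
                # Stable per rule + resource; Security Hub updates a finding with a known Id.
                'Id': f"{config_rule_arn}/{resource_type}/{resource_id}",
                'ProductArn': product_arn,
                'GeneratorId': config_rule_arn,
                'AwsAccountId': account_id,
                'Types': ['Software and Configuration Checks'],
                'FirstObservedAt': now,
                'UpdatedAt': now,
                'CreatedAt': now,
                'Severity': {'Label': 'LOW'},
                'Title': config_rule_name,
                'Description': description,
                'Resources': [{
                    'Type': resource_type,
                    'Id': resource_id,
                    'Partition': 'aws',
                    'Region': aws_region,
                }],
                'WorkflowState': 'NEW',
                'Compliance': {'Status': status},
                'RecordState': 'ACTIVE',
            }
            try:
                response = sechub.batch_import_findings(Findings=[finding])
            except Exception as e:
                print(e)
                print("Submitting finding to Security Hub failed, please troubleshoot further")
                raise
            # BatchImportFindings returns 200 even when individual findings are rejected.
            if response.get('FailedCount'):
                raise RuntimeError(f"Security Hub rejected the finding: {response.get('FailedFindings')}")
            print(response)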
168 |
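BackupToSecHubSendFindingsLambdaRole:
  # Execution role for Backup2SecurityHubSendFindingsLambda. Grants only what the
  # function code calls: BatchImportFindings, DescribeConfigRules and CloudWatch Logs.
  # cloudwatch:PutMetricData was granted before but never used, and the log
  # permissions are now limited to this function's own log group.
  Type: AWS::IAM::Role
  Properties:
    Policies:
      - PolicyName: BackupToSecHubSendFindingsLambda-Policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # The function imports into this account's default custom product only.
            - Effect: Allow
              Action: securityhub:BatchImportFindings
              Resource: !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:product/${AWS::AccountId}/default"
            # DescribeConfigRules has no resource-level permissions.
            - Effect: Allow
              Action: config:DescribeConfigRules
              Resource: '*'
            - Effect: Allow
              Action: logs:CreateLogGroup
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
            # The log group name follows the fixed FunctionName, so it can be named
            # here without a circular dependency on the function resource.
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/Backup2SecurityHubSendFindingsLambda:*"
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole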
196 |
PermissionForEventsToInvokeLambdachk:
  # Resource policy on the function: only the CaptureBackupConfigRuleEvents rule
  # (pinned by SourceArn) may invoke it, not any EventBridge rule in the account.
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    Principal: events.amazonaws.com
    FunctionName:
      Fn::GetAtt:
        - BackupToSecHubSendFindingsLambda
        - Arn
    SourceArn:
      Fn::GetAtt:
        - CaptureBackupConfigRuleEvents
        - Arn
204 |
205 |
--------------------------------------------------------------------------------
/aws-backupauditmanager-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-backupauditmanager-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-backupauditmanager-securityhub/images/backupauditmanager-securityhub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-backupauditmanager-securityhub/images/backupauditmanager-securityhub.png
--------------------------------------------------------------------------------
/aws-ecr-continuouscompliance/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal in
5 | the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
7 | the Software, and to permit persons to whom the Software is furnished to do so.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 |
16 |
--------------------------------------------------------------------------------
/aws-ecr-continuouscompliance/README.md:
--------------------------------------------------------------------------------
1 | # Automated Container Image Compliance with AWS ECR and AWS Security Hub
2 |
3 |
4 | * AWS ECR Image Vulnerabilities to be pushed as findings to AWS Security Hub
5 | * AWS Security Hub Remediation action restricts access to any AWS ECR container image when a vulnerability is detected during an image scan
6 | * Demonstrates **"Custom Detection"** AND **"Custom Remediation"** by AWS Security Hub.
7 |
8 |
9 | ## What is Built
10 |
11 | 1. **Template: aws-ecr-continuouscompliance-v1.yml**: Provisions the following components:
12 | * Amazon CloudWatch Events (EventBridge) Rule:
13 | * The CloudWatch Events Rule is triggered based on a AWS ECR Event for a completed Image Scan
14 | * AWS Lambda as a target for the CloudWatch Events Rule:
15 | * Obtains event details from the AWS ECR Completed Image scan event.
16 | * Sends Finding to AWS Security Hub via ASFF (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html)
17 | * AWS Security Hub based Remediation
18 | * Creates an Amazon CloudWatch Events Rule which is triggered based on a AWS Security Hub Custom Action (https://docs.aws.amazon.com/securityhub/latest/userguide/finding-send-to-custom-action.html)
19 | * Provisions an AWS Lambda as a target for the AWS Security Hub Custom Action
20 | * AWS Lambda, invoked by the custom action, that attaches a repository policy denying image pulls from the repository named in the selected finding. The severity gate is the operator's choice of finding: the remediation Lambda itself does not check severity, and the detection Lambda marks Medium as well as High and Critical scan results as FAILED.
21 |
22 |
23 | ## How it Works and Solution Design
24 | 1. Triggers an AWS Security Hub finding whenever an image is scanned in ECR - either when configuring the ECR repository for a scan on push (https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-new-repository) or via a manual scan.
25 | 1. Provisions an Amazon CloudWatch Events (EventBridge) Rule that gets triggered based on AWS ECR Event (https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html) on a completed image scan. The target for Amazon CloudWatch Events (EventBridge) Rule is an AWS Lambda function that translates the event from the Image Scan into AWS Security Finding Format (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) for Security Hub.
26 | 2. Provisions an AWS Security Hub Custom Action for remediation. The Security Hub based remediation attaches an AWS ECR repository policy (https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html) that is scoped to the individual Amazon ECR repository in which the vulnerable image was detected. Because the policy is an explicit Deny for every principal, any existing pull access to that repository (including cross-account grants) stops working until the statement is removed.
27 |
28 |
29 | 
30 |
31 |
32 | ## Set up and Test
33 |
34 | 1. **Initial Setup**
35 | * 1 step setup. Launch the aws-ecr-continuouscompliance-v1.yml template. The template takes no parameters.
36 | 2. **Test - Push an image to ECR**
37 | * Push an image with known vulnerabilities to ECR (e.g. nginx:latest). Follow the steps as outlined here (https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html)
38 | * Navigate to the AWS Security Hub console and click on Findings in the left panel. Select the relevant finding; to narrow the list to findings produced by this solution, add the filter "Resource type is AwsEcr" in the top panel (the detection Lambda tags every ECR finding with that resource type).
39 | * With the relevant finding selected in the AWS Security Hub Findings panel, select Actions from the top of the panel and click on the ‘ECR1’ action.
40 | * Navigate to the AWS ECR console, select the Repository that contains the vulnerable image and validate the Deny permissions policy provisioned by the Security Hub remediation action by selecting Permissions in the left panel
41 |
42 | ## @kmmahaj
--------------------------------------------------------------------------------
/aws-ecr-continuouscompliance/cft/aws-ecr-continuouscompliance-v1.yaml:
--------------------------------------------------------------------------------
1 | AWSTemplateFormatVersion: '2010-09-09'
2 | Description: Automated Image Scan Compliance for AWS EKS using AWS ECR and AWS Security Hub
3 |
4 | # ----------------------------------------------------------------------------------------------------------
5 | # CloudFormation Template 1 of 1 -
6 | #
7 | #
8 | # 1- Provisions CloudWatchEvents (EventBridge) Rule:
9 | # - CloudWatchEvents Rule is triggered based on a AWS ECR Event for a completed Image Scan
10 | # 2- Provisions a Compliance Lambda as a target for the CloudWatch Events Rule.
11 | # 3- Compliance Lambda:
12 | # - Obtains event details from the ECR Completed Image scan event
13 | # - Creates a finding in AWS Security Hub
14 | # 4 - Provisions an AWS Security Hub Custom Action
15 | # - Performs remediation by attaching restricted policy to ECR repository
16 | #
17 | #
18 | # @kmmahaj
19 | ##
20 | ## License:
21 | ## This code is made available under the MIT-0 license. See the LICENSE file.
22 | # ------------------------------------------------------------...............................................
23 |
24 |
25 | Resources:
26 |
27 | # --------------------------------------------------------------------------------------------------
28 | # 1- Provisions a CloudWatchEvents Rule that is triggered based on ECR Image Scan Event
29 | # 2- Provisions a Lambda that creates a finding in AWS Security Hub
30 | # --------------------------------------------------------------------------------------------------
31 |
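CaptureECRImageScanEvents:
  Type: AWS::Events::Rule
  Properties:
    Name: CaptureECRScanEvent
    Description: Capture ECR Scan Events and Trigger an Action
    EventPattern:
      source:
        - aws.ecr
      detail-type:
        - ECR Image Scan
      # Only completed scans carry finding-severity-counts. The previous pattern also
      # delivered FAILED scans, whose event may omit that key and would make the
      # target function raise on it.
      detail:
        scan-status:
          - COMPLETE
    State: ENABLED
    Targets:
      - Arn: !GetAtt ECRToSecHubSendFindingsLambda.Arn
        Id: IDCaptureECRImageScanEvents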
46 |
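ECRToSecHubSendFindingsLambda:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: ECR2SecurityHubSendFindingsLambda
    Description: Maps ECR Scan Finding into ASFF before importing to Security Hub
    Handler: index.lambda_handler
    MemorySize: 384
    Role: !GetAtt ECRToSecHubSendFindingsLambdaRole.Arn
    # python3.7 is past end of support in Lambda and new functions can no longer be
    # created on it, which makes the stack fail to deploy; use a supported runtime.
    Runtime: python3.12
    Timeout: 70
    Environment:
      Variables:
        account_num: !Ref 'AWS::AccountId'
        region: !Ref 'AWS::Region'
    Code:
      ZipFile: |
        import datetime
        import os
        import uuid

        import boto3

        sechub = boto3.client('securityhub')

        # ECR severity bucket -> (ASFF severity label, finding title), highest first.
        # LOW/INFORMATIONAL/UNDEFINED counts do not fail the image, as before.
        SEVERITY_LADDER = (
            ('CRITICAL', 'CRITICAL', 'Critical ECR Vulnerability'),
            ('HIGH', 'HIGH', 'High ECR Vulnerability'),
            ('MEDIUM', 'MEDIUM', 'Medium ECR Vulnerability'),
        )

        def classify(severity_counts):
            """Map ECR's finding-severity-counts to (severity label, title, compliance status)."""
            for ecr_key, label, title in SEVERITY_LADDER:
                if severity_counts.get(ecr_key):
                    return label, title, 'FAILED'
            return 'LOW', 'ECR Finding', 'PASSED'

        def lambda_handler(event, context):
            """EventBridge target for "ECR Image Scan" events.

            Builds one ASFF finding for the scanned image and imports it into
            Security Hub. The finding Id is derived from the repository ARN and the
            image digest, so a rescan of the same image updates the existing finding
            instead of adding a duplicate (the original used a fresh uuid per event;
            that is kept only as a fallback when no digest is present). The finding's
            resource now points at the repository rather than the account.
            ProductFields.ECRRepoName is consumed by ECRAccessProhibitedLambda.
            Raises if Security Hub rejects the finding.
            """
            account_id = os.environ['account_num']
            aws_region = os.environ['region']
            details = event['detail']
            repo_name = details['repository-name']
            image_digest = details.get('image-digest', '')
            image_tags = details.get('image-tags') or []
            # ECR image-scan events list the repository ARN in `resources`; build it
            # when the field is absent. NOTE(review): confirm against a sample event.
            resources = event.get('resources') or []
            repo_arn = resources[0] if resources else f"arn:aws:ecr:{aws_region}:{account_id}:repository/{repo_name}"
            # A completed scan with no counts at all is reported as clean.
            counts = details.get('finding-severity-counts') or {}
            severity, title, compliance = classify(counts)

            now = datetime.datetime.now(datetime.timezone.utc).isoformat()
            finding_id = f"{repo_arn}/{image_digest}" if image_digest else str(uuid.uuid4())
            finding = {
                'SchemaVersion': '2018-10-08',
                'Id': finding_id,
                'ProductArn': f"arn:aws:securityhub:{aws_region}:{account_id}:product/{account_id}/default",
                'ProductFields': {
                    # Read by the ECR1 remediation to locate the repository.
                    'ECRRepoName': repo_name,
                    'ImageDigest': image_digest,
                    'ImageTags': ','.join(image_tags),
                },
                'GeneratorId': f"ecr-image-scan/{repo_arn}",
                'AwsAccountId': account_id,
                'Types': ['Software and Configuration Checks'],
                'FirstObservedAt': now,
                'UpdatedAt': now,
                'CreatedAt': now,
                'Severity': {'Label': severity},
                'Title': title,
                'Description': f"{title} in repository {repo_name} (digest {image_digest or 'n/a'}); severity counts: {counts}",
                'Resources': [{
                    # Kept as 'AwsEcr' because the README's console filter relies on
                    # it; ASFF's own type for a repository is AwsEcrRepository.
                    'Type': 'AwsEcr',
                    'Id': repo_arn,
                    'Partition': 'aws',
                    'Region': aws_region,
                }],
                'WorkflowState': 'NEW',
                'Compliance': {'Status': compliance},
                'RecordState': 'ACTIVE',
            }
            try:
                response = sechub.batch_import_findings(Findings=[finding])
            except Exception as e:
                print(e)
                print("Submitting finding to Security Hub failed, please troubleshoot further")
                raise
            # BatchImportFindings returns 200 even when individual findings are rejected.
            if response.get('FailedCount'):
                raise RuntimeError(f"Security Hub rejected the finding: {response.get('FailedFindings')}")
            print(response)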
151 |
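ECRToSecHubSendFindingsLambdaRole:
  # Execution role for ECR2SecurityHubSendFindingsLambda. Grants only what the
  # function calls: BatchImportFindings on this account's default product and
  # CloudWatch Logs for its own log group. cloudwatch:PutMetricData was granted
  # before but never used.
  Type: AWS::IAM::Role
  Properties:
    Policies:
      - PolicyName: ECRToSecHubSendFindingsLambda-Policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: securityhub:BatchImportFindings
              Resource: !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:product/${AWS::AccountId}/default"
            - Effect: Allow
              Action: logs:CreateLogGroup
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
            # Log group name follows the fixed FunctionName of the function.
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/ECR2SecurityHubSendFindingsLambda:*"
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole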
178 |
PermissionForEventsToInvokeLambdachk:
  # Resource policy on the function: only the CaptureECRImageScanEvents rule
  # (pinned by SourceArn) may invoke it.
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    Principal: events.amazonaws.com
    FunctionName:
      Fn::GetAtt:
        - ECRToSecHubSendFindingsLambda
        - Arn
    SourceArn:
      Fn::GetAtt:
        - CaptureECRImageScanEvents
        - Arn
186 |
187 |
188 | # -------------------------------------------------------------------------------------------------------------------------------------------------------
189 | # 3. Create Remediation in Security Hub
190 | # -------------------------------------------------------------------------------------------------------------------------------------------------------
191 |
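CreateSecurityHubCustomActionTargetLambda:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: CreateSecurityHubCustomActionTargetLambda-ECR
    Description: Custom resource to create an action target in Security Hub
    Handler: index.lambda_handler
    MemorySize: 256
    Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn
    # python3.7 is past end of support in Lambda and new functions can no longer be
    # created on it; cfnresponse is provided by Lambda for inline code on all runtimes.
    Runtime: python3.12
    Timeout: 60
    Environment:
      Variables:
        Region: !Ref 'AWS::Region'
    Code:
      ZipFile: |
        import os

        import boto3
        import cfnresponse

        def lambda_handler(event, context):
            """CloudFormation custom resource managing a Security Hub custom action target.

            Create: creates the target (Name/Description/Id from ResourceProperties) and
                    returns its ARN as the `Arn` attribute.
            Update: no-op, unchanged from the original - a changed Name, Description or
                    Id is NOT applied; replace the resource to change it. The `Arn`
                    attribute is still returned so !GetAtt keeps working after updates.
            Delete: deletes the target. A target that does not exist (for example the
                    rollback after a failed Create, or an out-of-band deletion) is
                    treated as success so stack deletion does not hang on this resource.
            The action target ARN is used as the physical resource id so repeated
            updates do not produce a new id on every invocation.
            """
            region = os.environ['Region']
            client = boto3.client('securityhub', region_name=region)
            properties = event.get('ResourceProperties', {})
            account_id = context.invoked_function_arn.split(":")[4]
            target_arn = f"arn:aws:securityhub:{region}:{account_id}:action/custom/{properties.get('Id', '')}"
            response_data = {}
            try:
                request_type = event['RequestType']
                if request_type == 'Create':
                    response = client.create_action_target(
                        Name=properties['Name'],
                        Description=properties['Description'],
                        Id=properties['Id'],
                    )
                    target_arn = response['ActionTargetArn']
                    response_data['Arn'] = target_arn
                elif request_type == 'Update':
                    response_data['Arn'] = target_arn
                elif request_type == 'Delete':
                    try:
                        client.delete_action_target(ActionTargetArn=target_arn)
                    except client.exceptions.ResourceNotFoundException:
                        print(f"Action target {target_arn} not found; nothing to delete")
                cfnresponse.send(event, context, cfnresponse.SUCCESS, response_data, target_arn)
            except Exception as e:
                print(e)
                cfnresponse.send(event, context, cfnresponse.FAILED, {}, target_arn)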
232 |
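CreateSecurityHubCustomActionTargetLambdaRole:
  # Execution role for the custom-resource function. Grants only the two Security Hub
  # calls the code makes plus CloudWatch Logs for its own log group;
  # cloudwatch:PutMetricData was granted before but never used.
  Type: AWS::IAM::Role
  Properties:
    Policies:
      - PolicyName: CreateActionTarget-LambdaPolicy-ECR
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: logs:CreateLogGroup
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/CreateSecurityHubCustomActionTargetLambda-ECR:*"
            # NOTE(review): left on '*' - verify in the IAM service reference whether
            # these two actions accept an action-target ARN before tightening.
            - Effect: Allow
              Action:
                - securityhub:CreateActionTarget
                - securityhub:DeleteActionTarget
              Resource: '*'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole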
263 |
264 | # -------------------------------------------------------------------------------------------------------------------------------------------------------
265 | # Create Remediation to deny ECR repository access
266 | # -------------------------------------------------------------------------------------------------------------------------------------------------------
267 |
ECRAccessProhibitedRule:
  # Fires when an operator applies the ECR1 custom action to findings in the Security
  # Hub console; the event's detail.findings carries the selected findings, which the
  # target function reads.
  Type: AWS::Events::Rule
  Properties:
    Name: ECRAccessProhibitedRule
    Description: "ECR1 - Deny Access to ECR due to vulnerability assesment"
    EventPattern:
      source: [aws.securityhub]
      detail-type: ["Security Hub Findings - Custom Action"]
      resources:
        - !GetAtt ECRActionTarget.Arn
    State: ENABLED
    Targets:
      - Id: ECR1
        Arn: !GetAtt ECRAccessProhibitedLambda.Arn
288 |
ECRActionTarget:
  # Custom resource backed by CreateSecurityHubCustomActionTargetLambda. Exposes the
  # action target ARN as the Arn attribute used by ECRAccessProhibitedRule.
  Type: Custom::ActionTarget
  Version: 1.0
  Properties:
    ServiceToken:
      Fn::GetAtt:
        - CreateSecurityHubCustomActionTargetLambda
        - Arn
    # Name is what operators see in the console Actions menu; Id becomes the last
    # path segment of the action target ARN (.../action/custom/ECR11).
    Name: ECR1
    Description: Deny Access to ECR
    Id: ECR11
297 |
ECRAccessProhibitedLambdaPermission:
  # Only the ECRAccessProhibitedRule (pinned by SourceArn) may invoke the
  # remediation function.
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    Principal: events.amazonaws.com
    FunctionName: !Ref ECRAccessProhibitedLambda
    SourceArn: !GetAtt ECRAccessProhibitedRule.Arn
309 |
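ECRAccessProhibitedLambda:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: ECRAccessProhibitedLambda
    Description: "ECR1 - Deny Access to ECR due to vulnerability assesment"
    Handler: index.lambda_handler
    MemorySize: 256
    Role: !GetAtt ECRAccessProhibitedLambdaRole.Arn
    # python3.7 is past end of support in Lambda and new functions can no longer be
    # created on it; use a supported runtime.
    Runtime: python3.12
    Timeout: 60
    Code:
      ZipFile: |
        import json

        import boto3

        ecr = boto3.client('ecr')

        DENY_SID = 'deny all'
        # Explicit Deny on the pull actions for every principal, including this
        # account's own roles, until the statement is removed. Pushes (ecr:PutImage)
        # are deliberately left alone, as in the original remediation.
        DENY_STATEMENT = {
            'Sid': DENY_SID,
            'Effect': 'Deny',
            'Principal': '*',
            'Action': [
                'ecr:GetDownloadUrlForLayer',
                'ecr:BatchGetImage',
                'ecr:BatchCheckLayerAvailability',
            ],
        }

        def deny_pulls(repo_name):
            """Add DENY_STATEMENT to repo_name's repository policy.

            The original called set_repository_policy with a fresh document, which
            silently replaced whatever repository policy was already attached. Here
            the existing statements are kept and any earlier copy of our statement
            (same Sid) is replaced so repeated invocations stay idempotent. A
            repository with no policy starts from an empty document.
            """
            try:
                current = json.loads(ecr.get_repository_policy(repositoryName=repo_name)['policyText'])
            except ecr.exceptions.RepositoryPolicyNotFoundException:
                current = {'Version': '2008-10-17', 'Statement': []}
            statements = current.get('Statement', [])
            if isinstance(statements, dict):
                statements = [statements]
            statements = [s for s in statements if s.get('Sid') != DENY_SID]
            statements.append(DENY_STATEMENT)
            current['Statement'] = statements
            current.setdefault('Version', '2008-10-17')
            return ecr.set_repository_policy(repositoryName=repo_name, policyText=json.dumps(current))

        def lambda_handler(event, context):
            """Security Hub custom-action target for ECR1.

            Applies the pull-deny statement to the repository named in
            ProductFields.ECRRepoName of EVERY selected finding (the original only
            handled findings[0], so selecting several findings remediated one).
            Findings without that field - i.e. not produced by the ECR detection
            Lambda - are skipped with a log line. Raises if any repository could not
            be updated, or if no finding carried a repository name at all, so the
            failure is visible in the invocation result.
            """
            findings = event['detail']['findings']
            remediated = []
            failed = []
            for finding in findings:
                repo_name = finding.get('ProductFields', {}).get('ECRRepoName')
                if not repo_name:
                    print(f"Finding {finding.get('Id')} has no ProductFields.ECRRepoName; skipping")
                    continue
                try:
                    deny_pulls(str(repo_name))
                    remediated.append(repo_name)
                    print(f"Applied pull-deny policy to repository {repo_name}")
                except Exception as e:
                    print(e)
                    print(f"Failed to set the repository policy on {repo_name}")
                    failed.append(repo_name)
            if failed:
                raise RuntimeError(f"Remediation failed for: {', '.join(failed)}")
            if not remediated:
                raise ValueError("No selected finding carried ProductFields.ECRRepoName; nothing remediated")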
340 |
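ECRAccessProhibitedLambdaRole:
  # Execution role for ECRAccessProhibitedLambda. The function only reads and writes
  # repository policies, so the earlier grant of ecr:*, ssm:StartAutomationExecution,
  # iam:PassRole and securityhub:UpdateFindings on '*' is dropped: none of it is
  # called, and iam:PassRole on '*' in a Lambda role is a privilege-escalation path
  # for anyone who can change the function code. cloudwatch:PutMetricData was also
  # unused.
  Type: AWS::IAM::Role
  Properties:
    Policies:
      - PolicyName: ECRAccessProhibitedLambdaPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: logs:CreateLogGroup
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/ECRAccessProhibitedLambda:*"
            # Any repository in this account/region may be quarantined; the
            # repository name comes from the finding selected by the operator.
            - Effect: Allow
              Action:
                - ecr:GetRepositoryPolicy
                - ecr:SetRepositoryPolicy
              Resource: !Sub "arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole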
373 |
--------------------------------------------------------------------------------
/aws-ecr-continuouscompliance/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-ecr-continuouscompliance/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | ## AWS GuardDuty Detection with AWS Security Hub Remediation
6 |
7 | 1. AWS GuardDuty **Detects** Findings; AWS Security Hub **Remediates** those findings.
8 | 2. **AWS GuardDuty** - Provides automated finding generation for EC2 malicious IP, EC2 brute-force attacks and non-compliant IAM password policy changes. Can be extended to any GuardDuty EC2 or IAM related threat finding.
9 | 3. **AWS Security Hub** - Automated Remediations for AWS GuardDuty Findings with AWS Security Hub Custom Actions
10 |
11 | ## How it Works
12 |
13 | 1. Automated - Automated Attack generation for EC2 Malicious IP and Brute Force Attacks.
14 | 2. User Generated - Update Password Policy to a non CIS compliant password policy.
15 | 3. AWS GuardDuty detects and sends findings to AWS Security Hub
16 | 4. AWS Security Hub Custom Actions are provisioned by the CloudFormation template. Remediate GD Findings based on user action
17 |
18 | ## Solution Design
19 |
20 | 
21 |
22 |
23 | ## How To Install -
24 |
25 | 0. Step 0 - Pre-req: 1) Enable GuardDuty and Security Hub from the AWS Console. 2) Create an EC2 Key Pair.
26 |
27 | 1. **Template 1 of 2:** vpc-setup-v1.json
28 | * 1-click install. No parameters needed.
29 | * Provisions a multiple VPC environment to provide an AWS environment with built-in security groups and networking
30 |
31 |
32 | 2. **Template 2 of 2:** aws-guarddutydetect-securityhubremediate-v1.yml
33 | * 1-click install. Enter the EC2 key pair and the e-mail address that should receive the SNS notifications (the subscription must be confirmed from that mailbox).
34 | * After the install: add the Elastic IP of the EC2 instance in VPC3 to a text-based threat list, upload the list to the provisioned S3 bucket, and register the object's S3 URL as a GuardDuty threat list.
35 |
36 |
37 |
38 | ## @kmmahaj
39 |
40 |
41 |
42 |
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/cft/aws-guarddutydetect-securityhubremediate-v1.yml:
--------------------------------------------------------------------------------
1 | ---
2 | AWSTemplateFormatVersion: '2010-09-09'
3 | Description: GuardDuty for EC2 and IAM with Security Hub
4 |
5 | # ---------------------------------------------------------------------------------------------------------------
6 | # CloudFormation Template 2 of 2
7 | #
8 | # GuardDuty detects EC2 and IAM attacks. Security Hub Remediates.
9 | #
10 | # EC2 Recon Attack, EC2 Malicious IP and IAM Password Policy change with AWS GuardDuty.
11 | # Can be extended for any GuardDuty EC2 or IAM related threat findings
12 | # Also automates GuardDuty Finding generation
13 | #
14 | # Automated Remediations for GuardDuty for EC2 and IAM using AWS Security Hub
15 | #
16 | #
17 | # @kmmahaj
18 | ##
19 | ## License:
20 | ## This code is made available under the MIT-0 license. See the LICENSE file.
21 | # ----------------------------------------------------------------------------------------------------------------
22 |
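Parameters:
  KeyName:
    Description: EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName
  EmailAddress:
    Type: String
    Description: E-mail address subscribed to the SNS topic that receives the GuardDuty notifications; the subscription must be confirmed from that mailbox
    # Deliberately no Default. The original shipped the author's personal mailbox as
    # the default, so a deployment that did not override it sent this account's
    # GuardDuty alerts to a third party (and published that address in every copy of
    # the template). Deployers must now supply the address explicitly.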
Mappings:
  # Amazon Linux AMI ids per region; presumably referenced with FindInMap by EC2
  # resources outside this view.
  # NOTE(review): these are pinned image ids and will age out (no patches after the
  # snapshot date) and only four us-* regions are covered. An SSM public parameter
  # of type AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> (the
  # /aws/service/ami-amazon-linux-latest/ namespace) keeps the stack on a maintained
  # image in any region without editing this map.
  RegionMap:
    us-east-2:
      "AMALINUX" : "ami-0e01ce4ee18447327"
    us-east-1:
      "AMALINUX" : "ami-0fc61db8544a617ed"
    us-west-1:
      "AMALINUX" : "ami-09a7fe78668f1e2c0"
    us-west-2:
      "AMALINUX" : "ami-0ce21b51cb31a48b8"
41 |
42 | Resources:
43 |
44 | # -----------------------------------------------------------------------------------------------------------------------
45 | # GuardDuty Setup
46 | # Provisions GuardDuty CW Events, Remediation Lambdas, SNS topic and Associated Roles
47 | #
48 | # .......................................................................................................................
49 |
50 | # GuardDuty CloudWatch Event - For GuardDuty Finding: Stealth:IAMUser/PasswordPolicyChange
GuardDutyIAMEvent:
  Type: AWS::Events::Rule
  DependsOn:
    - GuardDutyRemediationIAMLambda
    - SnsTopic
  Properties:
    Name: GuardDuty-IAM-Finding
    Description: GuardDuty IAM Event
    # Matches the GuardDuty finding type for an IAM password-policy change and
    # publishes the finding to the SNS topic.
    EventPattern:
      source: [aws.guardduty]
      detail:
        type: [Stealth:IAMUser/PasswordPolicyChange]
    State: ENABLED
    Targets:
      - Id: GuardDutyIAMEvent-SNS-Trigger
        Arn: !Ref SnsTopic
70 |
71 |
72 | # GuardDuty CloudWatch Event - For GuardDuty Finding: Recon:EC2/Portscan
GuardDutyEC2Event:
  Type: AWS::Events::Rule
  DependsOn:
    - SnsTopic
  Properties:
    Name: GuardDuty-EC2-Finding
    Description: GuardDuty EC2 Event
    # Matches the GuardDuty port-scan finding type for EC2 and publishes the finding
    # to the SNS topic.
    EventPattern:
      source: [aws.guardduty]
      detail:
        type: [Recon:EC2/Portscan]
    State: ENABLED
    Targets:
      - Id: GuardDutyEC2Event-SNS-Trigger
        Arn: !Ref SnsTopic
91 |
SnsTopic:
  # Notification topic targeted by the two GuardDuty event rules above.
  # NOTE(review): the topic has no KmsMasterKeyId, so messages are not encrypted at
  # rest. Enabling it needs a customer-managed key whose key policy lets
  # events.amazonaws.com use it; with the AWS-managed alias/aws/sns key EventBridge
  # cannot publish and deliveries are dropped.
  Type: AWS::SNS::Topic
SnsSubscription:
  # E-mail subscription for the EmailAddress parameter; the recipient has to confirm
  # the subscription before any notification is delivered.
  Type: AWS::SNS::Subscription
  Properties:
    Protocol: email
    Endpoint: !Ref EmailAddress
    TopicArn: !Ref SnsTopic
100 |
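EventTopicPolicy:
  # Lets EventBridge publish to the topic. The original allowed the
  # events.amazonaws.com service principal on Resource '*' with no condition, which
  # is a confused-deputy opening: an EventBridge rule in ANY AWS account that learns
  # the topic ARN could publish into it. The grant is now limited to this topic and
  # to rules owned by this account/region.
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: AllowEventBridgeRulesInThisAccount
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sns:Publish
          Resource: !Ref SnsTopic
          # aws:SourceArn is set by EventBridge to the invoking rule's ARN.
          # NOTE(review): if e-mails stop arriving after deployment, check the SNS
          # delivery logs before loosening this condition.
          Condition:
            ArnLike:
              aws:SourceArn: !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"
    Topics:
      - !Ref SnsTopic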
113 |
114 | # S3 Threat List Bucket for GuardDuty
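GDThreatListBucket:
  # Holds the threat-list text file that is registered with GuardDuty after install.
  Type: AWS::S3::Bucket
  Properties:
    BucketName: !Sub "s3-gd-${AWS::AccountId}-${AWS::Region}"
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
    # ACLs are disabled (BucketOwnerEnforced) in place of the legacy AccessControl
    # canned ACL the original set: nothing here needs ACL-based access, and with ACLs
    # off the bucket's access is governed by IAM and bucket policy alone.
    # NOTE(review): an AWS::S3::BucketPolicy denying aws:SecureTransport=false would
    # additionally force TLS for uploads of the list.
    OwnershipControls:
      Rules:
        - ObjectOwnership: BucketOwnerEnforced
    LifecycleConfiguration:
      Rules:
        - AbortIncompleteMultipartUpload:
            DaysAfterInitiation: 3
          NoncurrentVersionExpirationInDays: 3
          Status: Enabled
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
    Tags:
      - Key: Description
        Value: S3 Bucket for GD Threat List
    VersioningConfiguration:
      Status: Enabled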
142 |
143 |
144 | # -------------------------------------------------------------------------------------------------------------------------------------------------------
145 | # 3. Create Remediation in Security Hub
146 | # -------------------------------------------------------------------------------------------------------------------------------------------------------
147 |
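CreateSecurityHubCustomActionTargetLambda:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: CreateSecurityHubCustomActionTargetLambda-GuardDuty
    Description: Custom resource to create an action target in Security Hub
    Handler: index.lambda_handler
    MemorySize: 256
    Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn
    # python3.7 is past end of support in Lambda and new functions can no longer be
    # created on it; cfnresponse is provided by Lambda for inline code on all runtimes.
    Runtime: python3.12
    Timeout: 60
    Environment:
      Variables:
        Region: !Ref 'AWS::Region'
    Code:
      ZipFile: |
        import os

        import boto3
        import cfnresponse

        def lambda_handler(event, context):
            """CloudFormation custom resource managing a Security Hub custom action target.

            Create: creates the target (Name/Description/Id from ResourceProperties) and
                    returns its ARN as the `Arn` attribute.
            Update: no-op, unchanged from the original - a changed Name, Description or
                    Id is NOT applied; replace the resource to change it. The `Arn`
                    attribute is still returned so !GetAtt keeps working after updates.
            Delete: deletes the target. A target that does not exist (for example the
                    rollback after a failed Create, or an out-of-band deletion) is
                    treated as success so stack deletion does not hang on this resource.
            The action target ARN is used as the physical resource id so repeated
            updates do not produce a new id on every invocation.
            """
            region = os.environ['Region']
            client = boto3.client('securityhub', region_name=region)
            properties = event.get('ResourceProperties', {})
            account_id = context.invoked_function_arn.split(":")[4]
            target_arn = f"arn:aws:securityhub:{region}:{account_id}:action/custom/{properties.get('Id', '')}"
            response_data = {}
            try:
                request_type = event['RequestType']
                if request_type == 'Create':
                    response = client.create_action_target(
                        Name=properties['Name'],
                        Description=properties['Description'],
                        Id=properties['Id'],
                    )
                    target_arn = response['ActionTargetArn']
                    response_data['Arn'] = target_arn
                elif request_type == 'Update':
                    response_data['Arn'] = target_arn
                elif request_type == 'Delete':
                    try:
                        client.delete_action_target(ActionTargetArn=target_arn)
                    except client.exceptions.ResourceNotFoundException:
                        print(f"Action target {target_arn} not found; nothing to delete")
                cfnresponse.send(event, context, cfnresponse.SUCCESS, response_data, target_arn)
            except Exception as e:
                print(e)
                cfnresponse.send(event, context, cfnresponse.FAILED, {}, target_arn)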
188 |
189 | CreateSecurityHubCustomActionTargetLambdaRole:
190 | Type: AWS::IAM::Role
191 | Properties:
192 | Policies:
193 | - PolicyName: CreateActionTarget-LambdaPolicy-GuardDuty
194 | PolicyDocument:
195 | Version: 2012-10-17
196 | Statement:
197 | - Effect: Allow
198 | Action:
199 | - cloudwatch:PutMetricData
200 | Resource: '*'
201 | - Effect: Allow
202 | Action:
203 | - logs:CreateLogGroup
204 | - logs:CreateLogStream
205 | - logs:PutLogEvents
206 | Resource: '*'
207 | - Effect: Allow
208 | Action:
209 | - securityhub:CreateActionTarget
210 | - securityhub:DeleteActionTarget
211 | Resource: '*'
212 | AssumeRolePolicyDocument:
213 | Version: 2012-10-17
214 | Statement:
215 | - Effect: Allow
216 | Principal: { Service: lambda.amazonaws.com }
217 | Action:
218 | - sts:AssumeRole
219 |
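# -------------------------------------------------------------------------------------------------------------------------------------------------------
# Create Security Hub Remediation to Block Malicious EC2
#
# Security Hub custom action GDRemeEC2 -> EventBridge rule -> GDEC2RemediateLambda.
# The function stops the lab instance EC2VPC1, whose id is injected through the
# INSTANCE_ID environment variable; the resource named in the selected finding
# is logged but not acted on.
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  GDEC2RemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDEC2RemediateRule
      Description: "GD-RemeEC2 - Stop or Quarantine Malicious EC2"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDEC2ActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GDEC2RemediateLambda.Arn
          Id: "GDRemeEC2"

  GDEC2ActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeEC2
      Description: Stop or Quarantine Malicious EC2
      Id: GDRemeEC2

  GDEC2RemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GDEC2RemediateLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      # Only this rule may invoke the function.
      SourceArn: !GetAtt GDEC2RemediateRule.Arn

  GDEC2RemediateLambda:
    DependsOn:
      - EC2VPC1
      - GDEC2RemediateLambdaRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Environment:
        Variables:
          INSTANCE_ID: !Ref EC2VPC1
      Role: !GetAtt GDEC2RemediateLambdaRole.Arn
      Code:
        ZipFile: |
          from botocore.exceptions import ClientError
          import boto3
          import json
          import os

          def handler(event, context):
              """Stop the instance named by INSTANCE_ID for the custom action.

              Returns the StopInstances response. A ClientError is logged and
              re-raised so the invocation is recorded as failed; the original
              printed the error and then hit an unbound `response`, which also
              failed but with a misleading NameError.
              """
              instanceID = os.environ['INSTANCE_ID']
              # Audit trail: which finding(s) triggered this stop.
              findings = event.get('detail', {}).get('findings', [])
              print(json.dumps({
                  'action': 'stop_instances',
                  'instance_id': instanceID,
                  'finding_ids': [f.get('Id') for f in findings],
              }))
              ec2 = boto3.client('ec2')
              try:
                  response = ec2.stop_instances(InstanceIds=[instanceID])
              except ClientError as e:
                  print(e)
                  raise
              return response
      Runtime: "python3.12"
      Timeout: 35

  GDEC2RemediateLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege in place of AmazonEC2FullAccess + CloudWatchLogsFullAccess:
      # the function only stops EC2VPC1 and writes its own logs. If a quarantine
      # step (e.g. moving the instance to SGEC2VPC1LockDown) is added later, the
      # EC2 actions it needs must be added here as well.
      Policies:
        - PolicyName: GDEC2RemediateLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:StopInstances
                Resource: !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${EC2VPC1}"
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"

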
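# -------------------------------------------------------------------------------------------------------------------------------------------------------
# Create Security Hub Remediation to Update IAM Password Policy
#
# Security Hub custom action GDRemeIAM -> EventBridge rule -> GuardDutyRemediationIAMLambda,
# which resets the account password policy to the baseline embedded in the code.
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  GDIAMRemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDIAMRemediateRule
      Description: "GD-RemeIAM - Update Password Policy"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDIAMActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GuardDutyRemediationIAMLambda.Arn
          Id: "GDRemeIAM"

  GDIAMActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeIAM
      Description: Update Password Policy
      Id: GDRemeIAM

  GDIAMRemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GuardDutyRemediationIAMLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      # Only this rule may invoke the function.
      SourceArn: !GetAtt GDIAMRemediateRule.Arn

  # Remediation Lambda - IAM
  GuardDutyRemediationIAMLambda:
    DependsOn:
      - GuardDutyRemediationLambdaIAMRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Role: !GetAtt GuardDutyRemediationLambdaIAMRole.Arn
      Code:
        ZipFile: |
          from botocore.exceptions import ClientError
          import boto3
          import json

          # Baseline applied by the remediation (values unchanged from the
          # original handler). HardExpiry=True means a user whose password has
          # expired cannot reset it themselves; an administrator must do it.
          PASSWORD_POLICY = dict(
              AllowUsersToChangePassword=True,
              HardExpiry=True,
              MaxPasswordAge=90,
              MinimumPasswordLength=14,
              PasswordReusePrevention=24,
              RequireLowercaseCharacters=True,
              RequireNumbers=True,
              RequireSymbols=True,
              RequireUppercaseCharacters=True,
          )

          def handler(event, context):
              """Reset the account password policy to PASSWORD_POLICY.

              Returns the UpdateAccountPasswordPolicy response. A ClientError
              is logged and re-raised so the invocation is recorded as failed;
              the original printed the error and then returned an unbound
              `response`, which failed with a misleading NameError.
              """
              findings = event.get('detail', {}).get('findings', [])
              print(json.dumps({
                  'action': 'update_account_password_policy',
                  'finding_ids': [f.get('Id') for f in findings],
              }))
              iam = boto3.client('iam')
              try:
                  response = iam.update_account_password_policy(**PASSWORD_POLICY)
              except ClientError as e:
                  print(e)
                  raise
              return response
      Runtime: "python3.12"
      Timeout: 35

  # Remediation Lambda - IAM Role
  GuardDutyRemediationLambdaIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege in place of IAMFullAccess + CloudWatchLogsFullAccess.
      # The account password policy is not an ARN-addressable resource, so '*'
      # is the only valid Resource for UpdateAccountPasswordPolicy.
      Policies:
        - PolicyName: GDIAMRemediateLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:UpdateAccountPasswordPolicy
                Resource: '*'
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
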
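# -----------------------------------------------------------------------------------------------------------------------
# EC2 Set up
# Provisions EC2 instances in the relevant subnets and associated security groups for VPC1 and VPC3
# with ssh and icmp access.
# User Data on EC2VPC1 is self contained: it port-scans EIPEC2VPC3 so GuardDuty
# raises Recon:EC2/Portscan for this lab.
# .......................................................................................................................

  EIPEC2VPC3:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref EC2VPC3
      Domain: vpc

  EC2VPC1:
    Type: "AWS::EC2::Instance"
    DependsOn:
      - SGEC2VPC1
      - EIPEC2VPC3
      - EC2VPC1InstanceProfile
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
      InstanceType: t2.micro
      IamInstanceProfile: !Ref EC2VPC1InstanceProfile
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: SGEC2VPC1
          SubnetId: !ImportValue subnetvpc1
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -ex

            # Start SSM Agent (Amazon Linux 2 AMIs ship it; this pulls the latest RPM over HTTPS)
            sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

            # Install pre-reqs
            export PATH=$PATH:/usr/local/bin:/usr/sbin:/root/.local/bin
            echo 'export PATH=/root/.local/bin:/usr/sbin:$PATH' >> /home/ec2-user/.profile
            sudo yum update -y
            sudo yum install -y nmap git python python2-pip python-argparse gcc gcc-c++ glib2-devel

            # Create findings file and generate finding.
            # The original used `cat <>`, which opens the file read/write instead
            # of starting a heredoc: the loop body ran inline, the stray `EOF`
            # line aborted the script under -e, and the file stayed empty.
            # ${IP} is substituted by Fn::Sub before the script runs, so the
            # quoted heredoc delimiter is safe.
            cat <<'EOF' > /home/ec2-user/gd-portscan.sh
            #!/bin/bash
            for j in {1..10}
            do
            sudo nmap -sT ${IP}
            done
            EOF

            chmod +x /home/ec2-user/gd-portscan.sh
            chown ec2-user:ec2-user /home/ec2-user/gd-portscan.sh
            # Absolute path: user data does not run from /home/ec2-user.
            /home/ec2-user/gd-portscan.sh
          - Profile:
              !Ref EC2VPC1InstanceProfile
            Region:
              !Ref "AWS::Region"
            IP:
              !Ref EIPEC2VPC3

  EC2VPC3:
    Type: "AWS::EC2::Instance"
    DependsOn:
      - SGEC2VPC3
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: SGEC2VPC3
          SubnetId: !ImportValue subnetvpc3

  EC2VPC1InstanceProfile:
    DependsOn:
      - EC2VPC1Role
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2VPC1Role

  # Instance role for EC2VPC1.
  # NOTE(review): this instance is deliberately noisy (port scans) and reachable
  # on 22/tcp from 0.0.0.0/0 via SGEC2VPC1, yet its role carries iam:*, dynamodb:*
  # and s3:* on '*'. The user data above uses none of them; anyone who gets a
  # shell on the instance inherits full IAM control of the account. Confirm
  # which lab steps need these statements and scope them (e.g. s3 to the
  # threat-list bucket) before deploying outside a throwaway account.
  EC2VPC1Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      Policies:
        - PolicyName: GuardDutyPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - guardduty:GetDetector
                  - guardduty:ListDetectors
                  - guardduty:CreateThreatIntelSet
                  - guardduty:UpdateThreatIntelSet
                Resource: '*'
              - Effect: Allow
                Action:
                  - ssm:PutParameter
                  - ssm:DescribeParameters
                  - ssm:GetParameters
                  - ssm:DeleteParameter
                Resource: '*'
              - Effect: Allow
                Action:
                  - iam:*
                Resource: '*'
              - Effect: Allow
                Action:
                  - dynamodb:*
                Resource: '*'
              - Effect: Allow
                Action: s3:*
                Resource: '*'
              # Same ARN the original built with Fn::Join on ':'.
              - Effect: Allow
                Action:
                  - iam:PutRolePolicy
                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/guardduty.amazonaws.com/*"

  # NOTE(review): SSH from 0.0.0.0/0 on both lab instances. The port scan that
  # generates the finding is detected from EC2VPC1's own outbound traffic and
  # does not require the target to accept the connection, so this ingress can
  # be narrowed to the operator's address range without breaking the lab.
  SGEC2VPC1:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
      VpcId: !ImportValue vpc1id
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: 0.0.0.0/0
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"

  # Quarantine group: ICMP only, within VPC1. Not referenced by any resource in
  # this template; intended for the "quarantine" variant of GDEC2RemediateLambda.
  SGEC2VPC1LockDown:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
      VpcId: !ImportValue vpc1id
      SecurityGroupIngress:
        - CidrIp: 10.10.0.0/16
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 10.10.0.0/16
          FromPort: "-1"
          ToPort: "-1"
          IpProtocol: icmp

  SGEC2VPC3:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC3"]]
      VpcId: !ImportValue vpc3id
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        - CidrIp: 0.0.0.0/0
          IpProtocol: icmp
          ToPort: "-1"
          FromPort: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"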
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/cft/aws-guarddutydetect-securityhubremediate.yml:
--------------------------------------------------------------------------------
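---
AWSTemplateFormatVersion: '2010-09-09'
Description: GuardDuty for EC2 and IAM with Security Hub

# ---------------------------------------------------------------------------------------------------------------
# CloudFormation Template 2 of 2
#
# GuardDuty detects EC2 and IAM attacks. Security Hub remediates.
#
# EC2 Recon Attack, EC2 Malicious IP and IAM Password Policy change with AWS GuardDuty.
# Can be extended for any GuardDuty EC2 or IAM related threat findings.
# Also automates GuardDuty Finding generation.
#
# Automated Remediations for GuardDuty for EC2 and IAM using AWS Security Hub
#
#
# @kmmahaj
##
## License:
## This code is made available under the MIT-0 license. See the LICENSE file.
# ----------------------------------------------------------------------------------------------------------------

Parameters:
  KeyName:
    Description: EC2 Key Pair
    Type: "AWS::EC2::KeyPair::KeyName"
  EmailAddress:
    Description: Email address for receiving alerts.
    Type: String
    AllowedPattern: ".+"
  LatestAWSLinuxAmiId:
    Description: SSM public parameter that resolves to the current Amazon Linux 2 AMI for the region.
    # Typed SSM parameter: CloudFormation validates that the resolved value is an AMI id.
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
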
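Resources:

  # -----------------------------------------------------------------------------------------------------------------------
  # GuardDuty Setup
  # Provisions GuardDuty CW Events, Remediation Lambdas, SNS topic and Associated Roles
  #
  # .......................................................................................................................

  # GuardDuty CloudWatch Event - For GuardDuty Finding: Stealth:IAMUser/PasswordPolicyChange
  # (the rule only notifies; remediation is triggered from Security Hub below)
  GuardDutyIAMEvent:
    DependsOn:
      - SnsTopic
    Type: AWS::Events::Rule
    Properties:
      Name: GuardDuty-IAM-Finding
      Description: "GuardDuty IAM Event"
      EventPattern:
        source:
          - aws.guardduty
        detail:
          type:
            - Stealth:IAMUser/PasswordPolicyChange
      State: ENABLED
      Targets:
        - Arn: !Ref SnsTopic
          Id: "GuardDutyIAMEvent-SNS-Trigger"

  # GuardDuty CloudWatch Event - For GuardDuty Finding: Recon:EC2/Portscan
  GuardDutyEC2Event:
    DependsOn:
      - SnsTopic
    Type: AWS::Events::Rule
    Properties:
      Name: GuardDuty-EC2-Finding
      Description: "GuardDuty EC2 Event"
      EventPattern:
        source:
          - aws.guardduty
        detail:
          type:
            - Recon:EC2/Portscan
      State: ENABLED
      Targets:
        - Arn: !Ref SnsTopic
          Id: "GuardDutyEC2Event-SNS-Trigger"

  # Alert topic. Left unencrypted on purpose: EventBridge cannot publish to a
  # topic encrypted with the AWS-managed SNS key; enabling KmsMasterKeyId needs
  # a customer-managed key whose key policy allows events.amazonaws.com.
  SnsTopic:
    Type: "AWS::SNS::Topic"

  SnsSubscription:
    Type: "AWS::SNS::Subscription"
    Properties:
      Endpoint: !Ref EmailAddress
      Protocol: "email"
      TopicArn: !Ref SnsTopic

  # Lets EventBridge publish to the topic. Resource is the topic itself rather
  # than '*' so the statement cannot be reused for other topics. A further
  # aws:SourceArn condition on the two rule ARNs would pin it to these rules.
  EventTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource: !Ref SnsTopic
      Topics:
        - !Ref SnsTopic

  # S3 Threat List Bucket for GuardDuty.
  # ACLs are disabled (BucketOwnerEnforced) instead of the legacy AccessControl
  # ACL: the bucket owner owns every object, which is what BucketOwnerFullControl
  # was trying to express, and new buckets reject ACLs by default anyway.
  GDThreatListBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "s3-gd-${AWS::AccountId}-${AWS::Region}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      LifecycleConfiguration:
        Rules:
          - AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 3
            NoncurrentVersionExpirationInDays: 3
            Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Description
          Value: S3 Bucket for GD Threat List
      VersioningConfiguration:
        Status: Enabled

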
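# -------------------------------------------------------------------------------------------------------------------------------------------------------
# 3. Create Remediation in Security Hub
#
# Custom resource that registers a Security Hub custom action target.
# The handler covers Create, Update and Delete and reports the action-target
# ARN as PhysicalResourceId. cfnresponse's default PhysicalResourceId is the
# log stream name, which differs between invocations; on a stack update that
# looks like a replacement and CloudFormation then deletes the "old" target.
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  CreateSecurityHubCustomActionTargetLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CreateSecurityHubCustomActionTargetLambda-GuardDuty
      Description: Custom resource to create an action target in Security Hub
      Handler: index.lambda_handler
      MemorySize: 256
      Role: !GetAtt CreateSecurityHubCustomActionTargetLambdaRole.Arn
      # python3.7 is end-of-life in Lambda; functions can no longer be created on it.
      Runtime: python3.12
      Timeout: 60
      Environment:
        Variables:
          Region: !Ref 'AWS::Region'
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          import os

          def _target_arn(context, region, target_id):
              """Build the custom action target ARN.

              Partition and account id are taken from the function's own ARN
              so the hard-coded 'aws' partition of the original is not assumed.
              """
              parts = context.invoked_function_arn.split(":")
              partition, account_id = parts[1], parts[4]
              return f"arn:{partition}:securityhub:{region}:{account_id}:action/custom/{target_id}"

          def lambda_handler(event, context):
              """CloudFormation custom-resource handler for Custom::ActionTarget.

              Create -> securityhub:CreateActionTarget, Data.Arn = returned ARN.
              Update -> no API call (Name/Description changes are not applied);
                        Data.Arn is re-returned so !GetAtt keeps resolving.
              Delete -> securityhub:DeleteActionTarget; a target that no longer
                        exists is treated as already deleted so a failed Create
                        does not leave the stack stuck in DELETE_FAILED.
              Any other exception is reported as FAILED.
              """
              try:
                  properties = event['ResourceProperties']
                  region = os.environ['Region']
                  client = boto3.client('securityhub', region_name=region)
                  arn = _target_arn(context, region, properties['Id'])
                  responseData = {'Arn': arn}
                  request_type = event['RequestType']
                  if request_type == 'Create':
                      response = client.create_action_target(
                          Name=properties['Name'],
                          Description=properties['Description'],
                          Id=properties['Id']
                      )
                      responseData['Arn'] = response['ActionTargetArn']
                  elif request_type == 'Delete':
                      try:
                          client.delete_action_target(ActionTargetArn=arn)
                      except client.exceptions.ResourceNotFoundException as e:
                          print(f"action target already absent: {e}")
                  # The ARN is a stable PhysicalResourceId across invocations.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData, arn)
              except Exception as e:
                  print(e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {})

  CreateSecurityHubCustomActionTargetLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: CreateActionTarget-LambdaPolicy-GuardDuty
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Scoped to this function's own log group (FunctionName is fixed above).
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/CreateSecurityHubCustomActionTargetLambda-GuardDuty:*"
              # Custom action targets live under action/custom/<Id>; the handler
              # never touches any other Security Hub resource.
              # cloudwatch:PutMetricData from the original policy was dropped:
              # the handler does not publish metrics.
              - Effect: Allow
                Action:
                  - securityhub:CreateActionTarget
                  - securityhub:DeleteActionTarget
                Resource: !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:action/custom/*"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action:
              - sts:AssumeRole
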
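# -------------------------------------------------------------------------------------------------------------------------------------------------------
# Create Security Hub Remediation to Block Malicious EC2
#
# Security Hub custom action GDRemeEC2 -> EventBridge rule -> GDEC2RemediateLambda.
# The function stops the lab instance EC2VPC1, whose id is injected through the
# INSTANCE_ID environment variable; the resource named in the selected finding
# is logged but not acted on.
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  GDEC2RemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDEC2RemediateRule
      Description: "GD-RemeEC2 - Stop or Quarantine Malicious EC2"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDEC2ActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GDEC2RemediateLambda.Arn
          Id: "GDRemeEC2"

  GDEC2ActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeEC2
      Description: Stop or Quarantine Malicious EC2
      Id: GDRemeEC2

  GDEC2RemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GDEC2RemediateLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      # Only this rule may invoke the function.
      SourceArn: !GetAtt GDEC2RemediateRule.Arn

  GDEC2RemediateLambda:
    DependsOn:
      - EC2VPC1
      - GDEC2RemediateLambdaRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Environment:
        Variables:
          INSTANCE_ID: !Ref EC2VPC1
      Role: !GetAtt GDEC2RemediateLambdaRole.Arn
      Code:
        ZipFile: |
          from botocore.exceptions import ClientError
          import boto3
          import json
          import os

          def handler(event, context):
              """Stop the instance named by INSTANCE_ID for the custom action.

              Returns the StopInstances response. A ClientError is logged and
              re-raised so the invocation is recorded as failed; the original
              printed the error and then hit an unbound `response`, which also
              failed but with a misleading NameError.
              """
              instanceID = os.environ['INSTANCE_ID']
              # Audit trail: which finding(s) triggered this stop.
              findings = event.get('detail', {}).get('findings', [])
              print(json.dumps({
                  'action': 'stop_instances',
                  'instance_id': instanceID,
                  'finding_ids': [f.get('Id') for f in findings],
              }))
              ec2 = boto3.client('ec2')
              try:
                  response = ec2.stop_instances(InstanceIds=[instanceID])
              except ClientError as e:
                  print(e)
                  raise
              return response
      Runtime: "python3.12"
      Timeout: 35

  GDEC2RemediateLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege in place of AmazonEC2FullAccess + CloudWatchLogsFullAccess:
      # the function only stops EC2VPC1 and writes its own logs. If a quarantine
      # step (e.g. moving the instance to SGEC2VPC1LockDown) is added later, the
      # EC2 actions it needs must be added here as well.
      Policies:
        - PolicyName: GDEC2RemediateLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:StopInstances
                Resource: !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/${EC2VPC1}"
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"

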
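# -------------------------------------------------------------------------------------------------------------------------------------------------------
# Create Security Hub Remediation to Update IAM Password Policy
#
# Security Hub custom action GDRemeIAM -> EventBridge rule -> GuardDutyRemediationIAMLambda,
# which resets the account password policy to the baseline embedded in the code.
# -------------------------------------------------------------------------------------------------------------------------------------------------------

  GDIAMRemediateRule:
    Type: AWS::Events::Rule
    Properties:
      Name: GDIAMRemediateRule
      Description: "GD-RemeIAM - Update Password Policy"
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Custom Action
        resources:
          - !GetAtt GDIAMActionTarget.Arn
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt GuardDutyRemediationIAMLambda.Arn
          Id: "GDRemeIAM"

  GDIAMActionTarget:
    Type: Custom::ActionTarget
    Version: 1.0
    Properties:
      ServiceToken: !GetAtt CreateSecurityHubCustomActionTargetLambda.Arn
      Name: GDRemeIAM
      Description: Update Password Policy
      Id: GDRemeIAM

  GDIAMRemediateLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GuardDutyRemediationIAMLambda
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      # Only this rule may invoke the function.
      SourceArn: !GetAtt GDIAMRemediateRule.Arn

  # Remediation Lambda - IAM
  GuardDutyRemediationIAMLambda:
    DependsOn:
      - GuardDutyRemediationLambdaIAMRole
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Role: !GetAtt GuardDutyRemediationLambdaIAMRole.Arn
      Code:
        ZipFile: |
          from botocore.exceptions import ClientError
          import boto3
          import json

          # Baseline applied by the remediation (values unchanged from the
          # original handler). HardExpiry=True means a user whose password has
          # expired cannot reset it themselves; an administrator must do it.
          PASSWORD_POLICY = dict(
              AllowUsersToChangePassword=True,
              HardExpiry=True,
              MaxPasswordAge=90,
              MinimumPasswordLength=14,
              PasswordReusePrevention=24,
              RequireLowercaseCharacters=True,
              RequireNumbers=True,
              RequireSymbols=True,
              RequireUppercaseCharacters=True,
          )

          def handler(event, context):
              """Reset the account password policy to PASSWORD_POLICY.

              Returns the UpdateAccountPasswordPolicy response. A ClientError
              is logged and re-raised so the invocation is recorded as failed;
              the original printed the error and then returned an unbound
              `response`, which failed with a misleading NameError.
              """
              findings = event.get('detail', {}).get('findings', [])
              print(json.dumps({
                  'action': 'update_account_password_policy',
                  'finding_ids': [f.get('Id') for f in findings],
              }))
              iam = boto3.client('iam')
              try:
                  response = iam.update_account_password_policy(**PASSWORD_POLICY)
              except ClientError as e:
                  print(e)
                  raise
              return response
      Runtime: "python3.12"
      Timeout: 35

  # Remediation Lambda - IAM Role
  GuardDutyRemediationLambdaIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Least privilege in place of IAMFullAccess + CloudWatchLogsFullAccess.
      # The account password policy is not an ARN-addressable resource, so '*'
      # is the only valid Resource for UpdateAccountPasswordPolicy.
      Policies:
        - PolicyName: GDIAMRemediateLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:UpdateAccountPasswordPolicy
                Resource: '*'
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
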
#------------------------------------------------------------------------------------------------------
# VPC Set up
# Two isolated VPCs (10.10.0.0/16 and 10.11.0.0/16), each with one public /20
# subnet in the first AZ, an internet gateway and a default route through it.
#------------------------------------------------------------------------------------------------------

  vpc1:
    Type: AWS::EC2::VPC
    DependsOn:
      - igw1
    Properties:
      EnableDnsHostnames: true
      EnableDnsSupport: true
      CidrBlock: 10.10.0.0/16

  igw1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: IGW1

  igwattach1:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: vpc1
      InternetGatewayId:
        Ref: igw1

  # Public subnet for VPC1 (instances get a public IP at launch).
  subnetvpc1:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: true
      CidrBlock: 10.10.0.0/20
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      VpcId:
        Ref: vpc1

  rtablesubnetvpc1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: vpc1

  # Default route to the internet; the attachment must exist first.
  rtpublicvpc1:
    Type: AWS::EC2::Route
    DependsOn: igwattach1
    Properties:
      GatewayId:
        Ref: igw1
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId:
        Ref: rtablesubnetvpc1

  subnetvpc1rtable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: subnetvpc1
      RouteTableId:
        Ref: rtablesubnetvpc1

  vpc3:
    Type: AWS::EC2::VPC
    DependsOn:
      - igw3
    Properties:
      EnableDnsHostnames: true
      EnableDnsSupport: true
      CidrBlock: 10.11.0.0/16

  igw3:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: IGW3

  igwattach3:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: vpc3
      InternetGatewayId:
        Ref: igw3

  # Public subnet for VPC3 (instances get a public IP at launch).
  subnetvpc3:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: true
      CidrBlock: 10.11.0.0/20
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      VpcId:
        Ref: vpc3

  rtablesubnetvpc3:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: vpc3

  # Default route to the internet; the attachment must exist first.
  rtpublicvpc3:
    Type: AWS::EC2::Route
    DependsOn: igwattach3
    Properties:
      GatewayId:
        Ref: igw3
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId:
        Ref: rtablesubnetvpc3

  subnetvpc3rtable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: subnetvpc3
      RouteTableId:
        Ref: rtablesubnetvpc3

520 | # -----------------------------------------------------------------------------------------------------------------------
521 | # EC2 Set up
522 | # Provisions EC2 instances in the relevant subnets and associated security groups for VPC1 and VPC3
523 | # with ssh and icmp access
524 | # User Data section is self contained to generate malicious access
525 | # .......................................................................................................................
526 |
527 | EIPEC2VPC3:
528 | Type: AWS::EC2::EIP
529 | Properties:
530 | InstanceId: !Ref EC2VPC3
531 | Domain: vpc
532 |
533 | EC2VPC1:
534 | Type: "AWS::EC2::Instance"
535 | DependsOn:
536 | - SGEC2VPC1
537 | - EIPEC2VPC3
538 | - EC2VPC1InstanceProfile
539 | Properties:
540 | # ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
541 | ImageId: !Ref LatestAWSLinuxAmiId
542 | InstanceType: t2.micro
543 | IamInstanceProfile: !Ref EC2VPC1InstanceProfile
544 | KeyName: !Ref KeyName
545 | NetworkInterfaces:
546 | - AssociatePublicIpAddress: "true"
547 | DeviceIndex: "0"
548 | GroupSet:
549 | - Ref: SGEC2VPC1
550 | SubnetId: !Ref subnetvpc1
551 | UserData:
552 | Fn::Base64: !Sub
553 | - |
554 | #!/bin/bash -ex
555 |
556 | # Start SSM Agent
557 | sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
558 |
559 | # Install pre-reqs
560 | export PATH=$PATH:/usr/local/bin:/usr/sbin:/root/.local/bin
561 | echo 'export PATH=/root/.local/bin:/usr/sbin:$PATH' >> /home/ec2-user/.profile
562 | sudo yum update -y
563 | sudo yum install -y nmap git python python2-pip python-argparse gcc gcc-c++ glib2-devel
564 |
565 | # Create findings file and generate finding
566 | touch /home/ec2-user/gd-portscan.sh
567 | cat <> /home/ec2-user/gd-portscan.sh
568 | #!/bin/bash
569 | for j in {1..10}
570 | do
571 | sudo nmap -sT ${IP}
572 | done
573 | EOF
574 |
575 | sudo chmod +x /home/ec2-user/gd-portscan.sh
576 | ./gd-portscan.sh
577 | -
578 | Profile:
579 | !Ref EC2VPC1InstanceProfile
580 | Region:
581 | !Ref "AWS::Region"
582 | IP:
583 | !Ref EIPEC2VPC3
584 |
585 | EC2VPC3:
586 | Type: "AWS::EC2::Instance"
587 | DependsOn:
588 | - SGEC2VPC3
589 | Properties:
590 | # ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMALINUX] # Dynamic mapping + Pseudo Parameter
591 | ImageId: !Ref LatestAWSLinuxAmiId
592 | InstanceType: t2.micro
593 | KeyName: !Ref KeyName
594 | NetworkInterfaces:
595 | - AssociatePublicIpAddress: "true"
596 | DeviceIndex: "0"
597 | GroupSet:
598 | - Ref: SGEC2VPC3
599 | SubnetId: !Ref subnetvpc3
600 |
601 | EC2VPC1InstanceProfile:
602 | DependsOn:
603 | - EC2VPC1Role
604 | Type: AWS::IAM::InstanceProfile
605 | Properties:
606 | Path: /
607 | Roles:
608 | - !Ref EC2VPC1Role
609 |
610 | EC2VPC1Role:
611 | Type: AWS::IAM::Role
612 | Properties:
613 | AssumeRolePolicyDocument:
614 | Version: 2012-10-17
615 | Statement:
616 | -
617 | Effect: Allow
618 | Principal:
619 | Service:
620 | - ec2.amazonaws.com
621 | Action:
622 | - sts:AssumeRole
623 | Path: /
624 | ManagedPolicyArns:
625 | - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
626 | Policies:
627 | -
628 | PolicyName: GuardDutyPolicy
629 | PolicyDocument:
630 | Version: 2012-10-17
631 | Statement:
632 | -
633 | Effect: Allow
634 | Action:
635 | - guardduty:GetDetector
636 | - guardduty:ListDetectors
637 | - guardduty:CreateThreatIntelSet
638 | - guardduty:UpdateThreatIntelSet
639 | Resource: '*'
640 | -
641 | Effect: Allow
642 | Action:
643 | - ssm:PutParameter
644 | - ssm:DescribeParameters
645 | - ssm:GetParameters
646 | - ssm:DeleteParameter
647 | Resource: '*'
648 | -
649 | Effect: Allow
650 | Action:
651 | - iam:*
652 | Resource: '*'
653 | -
654 | Effect: Allow
655 | Action:
656 | - dynamodb:*
657 | Resource: '*'
658 | -
659 | Effect: Allow
660 | Action: s3:*
661 | Resource: '*'
662 | -
663 | Effect: Allow
664 | Action:
665 | - iam:PutRolePolicy
666 | Resource:
667 | Fn::Join:
668 | - ':'
669 | - ["arn:aws:iam:",!Ref "AWS::AccountId", "role/aws-service-role/guardduty.amazonaws.com/*"]
670 |
671 |
# Baseline security group for the VPC1 instance. Ingress: SSH (22/tcp) and all ICMP from
# both VPC CIDRs, taken from the VPC resources via !GetAtt so nothing is hard-coded.
# Egress: all protocols (IpProtocol "-1") to 0.0.0.0/0.
# Notes: GroupDescription is byte-identical to SGEC2VPC1LockDown's, so the two groups cannot
# be told apart in the console — give each a distinct suffix. The egress entry sets ToPort
# but no FromPort (SGEC2VPC1LockDown sets both); with IpProtocol "-1" the port fields should
# not matter, but keeping the two groups symmetric avoids surprises — confirm.
# SGEC2VPC1LockDown is presumably the group a remediation swaps onto the instance — verify.
672 | SGEC2VPC1:
673 | Type: "AWS::EC2::SecurityGroup"
674 | Properties:
675 | GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
676 | VpcId: !Ref vpc1
677 | SecurityGroupIngress:
678 | -
679 | CidrIp: !GetAtt vpc3.CidrBlock
680 | IpProtocol: tcp
681 | ToPort: 22
682 | FromPort: 22
683 | -
684 | CidrIp: !GetAtt vpc3.CidrBlock
685 | IpProtocol: icmp
686 | ToPort: "-1"
687 | FromPort: "-1"
688 | -
689 | CidrIp: !GetAtt vpc1.CidrBlock
690 | IpProtocol: tcp
691 | ToPort: 22
692 | FromPort: 22
693 | -
694 | CidrIp: !GetAtt vpc1.CidrBlock
695 | IpProtocol: icmp
696 | ToPort: "-1"
697 | FromPort: "-1"
698 | SecurityGroupEgress:
699 | -
700 | CidrIp: 0.0.0.0/0
701 | ToPort: "-1"
702 | IpProtocol: "-1"
703 |
# "Locked-down" variant of SGEC2VPC1 — presumably the group a remediation swaps onto the
# instance (verify against the remediation automation). Ingress is identical to SGEC2VPC1;
# egress is reduced to ICMP only, towards 10.10.0.0/16.
# Notes: 10.10.0.0/16 is vpc1's CidrBlock in cft/vpc-setup-v1.json, but it is hard-coded
# here while the ingress rules use !GetAtt vpc1.CidrBlock — use the same GetAtt so the two
# cannot drift. With no tcp/udp egress an instance in this group cannot reach SSM endpoints
# or package repositories, which is presumably the intent of a lockdown group.
704 | SGEC2VPC1LockDown:
705 | Type: "AWS::EC2::SecurityGroup"
706 | Properties:
707 | GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC1"]]
708 | VpcId: !Ref vpc1
709 | SecurityGroupIngress:
710 | -
711 | CidrIp: !GetAtt vpc3.CidrBlock
712 | IpProtocol: tcp
713 | ToPort: 22
714 | FromPort: 22
715 | -
716 | CidrIp: !GetAtt vpc3.CidrBlock
717 | IpProtocol: icmp
718 | ToPort: "-1"
719 | FromPort: "-1"
720 | -
721 | CidrIp: !GetAtt vpc1.CidrBlock
722 | IpProtocol: tcp
723 | ToPort: 22
724 | FromPort: 22
725 | -
726 | CidrIp: !GetAtt vpc1.CidrBlock
727 | IpProtocol: icmp
728 | ToPort: "-1"
729 | FromPort: "-1"
730 | SecurityGroupEgress:
731 | -
732 | CidrIp: 10.10.0.0/16
733 | FromPort: "-1"
734 | ToPort: "-1"
735 | IpProtocol: icmp
736 |
# Security group for the VPC3 instance. Same shape as SGEC2VPC1: SSH (22/tcp) and all ICMP
# in from both VPC CIDRs (via !GetAtt), all-protocol egress to 0.0.0.0/0.
# If the VPC3 host is only meant to generate the lab's test traffic towards VPC1, its
# egress could be restricted to the VPC1 CIDR (!GetAtt vpc1.CidrBlock) — verify intent.
737 | SGEC2VPC3:
738 | Type: "AWS::EC2::SecurityGroup"
739 | Properties:
740 | GroupDescription: !Join ["", ["Stack", "-", !Ref "AWS::StackId", "-", "VPC3"]]
741 | VpcId: !Ref vpc3
742 | SecurityGroupIngress:
743 | -
744 | CidrIp: !GetAtt vpc3.CidrBlock
745 | IpProtocol: tcp
746 | ToPort: 22
747 | FromPort: 22
748 | -
749 | CidrIp: !GetAtt vpc3.CidrBlock
750 | IpProtocol: icmp
751 | ToPort: "-1"
752 | FromPort: "-1"
753 | -
754 | CidrIp: !GetAtt vpc1.CidrBlock
755 | IpProtocol: tcp
756 | ToPort: 22
757 | FromPort: 22
758 | -
759 | CidrIp: !GetAtt vpc1.CidrBlock
760 | IpProtocol: icmp
761 | ToPort: "-1"
762 | FromPort: "-1"
763 |
764 | SecurityGroupEgress:
765 | -
766 | CidrIp: 0.0.0.0/0
767 | ToPort: "-1"
768 | IpProtocol: "-1"
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/cft/threatlist.txt:
--------------------------------------------------------------------------------
1 | 54.196.109.139
2 | 52.38.112.213
3 | 34.238.24.106
4 | 54.88.165.10
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/cft/vpc-setup-v1.json:
--------------------------------------------------------------------------------
1 | # ---------------------------------------------------------------------------------------------------------------
2 | # CloudFormation Template 1 of 2 -
3 | # Provisions a multi-VPC environment with built-in security groups and networking
4 | #
5 | # @author Kanishk Mahajan
6 | #
7 | ##
8 | ## License:
9 | ## This code is made available under the MIT-0 license. See the LICENSE file.
10 | # ----------------------------------------------------------------------------------------------------------------
11 |
12 |
13 |
14 | {
15 | "Resources" : {
16 | "vpc1" : {
17 | "Type" : "AWS::EC2::VPC",
18 | "Properties" : {
19 | "CidrBlock" : "10.10.0.0/16",
20 | "EnableDnsSupport" : true,
21 | "EnableDnsHostnames" : true,
22 | "InstanceTenancy" : "default",
23 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1"} ]
24 | }
25 | },
26 | "vpc3" : {
27 | "Type" : "AWS::EC2::VPC",
28 | "Properties" : {
29 | "CidrBlock" : "10.11.0.0/16",
30 | "EnableDnsSupport" : true,
31 | "EnableDnsHostnames" : true,
32 | "InstanceTenancy" : "default",
33 | "Tags" : [ {"Key" : "Name", "Value" : "vpc3"} ]
34 | }
35 | },
36 | "vpc1snA1" : {
37 | "Type" : "AWS::EC2::Subnet",
38 | "Properties" : {
39 | "VpcId" : {"Ref" : "vpc1"},
40 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A1"} ],
41 | "AvailabilityZone" : {
42 | "Fn::Select" : [
43 | "0",
44 | {
45 | "Fn::GetAZs" : ""
46 | }
47 | ]
48 | },
49 | "CidrBlock" : "10.10.0.0/20"
50 | }
51 | },
52 | "vpc1snA2" : {
53 | "Type" : "AWS::EC2::Subnet",
54 | "Properties" : {
55 | "VpcId" : {"Ref" : "vpc1"},
56 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A2"} ],
57 | "AvailabilityZone" : {
58 | "Fn::Select" : [
59 | "0",
60 | {
61 | "Fn::GetAZs" : ""
62 | }
63 | ]
64 | },
65 | "CidrBlock" : "10.10.64.0/20"
66 | }
67 | },
68 | "vpc1snA3" : {
69 | "Type" : "AWS::EC2::Subnet",
70 | "Properties" : {
71 | "VpcId" : {"Ref" : "vpc1"},
72 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A3"} ],
73 | "AvailabilityZone" : {
74 | "Fn::Select" : [
75 | "0",
76 | {
77 | "Fn::GetAZs" : ""
78 | }
79 | ]
80 | },
81 | "CidrBlock" : "10.10.128.0/20"
82 | }
83 | },
84 | "vpc1snA4" : {
85 | "Type" : "AWS::EC2::Subnet",
86 | "Properties" : {
87 | "VpcId" : {"Ref" : "vpc1"},
88 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A4"} ],
89 | "AvailabilityZone" : {
90 | "Fn::Select" : [
91 | "0",
92 | {
93 | "Fn::GetAZs" : ""
94 | }
95 | ]
96 | },
97 | "CidrBlock" : "10.10.192.0/20"
98 | }
99 | },
100 | "vpc1snB1" : {
101 | "Type" : "AWS::EC2::Subnet",
102 | "Properties" : {
103 | "VpcId" : {"Ref" : "vpc1"},
104 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B1"} ],
105 | "AvailabilityZone" : {
106 | "Fn::Select" : [
107 | "1",
108 | {
109 | "Fn::GetAZs" : ""
110 | }
111 | ]
112 | },
113 | "CidrBlock" : "10.10.16.0/20"
114 | }
115 | },
116 | "vpc1snB2" : {
117 | "Type" : "AWS::EC2::Subnet",
118 | "Properties" : {
119 | "VpcId" : {"Ref" : "vpc1"},
120 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B2"} ],
121 | "AvailabilityZone" : {
122 | "Fn::Select" : [
123 | "1",
124 | {
125 | "Fn::GetAZs" : ""
126 | }
127 | ]
128 | },
129 | "CidrBlock" : "10.10.80.0/20"
130 | }
131 | },
132 | "vpc1snB3" : {
133 | "Type" : "AWS::EC2::Subnet",
134 | "Properties" : {
135 | "VpcId" : {"Ref" : "vpc1"},
136 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B3"} ],
137 | "AvailabilityZone" : {
138 | "Fn::Select" : [
139 | "1",
140 | {
141 | "Fn::GetAZs" : ""
142 | }
143 | ]
144 | },
145 | "CidrBlock" : "10.10.144.0/20"
146 | }
147 | },
148 | "vpc1snB4" : {
149 | "Type" : "AWS::EC2::Subnet",
150 | "Properties" : {
151 | "VpcId" : {"Ref" : "vpc1"},
152 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_B4"} ],
153 | "AvailabilityZone" : {
154 | "Fn::Select" : [
155 | "1",
156 | {
157 | "Fn::GetAZs" : ""
158 | }
159 | ]
160 | },
161 | "CidrBlock" : "10.10.208.0/20"
162 | }
163 | },
164 | "vpc3snA1" : {
165 | "Type" : "AWS::EC2::Subnet",
166 | "Properties" : {
167 | "VpcId" : {"Ref" : "vpc3"},
168 | "Tags" : [ {"Key" : "Name", "Value" : "vpc3_sn_A1"} ],
169 | "AvailabilityZone" : {
170 | "Fn::Select" : [
171 | "0",
172 | {
173 | "Fn::GetAZs" : ""
174 | }
175 | ]
176 | },
177 | "CidrBlock" : "10.11.0.0/20"
178 | }
179 | },
180 | "vpc3snA2" : {
181 | "Type" : "AWS::EC2::Subnet",
182 | "Properties" : {
183 | "VpcId" : {"Ref" : "vpc3"},
184 | "Tags" : [ {"Key" : "Name", "Value" : "vpc3_sn_A2"} ],
185 | "AvailabilityZone" : {
186 | "Fn::Select" : [
187 | "0",
188 | {
189 | "Fn::GetAZs" : ""
190 | }
191 | ]
192 | },
193 | "CidrBlock" : "10.11.16.0/20"
194 | }
195 | },
196 | "igwvpc1" : {
197 | "Type" : "AWS::EC2::InternetGateway",
198 | "DependsOn" : "vpc1",
199 | "Properties" : {
200 | "Tags" : [ {"Key" : "Name", "Value" : "IGW-VPC1"} ]
201 | }
202 | },
203 | "igwvpc1attachment" : {
204 | "DependsOn" : "igwvpc1",
205 | "Type" : "AWS::EC2::VPCGatewayAttachment",
206 | "Properties" : {
207 | "InternetGatewayId" : {"Ref" : "igwvpc1"},
208 | "VpcId" : {"Ref" : "vpc1"}
209 | }
210 | },
211 | "igwvpc3" : {
212 | "Type" : "AWS::EC2::InternetGateway",
213 | "DependsOn" : "vpc3",
214 | "Properties" : {
215 | "Tags" : [ {"Key" : "Name", "Value" : "IGW-VPC3"} ]
216 | }
217 | },
218 | "igwvpc3attachment" : {
219 | "DependsOn" : "igwvpc3",
220 | "Type" : "AWS::EC2::VPCGatewayAttachment",
221 | "Properties" : {
222 | "InternetGatewayId" : {"Ref" : "igwvpc3"},
223 | "VpcId" : {"Ref" : "vpc3"}
224 | }
225 | },
226 | "rtpublic" : {
227 | "Type" : "AWS::EC2::RouteTable",
228 | "Properties" : {
229 | "VpcId" : {"Ref" : "vpc1"},
230 | "Tags" : [ {"Key" : "Name", "Value" : "RT-Public"} ]
231 | }
232 | },
233 | "rtpublicdefault" : {
234 | "Type" : "AWS::EC2::Route",
235 | "DependsOn" : "igwvpc1attachment",
236 | "Properties" : {
237 | "RouteTableId" : { "Ref" : "rtpublic" },
238 | "DestinationCidrBlock" : "0.0.0.0/0",
239 | "GatewayId" : { "Ref" : "igwvpc1" }
240 | }
241 | },
242 | "rtpublicdefaultvpc3" : {
243 | "Type" : "AWS::EC2::Route",
244 | "DependsOn" : "igwvpc3attachment",
245 | "Properties" : {
246 | "RouteTableId" : { "Ref" : "routetableprivatevpc3" },
247 | "DestinationCidrBlock" : "0.0.0.0/0",
248 | "GatewayId" : { "Ref" : "igwvpc3" }
249 | }
250 | },
251 | "rtpublicpubA" : {
252 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
253 | "Properties" : {
254 | "RouteTableId" : {"Ref" : "rtpublic" },
255 | "SubnetId" : {"Ref" : "vpc1snA1" }
256 | }
257 | },
258 | "rtpublicpubB" : {
259 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
260 | "Properties" : {
261 | "RouteTableId" : {"Ref" : "rtpublic" },
262 | "SubnetId" : {"Ref" : "vpc1snB1" }
263 | }
264 | },
265 | "sgbastion" : {
266 | "Type" : "AWS::EC2::SecurityGroup",
267 | "Properties" : {
268 | "GroupName" : "SG-BASTION",
269 | "GroupDescription" : "SG-BASTION",
270 | "SecurityGroupIngress" : [{
271 | "IpProtocol" : "tcp",
272 | "FromPort" : 22,
273 | "ToPort" : 22,
274 | "CidrIp" : "0.0.0.0/0"
275 | }],
276 | "Tags" : [ {"Key" : "Name", "Value" : "SG-BASTION"} ],
277 | "VpcId" : {"Ref" : "vpc1"}
278 | }
279 | },
280 | "sginternal" : {
281 | "Type" : "AWS::EC2::SecurityGroup",
282 | "Properties" : {
283 | "GroupName" : "SG-INTERNAL",
284 | "GroupDescription" : "SG-INTERNAL",
285 | "SecurityGroupIngress" : [{
286 | "IpProtocol" : "tcp",
287 | "FromPort" : 22,
288 | "ToPort" : 22,
289 | "SourceSecurityGroupId" : {"Ref" : "sgbastion"}
290 | }],
291 | "Tags" : [ {"Key" : "Name", "Value" : "SG-INTERNAL"} ],
292 | "VpcId" : {"Ref" : "vpc1"}
293 | }
294 | },
295 | "sginternalselfref" : {
296 | "Type": "AWS::EC2::SecurityGroupIngress",
297 | "Properties": {
298 | "GroupId": {
299 | "Ref": "sginternal"
300 | },
301 | "IpProtocol": -1,
302 | "FromPort": -1,
303 | "ToPort": -1,
304 | "SourceSecurityGroupId": {
305 | "Ref": "sginternal"
306 | }
307 | }
308 | },
309 | "rtprivatea" : {
310 | "Type" : "AWS::EC2::RouteTable",
311 | "Properties" : {
312 | "VpcId" : {"Ref" : "vpc1"},
313 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateA"} ]
314 | }
315 | },
316 | "rtprivateb" : {
317 | "Type" : "AWS::EC2::RouteTable",
318 | "Properties" : {
319 | "VpcId" : {"Ref" : "vpc1"},
320 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateB"} ]
321 | }
322 | },
323 | "rtprivatec" : {
324 | "Type" : "AWS::EC2::RouteTable",
325 | "Properties" : {
326 | "VpcId" : {"Ref" : "vpc1"},
327 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateC"} ]
328 | }
329 | },
330 | "rtprivatea3" : {
331 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
332 | "Properties" : {
333 | "RouteTableId" : {"Ref" : "rtprivatea" },
334 | "SubnetId" : {"Ref" : "vpc1snA3" }
335 | }
336 | },
337 | "routetableprivatevpc3" : {
338 | "Type" : "AWS::EC2::RouteTable",
339 | "Properties" : {
340 | "VpcId" : {"Ref" : "vpc3"},
341 | "Tags" : [ {"Key" : "Name", "Value" : "RT-Private-VPC3"} ]
342 | }
343 | },
344 | "rtsubnetassocprivatevpc3" : {
345 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
346 | "Properties" : {
347 | "RouteTableId" : {"Ref" : "routetableprivatevpc3" },
348 | "SubnetId" : {"Ref" : "vpc3snA1" }
349 | }
350 | },
351 | "rtprivatea4" : {
352 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
353 | "Properties" : {
354 | "RouteTableId" : {"Ref" : "rtprivatea" },
355 | "SubnetId" : {"Ref" : "vpc1snA4" }
356 | }
357 | },
358 | "rtprivateb3" : {
359 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
360 | "Properties" : {
361 | "RouteTableId" : {"Ref" : "rtprivateb" },
362 | "SubnetId" : {"Ref" : "vpc1snB3" }
363 | }
364 | },
365 | "rtprivateb4" : {
366 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
367 | "Properties" : {
368 | "RouteTableId" : {"Ref" : "rtprivateb" },
369 | "SubnetId" : {"Ref" : "vpc1snB4" }
370 | }
371 | }
372 | },
373 | "Outputs" : {
374 | "vpc1id" : {
375 | "Description" : "ID of VPC 1",
376 | "Value" : {"Ref" : "vpc1"},
377 | "Export" : {
378 | "Name" : "vpc1id"
379 | }
380 | },
381 | "vpc3id" : {
382 | "Description" : "ID of VPC 3",
383 | "Value" : {"Ref" : "vpc3"},
384 | "Export" : {
385 | "Name" : "vpc3id"
386 | }
387 | },
388 | "subnetvpc1" : {
389 | "Description" : "ID of Subnet in VPC 1",
390 | "Value" : {"Ref" : "vpc1snA1"},
391 | "Export" : {
392 | "Name" : "subnetvpc1"
393 | }
394 | },
395 | "subnetvpc3" : {
396 | "Description" : "ID of Subnet in VPC 3",
397 | "Value" : {"Ref" : "vpc3snA1"},
398 | "Export" : {
399 | "Name" : "subnetvpc3"
400 | }
401 | },
402 | "routetablesubnetvpc1" : {
403 | "Description" : "ID of RouteTable for VPC 1 Subnet",
404 | "Value" : {"Ref" : "rtpublic"},
405 | "Export" : {
406 | "Name" : "routetablesubnetvpc1"
407 | }
408 | },
409 | "routetablesubnetvpc3" : {
410 | "Description" : "ID of RouteTable for VPC 3 Subnet",
411 | "Value" : {"Ref" : "routetableprivatevpc3"},
412 | "Export" : {
413 | "Name" : "routetablesubnetvpc3"
414 | }
415 | }
416 | }
417 |
418 | }
--------------------------------------------------------------------------------
/aws-guardduty-detect-securityhubremediate/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-guardduty-detect-securityhubremediate/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-remediate-cis-securityhub/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | # Automated Remediations for CIS Benchmarks using AWS Security Hub
5 |
6 | The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS-native implementation of automated remediations for the CIS Benchmark violations detected by AWS Security Hub.
7 |
8 |
9 | ## How it Works
10 |
11 | This implementation is based on the following solution approach:
12 |
13 | 1. Leverages AWS Security Hub directly to provide continuous detection of CIS findings
14 | 2. Provides AWS Systems Manager Automation Documents for automated remediation for AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template.
15 | 3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real time remediations of AWS Security Hub FSBP findings as follows:
16 | * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as Security Hub Findings - Custom Action events.
17 | * The CloudWatch Events Rule invokes the corresponding Lambda Function as the Target for the source Security Hub Custom Action event
18 | * The Lambda function processes the finding using the standard findings format provided by Security Hub - AWS Security Finding Format (ASFF) and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding
19 |
20 |
21 | ## Solution Design
22 |
23 | 
24 |
25 | ## How To Install
26 |
27 | 1. **Template 1 of 3:** aws-aws-cis-cloudwatchlogmetricfilters.yml
28 | * Provisions CloudWatch Logs Metric Filters. Enter an email address as the input parameter. Simply install on the CloudFormation console (or CLI). Installs in approx 1-2 mins.
29 |
30 | 2. **Template 2 of 3:** aws-cis-systemsmanagerautomations.yml
31 | * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Security Hub Action.
32 | * All prerequisites are built in. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
33 |
34 | 3. **Template 3 of 3:** aws-cis-securityhubactions.yml
35 | * Provisions AWS CloudWatch Events and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
36 | * Leverages the output from the previous template, specifically the AWS Systems Manager Automation documents.
37 |
38 |
39 | ## @kmmahaj
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/aws-remediate-cis-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-remediate-cis-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-remediate-fsbp-securityhub/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | # Automated Remediations for Foundational Security Benchmarks using AWS Security Hub
5 |
6 | The AWS Foundational Security Best Practices (FSBP) standard is a set of controls that detect when your deployed accounts and resources deviate from AWS security best practices.
7 |
8 | The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS native implementation for automated remediations for these FSBP violations detected by AWS Security Hub.
9 |
10 |
11 | ## How it Works
12 |
13 | This implementation is based on the following solution approach:
14 |
15 | 1. Leverages AWS Security Hub directly to provide continuous detection of FSBP findings
16 | 2. Provides AWS Systems Manager Automation Documents for automated remediation for AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template.
17 | 3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real time remediations of AWS Security Hub FSBP findings as follows:
18 | * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as Security Hub Findings - Custom Action events.
19 | * The CloudWatch Events Rule invokes the corresponding Lambda Function as the Target for the source Security Hub Custom Action event
20 | * The Lambda function processes the finding using the standard findings format provided by Security Hub - AWS Security Finding Format (ASFF) and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding
21 |
22 |
23 | ## Solution Design
24 |
25 | 
26 |
27 | ## How To Install
28 |
29 | 1. **Template 1 of 2:** aws-security-hub-fsbp-remediations-template1.yml
30 | * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Security Hub Action.
31 | * All prerequisites are built in. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
32 |
33 | 2. **Template 2 of 2:** aws-security-hub-fsbp-remediations-template2.yml
34 | * Provisions AWS CloudWatch Events and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
35 | * Leverages the output from the previous template, specifically the AWS Systems Manager Automation documents.
36 |
37 | ## COVERAGE
38 |
39 | The solution provides remediations for the following AWS Security Hub FSBP checks:
40 | * [EC2.3] Attached EBS volumes should be encrypted at-rest
41 | * [GuardDuty.1] GuardDuty should be enabled
42 | * [IAM.3] IAM users' access keys should be rotated every 90 days or less
43 | * [Lambda.1] Lambda functions should prohibit public access by other accounts
44 | * [Lambda.2] Lambda functions should use latest runtimes
45 | * [RDS.3] RDS DB instances should have encryption at-rest enabled
46 | * [SSM.1] EC2 instances should be managed by AWS Systems Manager
47 |
48 | Additionally, because this solution also covers remediations for PCI controls, it provides remediations for the following Foundational Security Best Practices controls as well:
49 | * [AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks
50 | * [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail
51 | * [CloudTrail.2] CloudTrail should have encryption at-rest enabled
52 | * [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
53 | * [Config.1] AWS Config should be enabled
54 | * [EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
55 | * [EC2.2] The VPC default security group should not allow inbound and outbound traffic
56 | * [IAM.1] IAM policies should not allow full * administrative privileges
57 | * [IAM.2] IAM users should not have IAM policies attached
58 | * [IAM.4] IAM root user access key should not exist
59 | * [IAM.7] Password policies for IAM users should have strong configurations
60 | * [S3.1] S3 Block Public Access setting should be enabled
61 | * [S3.2] S3 buckets should prohibit public read access
62 | * [S3.3] S3 buckets should prohibit public write access
63 | * [S3.4] S3 buckets should have server-side encryption enabled
64 | * [RDS.1] RDS snapshots should be private
65 | * [RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
66 | * [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
67 |
68 | ## @kmmahaj
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------
/aws-remediate-fsbp-securityhub/cft/aws-security-hub-fsbp-remediations-template1.yml:
--------------------------------------------------------------------------------
1 |
2 | Description: AWS Security Hub FSBP Remediations Systems Manager Automation Documents and Prerequisites
3 | AWSTemplateFormatVersion: "2010-09-09"
4 |
5 | # @author Kanishk Mahajan
6 | #
7 | ## License:
8 | ## This code is made available under the MIT-0 license. See the LICENSE file.
9 |
# Cross-stack exports consumed by the companion template (the README says template 2
# "leverages the output from the previous template"). The role ARNs are assembled from each
# role's Ref (its name); !GetAtt <Role>.Arn would yield the same value without re-deriving
# the ARN. The export names are fixed strings, so only one instance of this stack can exist
# per account and region.
10 | Outputs:
11 | AutomationAssumeRoleArn:
12 | Description: Arn for AutomationAssumeRole
13 | Value: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}'
14 | Export: # added to export
15 | Name: FSBP-AutomationAssumeRoleArn
16 |
17 | SSMInstanceProfileRoleArn:
18 | Description: Arn for SSMInstanceProfileRole
19 | Value: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${SSMInstanceProfileRole}'
20 | Export: # added to export
21 | Name: FSBP-SSMInstanceProfileRoleArn
22 |
# KmsKeyId's Ref is the key ID, hence the key/<id> suffix here.
23 | KMSKeyArn:
24 | Description: Arn for KMS CMK
25 | Value: !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KmsKeyId}"
26 | Export: # added to export
27 | Name: FSBP-KMSKeyArn
28 |
29 | Resources:
30 |
31 | # SSM Automation Role
# Role SSM Automation assumes when running the FSBP* documents below (each document's
# assumeRole and its AutomationAssumeRole parameter default point here).
# NOTE(review): AdministratorAccess is far more than the documents use (IAM access-key
# listing/deactivation, RDS snapshot/restore/delete, EC2 snapshot/volume/instance calls,
# KMS usage). A least-privilege policy limited to those APIs bounds the impact if a document
# is ever run with unexpected parameters — the parameters arrive from finding data.
# The trust policy admits ssm, events and ec2 as principals; the documents themselves only
# need ssm. events is presumably for an EventBridge/CloudWatch Events target in template 2 —
# verify; ec2 would allow this admin role to be placed in an instance profile and looks
# unnecessary.
# RoleName carries a region suffix so multi-region deployments of this stack do not collide
# in the global IAM namespace.
32 | AutomationAssumeRole:
33 | Type: 'AWS::IAM::Role'
34 | Properties:
35 | RoleName: !Sub fsbp-automationassumerole-${AWS::Region}
36 | AssumeRolePolicyDocument:
37 | Version: 2012-10-17
38 | Statement:
39 | - Effect: Allow
40 | Principal:
41 | Service:
42 | - ssm.amazonaws.com
43 | - events.amazonaws.com
44 | - ec2.amazonaws.com
45 | Action:
46 | - 'sts:AssumeRole'
47 | Path: /
48 | ManagedPolicyArns:
49 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
50 |
51 |
52 | # SSM Instance Profile Role
# Role for EC2 instances that should be managed by Systems Manager ([SSM.1] in the README);
# trust is limited to EC2 and the only policy is AmazonSSMManagedInstanceCore.
# No AWS::IAM::InstanceProfile wrapping this role is visible in this part of the template —
# confirm one exists (or that the [SSM.1] automation creates it); a bare role cannot be
# attached to an instance. Exported via FSBP-SSMInstanceProfileRoleArn.
53 | SSMInstanceProfileRole:
54 | Type: 'AWS::IAM::Role'
55 | Properties:
56 | RoleName: !Sub fsbp-ssminstanceprofilerole-${AWS::Region}
57 | AssumeRolePolicyDocument:
58 | Version: 2012-10-17
59 | Statement:
60 | - Effect: Allow
61 | Principal:
62 | Service:
63 | - ec2.amazonaws.com
64 | Action:
65 | - 'sts:AssumeRole'
66 | Path: /
67 | ManagedPolicyArns:
68 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
69 |
70 | # KMS key
# Customer-managed KMS key for the RDS.3 / EC2.3 re-encryption documents. It is exported as
# FSBP-KMSKeyArn, but the documents receive the key as their kmskeyArn parameter, so the key
# actually used is whatever the caller passes. Automatic rotation is enabled.
# Key policy: only this account's root principal, with kms:* — the usual "delegate to IAM"
# policy: IAM principals in this account use the key according to their IAM permissions
# (the automation role via AdministratorAccess); no cross-account principals.
71 | KmsKeyId:
72 | Type: 'AWS::KMS::Key'
73 | Properties:
74 | EnableKeyRotation: true
75 | Enabled: true
76 | KeyUsage: ENCRYPT_DECRYPT
77 | KeyPolicy:
78 | Version: '2012-10-17'
79 | Statement:
80 | - Sid: FSBPKMS
81 | Effect: Allow
82 | Principal:
83 | AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
84 | Action: 'kms:*'
85 | Resource: '*'
86 |
# Human-readable alias (alias/FSBP-CMK) for KmsKeyId; the target is given as the key ARN
# via GetAtt.
87 | KmsKeyIdAlias:
88 | Type: AWS::KMS::Alias
89 | Properties:
90 | AliasName: alias/FSBP-CMK
91 | TargetKeyId:
92 | Fn::GetAtt:
93 | - KmsKeyId
94 | - Arn
95 |
96 | # [IAM.3]
# [IAM.3] IAM users' access keys should be rotated every 90 days or less.
# For the IAM user named in `username`, lists all access keys and deactivates (does not
# delete) any created more than 90 days ago. Deactivation is reversible, so a mistaken run
# can be undone; the control itself only passes once a fresh key is created, which this
# document does not do.
# The default username 'fsbpadmin' is a placeholder; the custom-action Lambda is presumably
# expected to pass the user from the finding — verify.
97 | FSBPIAM3Automation:
98 | Type: AWS::SSM::Document
99 | Properties:
100 | DocumentType: Automation
101 | Name: FSBPIAM3Automation
102 | Content:
103 | schemaVersion: '0.3'
104 | assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
105 | parameters:
106 | username:
107 | type: String
108 | default: 'fsbpadmin'
109 | AutomationAssumeRole:
110 | type: String
111 | default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
112 | mainSteps:
113 | - name: rotateiam90days
114 | action: 'aws:executeScript'
115 | inputs:
# python3.6 is an old runtime for aws:executeScript; confirm it is still accepted.
116 | Runtime: python3.6
117 | Handler: rotateiam90days_handler
# Notes on the inline script (left untouched — it is a block scalar in the template):
#  - the securityhub client and the json/os imports are unused;
#  - keys already Inactive are "deactivated" again (no Status check) — harmless;
#  - CreateDate from boto3 is timezone-aware, so subtracting it from
#    datetime.now(timezone.utc) is valid — re-check if the client library changes;
#  - except/print/raise re-raises, so failures surface as a failed automation step.
118 | Script: |
119 | def rotateiam90days_handler(events, context):
120 | import boto3
121 | import datetime
122 | import json
123 | import os
124 | iam = boto3.client('iam')
125 | securityhub = boto3.client('securityhub')
126 | iam_resource = boto3.resource('iam')
127 | try:
128 | username = events['username']
129 | todaysDatetime = datetime.datetime.now(datetime.timezone.utc)
130 | paginator = iam.get_paginator('list_access_keys')
131 | for response in paginator.paginate(UserName=username):
132 | for keyMetadata in response['AccessKeyMetadata']:
133 | accessKeyId = str(keyMetadata['AccessKeyId'])
134 | keyAgeFinder = todaysDatetime - keyMetadata['CreateDate']
135 | if keyAgeFinder <= datetime.timedelta(days=90):
136 | print("Access key: " + accessKeyId + " is compliant")
137 | else:
138 | print("Access key over 90 days old found!")
139 | access_key = iam_resource.AccessKey(username, accessKeyId)
140 | access_key.deactivate()
141 | except Exception as e:
142 | print(e)
143 | raise
144 | InputPayload:
145 | AutomationAssumeRole: '{{AutomationAssumeRole}}'
146 | username: '{{username}}'
147 |
148 |
149 | #[RDS.3]
# [RDS.3] RDS DB instances should have encryption at-rest enabled.
# Encrypts an existing unencrypted instance by: snapshot -> encrypted copy (kmskeyArn) ->
# restore as fsbp-encrypted-<id> -> delete the unencrypted snapshot -> delete the ORIGINAL
# instance (SkipFinalSnapshot=True) -> rename the restored instance back to <id>.
# (The Script string is a single line in the template; this page wraps it after
# "'fsbp-encrypted-' +".)
# NOTE(review), destructive step: the original instance is deleted without a final snapshot
# right after the unencrypted snapshot was deleted, so the only copy of the pre-remediation
# data is fsbp-snapshot-encrypted-<id>, which the script never removes — keep it until the
# renamed instance has been verified.
# NOTE(review): restore_db_instance_from_db_snapshot is called with identifiers only, so the
# restored instance takes defaults for everything not passed (subnet group, VPC security
# groups, parameter/option groups, Multi-AZ, ...) instead of inheriting them from the source.
# Read those from describe_db_instances on the source and pass them explicitly, otherwise
# the restored instance may land in a different network context — confirm against the
# boto3/RDS documentation.
# Timing: several RDS waiters run serially inside one aws:executeScript step; a long restore
# can exceed the step's run-time limit and leave both instances behind. Set an explicit
# timeoutSeconds on the step and test with a realistically sized database.
# dbinstanceId and kmskeyArn arrive from the finding payload; since the document runs with
# AdministratorAccess and deletes the instance, checking that dbinstanceId exists and is
# in fact unencrypted before acting would be a cheap safeguard.
150 | FSBPRDS3Automation:
151 | Type: AWS::SSM::Document
152 | Properties:
153 | DocumentType: Automation
154 | Name: FSBPRDS3Automation
155 | Content:
156 | schemaVersion: '0.3'
157 | assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
158 | parameters:
159 | AutomationAssumeRole:
160 | type: String
161 | default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
162 | dbinstanceId:
163 | type: String
164 | kmskeyArn:
165 | type: String
166 | mainSteps:
167 | - name: EncryptRDSDBInstance
168 | action: 'aws:executeScript'
169 | inputs:
# python3.6 is an old runtime for aws:executeScript; confirm it is still accepted.
170 | Runtime: python3.6
171 | Handler: script_handler
172 | Script: "def script_handler(events, context):\r\n import boto3\r\n import time\r\n client = boto3.client('rds')\r\n dbinstanceId = events['dbinstanceId']\r\n kmskeyArn = events['kmskeyArn']\r\n \r\n response_snapshot = client.create_db_snapshot(\r\n DBSnapshotIdentifier=\"fsbp-snapshot-\" + dbinstanceId,\r\n DBInstanceIdentifier=dbinstanceId\r\n )\r\n \r\n response_snapshotA = client.get_waiter('db_snapshot_available').wait(\r\n DBSnapshotIdentifier='fsbp-snapshot-' + dbinstanceId,\r\n DBInstanceIdentifier=dbinstanceId\r\n )\r\n\r\n \r\n response_snapshotCopy = client.copy_db_snapshot(\r\n SourceDBSnapshotIdentifier=\"fsbp-snapshot-\" + dbinstanceId,\r\n TargetDBSnapshotIdentifier=\"fsbp-snapshot-encrypted-\" + dbinstanceId,\r\n KmsKeyId=kmskeyArn,\r\n CopyTags=True\r\n )\r\n \r\n response_snapshotB = client.get_waiter('db_snapshot_available').wait(\r\n DBSnapshotIdentifier='fsbp-snapshot-encrypted-' + dbinstanceId,\r\n DBInstanceIdentifier=dbinstanceId\r\n )\r\n\r\n response_restore = client.restore_db_instance_from_db_snapshot(\r\n DBInstanceIdentifier='fsbp-encrypted-' + dbinstanceId,\r\n DBSnapshotIdentifier='fsbp-snapshot-encrypted-' + dbinstanceId\r\n )\r\n\r\n response_snapshotC = client.get_waiter('db_instance_available').wait(\r\n DBInstanceIdentifier='fsbp-encrypted-' + dbinstanceId\r\n )\r\n\r\n response_delete1 = client.delete_db_snapshot(\r\n DBSnapshotIdentifier='fsbp-snapshot-' + dbinstanceId\r\n )\r\n \r\n response_delete2 = client.get_waiter('db_snapshot_deleted').wait(\r\n DBSnapshotIdentifier='fsbp-snapshot-' + dbinstanceId,\r\n WaiterConfig={\r\n 'Delay': 5,\r\n 'MaxAttempts': 30\r\n }\r\n )\r\n\r\n response_delete3 = client.delete_db_instance(\r\n DBInstanceIdentifier=dbinstanceId,\r\n SkipFinalSnapshot=True\r\n )\r\n \r\n response_wait = client.get_waiter('db_instance_deleted').wait(\r\n DBInstanceIdentifier=dbinstanceId\r\n )\r\n \r\n response_newinstance = client.modify_db_instance( \r\n DBInstanceIdentifier='fsbp-encrypted-' + 
dbinstanceId,\r\n ApplyImmediately=True, \r\n NewDBInstanceIdentifier=dbinstanceId\r\n )\r\n \r\n time.sleep(60)\r\n\r\n response_final = client.get_waiter('db_instance_available').wait(\r\n DBInstanceIdentifier=dbinstanceId\r\n )\r\n \r\n"
173 | InputPayload:
174 | AutomationAssumeRole: '{{AutomationAssumeRole}}'
175 | dbinstanceId: '{{dbinstanceId}}'
176 | kmskeyArn: '{{kmskeyArn}}'
177 |
178 | #[EC2.3]
# [EC2.3] Attached EBS volumes should be encrypted at-rest.
# Intended flow: snapshot the volume -> encrypted snapshot copy (kmskeyArn) -> new encrypted
# volume -> stop/terminate the instance -> detach and delete the original volume and snapshot.
# (The Script string is a single line in the template; this page wraps it after "print('4.".)
# NOTE(review), data-loss defects in the inline script — until they are fixed a run destroys
# the volume's data instead of re-encrypting it:
#  1. snapshotencryptedId is read from response_snapshot (the UNENCRYPTED snapshot) instead of
#     response_snapshotCopy['SnapshotId'], so the encrypted copy's ID is never captured and
#     the snapshot_completed waiter waits on the wrong snapshot.
#  2. create_volume is called with AvailabilityZone/Size/VolumeType/KmsKeyId/Encrypted but no
#     SnapshotId, so the "encrypted volume" is an empty gp2 volume; the data is not copied.
#     It should pass SnapshotId=<encrypted snapshot id from fix 1>.
#  3. The new volume is never attached (there is no attach_volume call) while the original
#     volume, the original snapshot and — when the instance is not in an ASG — the instance
#     itself are removed. After a run the only remaining copy of the data is the encrypted
#     snapshot copy whose ID was discarded (it still exists under description
#     'New FSBP Encrypted snapshot.').
#  4. `if not response_asg['AutoScalingInstances']` terminates the instance when it is NOT in
#     an Auto Scaling group — the opposite of what the preceding print text says — and the
#     instance_stopped waiter that follows (indentation is not recoverable from this page,
#     so it may or may not be unconditional) would then wait on a terminated instance, which
#     that waiter most likely treats as a failure. Termination may also delete a root volume
#     with DeleteOnTermination before the explicit detach/delete runs — confirm.
#  5. Only Attachments[0] is read, so an unattached volume raises IndexError, and VolumeType
#     is forced to gp2 rather than copied from the source volume.
179 | FSBPEC23Automation:
180 | Type: AWS::SSM::Document
181 | Properties:
182 | DocumentType: Automation
183 | Name: FSBPEC23Automation
184 | Content:
185 | schemaVersion: '0.3'
186 | assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
187 | parameters:
188 | AutomationAssumeRole:
189 | type: String
190 | default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
191 | ebsvolumeId:
192 | type: String
193 | sourceregion:
194 | type: String
195 | kmskeyArn:
196 | type: String
197 | mainSteps:
198 | - name: EncryptEBSVolume
199 | action: 'aws:executeScript'
200 | inputs:
# python3.6 is an old runtime for aws:executeScript; confirm it is still accepted.
201 | Runtime: python3.6
202 | Handler: script_handler
203 | Script: "def script_handler(events, context):\r\n # TODO implement\r\n import json\r\n import boto3\r\n \r\n client = boto3.client('ec2')\r\n ebsvolumeId = events['ebsvolumeId']\r\n kmskeyArn = events['kmskeyArn']\r\n sourceregion = events['sourceregion']\r\n \r\n print('0. Describe Volume')\r\n \r\n response_volume = client.describe_volumes(\r\n VolumeIds=[\r\n ebsvolumeId\r\n ] \r\n )\r\n instanceid = response_volume['Volumes'][0]['Attachments'][0]['InstanceId']\r\n size= response_volume['Volumes'][0]['Size']\r\n availabilityzone = response_volume['Volumes'][0]['AvailabilityZone']\r\n \r\n response_snapshot = client.create_snapshot(\r\n Description='New FSBP snapshot',\r\n VolumeId=ebsvolumeId\r\n )\r\n \r\n snapshotid = response_snapshot['SnapshotId']\r\n \r\n response_snapshotA = client.get_waiter('snapshot_completed').wait(\r\n SnapshotIds=[snapshotid]\r\n )\r\n\r\n print('2. Copy and Encrypt. Creating encrypted snapshot from unencrypted copy')\r\n \r\n response_snapshotCopy = client.copy_snapshot(\r\n Description='New FSBP Encrypted snapshot.',\r\n DestinationRegion=sourceregion,\r\n SourceRegion=sourceregion,\r\n SourceSnapshotId=snapshotid,\r\n KmsKeyId=kmskeyArn,\r\n Encrypted=True\r\n )\r\n \r\n snapshotencryptedId = response_snapshot['SnapshotId']\r\n \r\n response_snapshotB = client.get_waiter('snapshot_completed').wait(\r\n SnapshotIds=[snapshotencryptedId]\r\n )\r\n \r\n print('3. Create volume from encrypted snapshot')\r\n \r\n response_volume_encrypted = client.create_volume(\r\n AvailabilityZone=availabilityzone,\r\n Size=size,\r\n VolumeType='gp2',\r\n KmsKeyId=kmskeyArn,\r\n Encrypted=True\r\n )\r\n\r\n encryptedVolumeId = response_volume_encrypted['VolumeId']\r\n \r\n response_snapshotC = client.get_waiter('volume_available').wait(\r\n VolumeIds=[encryptedVolumeId]\r\n )\r\n\r\n print('4. 
Stop original instance or terminate original instance if instance in asg')\r\n \r\n asgclient = boto3.client('autoscaling')\r\n \r\n response_asg = asgclient.describe_auto_scaling_instances(\r\n InstanceIds=[\r\n instanceid\r\n ]\r\n )\r\n \r\n if not response_asg['AutoScalingInstances']:\r\n response_terminateinstance = client.terminate_instances(\r\n InstanceIds=[\r\n instanceid\r\n ]\r\n )\r\n else:\r\n response_stopinstance = client.stop_instances(\r\n InstanceIds=[\r\n instanceid\r\n ]\r\n )\r\n \r\n response_instanceA = client.get_waiter('instance_stopped').wait(\r\n InstanceIds=[instanceid]\r\n )\r\n \r\n print('5. Detach original volume')\r\n \r\n response_detach_volume = client.detach_volume(\r\n VolumeId=ebsvolumeId\r\n )\r\n\r\n response_snapshotC = client.get_waiter('volume_available').wait(\r\n VolumeIds=[ebsvolumeId]\r\n )\r\n \r\n print('6. Delete original volume')\r\n \r\n response = client.delete_volume(\r\n VolumeId=ebsvolumeId\r\n )\r\n \r\n response_volumeA = client.get_waiter('volume_deleted').wait(\r\n VolumeIds=[ebsvolumeId]\r\n )\r\n \r\n print('7. Delete original snapshot')\r\n \r\n response = client.delete_snapshot(\r\n SnapshotId=snapshotid\r\n )"
204 | InputPayload:
205 | AutomationAssumeRole: '{{AutomationAssumeRole}}'
206 | ebsvolumeId: '{{ebsvolumeId}}'
207 | sourceregion: '{{sourceregion}}'
208 | kmskeyArn: '{{kmskeyArn}}'
209 |
210 |
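#[GuardDuty.1]
# Ensures GuardDuty is enabled in the region the automation runs in. A region holds at
# most one detector, so an existing (possibly disabled) detector is updated, not re-created.
FSBPGuardDuty1Automation:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: Automation
    Name: FSBPGuardDuty1Automation
    Content:
      schemaVersion: '0.3'
      assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
      parameters:
        AutomationAssumeRole:
          type: String
          default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        findingpublishingfrequency:
          type: String
          # Only the values GuardDuty accepts; anything else is rejected when the
          # execution starts instead of failing inside the script.
          allowedValues:
            - FIFTEEN_MINUTES
            - ONE_HOUR
            - SIX_HOURS
      mainSteps:
        - name: EnableGuardDuty
          action: 'aws:executeScript'
          inputs:
            Runtime: python3.7
            Handler: script_handler
            Script: |
              def script_handler(events, context):
                  """Make sure an enabled GuardDuty detector exists in this region.

                  events['findingpublishingfrequency'] is the finding export cadence
                  to apply. Returns the id of the detector created or updated.
                  """
                  import boto3
                  client = boto3.client('guardduty')
                  frequency = events['findingpublishingfrequency']

                  # create_detector fails when a detector already exists, and a detector
                  # can exist while disabled; update_detector covers both cases.
                  detector_ids = client.list_detectors().get('DetectorIds', [])
                  if detector_ids:
                      detector_id = detector_ids[0]
                      client.update_detector(
                          DetectorId=detector_id,
                          Enable=True,
                          FindingPublishingFrequency=frequency
                      )
                  else:
                      detector_id = client.create_detector(
                          Enable=True,
                          FindingPublishingFrequency=frequency
                      )['DetectorId']
                  return {'DetectorId': detector_id}
            InputPayload:
              AutomationAssumeRole: '{{AutomationAssumeRole}}'
              # The key must match what the script reads; it was previously passed
              # as 'functionname', which made events['findingpublishingfrequency'] a KeyError.
              findingpublishingfrequency: '{{findingpublishingfrequency}}'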
236 |
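#[Lambda.2]
# Moves a Lambda function to the newest runtime of its language family. The target
# table inside the script is fixed at authoring time and has to be kept current.
FSBPLambda2Automation:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: Automation
    Name: FSBPLambda2Automation
    Content:
      schemaVersion: '0.3'
      assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
      parameters:
        AutomationAssumeRole:
          type: String
          default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        accountID:
          # Not read by the script; kept so callers that already supply it keep working.
          type: String
        functionname:
          type: String
      mainSteps:
        - name: LatestRuntime
          action: 'aws:executeScript'
          inputs:
            Runtime: python3.7
            Handler: script_handler
            Script: |
              def script_handler(events, context):
                  """Upgrade events['functionname'] to the latest runtime of its language family.

                  Returns the runtime the function ends up on and whether it was changed.
                  The function is left alone when no family matches, when it already runs
                  the target, or when its runtime is newer than the table below.
                  """
                  import re
                  import boto3

                  # Newest runtime per family when this document was written. Later
                  # releases are not picked up until this table is updated.
                  latest = {
                      'python': 'python3.8',
                      'node': 'nodejs12.x',
                      'java': 'java11',
                      'dotnet': 'dotnetcore3.1',
                      'ruby': 'ruby2.7',
                      'go': 'go1.x',
                  }

                  def version_of(runtime):
                      # First numeric component: 'python3.8' -> 3.8, 'nodejs12.x' -> 12.0, 'java11' -> 11.0.
                      match = re.search(r'(\d+(?:\.\d+)?)', runtime)
                      return float(match.group(1)) if match else 0.0

                  client = boto3.client('lambda')
                  functionname = events['functionname']
                  current = client.get_function_configuration(FunctionName=functionname)['Runtime']

                  target = next((rt for family, rt in latest.items() if family in current), None)
                  if target is None or target == current:
                      return {'Runtime': current, 'Updated': False}
                  # Never downgrade: a runtime released after the table was written
                  # is reported, not replaced.
                  if version_of(current) > version_of(target):
                      return {'Runtime': current, 'Updated': False}

                  client.update_function_configuration(FunctionName=functionname, Runtime=target)
                  return {'Runtime': target, 'Updated': True}
            InputPayload:
              AutomationAssumeRole: '{{AutomationAssumeRole}}'
              functionname: '{{functionname}}'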
264 |
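#[Lambda.1]
# Re-issues every statement of a function's resource policy with the principal
# scoped to the given account (SourceAccount) so the function is no longer open.
FSBPLambda1Automation:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: Automation
    Name: FSBPLambda1Automation
    Content:
      schemaVersion: '0.3'
      assumeRole: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
      parameters:
        AutomationAssumeRole:
          type: String
          default: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AutomationAssumeRole}"
        accountID:
          type: String
        functionname:
          type: String
      mainSteps:
        - name: RestrictLambda
          action: 'aws:executeScript'
          inputs:
            Runtime: python3.6
            Handler: script_handler
            Script: |
              def script_handler(events, context):
                  """Replace each statement of the resource policy of events['functionname']
                  with an equivalent one that also carries SourceAccount=events['accountID'].

                  Returns the ids of the statements that were written. Raises ValueError
                  for a statement whose Principal cannot be expressed for add_permission.
                  """
                  import json
                  import boto3

                  def principal_of(statement):
                      # get_policy returns principals as '*', {'Service': '...'} or {'AWS': '...'};
                      # add_permission wants the bare value. The old str().replace() parsing
                      # produced '' for '*' and mangled AWS-account principals.
                      principal = statement['Principal']
                      if isinstance(principal, dict):
                          principal = principal.get('Service') or principal.get('AWS')
                      if not isinstance(principal, str):
                          raise ValueError('unsupported Principal in statement %s: %r'
                                           % (statement.get('Sid'), principal))
                      # NOTE(review): a '*' principal is kept and scoped by SourceAccount;
                      # confirm add_permission accepts that combination for your functions.
                      return principal

                  client = boto3.client('lambda')
                  functionname = events['functionname']
                  accountID = events['accountID']
                  policy = json.loads(client.get_policy(FunctionName=functionname)['Policy'])

                  written = []
                  for statement in policy['Statement']:
                      sid = statement['Sid']
                      new_sid = 'New' + sid
                      kwargs = dict(
                          FunctionName=functionname,
                          StatementId=new_sid,
                          Action=statement['Action'],
                          Principal=principal_of(statement),
                          SourceAccount=accountID
                      )
                      # Carry an existing SourceArn condition over so the new statement
                      # is never broader than the one it replaces.
                      source_arn = statement.get('Condition', {}).get('ArnLike', {}).get('AWS:SourceArn')
                      if source_arn:
                          kwargs['SourceArn'] = source_arn
                      # Add the scoped statement before removing the old one: a failure
                      # here then leaves the existing grant in place instead of deleting it
                      # with nothing to replace it.
                      client.add_permission(**kwargs)
                      client.remove_permission(FunctionName=functionname, StatementId=sid)
                      written.append(new_sid)
                  return {'StatementIds': written}
            InputPayload:
              AutomationAssumeRole: '{{AutomationAssumeRole}}'
              accountID: '{{accountID}}'
              functionname: '{{functionname}}'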
293 |
--------------------------------------------------------------------------------
/aws-remediate-fsbp-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-remediate-fsbp-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------
/aws-remediate-pci-securityhub/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | # Automated Remediations for PCI DSS 3.2.1 using AWS Security Hub
5 |
6 | AWS provides Operational Best Practices for PCI DSS 3.2.1, which provide a sample mapping between the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 and AWS Security Hub checks.
7 |
8 | The solution implemented here leverages the AWS Security Hub service and provides customers with an AWS-native implementation of automated remediations for the PCI policy violations detected by AWS Security Hub.
9 |
10 |
11 | ## How it Works
12 |
13 | This implementation is based on the following solution approach:
14 |
15 | 1. Leverages AWS Security Hub directly to provide continuous detection of PCI findings
16 | 2. Provides AWS Systems Manager Automation Documents for automated remediation for AWS Security Hub findings. All documents are automatically provisioned via an AWS CloudFormation template.
17 | 3. Provides integration of AWS Security Hub Custom Actions with AWS Systems Manager Automation Documents to provide real time remediations of AWS Security Hub PCI findings as follows:
18 | * Leverages the ability of AWS Security Hub to send findings associated with custom actions to CloudWatch Events as Security Hub Findings - Custom Action events.
19 | * The CloudWatch Events Rule invokes the corresponding Lambda Function as the Target for the source Security Hub Custom Action event
20 | * The Lambda function processes the finding using the standard findings format provided by Security Hub - AWS Security Finding Format (ASFF) and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding
21 |
22 |
23 | ## Solution Design
24 |
25 | 
26 |
27 | ## How To Install
28 |
29 | 1. **Template 1 of 2:** aws-security-hub-pci-remediations-template1.yml
30 | * Provisions AWS Systems Manager automation documents. These documents are used to provide automated remediations within the provisioned AWS Security Hub Action.
31 | * Provisions with fully built-in pre-reqs. No input parameters required. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
32 |
33 | 2. **Template 2 of 2:** aws-security-hub-pci-remediations-template2.yml
34 | * Provisions AWS CloudWatch Events and AWS Security Hub Custom Actions. No input parameters. Simply install on the CloudFormation console (or CLI). Installs in approx 3-4 mins.
35 | * Leverages the output from the previous template specifically the AWS Systems Manager Automation documents
36 |
37 | ## COVERAGE
38 |
39 | The solution provides remediations for the following AWS Security Hub PCI checks:
40 | * [PCI.AutoScaling.1] Auto scaling groups associated with a load balancer should use health checks
41 | * [PCI.CloudTrail.1] CloudTrail logs should be encrypted at rest using AWS KMS CMK
42 | * [PCI.CloudTrail.2] CloudTrail should be enabled
43 | * [PCI.CloudTrail.3] CloudTrail log file validation should be enabled
44 | * [PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs
45 | * [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
46 | * [PCI.CW.1] A log metric filter and alarm should exist for usage of the "root" user
47 | * [PCI.Config.1] AWS Config should be enabled
48 | * [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable
49 | * [PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic
50 | * [PCI.EC2.3] Unused EC2 security groups should be removed
51 | * [PCI.EC2.4] Unused EC2 EIPs should be removed
52 | * [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22
53 | * [PCI.EC2.6] Ensure VPC flow logging is enabled in all VPCs
54 | * [PCI.IAM.1] IAM root user access key should not exist
55 | * [PCI.IAM.2] IAM users should not have IAM policies attached
56 | * [PCI.IAM.3] IAM policies should not allow full * administrative privileges
57 | * [PCI.KMS.1] Customer master key (CMK) rotation should be enabled
58 | * [PCI.Lambda.1] Lambda functions should prohibit public access
59 | * [PCI.Lambda.2] Lambda functions should be in a VPC
60 | * [PCI.RDS.1] RDS snapshots should prohibit public access
61 | * [PCI.RDS.2] RDS DB Instances should prohibit public access
62 | * [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access
63 | * [PCI.S3.1] S3 buckets should prohibit public write access
64 | * [PCI.S3.2] S3 buckets should prohibit public read access
65 | * [PCI.S3.3] S3 buckets should have cross-region replication enabled
66 | * [PCI.S3.4] S3 buckets should have server-side encryption enabled
67 | * [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
68 |
69 |
70 | ## @kmmahaj
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/aws-remediate-pci-securityhub/cft/aws-securevpcsetup.template:
--------------------------------------------------------------------------------
1 | # ---------------------------------------------------------------------------------------------------------------
2 | # CloudFormation Template 1 of 1 -
3 | # Provisions a multiple VPC environment to provide an AWS environment with built-in security groups and networking
4 | # Note: the SG-BASTION security group (resource sgbastion) allows inbound TCP 22 from 0.0.0.0/0, which Security Hub reports under [PCI.EC2.5]; narrow CidrIp to a known management range unless the open rule is intentional.
5 | # @author Kanishk Mahajan
6 | # ----------------------------------------------------------------------------------------------------------------
7 |
8 |
9 | {
10 | "Resources" : {
11 | "vpc1" : {
12 | "Type" : "AWS::EC2::VPC",
13 | "Properties" : {
14 | "CidrBlock" : "10.33.64.0/18",
15 | "EnableDnsSupport" : true,
16 | "EnableDnsHostnames" : true,
17 | "InstanceTenancy" : "default",
18 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1"} ]
19 | }
20 | },
21 | "vpc1snA1" : {
22 | "Type" : "AWS::EC2::Subnet",
23 | "Properties" : {
24 | "VpcId" : {"Ref" : "vpc1"},
25 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A1"} ],
26 | "AvailabilityZone" : {
27 | "Fn::Select" : [
28 | "0",
29 | {
30 | "Fn::GetAZs" : ""
31 | }
32 | ]
33 | },
34 | "CidrBlock" : "10.33.64.0/20"
35 | }
36 | },
37 | "vpc1snA2" : {
38 | "Type" : "AWS::EC2::Subnet",
39 | "Properties" : {
40 | "VpcId" : {"Ref" : "vpc1"},
41 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A2"} ],
42 | "AvailabilityZone" : {
43 | "Fn::Select" : [
44 | "0",
45 | {
46 | "Fn::GetAZs" : ""
47 | }
48 | ]
49 | },
50 | "CidrBlock" : "10.33.80.0/20"
51 | }
52 | },
53 | "vpc1snA3" : {
54 | "Type" : "AWS::EC2::Subnet",
55 | "Properties" : {
56 | "VpcId" : {"Ref" : "vpc1"},
57 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A3"} ],
58 | "AvailabilityZone" : {
59 | "Fn::Select" : [
60 | "1",
61 | {
62 | "Fn::GetAZs" : ""
63 | }
64 | ]
65 | },
66 | "CidrBlock" : "10.33.96.0/20"
67 | }
68 | },
69 | "vpc1snA4" : {
70 | "Type" : "AWS::EC2::Subnet",
71 | "Properties" : {
72 | "VpcId" : {"Ref" : "vpc1"},
73 | "Tags" : [ {"Key" : "Name", "Value" : "vpc1_sn_A4"} ],
74 | "AvailabilityZone" : {
75 | "Fn::Select" : [
76 | "1",
77 | {
78 | "Fn::GetAZs" : ""
79 | }
80 | ]
81 | },
82 | "CidrBlock" : "10.33.112.0/20"
83 | }
84 | },
85 | "igwvpc1" : {
86 | "Type" : "AWS::EC2::InternetGateway",
87 | "DependsOn" : "vpc1",
88 | "Properties" : {
89 | "Tags" : [ {"Key" : "Name", "Value" : "IGW-VPC1"} ]
90 | }
91 | },
92 | "igwvpc1attachment" : {
93 | "DependsOn" : "igwvpc1",
94 | "Type" : "AWS::EC2::VPCGatewayAttachment",
95 | "Properties" : {
96 | "InternetGatewayId" : {"Ref" : "igwvpc1"},
97 | "VpcId" : {"Ref" : "vpc1"}
98 | }
99 | },
100 | "rtpublic" : {
101 | "Type" : "AWS::EC2::RouteTable",
102 | "Properties" : {
103 | "VpcId" : {"Ref" : "vpc1"},
104 | "Tags" : [ {"Key" : "Name", "Value" : "RT-Public"} ]
105 | }
106 | },
107 | "rtpublicdefault" : {
108 | "Type" : "AWS::EC2::Route",
109 | "DependsOn" : "igwvpc1attachment",
110 | "Properties" : {
111 | "RouteTableId" : { "Ref" : "rtpublic" },
112 | "DestinationCidrBlock" : "0.0.0.0/0",
113 | "GatewayId" : { "Ref" : "igwvpc1" }
114 | }
115 | },
116 | "rtpublicpubA" : {
117 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
118 | "Properties" : {
119 | "RouteTableId" : {"Ref" : "rtpublic" },
120 | "SubnetId" : {"Ref" : "vpc1snA1" }
121 | }
122 | },
123 | "sgbastion" : {
124 | "Type" : "AWS::EC2::SecurityGroup",
125 | "Properties" : {
126 | "GroupName" : "SG-BASTION",
127 | "GroupDescription" : "SG-BASTION",
128 | "SecurityGroupIngress" : [{
129 | "IpProtocol" : "tcp",
130 | "FromPort" : 22,
131 | "ToPort" : 22,
132 | "CidrIp" : "0.0.0.0/0"
133 | }],
134 | "Tags" : [ {"Key" : "Name", "Value" : "SG-BASTION"} ],
135 | "VpcId" : {"Ref" : "vpc1"}
136 | }
137 | },
138 | "sginternal" : {
139 | "Type" : "AWS::EC2::SecurityGroup",
140 | "Properties" : {
141 | "GroupName" : "SG-INTERNAL",
142 | "GroupDescription" : "SG-INTERNAL",
143 | "SecurityGroupIngress" : [{
144 | "IpProtocol" : "tcp",
145 | "FromPort" : 22,
146 | "ToPort" : 22,
147 | "SourceSecurityGroupId" : {"Ref" : "sgbastion"}
148 | }],
149 | "Tags" : [ {"Key" : "Name", "Value" : "SG-INTERNAL"} ],
150 | "VpcId" : {"Ref" : "vpc1"}
151 | }
152 | },
153 | "sginternalselfref" : {
154 | "Type": "AWS::EC2::SecurityGroupIngress",
155 | "Properties": {
156 | "GroupId": {
157 | "Ref": "sginternal"
158 | },
159 | "IpProtocol": -1,
160 | "FromPort": -1,
161 | "ToPort": -1,
162 | "SourceSecurityGroupId": {
163 | "Ref": "sginternal"
164 | }
165 | }
166 | },
167 | "rtprivatea" : {
168 | "Type" : "AWS::EC2::RouteTable",
169 | "Properties" : {
170 | "VpcId" : {"Ref" : "vpc1"},
171 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateA"} ]
172 | }
173 | },
174 | "rtprivateb" : {
175 | "Type" : "AWS::EC2::RouteTable",
176 | "Properties" : {
177 | "VpcId" : {"Ref" : "vpc1"},
178 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateB"} ]
179 | }
180 | },
181 | "rtprivatec" : {
182 | "Type" : "AWS::EC2::RouteTable",
183 | "Properties" : {
184 | "VpcId" : {"Ref" : "vpc1"},
185 | "Tags" : [ {"Key" : "Name", "Value" : "RT-PrivateC"} ]
186 | }
187 | },
188 | "rtprivatea3" : {
189 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
190 | "Properties" : {
191 | "RouteTableId" : {"Ref" : "rtprivatea" },
192 | "SubnetId" : {"Ref" : "vpc1snA3" }
193 | }
194 | },
195 | "rtprivatea4" : {
196 | "Type" : "AWS::EC2::SubnetRouteTableAssociation",
197 | "Properties" : {
198 | "RouteTableId" : {"Ref" : "rtprivatea" },
199 | "SubnetId" : {"Ref" : "vpc1snA4" }
200 | }
201 | }
202 | },
203 | "Outputs" : {
204 | "vpc1id" : {
205 | "Description" : "ID of VPC 1",
206 | "Value" : {"Ref" : "vpc1"},
207 | "Export" : {
208 | "Name" : "vpc1id"
209 | }
210 | },
211 | "vpc1sn1cidr" : {
212 | "Description" : "CIDR of VPC 1 Subnet A1",
213 | "Value" : "10.33.64.0/20",
214 | "Export" : {
215 | "Name" : "vpc1sn1cidr"
216 | }
217 | },
218 | "subnetvpc1A1" : {
219 | "Description" : "ID of Subnet A1 in VPC 1",
220 | "Value" : {"Ref" : "vpc1snA1"},
221 | "Export" : {
222 | "Name" : "subnetvpc1A1"
223 | }
224 | },
225 | "subnetvpc1A2" : {
226 | "Description" : "ID of Subnet A2 in VPC 1",
227 | "Value" : {"Ref" : "vpc1snA2"},
228 | "Export" : {
229 | "Name" : "subnetvpc1A2"
230 | }
231 | },
232 | "subnetvpc1A3" : {
233 | "Description" : "ID of Subnet A3 in VPC 1",
234 | "Value" : {"Ref" : "vpc1snA3"},
235 | "Export" : {
236 | "Name" : "subnetvpc1A3"
237 | }
238 | },
239 | "securitygroupid" : {
240 | "Description" : "ID of Public Bastion SG",
241 | "Value" : {"Ref" : "sgbastion"},
242 | "Export" : {
243 | "Name" : "securitygroupid"
244 | }
245 | },
246 | "subnetvpc1A4" : {
247 | "Description" : "ID of Subnet A4 in VPC 1",
248 | "Value" : {"Ref" : "vpc1snA4"},
249 | "Export" : {
250 | "Name" : "subnetvpc1A4"
251 | }
252 | },
253 | "routetablesubnetvpc1" : {
254 | "Description" : "ID of RouteTable for VPC 1 A1 Subnet",
255 | "Value" : {"Ref" : "rtpublic"},
256 | "Export" : {
257 | "Name" : "routetablesubnetvpc1"
258 | }
259 | }
260 | }
261 |
262 | }
--------------------------------------------------------------------------------
/aws-remediate-pci-securityhub/images/arch-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-securityhub-remediations/59fc765d93929a59dc27888c0a147e67ba4947ed/aws-remediate-pci-securityhub/images/arch-diagram.png
--------------------------------------------------------------------------------