├── source
├── layer
│ ├── py.typed
│ ├── .coveragerc
│ ├── __init__.py
│ └── test
│ │ ├── __init__.py
│ │ ├── file_utilities.py
│ │ └── test_logger.py
├── .prettierignore
├── playbooks
│ ├── SC
│ │ ├── ssmdocs
│ │ │ ├── scripts
│ │ │ │ └── .coveragerc
│ │ │ ├── descriptions
│ │ │ │ ├── RDS.1.md
│ │ │ │ ├── EC2.1.md
│ │ │ │ ├── Macie.1.md
│ │ │ │ ├── EC2.19.md
│ │ │ │ ├── GuardDuty.1.md
│ │ │ │ ├── Athena.4.md
│ │ │ │ ├── EC2.6.md
│ │ │ │ ├── ECR.1.md
│ │ │ │ ├── ECS.5.md
│ │ │ │ ├── SSM.4.md
│ │ │ │ ├── CloudTrail.6.md
│ │ │ │ ├── DynamoDB.6.md
│ │ │ │ ├── EC2.8.md
│ │ │ │ ├── S3.4.md
│ │ │ │ ├── SQS.1.md
│ │ │ │ ├── EC2.15.md
│ │ │ │ ├── ELB.1.md
│ │ │ │ ├── S3.5.md
│ │ │ │ ├── S3.6.md
│ │ │ │ ├── CloudTrail.1.md
│ │ │ │ ├── CloudTrail.4.md
│ │ │ │ ├── CloudTrail.7.md
│ │ │ │ ├── IAM.18.md
│ │ │ │ ├── S3.1.md
│ │ │ │ ├── EC2.10.md
│ │ │ │ ├── SNS.1.md
│ │ │ │ ├── ElastiCache.1.md
│ │ │ │ ├── ElastiCache.3.md
│ │ │ │ ├── SecretsManager.4.md
│ │ │ │ ├── APIGateway.5.md
│ │ │ │ ├── EC2.7.md
│ │ │ │ ├── ElastiCache.2.md
│ │ │ │ ├── CloudFront.1.md
│ │ │ │ ├── CloudWatch.16.md
│ │ │ │ ├── SNS.2.md
│ │ │ │ ├── EC2.4.md
│ │ │ │ ├── IAM.7.md
│ │ │ │ ├── AutoScaling.3.md
│ │ │ │ ├── CloudTrail.5.md
│ │ │ │ ├── DynamoDB.5.md
│ │ │ │ ├── EC2.23.md
│ │ │ │ ├── CloudTrail.2.md
│ │ │ │ ├── CloudFront.12.md
│ │ │ │ ├── IAM.3.md
│ │ │ │ ├── Autoscaling.5.md
│ │ │ │ ├── SecretsManager.1.md
│ │ │ │ ├── CodeBuild.5.md
│ │ │ │ ├── CloudFormation.1.md
│ │ │ │ ├── GuardDuty.2.md
│ │ │ │ ├── GuardDuty.4.md
│ │ │ │ ├── RDS.7.md
│ │ │ │ ├── APIGateway.1.md
│ │ │ │ ├── RDS.16.md
│ │ │ │ ├── RDS.5.md
│ │ │ │ ├── RDS.6.md
│ │ │ │ ├── RDS.8.md
│ │ │ │ ├── RDS.13.md
│ │ │ │ ├── Redshift.1.md
│ │ │ │ ├── Redshift.4.md
│ │ │ │ ├── EC2.18.md
│ │ │ │ ├── IAM.8.md
│ │ │ │ ├── Lambda.1.md
│ │ │ │ ├── Redshift.3.md
│ │ │ │ ├── CodeBuild.2.md
│ │ │ │ ├── Redshift.6.md
│ │ │ │ ├── KMS.4.md
│ │ │ │ ├── S3.13.md
│ │ │ │ ├── DynamoDB.1.md
│ │ │ │ ├── Config.1.md
│ │ │ │ ├── SSM.1.md
│ │ │ │ ├── SecretsManager.3.md
│ │ │ │ ├── EC2.2.md
│ │ │ │ ├── AutoScaling.1.md
│ │ │ │ ├── RDS.4.md
│ │ │ │ ├── S3.11.md
│ │ │ │ └── RDS.2.md
│ │ │ └── SC_IAM.22.ts
│ │ ├── tsconfig.json
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── support.txt
│ │ └── README.md
│ ├── AFSBP
│ │ ├── tsconfig.json
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── support.txt
│ │ ├── ssmdocs
│ │ │ └── scripts
│ │ │ │ ├── test
│ │ │ │ └── test_s3-6_deserialize_api_list.py
│ │ │ │ └── deserializeApiList.py
│ │ └── README.md
│ ├── CIS120
│ │ ├── tsconfig.json
│ │ ├── ssmdocs
│ │ │ └── scripts
│ │ │ │ └── .coveragerc
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── support.txt
│ │ └── README.md
│ ├── CIS140
│ │ ├── tsconfig.json
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── ssmdocs
│ │ │ ├── CIS140_3.5.ts
│ │ │ ├── CIS140_3.8.ts
│ │ │ ├── CIS140_3.9.ts
│ │ │ ├── CIS140_1.14.ts
│ │ │ ├── CIS140_2.1.2.ts
│ │ │ ├── CIS140_1.17.ts
│ │ │ ├── CIS140_2.1.1.ts
│ │ │ ├── CIS140_3.6.ts
│ │ │ ├── CIS140_2.2.1.ts
│ │ │ ├── CIS140_3.7.ts
│ │ │ ├── CIS140_1.8.ts
│ │ │ ├── CIS140_3.1.ts
│ │ │ ├── CIS140_5.3.ts
│ │ │ ├── CIS140_3.2.ts
│ │ │ ├── CIS140_3.3.ts
│ │ │ ├── CIS140_3.4.ts
│ │ │ ├── CIS140_2.1.5.1.ts
│ │ │ ├── CIS140_2.1.5.2.ts
│ │ │ ├── CIS140_1.12.ts
│ │ │ └── CIS140_4.1.ts
│ │ ├── support.txt
│ │ └── README.md
│ ├── CIS300
│ │ ├── tsconfig.json
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── ssmdocs
│ │ │ ├── CIS300_5.6.ts
│ │ │ ├── CIS300_3.3.ts
│ │ │ ├── CIS300_3.6.ts
│ │ │ ├── CIS300_3.7.ts
│ │ │ ├── CIS300_1.14.ts
│ │ │ ├── CIS300_2.1.1.ts
│ │ │ ├── CIS300_1.17.ts
│ │ │ ├── CIS300_2.2.1.ts
│ │ │ ├── CIS300_3.5.ts
│ │ │ ├── CIS300_2.3.3.ts
│ │ │ ├── CIS300_3.1.ts
│ │ │ ├── CIS300_5.4.ts
│ │ │ ├── CIS300_3.2.ts
│ │ │ ├── CIS300_3.4.ts
│ │ │ ├── CIS300_2.3.2.ts
│ │ │ ├── CIS300_1.8.ts
│ │ │ ├── CIS300_2.1.4.1.ts
│ │ │ └── CIS300_1.12.ts
│ │ ├── support.txt
│ │ └── README.md
│ ├── PCI321
│ │ ├── tsconfig.json
│ │ ├── ssmdocs
│ │ │ └── scripts
│ │ │ │ ├── .coveragerc
│ │ │ │ └── pci_get_input_values.py
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── support.txt
│ │ └── README.md
│ ├── NEWPLAYBOOK
│ │ ├── tsconfig.json
│ │ ├── ssmdocs
│ │ │ └── scripts
│ │ │ │ └── .coveragerc
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── support.txt
│ │ └── README.md
│ ├── NIST80053
│ │ ├── tsconfig.json
│ │ ├── cdk.json
│ │ ├── description.txt
│ │ ├── ssmdocs
│ │ │ ├── NIST80053_ELB.1.ts
│ │ │ ├── NIST80053_S3.6.ts
│ │ │ ├── NIST80053_EC2.8.ts
│ │ │ ├── NIST80053_Macie.1.ts
│ │ │ ├── NIST80053_SSM.4.ts
│ │ │ ├── NIST80053_EC2.6.ts
│ │ │ ├── NIST80053_KMS.4.ts
│ │ │ ├── NIST80053_RDS.4.ts
│ │ │ ├── NIST80053_S3.5.ts
│ │ │ ├── NIST80053_Config.1.ts
│ │ │ ├── NIST80053_EC2.4.ts
│ │ │ ├── NIST80053_ECS.5.ts
│ │ │ ├── NIST80053_IAM.3.ts
│ │ │ ├── NIST80053_IAM.7.ts
│ │ │ ├── NIST80053_S3.13.ts
│ │ │ ├── NIST80053_EC2.1.ts
│ │ │ ├── NIST80053_RDS.1.ts
│ │ │ ├── NIST80053_S3.4.ts
│ │ │ ├── NIST80053_EC2.10.ts
│ │ │ ├── NIST80053_GuardDuty.1.ts
│ │ │ ├── NIST80053_RDS.5.ts
│ │ │ ├── NIST80053_DynamoDB.1.ts
│ │ │ ├── NIST80053_EC2.15.ts
│ │ │ ├── NIST80053_EC2.7.ts
│ │ │ ├── NIST80053_ElastiCache.1.ts
│ │ │ ├── NIST80053_Lambda.1.ts
│ │ │ ├── NIST80053_S3.1.ts
│ │ │ ├── NIST80053_S3.9.ts
│ │ │ ├── NIST80053_SNS.1.ts
│ │ │ ├── NIST80053_SQS.1.ts
│ │ │ ├── NIST80053_ECR.1.ts
│ │ │ ├── NIST80053_IAM.8.ts
│ │ │ ├── NIST80053_S3.11.ts
│ │ │ ├── NIST80053_DynamoDB.6.ts
│ │ │ ├── NIST80053_EC2.18.ts
│ │ │ ├── NIST80053_RDS.2.ts
│ │ │ ├── NIST80053_SNS.2.ts
│ │ │ ├── NIST80053_CloudWatch.16.ts
│ │ │ ├── NIST80053_EC2.2.ts
│ │ │ ├── NIST80053_ElastiCache.2.ts
│ │ │ ├── NIST80053_RDS.7.ts
│ │ │ ├── NIST80053_RDS.8.ts
│ │ │ ├── NIST80053_SecretsManager.3.ts
│ │ │ ├── NIST80053_CloudFront.12.ts
│ │ │ ├── NIST80053_CloudTrail.2.ts
│ │ │ ├── NIST80053_CodeBuild.5.ts
│ │ │ ├── NIST80053_EC2.23.ts
│ │ │ ├── NIST80053_RDS.16.ts
│ │ │ ├── NIST80053_RDS.6.ts
│ │ │ ├── NIST80053_Redshift.4.ts
│ │ │ ├── NIST80053_SecretsManager.1.ts
│ │ │ ├── NIST80053_Autoscaling.5.ts
│ │ │ ├── NIST80053_CloudFormation.1.ts
│ │ │ ├── NIST80053_CloudFront.1.ts
│ │ │ ├── NIST80053_CloudTrail.4.ts
│ │ │ ├── NIST80053_EC2.19.ts
│ │ │ ├── NIST80053_RDS.13.ts
│ │ │ ├── NIST80053_Redshift.1.ts
│ │ │ ├── NIST80053_SecretsManager.4.ts
│ │ │ ├── NIST80053_APIGateway.5.ts
│ │ │ ├── NIST80053_CloudTrail.5.ts
│ │ │ ├── NIST80053_CodeBuild.2.ts
│ │ │ ├── NIST80053_ElastiCache.3.ts
│ │ │ ├── NIST80053_AutoScaling.1.ts
│ │ │ ├── NIST80053_AutoScaling.3.ts
│ │ │ ├── NIST80053_Redshift.3.ts
│ │ │ ├── NIST80053_Redshift.6.ts
│ │ │ ├── NIST80053_EC2.13.ts
│ │ │ ├── NIST80053_S3.2.ts
│ │ │ └── NIST80053_CloudTrail.1.ts
│ │ ├── support.txt
│ │ └── README.md
│ └── common
│ │ ├── test
│ │ ├── __init__.py
│ │ ├── test_deserialize_json.py
│ │ └── conftest.py
│ │ └── deserialize_json.py
├── remediation_runbooks
│ └── scripts
│ │ ├── .coveragerc
│ │ ├── test
│ │ ├── __init__.py
│ │ ├── test_GetLogGroupNameFromArn.py
│ │ ├── conftest.py
│ │ ├── test_AppendSuffix.py
│ │ └── test_CastToString.py
│ │ ├── CastToString.py
│ │ ├── GetLogGroupNameFromArn.py
│ │ ├── AppendSuffix.py
│ │ ├── EnableAWSConfig_summary.py
│ │ ├── CreateCloudTrailMultiRegionTrail_process_results.py
│ │ ├── EnablePrivateRepositoryScanning.py
│ │ └── ConfigureAutoScalingLaunchConfigurationToDisablePublicIP.py
├── .prettierrc
├── webui
│ ├── public
│ │ ├── logo.png
│ │ ├── favicon.ico
│ │ ├── cognito-login-banner.png
│ │ ├── manifest.json
│ │ └── aws-exports.template.json
│ ├── tsconfig.node.json
│ ├── src
│ │ ├── pages
│ │ │ ├── findings
│ │ │ │ └── FindingsOverviewPage.tsx
│ │ │ └── history
│ │ │ │ └── RemediationHistoryOverviewPage.tsx
│ │ ├── __tests__
│ │ │ └── server.ts
│ │ ├── utils
│ │ │ └── userPermissions.ts
│ │ ├── styles.css
│ │ └── components
│ │ │ ├── EmptyTableState.tsx
│ │ │ ├── ProtectedRoute.tsx
│ │ │ └── navigation
│ │ │ └── Breadcrumbs.tsx
│ └── index.html
├── blueprints
│ ├── jira
│ │ ├── ticket_generator
│ │ │ └── test
│ │ │ │ └── __init__.py
│ │ └── cdk
│ │ │ └── cdk.json
│ ├── servicenow
│ │ ├── ticket_generator
│ │ │ └── test
│ │ │ │ └── __init__.py
│ │ └── cdk
│ │ │ └── cdk.json
│ ├── cdk
│ │ └── cdk.json
│ └── pyproject.toml
├── Orchestrator
│ ├── .coveragerc
│ └── test
│ │ └── __init__.py
├── solution_deploy
│ ├── source
│ │ ├── .coveragerc
│ │ └── test
│ │ │ ├── __init__.py
│ │ │ └── conftest.py
│ └── cdk.json
├── .npmignore
├── data-models
│ ├── tsconfig.cjs.json
│ ├── tsconfig.esm.json
│ ├── index.ts
│ ├── apiActions.ts
│ ├── package.json
│ └── searchCriteria.ts
├── lib
│ ├── cdk-helper
│ │ ├── choice-param.ts
│ │ ├── choice-param.test.ts
│ │ └── override-logical-id.ts
│ ├── parameters
│ │ └── test
│ │ │ └── __snapshots__
│ │ │ └── admin-account-param.test.ts.snap
│ └── member
│ │ └── cloud-trail-event-processor
│ │ └── package.json
├── lambdas
│ ├── common
│ │ ├── utils
│ │ │ ├── logger.ts
│ │ │ ├── tracer.ts
│ │ │ └── clock.ts
│ │ ├── constants
│ │ │ └── apiConstant.ts
│ │ └── __tests__
│ │ │ └── jestAfterEnvSetup.ts
│ ├── tsconfig.json
│ └── api
│ │ └── README.md
└── test
│ ├── regex_registry.test.ts
│ ├── test_data
│ ├── tstest-cis29.yaml
│ └── tstest-rds1.yaml
│ ├── utils.ts
│ ├── snapshot-serializer.ts
│ └── orchestrator_logs.test.ts
├── simtest
└── simtest
│ └── __init__.py
├── test-stack
├── lambda
│ └── test
│ │ └── __init__.py
├── cdk
│ ├── cdk.json
│ └── bin
│ │ └── app.ts
└── common
│ └── controls.json
├── docs
└── automated-security-response-on-aws-architecture-diagram.png
├── .github
├── PULL_REQUEST_TEMPLATE.md
└── ISSUE_TEMPLATE
│ ├── documentation-improvements.md
│ └── feature_request.md
├── pyproject.toml
├── CODE_OF_CONDUCT.md
├── deployment
├── manifest-generator
│ └── package.json
├── utils
│ └── package.json
└── solution_env.sh
├── mypy.ini
└── SECURITY.md
/source/layer/py.typed:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/source/.prettierignore:
--------------------------------------------------------------------------------
1 | dist/
--------------------------------------------------------------------------------
/source/layer/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/scripts/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 |
--------------------------------------------------------------------------------
/source/.prettierrc:
--------------------------------------------------------------------------------
1 | {
2 | "printWidth": 120,
3 | "singleQuote": true
4 | }
5 |
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS120/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/PCI321/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/SC/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/NEWPLAYBOOK/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../../tsconfig.json"
3 | }
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS120/ssmdocs/scripts/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 | relative_files = True
--------------------------------------------------------------------------------
/source/playbooks/PCI321/ssmdocs/scripts/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 | relative_files = True
--------------------------------------------------------------------------------
/source/playbooks/NEWPLAYBOOK/ssmdocs/scripts/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 | relative_files = True
--------------------------------------------------------------------------------
/simtest/simtest/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/layer/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/webui/public/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-solutions/automated-security-response-on-aws/main/source/webui/public/logo.png
--------------------------------------------------------------------------------
/source/layer/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/webui/public/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-solutions/automated-security-response-on-aws/main/source/webui/public/favicon.ico
--------------------------------------------------------------------------------
/test-stack/lambda/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/playbooks/common/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/blueprints/jira/ticket_generator/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/webui/public/cognito-login-banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-solutions/automated-security-response-on-aws/main/source/webui/public/cognito-login-banner.png
--------------------------------------------------------------------------------
/source/blueprints/servicenow/ticket_generator/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/source/Orchestrator/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 | omit =
4 | ./applogger.py
5 | ./awsapi_cached_client.py
6 | ./logger.py
7 | ./metrics.py
8 | ./utils.py
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/afsbp.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/playbooks/CIS120/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/cis120.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/cis140.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/cis300.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/playbooks/PCI321/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/pci321.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/solution_deploy/source/.coveragerc:
--------------------------------------------------------------------------------
1 | [run]
2 | include = ./*
3 | omit =
4 | ./applogger.py
5 | ./awsapi_cached_client.py
6 | ./logger.py
7 | ./metrics.py
8 | ./utils.py
--------------------------------------------------------------------------------
/source/playbooks/SC/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/security_controls.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/.npmignore:
--------------------------------------------------------------------------------
1 | *.ts
2 | !*.d.ts
3 |
4 | # CDK asset staging directory
5 | .cdk.staging
6 | cdk.out
7 |
8 | # non-npm
9 | source
10 | python_tests
11 | python_lib
12 | .pytest_cache
13 |
--------------------------------------------------------------------------------
/source/playbooks/NEWPLAYBOOK/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/newplaybook.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/nist80053.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true"
6 | }
7 | }
--------------------------------------------------------------------------------
/docs/automated-security-response-on-aws-architecture-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-solutions/automated-security-response-on-aws/main/docs/automated-security-response-on-aws-architecture-diagram.png
--------------------------------------------------------------------------------
/test-stack/cdk/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/app.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true",
6 | "@aws-cdk/aws-iam:standardizedServicePrincipals": true
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | *Issue #, if available:*
2 |
3 | *Description of changes:*
4 |
5 |
6 | By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
--------------------------------------------------------------------------------
/source/blueprints/cdk/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/app.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true",
6 | "@aws-cdk/aws-iam:standardizedServicePrincipals": true
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/source/blueprints/jira/cdk/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/app.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true",
6 | "@aws-cdk/aws-iam:standardizedServicePrincipals": true
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/source/data-models/tsconfig.cjs.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../tsconfig.json",
3 | "compilerOptions": {
4 | "outDir": "./cjs",
5 | "skipLibCheck": true,
6 | },
7 | "include": ["*.ts"],
8 | "exclude": ["node_modules"]
9 | }
10 |
--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
1 | [project]
2 | name = "automated_security_response_on_aws"
3 | version = "3.0.1"
4 |
5 | [tool.setuptools]
6 | package-dir = {"" = "source"}
7 | packages = ["layer"]
8 |
9 | [tool.setuptools.package-data]
10 | "layer" = ["py.typed"]
11 |
--------------------------------------------------------------------------------
/source/blueprints/servicenow/cdk/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/app.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true",
6 | "@aws-cdk/aws-iam:standardizedServicePrincipals": true
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/source/solution_deploy/cdk.json:
--------------------------------------------------------------------------------
1 | {
2 | "app": "npx ts-node bin/solution_deploy.ts",
3 | "versionReporting": false,
4 | "context": {
5 | "aws-cdk:enableDiffNoFail": "true",
6 | "@aws-cdk/aws-iam:standardizedServicePrincipals": true
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/source/Orchestrator/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import os
4 | import sys
5 |
6 | sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "layer"))
7 |
--------------------------------------------------------------------------------
/source/lib/cdk-helper/choice-param.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | enum ChoiceParam {
5 | Yes = 'yes',
6 | No = 'no',
7 | }
8 |
9 | export default ChoiceParam;
10 |
--------------------------------------------------------------------------------
/source/solution_deploy/source/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import os
4 | import sys
5 |
6 | sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "..", "layer"))
7 |
--------------------------------------------------------------------------------
/source/data-models/tsconfig.esm.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../tsconfig.json",
3 | "compilerOptions": {
4 | "target": "es2022",
5 | "module": "esnext",
6 | "outDir": "./esm",
7 | "skipLibCheck": true,
8 | },
9 | "include": ["*.ts"],
10 | "exclude": ["node_modules"]
11 | }
12 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/CastToString.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | def cast_to_string(event, _) -> str:
4 | parameter_to_cast = event["DesiredParameter"]
5 | return str(event[parameter_to_cast])
6 |
--------------------------------------------------------------------------------
/source/lambdas/common/utils/logger.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Logger } from '@aws-lambda-powertools/logger';
4 |
5 | export function getLogger(serviceName: string) {
6 | return new Logger({ serviceName });
7 | }
8 |
--------------------------------------------------------------------------------
/source/webui/tsconfig.node.json:
--------------------------------------------------------------------------------
1 | {
2 | "compilerOptions": {
3 | "composite": true,
4 | "skipLibCheck": true,
5 | "module": "ESNext",
6 | "moduleResolution": "bundler",
7 | "allowSyntheticDefaultImports": true
8 | },
9 | "include": ["vite.config.ts"]
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a
3 | single click using predefined response and remediation actions packaged in
4 | “Playbooks”. This Playbook, SecurityControls, is
5 |
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments.
--------------------------------------------------------------------------------
/source/lambdas/common/utils/tracer.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Tracer } from '@aws-lambda-powertools/tracer';
4 |
5 | export function getTracer(serviceName: string) {
6 | return new Tracer({ serviceName: serviceName });
7 | }
8 |
--------------------------------------------------------------------------------
/source/webui/src/pages/findings/FindingsOverviewPage.tsx:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import FindingsTable from './findings-table/FindingsTable.tsx';
4 |
5 | export const FindingsOverviewPage = () => {
6 | return ;
7 | };
8 |
--------------------------------------------------------------------------------
/test-stack/common/controls.json:
--------------------------------------------------------------------------------
1 | {
2 | "SC200": ["S3.9", "KMS.4", "SecretsManager.1", "SQS.1"],
3 | "AFSBP100": ["S3.9", "SecretsManager.1", "SQS.1"],
4 | "NIST500": ["S3.9", "KMS.4", "SecretsManager.1", "SQS.1"],
5 | "PCI321": ["PCI.KMS.1"],
6 | "CIS120": ["2.8"],
7 | "CIS300": ["3.6"],
8 | "CIS140": ["3.6", "3.8"]
9 | }
--------------------------------------------------------------------------------
/source/blueprints/pyproject.toml:
--------------------------------------------------------------------------------
1 | [tool.poetry]
2 | name = "automated_security_response_on_aws"
3 | package-mode = false
4 |
5 | [tool.poetry.dependencies]
6 | aws-lambda-powertools = {version = "3.1.0", extras = ["tracer"]}
7 | python = "^3.11"
8 |
9 | [build-system]
10 | requires = ["poetry-core"]
11 | build-backend = "poetry.core.masonry.api"
12 |
--------------------------------------------------------------------------------
/source/data-models/index.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | export * from './user';
5 | export * from './apiActions';
6 | export * from './finding';
7 | export * from './remediation';
8 | export * from './searchCriteria';
9 | export * from './schemaTypes';
10 |
--------------------------------------------------------------------------------
/source/lambdas/common/constants/apiConstant.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | export const SCOPE_NAME = 'FindingsAPI';
4 | export const DEFAULT_PAGE_SIZE = 50;
5 | export const MAX_PRESIGNED_URL_EXPIRY_SECONDS = 86400; // 1 day
6 | export const FINDING_PRINCIPAL = 'Automated';
7 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/description.txt:
--------------------------------------------------------------------------------
1 | Automated Response on AWS is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a single click
3 | using predefined response and remediation actions packaged in “Playbooks”. This Playbook, NIST80053, includes remediations for many of the NIST 800-53Rev5 Security Standard findings.
--------------------------------------------------------------------------------
/source/webui/src/pages/history/RemediationHistoryOverviewPage.tsx:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import RemediationHistoryTable from './history-table/RemediationHistoryTable.tsx';
4 |
5 | export const RemediationHistoryOverviewPage = () => {
6 | return ;
7 | };
8 |
--------------------------------------------------------------------------------
/source/playbooks/PCI321/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a single click
3 | using predefined response and remediation actions packaged in “Playbooks”. This Playbook,
4 | PCI v3.2.1, includes remediations for many of the PCI-DSS v3.2.1 findings.
5 |
--------------------------------------------------------------------------------
/source/playbooks/common/deserialize_json.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import json
4 |
5 |
6 | def event_handler(event, _):
7 | try:
8 | return json.loads(event["SerializedJson"])
9 | except Exception as e:
10 | print(e)
11 | exit("Failed to deserialize data")
12 |
--------------------------------------------------------------------------------
/deployment/manifest-generator/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "manifest-generator",
3 | "version": "3.0.1",
4 | "private": true,
5 | "description": "Create a manifest.json that lists all files to include in a WebUI deployment",
6 | "main": "app.js",
7 | "author": {
8 | "name": "aws-solutions-builder"
9 | },
10 | "dependencies": {
11 | "minimist": "*"
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/source/lambdas/common/utils/clock.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | export interface Clock {
5 | now(): Date;
6 | }
7 |
8 | class SystemClock implements Clock {
9 | now(): Date {
10 | return new Date();
11 | }
12 | }
13 |
14 | export const getClock = (): Clock => new SystemClock();
15 |
--------------------------------------------------------------------------------
/source/playbooks/CIS120/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a single click
3 | using predefined response and remediation actions packaged in “Playbooks”. This Playbook, CIS v1.2.0, includes remediations for many of the CIS AWS Foundations Benchmark v1.2.0 findings.
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a single click
3 | using predefined response and remediation actions packaged in “Playbooks”. This Playbook, CIS v1.4.0, includes remediations for many of the CIS AWS Foundations Benchmark v1.4.0 findings.
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a single click
3 | using predefined response and remediation actions packaged in “Playbooks”. This Playbook, CIS v3.0.0, includes remediations for many of the CIS AWS Foundations Benchmark v3.0.0 findings.
4 |
--------------------------------------------------------------------------------
/source/test/regex_registry.test.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { getRegexRegistry, RegexTestCase } from './regex_registry';
4 |
5 | const testCases: RegexTestCase[] = getRegexRegistry().getAllCases();
6 |
7 | test.each(testCases)('%s', (testCase: RegexTestCase) => {
8 | testCase.runTests();
9 | });
10 |
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a single click
3 | using predefined response and remediation actions packaged in “Playbooks”. This Playbook, AWS FSBP v1.0.0, includes remediations for many of the AWS Foundational Security Best Practices v1.0.0 findings.
4 |
--------------------------------------------------------------------------------
/source/lib/parameters/test/__snapshots__/admin-account-param.test.ts.snap:
--------------------------------------------------------------------------------
1 | // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
2 |
3 | exports[`admin account param stack matches snapshot 1`] = `
4 | {
5 | "Parameters": {
6 | "SecHubAdminAccount": {
7 | "AllowedPattern": "^\\d{12}$",
8 | "Description": "Admin account number",
9 | "Type": "String",
10 | },
11 | },
12 | }
13 | `;
14 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/GetLogGroupNameFromArn.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | from typing import TypedDict
4 |
5 |
6 | class GetLogGroupNameFromArnEvent(TypedDict):
7 | Arn: str
8 |
9 |
10 | def get_log_group_name_from_arn(event: GetLogGroupNameFromArnEvent, _) -> str:
11 | return event["Arn"].split(":")[6]
12 |
--------------------------------------------------------------------------------
/source/webui/public/manifest.json:
--------------------------------------------------------------------------------
1 | {
2 | "short_name": "ASR",
3 | "name": "Automated Security Response on AWS",
4 | "icons": [
5 | {
6 | "src": "favicon.ico",
7 | "sizes": "64x64 32x32 24x24 16x16",
8 | "type": "image/x-icon"
9 | }
10 | ],
11 | "start_url": ".",
12 | "display": "standalone",
13 | "theme_color": "#000000",
14 | "background_color": "#ffffff"
15 | }
16 |
--------------------------------------------------------------------------------
/source/lambdas/common/__tests__/jestAfterEnvSetup.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | import { DynamoDBTestSetup } from './dynamodbSetup';
5 |
6 | beforeAll(async () => {
7 | await DynamoDBTestSetup.initialize();
8 | await DynamoDBTestSetup.cleanup();
9 | });
10 |
11 | afterAll(async () => {
12 | jest.restoreAllMocks();
13 | await DynamoDBTestSetup.cleanup();
14 | });
15 |
--------------------------------------------------------------------------------
/source/playbooks/common/test/test_deserialize_json.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import json
4 |
5 | from deserialize_json import event_handler
6 |
7 |
8 | def event(object):
9 | return {"SerializedJson": json.dumps(object)}
10 |
11 |
12 | def test_deserialize():
13 | object = {"MinRetentionPeriod": "7"}
14 | assert event_handler(event(object), {}) == object
15 |
--------------------------------------------------------------------------------
/source/layer/test/file_utilities.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import json
4 |
5 |
6 | def load_test_data(file, region):
7 | testdata = open(file)
8 | rawdata = testdata.read()
9 | rawdata = rawdata.replace("us-east-1", region)
10 | # Replace all occurences of us-east-1 with
11 | event = json.loads(rawdata)
12 | testdata.close
13 | return event
14 |
--------------------------------------------------------------------------------
/source/data-models/apiActions.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | export type SuppressionResult = {
5 | suppressed: boolean;
6 | };
7 |
8 | export type RemediationResult = {
9 | remediationStatus: 'IN_PROGRESS' | 'FAILED';
10 | executionIdsByFindingId?: Map;
11 | error?: string;
12 | };
13 |
14 | export type ActionResult = SuppressionResult | RemediationResult;
15 |
--------------------------------------------------------------------------------
/source/lib/cdk-helper/choice-param.test.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import ChoiceParam from './choice-param';
4 |
5 | describe('choice param', function () {
6 | it('yes has expected value', function () {
7 | expect(ChoiceParam.Yes).toEqual('yes');
8 | });
9 |
10 | it('no has expected value', function () {
11 | expect(ChoiceParam.No).toEqual('no');
12 | });
13 | });
14 |
--------------------------------------------------------------------------------
/source/webui/src/__tests__/server.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { setupServer } from 'msw/node';
4 | import { handlers } from '../mocks/handlers.ts';
5 |
6 | // configures a mock server for unit tests.
7 | // call server.use() in test to set up handlers.
8 | export const MOCK_SERVER_URL = 'http://localhost:3001/';
9 | export const server = setupServer(...handlers(MOCK_SERVER_URL));
10 |
--------------------------------------------------------------------------------
/mypy.ini:
--------------------------------------------------------------------------------
1 | [mypy]
2 | warn_unused_configs = True
3 | warn_redundant_casts = True
4 | warn_unused_ignores = True
5 |
6 | strict_equality = True
7 | strict_concatenate = True
8 |
9 | check_untyped_defs = True
10 |
11 | disallow_subclassing_any = True
12 | disallow_untyped_decorators = True
13 | disallow_any_generics = True
14 |
15 | disallow_incomplete_defs = True
16 |
17 | no_implicit_reexport = True
18 |
19 | warn_return_any = True
20 |
21 | [mypy-moto]
22 | ignore_missing_imports = True
23 |
--------------------------------------------------------------------------------
/deployment/utils/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "@amzn/asr-deployment-utils",
3 | "version": "3.0.1",
4 | "description": "Deployment scripts for Automated Security Response on AWS",
5 | "author": {
6 | "name": "Amazon Web Services",
7 | "url": "https://aws.amazon.com/solutions",
8 | "organization": true
9 | },
10 | "license": "Apache-2.0",
11 | "scripts": {
12 | "test": "npm ci && jest --coverage"
13 | },
14 | "devDependencies": {
15 | "jest": "29.7.0"
16 | }
17 | }
--------------------------------------------------------------------------------
/source/lambdas/tsconfig.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": "../tsconfig.json", // Inherits from the base tsconfig.json
3 | "compilerOptions": {
4 | "experimentalDecorators": true,
5 | "outDir": null,
6 | "noUnusedLocals": false
7 | },
8 | "exclude": [
9 | "node_modules",
10 | "coverage/**/*", // Exclude coverage directory to avoid file conflicts
11 | "dist/**/*", // Exclude dist directory to avoid file conflicts
12 | "**/*.config.js",
13 | "**/__tests__/**"
14 | ]
15 | }
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/test/test_GetLogGroupNameFromArn.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | from GetLogGroupNameFromArn import get_log_group_name_from_arn
4 |
5 |
6 | def test_get_log_group_name_from_arn():
7 | arn = "arn:aws:logs:us-east-1:111111111111:log-group:/aws/apigateway/welcome"
8 | result = get_log_group_name_from_arn({"Arn": arn}, None)
9 | assert result == "/aws/apigateway/welcome"
10 |
--------------------------------------------------------------------------------
/source/playbooks/NEWPLAYBOOK/description.txt:
--------------------------------------------------------------------------------
1 | AWS Security Hub Automated Response and Remediation is an add-on solution that
2 | enables AWS Security Hub customers to remediate security findings with a
3 | single click using predefined response and remediation actions packaged in
4 | “Playbooks”. This Playbook, NEWPLAYBOOK, is an example customers can use to
5 | create custom playbooks. It is not deployable without modification. Please
6 | see the AWS Security Hub Automated Response and Remediation Implementation
7 | Guide for more information.
8 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 | ## Reporting Security Issues
2 |
3 | We take all security reports seriously. When we receive such reports,
4 | we will investigate and subsequently address any potential vulnerabilities as
5 | quickly as possible. If you discover a potential security issue in this project,
6 | please notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email
7 | to [AWS Security](mailto:aws-security@amazon.com).
8 | Please do *not* create a public GitHub issue in this project.
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/AppendSuffix.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | from typing import TypedDict
4 |
5 |
6 | class AppendSuffixEvent(TypedDict):
7 | OriginalString: str
8 | MaxLen: int
9 | Suffix: str
10 |
11 |
12 | def append_suffix(event: AppendSuffixEvent, _) -> str:
13 | prefix_len = event["MaxLen"] - len(event["Suffix"])
14 | new_name = event["OriginalString"][:prefix_len] + event["Suffix"]
15 | return new_name
16 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.1
2 | ## What does this document do?
3 | This document changes public RDS snapshot to private
4 |
5 | ## Input Parameters
6 | * Finding: (Required) Security Hub finding details JSON
7 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
8 |
9 | ## Documentation Links
10 | * [AWS FSBP RDS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-1)
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.1
2 | ## What does this document do?
3 | This document changes all public EC2 snapshots to private
4 |
5 | ## Input Parameters
6 | * Finding: (Required) Security Hub finding details JSON
7 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
8 |
9 | ## Documentation Links
10 | * [AWS FSBP EC2.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-1)
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Macie.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2.0.0_Macie.1
2 |
3 | ## What does this document do?
4 | This document enables AWS Macie with the maximum allowed publishing frequency (SIX_HOURS).
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Documentation Links
11 | * [Macie.1](https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html#macie-1)
12 |
--------------------------------------------------------------------------------
/source/lib/cdk-helper/override-logical-id.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { CfnResource } from 'aws-cdk-lib';
4 | import { IConstruct } from 'constructs';
5 |
6 | export default function overrideLogicalId(resource: IConstruct, logicalId: string) {
7 | const cfnResource = resource.node.defaultChild as CfnResource;
8 | if (!cfnResource) {
9 | throw new Error('Unable to override logical ID, not a CfnResource');
10 | }
11 | cfnResource.overrideLogicalId(logicalId);
12 | }
13 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/documentation-improvements.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Documentation improvements
3 | about: Suggest a documentation update
4 | title: ""
5 | labels: documentation
6 | assignees: ""
7 | ---
8 |
9 | **What were you initially searching for in the docs?**
10 |
11 |
12 |
13 | **Is this related to an existing part of the documentation? Please share a link**
14 |
15 | **Describe how we could make it clearer**
16 |
17 | **If you have a proposed update, please share it here**
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/EnableAWSConfig_summary.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | def process_results(event, _):
4 | print(f'Created encrypted SNS topic {event["sns_topic_arn"]}')
5 | print(f'Created encrypted Config bucket {event["config_bucket"]}')
6 | print(
7 | f'Created access logging for Config bucket in bucket {event["logging_bucket"]}'
8 | )
9 | remediation_message = event["enable_config_message"]
10 | return {"Message": remediation_message, "Status": "Success"}
11 |
--------------------------------------------------------------------------------
/source/webui/src/utils/userPermissions.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | export const getHighestUserGroup = (groups: string[] | null): string | null => {
5 | return groups?.find((group) => ['AdminGroup', 'DelegatedAdminGroup', 'AccountOperatorGroup'].includes(group)) || null;
6 | };
7 |
8 | export const canAccessUsers = (groups: string[] | null): boolean => {
9 | const highestGroup = getHighestUserGroup(groups);
10 | return highestGroup === 'AdminGroup' || highestGroup === 'DelegatedAdminGroup';
11 | };
12 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.19.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.19
2 |
3 | ## What does this document do?
4 | This document disables unrestricted access to high risk ports.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 EC2.19](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-19)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/GuardDuty.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_GuardDuty.1
2 |
3 | ## What does this document do?
4 | This document enables GuardDuty.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 GuardDuty.1](https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Athena.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2.0.0_Athena.4
2 |
3 | ## What does this document do?
4 | This document enables logging for Athena Work Groups.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [Athena.4](https://docs.aws.amazon.com/securityhub/latest/userguide/athena-controls.html#athena-4)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.6.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.6
2 |
3 | ## What does this document do?
4 | Enables VPC Flow Logs for a VPC
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Remediation results
12 |
13 | ## Documentation Links
14 | * [AWS FSBP EC2.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-6)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/ECR.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_ECR.1
2 |
3 | ## What does this document do?
4 | This document enables image scanning configuration on a private ECR repository.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 ECR.1](https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/ECS.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_ECS.5
2 |
3 | ## What does this document do?
4 | This document triggers the ECS.5 (ASR-LimitECSRootFilesystemAccess) remediation runbook.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 ECS.5](https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5)
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this solution
4 | title: ""
5 | labels: feature-request, enhancement
6 | assignees: ""
7 | ---
8 |
9 | **Is your feature request related to a problem? Please describe.**
10 |
11 |
12 |
13 | **Describe the feature you'd like**
14 |
15 |
16 |
17 | **Additional context**
18 |
19 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SSM.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SSM.4
2 |
3 | ## What does this document do?
4 | This document modifies SSM document permissions to prevent cross-account public access.
5 |
6 | ## Input Parameters
7 | * DocumentArn: (Required) SSM Document ARN that will be changed.
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 SSM.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-4)
--------------------------------------------------------------------------------
/source/webui/src/styles.css:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 | * SPDX-License-Identifier: Apache-2.0
4 | */
5 |
6 | body,
7 | html {
8 | margin: 0;
9 | height: 100%;
10 | }
11 | .amplify-button--primary {
12 | background-color: #eb5f07;
13 | }
14 |
15 | .amplify-tabs-item[data-state="active"] {
16 | color: black;
17 | border-color: #eb5f07;
18 | }
19 |
20 | /* Keep a sticky top navigation bar at the top of the screen when scrolling down */
21 | #top-nav {
22 | position: sticky;
23 | left: 0;
24 | top: 0;
25 | right: 0;
26 | z-index: 1000;
27 | }
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudTrail.6.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-CIS_1.2.0_2.3
2 |
3 | ## What does this document do?
4 | This document blocks public access to the CloudTrail S3 bucket.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [CIS v1.2.0 2.3](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.3)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/DynamoDB.6.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_DynamoDB.6
2 |
3 | ## What does this document do?
4 | This document enables deletion protection for a DynamoDB table.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [DynamoDB.6](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.8.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.8
2 | ## What does this document do?
3 | This document enables IMDSv2 on an Instance for an AWS account in the current region by calling another SSM document.
4 | ## Input Parameters
5 | * Finding: (Required) Security Hub finding details JSON
6 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
7 | ## Output Parameters
8 | * Remediation.Output
9 |
10 | ## Documentation Links
11 | * [AWS FSBP EC2.8](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8)
12 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_5.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableIMDSV2OnInstance } from '../../SC/ssmdocs/SC_EC2.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableIMDSV2OnInstance(stage, id, { ...props, controlId: '5.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_ELB.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnforceHTTPSForALB } from '../../SC/ssmdocs/SC_ELB.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnforceHTTPSForALB(stage, id, { ...props, controlId: 'ELB.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/S3.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_S3.4
2 |
3 | ## What does this document do?
4 | This document enables AES-256 as the default encryption for an S3 bucket.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 S3.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-4)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SQS.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SQS.1
2 |
3 | ## What does this document do?
4 | This document enables encryption at rest using AWS KMS for SQS Queues.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 SQS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-sqs-1)
15 |
--------------------------------------------------------------------------------
/source/playbooks/common/test/conftest.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import os
4 |
5 | import pytest
6 |
7 |
8 | @pytest.fixture(scope="module", autouse=True)
9 | def aws_credentials():
10 | os.environ["AWS_ACCESS_KEY_ID"] = "testing"
11 | os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
12 | os.environ["AWS_SECURITY_TOKEN"] = "testing"
13 | os.environ["AWS_SESSION_TOKEN"] = "testing"
14 | os.environ["AWS_DEFAULT_REGION"] = "us-east-1"
15 | os.environ["SOLUTION_ID"] = "SOTestID"
16 | os.environ["AWS_ACCOUNT"] = "123456789012"
17 |
--------------------------------------------------------------------------------
/source/test/test_data/tstest-cis29.yaml:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | description: |
5 | ### Document Name - ASR-CIS_1.2.0_2.9
6 | schemaVersion: '0.3'
7 | assumeRole: '{{ AutomationAssumeRole }}'
8 | outputs:
9 | - VerifySGRules.Response
10 | parameters:
11 | Finding:
12 | type: StringMap
13 | description: The input from Step function for 2.9 finding
14 | AutomationAssumeRole:
15 | type: String
16 | description: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
17 | default: ''
18 |
--------------------------------------------------------------------------------
/deployment/solution_env.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 | # SPDX-License-Identifier: Apache-2.0
4 | export SOLUTION_ID='SO0111'
5 | export SOLUTION_NAME='Automated Security Response on AWS'
6 | export SOLUTION_TRADEMARKEDNAME='automated-security-response-on-aws'
7 | # The following are estimations for the max number of remediation runbooks to reach the template size limit.
8 | # Adjust these values as needed, depending on the template size as more remediations are added.
9 | export SC_MEMBER_STACK_LIMIT=85
10 | export NIST_MEMBER_STACK_LIMIT=63
11 | export AFSBP_MEMBER_STACK_LIMIT=63
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAWSConfigDocument } from '../../SC/ssmdocs/SC_Config.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAWSConfigDocument(stage, id, { ...props, controlId: '3.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.8.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableKeyRotationDocument } from '../../SC/ssmdocs/SC_KMS.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableKeyRotationDocument(stage, id, { ...props, controlId: '3.8' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.9.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableVPCFlowLogsDocument } from '../../SC/ssmdocs/SC_EC2.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableVPCFlowLogsDocument(stage, id, { ...props, controlId: '3.9' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAWSConfigDocument } from '../../SC/ssmdocs/SC_Config.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAWSConfigDocument(stage, id, { ...props, controlId: '3.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableKeyRotationDocument } from '../../SC/ssmdocs/SC_KMS.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableKeyRotationDocument(stage, id, { ...props, controlId: '3.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.7.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableVPCFlowLogsDocument } from '../../SC/ssmdocs/SC_EC2.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableVPCFlowLogsDocument(stage, id, { ...props, controlId: '3.7' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { S3BlockDenylistDocument } from '../../SC/ssmdocs/SC_S3.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new S3BlockDenylistDocument(stage, id, { ...props, controlId: 'S3.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.15.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.15
2 |
3 | ## What does this document do?
4 | This document disables auto assignment of public IP addresses on a subnet.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 EC2.15](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-15)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/ELB.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_ELB.1
2 |
3 | ## What does this document do?
4 | This document executes the remediation runbook (ASR-EnforceHTTPSForALB) for the ELB.1 remediation.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [ELB.1](https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/S3.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_S3.5
2 |
3 | ## What does this document do?
4 | This document adds a bucket policy to restrict internet access to https only.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 S3.5](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/S3.6.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_S3.6
2 |
3 | ## What does this document do?
4 | This document restricts cross-account access to a bucket in the local account.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 S3.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-6)
15 |
--------------------------------------------------------------------------------
/source/solution_deploy/source/test/conftest.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import os
4 |
5 | import pytest
6 |
7 |
8 | @pytest.fixture(scope="module", autouse=True)
9 | def aws_credentials():
10 | os.environ["AWS_ACCESS_KEY_ID"] = "testing"
11 | os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
12 | os.environ["AWS_SECURITY_TOKEN"] = "testing"
13 | os.environ["AWS_SESSION_TOKEN"] = "testing"
14 | os.environ["AWS_DEFAULT_REGION"] = "us-east-1"
15 | os.environ["SOLUTION_ID"] = "SOTestID"
16 | os.environ["AWS_ACCOUNT"] = "123456789012"
17 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_1.14.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnrotatedKeysDocument } from '../../SC/ssmdocs/SC_IAM.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnrotatedKeysDocument(stage, id, { ...props, controlId: '1.14' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_2.1.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetSSLBucketPolicyDocument } from '../../SC/ssmdocs/SC_S3.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetSSLBucketPolicyDocument(stage, id, { ...props, controlId: '2.1.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_1.14.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnrotatedKeysDocument } from '../../SC/ssmdocs/SC_IAM.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnrotatedKeysDocument(stage, id, { ...props, controlId: '1.14' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_2.1.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetSSLBucketPolicyDocument } from '../../SC/ssmdocs/SC_S3.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetSSLBucketPolicyDocument(stage, id, { ...props, controlId: '2.1.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.8.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableIMDSV2OnInstance } from '../../SC/ssmdocs/SC_EC2.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableIMDSV2OnInstance(stage, id, { ...props, controlId: 'EC2.8' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Macie.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableMacieDocument } from '../../SC/ssmdocs/SC_Macie.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableMacieDocument(stage, id, { ...props, controlId: 'Macie.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SSM.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
5 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
6 | import { DisablePublicSSMDocument } from '../../SC/ssmdocs/SC_SSM.4';
7 |
8 | export function createControlRunbook(scope: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisablePublicSSMDocument(scope, id, { ...props, controlId: 'SSM.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudTrail.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CloudTrail.1
2 | ## What does this document do?
3 | Creates a multi-region trail with KMS encryption and enables CloudTrail
4 | Note: this remediation will create a NEW trail.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Documentation Links
11 | * [AWS FSBP CloudTrail.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-1)
12 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudTrail.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CloudTrail.4
2 |
3 | ## What does this document do?
4 | This document enables CloudTrail log file validation.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 CloudTrail.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-4)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudTrail.7.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-CIS_1.2.0_2.6
2 |
3 | ## What does this document do?
4 | Configures access logging for a CloudTrail S3 bucket.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Remediation results
12 |
13 | ## Documentation Links
14 | * [CIS v1.2.0 2.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.6)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/IAM.18.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-CIS_1.2.0_1.20
2 |
3 | ## What does this document do?
4 | Creates a support role to allow AWS Support access.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output of CreateRole API.
12 |
13 | ## Documentation Links
14 | * [CIS v1.2.0 1.20](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.20)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/S3.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_S3.1
2 |
3 | ## What does this document do?
4 | This document blocks public access to all buckets by default at the account level.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 S3.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-1)
15 |
--------------------------------------------------------------------------------
/source/test/test_data/tstest-rds1.yaml:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | description: |
5 | ### Document Name - ASR-SECTEST_1.2.3_TEST.1
6 | schemaVersion: '0.3'
7 | assumeRole: '{{ AutomationAssumeRole }}'
8 | outputs:
9 | - VerifySGRules.Response
10 | parameters:
11 | Finding:
12 | type: StringMap
13 | description: The input from Step function for TEST1 finding
14 | AutomationAssumeRole:
15 | type: String
16 | description: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
17 | default: ''
18 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_1.17.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { CreateIAMSupportRoleDocument } from '../../SC/ssmdocs/SC_IAM.18';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new CreateIAMSupportRoleDocument(stage, id, { ...props, controlId: '1.17' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_1.17.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { CreateIAMSupportRoleDocument } from '../../SC/ssmdocs/SC_IAM.18';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new CreateIAMSupportRoleDocument(stage, id, { ...props, controlId: '1.17' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableVPCFlowLogsDocument } from '../../SC/ssmdocs/SC_EC2.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableVPCFlowLogsDocument(stage, id, { ...props, controlId: 'EC2.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_KMS.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableKeyRotationDocument } from '../../SC/ssmdocs/SC_KMS.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableKeyRotationDocument(stage, id, { ...props, controlId: 'KMS.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EncryptRDSSnapshotDocument } from '../../SC/ssmdocs/SC_RDS.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EncryptRDSSnapshotDocument(stage, id, { ...props, controlId: 'RDS.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetSSLBucketPolicyDocument } from '../../SC/ssmdocs/SC_S3.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetSSLBucketPolicyDocument(stage, id, { ...props, controlId: 'S3.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.10.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_EC2.10
2 |
3 | ## What does this document do?
4 | This document created and attaches a service interface endpoint to the given VPC. By default, it allows access for all subnets in the VPC.
5 | ## Input Parameters
6 | * Finding: (Required) Security Hub finding details JSON
7 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
8 |
9 | ## Output Parameters
10 | * Remediation.Output
11 |
12 | ## Documentation Links
13 | * [EC2.10 Control](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-10)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SNS.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SNS.1
2 |
3 | ## What does this document do?
4 | This document enables encryption at rest using AWS KMS for SNS topics.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 SNS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-sns-1)
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/test/conftest.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import os
4 |
5 | import pytest
6 |
7 |
8 | @pytest.fixture(scope="module", autouse=True)
9 | def aws_credentials():
10 | os.environ["AWS_ACCESS_KEY_ID"] = "testing"
11 | os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
12 | os.environ["AWS_SECURITY_TOKEN"] = "testing"
13 | os.environ["AWS_SESSION_TOKEN"] = "testing"
14 | os.environ["AWS_DEFAULT_REGION"] = "us-east-1"
15 | os.environ["SOLUTION_ID"] = "SOTestID"
16 | os.environ["AWS_ACCOUNT"] = "123456789012"
17 |
--------------------------------------------------------------------------------
/source/playbooks/CIS120/support.txt:
--------------------------------------------------------------------------------
1 | CIS v1.2.0 Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/support.txt:
--------------------------------------------------------------------------------
1 | CIS v1.4.0 Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/support.txt:
--------------------------------------------------------------------------------
1 | CIS v3.0.0 Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Config.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAWSConfigDocument } from '../../SC/ssmdocs/SC_Config.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAWSConfigDocument(stage, id, { ...props, controlId: 'Config.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { TerminateEC2InstanceDocument } from '../../SC/ssmdocs/SC_EC2.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new TerminateEC2InstanceDocument(stage, id, { ...props, controlId: 'EC2.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_ECS.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { LimitECSRootFilesystemAccess } from '../../SC/ssmdocs/SC_ECS.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new LimitECSRootFilesystemAccess(stage, id, { ...props, controlId: 'ECS.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_IAM.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnrotatedKeysDocument } from '../../SC/ssmdocs/SC_IAM.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnrotatedKeysDocument(stage, id, { ...props, controlId: 'IAM.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_IAM.7.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetIAMPasswordPolicyDocument } from '../../SC/ssmdocs/SC_IAM.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetIAMPasswordPolicyDocument(stage, id, { ...props, controlId: 'IAM.7' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.13.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetS3LifecyclePolicyDocument } from '../../SC/ssmdocs/SC_S3.13';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetS3LifecyclePolicyDocument(stage, id, { ...props, controlId: 'S3.13' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/PCI321/support.txt:
--------------------------------------------------------------------------------
1 | PCI v3.2.1 Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/CreateCloudTrailMultiRegionTrail_process_results.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | def process_results(event, _):
4 | print(f'Created encrypted CloudTrail bucket {event["cloudtrail_bucket"]}')
5 | print(
6 | f'Created access logging for CloudTrail bucket in bucket {event["logging_bucket"]}'
7 | )
8 | print("Enabled multi-region AWS CloudTrail")
9 | return {
10 | "response": {
11 | "message": "AWS CloudTrail successfully enabled",
12 | "status": "Success",
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/support.txt:
--------------------------------------------------------------------------------
1 | AWS FSBP v1.0.0 Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_2.1.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableDefaultEncryptionS3Document } from '../../SC/ssmdocs/SC_S3.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableDefaultEncryptionS3Document(stage, id, { ...props, controlId: '2.1.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3BucketLoggingDocument } from '../../SC/ssmdocs/SC_CloudTrail.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3BucketLoggingDocument(stage, id, { ...props, controlId: '3.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { MakeEBSSnapshotsPrivateDocument } from '../../SC/ssmdocs/SC_EC2.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new MakeEBSSnapshotsPrivateDocument(stage, id, { ...props, controlId: 'EC2.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { MakeRDSSnapshotPrivateDocument } from '../../SC/ssmdocs/SC_RDS.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new MakeRDSSnapshotPrivateDocument(stage, id, { ...props, controlId: 'RDS.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableDefaultEncryptionS3Document } from '../../SC/ssmdocs/SC_S3.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableDefaultEncryptionS3Document(stage, id, { ...props, controlId: 'S3.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/support.txt:
--------------------------------------------------------------------------------
1 | NIST SP 800-53 Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/ElastiCache.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_ElastiCache.1
2 |
3 | ## What does this document do?
4 | This document enabled automatic backups for Redis OSS ElastiCache clusters.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [ElastiCache.1](https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/ElastiCache.3.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_ElastiCache.3
2 |
3 | ## What does this document do?
4 | This document enables automatic failover for ElastiCache replication groups.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [ElastiCache.3](https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-3)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SecretsManager.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SecretsManager.4
2 |
3 | ## What does this document do?
4 | This document rotates a secret and sets its rotation period to 90 days.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 SecretsManager.4](https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-4)
--------------------------------------------------------------------------------
/source/playbooks/SC/support.txt:
--------------------------------------------------------------------------------
1 | NEWPLAYBOOK example Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/test/utils.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Template } from 'aws-cdk-lib/assertions';
4 |
5 | /**
6 | * Omits the hash from the template snapshot for testing
7 | */
8 | export function omitWaitResourceHash(template: Template, templateJSON: { [p: string]: any }) {
9 | const waitResources = template.findResources('Custom::Wait');
10 |
11 | for (const waitResource in waitResources) {
12 | templateJSON['Resources'][waitResource]['Properties']['DocumentPropertiesHash'] =
13 | 'Omitted to remove snapshot dependency on document hash';
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_2.2.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableEbsEncryptionByDefaultDocument } from '../../SC/ssmdocs/SC_EC2.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableEbsEncryptionByDefaultDocument(stage, id, { ...props, controlId: '2.2.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.7.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailEncryptionDocument } from '../../SC/ssmdocs/SC_CloudTrail.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailEncryptionDocument(stage, id, { ...props, controlId: '3.7' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_2.2.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableEbsEncryptionByDefaultDocument } from '../../SC/ssmdocs/SC_EC2.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableEbsEncryptionByDefaultDocument(stage, id, { ...props, controlId: '2.2.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailEncryptionDocument } from '../../SC/ssmdocs/SC_CloudTrail.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailEncryptionDocument(stage, id, { ...props, controlId: '3.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.10.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
5 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
6 | import { AttachServiceVPCEndpointDocument } from '../../SC/ssmdocs/SC_EC2.10';
7 |
8 | export function createControlRunbook(scope: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new AttachServiceVPCEndpointDocument(scope, id, { ...props, controlId: 'EC2.10' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_GuardDuty.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableGuardDutyDocument } from '../../SC/ssmdocs/SC_GuardDuty.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableGuardDutyDocument(stage, id, { ...props, controlId: 'GuardDuty.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableMultiAZOnRDSInstanceDocument } from '../../SC/ssmdocs/SC_RDS.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableMultiAZOnRDSInstanceDocument(stage, id, { ...props, controlId: 'RDS.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/APIGateway.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-NIST_800_53_APIGateway.5
2 |
3 | ## What does this document do?
4 | This document enables encryption on API Gateway REST API cache data
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [NIST APIGateway.5](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-5)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.7.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.7
2 | ## What does this document do?
3 | This document enables `EBS Encryption by default` for an AWS account in the current region by calling another SSM document
4 | ## Input Parameters
5 | * Finding: (Required) Security Hub finding details JSON
6 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
7 | ## Output Parameters
8 | * Remediation.Output
9 |
10 | ## Documentation Links
11 | * [AWS FSBP EC2.7](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-7)
12 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/ElastiCache.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_ElastiCache.2
2 |
3 | ## What does this document do?
4 | This document enables automatic minor version upgrades for ElastiCache clusters.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [ElastiCache.1](https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-2)
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_1.8.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetIAMPasswordPolicyDocument } from '../../SC/ssmdocs/SC_IAM.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetIAMPasswordPolicyDocument(stage, id, { ...props, controlId: '1.8', otherControlIds: ['1.9'] });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NEWPLAYBOOK/support.txt:
--------------------------------------------------------------------------------
1 | NEWPLAYBOOK example Remediation Playbook - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the 'License'); You may not use this product template except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
2 |
3 | Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
4 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_DynamoDB.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureDynamoDBAutoScaling } from '../../SC/ssmdocs/SC_DynamoDB.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureDynamoDBAutoScaling(stage, id, { ...props, controlId: 'DynamoDB.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.15.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisablePublicIPAutoAssignDocument } from '../../SC/ssmdocs/SC_EC2.15';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisablePublicIPAutoAssignDocument(stage, id, { ...props, controlId: 'EC2.15' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.7.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableEbsEncryptionByDefaultDocument } from '../../SC/ssmdocs/SC_EC2.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableEbsEncryptionByDefaultDocument(stage, id, { ...props, controlId: 'EC2.7' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_ElastiCache.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableElastiCacheBackups } from '../../SC/ssmdocs/SC_ElastiCache.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableElastiCacheBackups(stage, id, { ...props, controlId: 'ElastiCache.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Lambda.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RemoveLambdaPublicAccessDocument } from '../../SC/ssmdocs/SC_Lambda.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RemoveLambdaPublicAccessDocument(stage, id, { ...props, controlId: 'Lambda.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3PublicAccessBlockDocument } from '../../SC/ssmdocs/SC_S3.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3PublicAccessBlockDocument(stage, id, { ...props, controlId: 'S3.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.9.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3BucketLoggingDocument } from '../../SC/ssmdocs/SC_CloudTrail.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3BucketLoggingDocument(stage, id, { ...props, controlId: 'S3.9' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SNS.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableEncryptionForSNSTopicDocument } from '../../SC/ssmdocs/SC_SNS.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableEncryptionForSNSTopicDocument(stage, id, { ...props, controlId: 'SNS.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SQS.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableEncryptionForSQSQueueDocument } from '../../SC/ssmdocs/SC_SQS.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableEncryptionForSQSQueueDocument(stage, id, { ...props, controlId: 'SQS.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudFront.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CloudFront.1
2 |
3 | ## What does this document do?
4 | This document configures a default root object to be returned when visiting a CloudFront distribution.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 CloudFront.1](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudWatch.16.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-NIST_800_53_CloudWatch.16
2 |
3 | ## What does this document do?
4 | This document configures the retention period for a CloudWatch log group.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [NIST CloudWatch.16](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-16)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SNS.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SNS.2
2 |
3 | ## What does this document do?
4 | This document enables logging of delivery status for notification messages sent to a topic.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 SNS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-sns-2)
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { CreateCloudTrailMultiRegionTrailDocument } from '../../SC/ssmdocs/SC_CloudTrail.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new CreateCloudTrailMultiRegionTrailDocument(stage, id, { ...props, controlId: '3.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_5.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RemoveVPCDefaultSecurityGroupRulesDocument } from '../../SC/ssmdocs/SC_EC2.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RemoveVPCDefaultSecurityGroupRulesDocument(stage, id, { ...props, controlId: '5.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_2.3.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisablePublicAccessToRDSInstanceDocument } from '../../SC/ssmdocs/SC_RDS.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisablePublicAccessToRDSInstanceDocument(stage, id, { ...props, controlId: '2.3.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { CreateCloudTrailMultiRegionTrailDocument } from '../../SC/ssmdocs/SC_CloudTrail.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new CreateCloudTrailMultiRegionTrailDocument(stage, id, { ...props, controlId: '3.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_5.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RemoveVPCDefaultSecurityGroupRulesDocument } from '../../SC/ssmdocs/SC_EC2.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RemoveVPCDefaultSecurityGroupRulesDocument(stage, id, { ...props, controlId: '5.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_ECR.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnablePrivateRepositoryScanningDocument } from '../../SC/ssmdocs/SC_ECR.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnablePrivateRepositoryScanningDocument(stage, id, { ...props, controlId: 'ECR.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_IAM.8.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnusedIAMUserCredentialsDocument } from '../../SC/ssmdocs/SC_IAM.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnusedIAMUserCredentialsDocument(stage, id, { ...props, controlId: 'IAM.8' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.11.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableBucketEventNotificationsDocument } from '../../SC/ssmdocs/SC_S3.11';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableBucketEventNotificationsDocument(stage, id, { ...props, controlId: 'S3.11' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.4
2 |
3 | ## What does this document do?
4 | This document terminates an EC2 instance if it has been stopped for longer than the allowed number of days defined by the AllowedDays parameter.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 EC2.4](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-4)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/IAM.7.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_IAM.7
2 |
3 | ## What does this document do?
4 | This document establishes a default password policy.
5 |
6 | ## Security Standards and Controls
7 | * AWS FSBP IAM.7
8 |
9 | ## Input Parameters
10 | * Finding: (Required) Security Hub finding details JSON
11 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
12 | ## Output Parameters
13 | * Remediation.Output
14 |
15 | ## Documentation Links
16 | * [AWS FSBP IAM.7](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-7)
17 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailLogFileValidationDocument } from '../../SC/ssmdocs/SC_CloudTrail.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailLogFileValidationDocument(stage, id, { ...props, controlId: '3.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3BucketPublicAccessBlockDocument } from '../../SC/ssmdocs/SC_CloudTrail.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3BucketPublicAccessBlockDocument(stage, id, { ...props, controlId: '3.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_3.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailToCloudWatchLoggingDocument } from '../../SC/ssmdocs/SC_CloudTrail.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailToCloudWatchLoggingDocument(stage, id, { ...props, controlId: '3.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailLogFileValidationDocument } from '../../SC/ssmdocs/SC_CloudTrail.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailLogFileValidationDocument(stage, id, { ...props, controlId: '3.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_DynamoDB.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableDynamoDBDeletionProtection } from '../../SC/ssmdocs/SC_DynamoDB.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableDynamoDBDeletionProtection(stage, id, { ...props, controlId: 'DynamoDB.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.18.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnauthorizedInboundRulesDocument } from '../../SC/ssmdocs/SC_EC2.18';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnauthorizedInboundRulesDocument(stage, id, { ...props, controlId: 'EC2.18' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisablePublicAccessToRDSInstanceDocument } from '../../SC/ssmdocs/SC_RDS.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisablePublicAccessToRDSInstanceDocument(stage, id, { ...props, controlId: 'RDS.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SNS.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableDeliveryLoggingForSNSTopicDocument } from '../../SC/ssmdocs/SC_SNS.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableDeliveryLoggingForSNSTopicDocument(stage, id, { ...props, controlId: 'SNS.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/AutoScaling.3.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-NIST_800_53_AutoScaling.3
2 |
3 | ## What does this document do?
4 | This document configures Launch Configurations to require IMDSv2
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [NIST AutoScaling.3](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#autoscaling-3)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudTrail.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CloudTrail.5
2 |
3 | ## What does this document do?
4 | This document configures CloudTrail to log to CloudWatch Logs.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Remediation results
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 CloudTrail.5](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-5)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/DynamoDB.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_DynamoDB.5
2 |
3 | ## What does this document do?
4 | This document tags a DynamoDB table with the tags specified in the Security Hub control parameters for DynamoDB.5.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [DynamoDB.5](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-5)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.23.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.23
2 |
3 | ## What does this document do?
4 | This document turns off AutoAcceptSharedAttachments on a transit gateway to ensure that only authorized VPC attachment requests are accepted.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 EC2.23](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-23)
--------------------------------------------------------------------------------
/test-stack/cdk/bin/app.ts:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env node
2 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 | // SPDX-License-Identifier: Apache-2.0
4 | import * as cdk from "aws-cdk-lib";
5 | import { TestStack } from "../test-stack";
6 |
7 | const app = new cdk.App();
8 |
9 | const testStack = new TestStack(app, "TestStack", {
10 | analyticsReporting: false, // CDK::Metadata breaks StackSets in some regions
11 | synthesizer: new cdk.DefaultStackSynthesizer({
12 | generateBootstrapVersionRule: false,
13 | }),
14 | description: "Stack containing automated test resources for ASR.",
15 | });
16 | testStack.templateOptions.templateFormatVersion = "2010-09-09";
17 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_3.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3BucketLoggingDocument } from '../../SC/ssmdocs/SC_CloudTrail.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3BucketLoggingDocument(stage, id, {
10 | ...props,
11 | controlId: '3.4',
12 | });
13 | }
14 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudWatch.16.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetLogGroupRetentionDaysDocument } from '../../SC/ssmdocs/SC_CloudWatch.16';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetLogGroupRetentionDaysDocument(stage, id, { ...props, controlId: 'CloudWatch.16' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RemoveVPCDefaultSecurityGroupRulesDocument } from '../../SC/ssmdocs/SC_EC2.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RemoveVPCDefaultSecurityGroupRulesDocument(stage, id, { ...props, controlId: 'EC2.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_ElastiCache.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableElastiCacheVersionUpgrades } from '../../SC/ssmdocs/SC_ElastiCache.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableElastiCacheVersionUpgrades(stage, id, { ...props, controlId: 'ElastiCache.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.7.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableRDSClusterDeletionProtectionDocument } from '../../SC/ssmdocs/SC_RDS.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableRDSClusterDeletionProtectionDocument(stage, id, { ...props, controlId: 'RDS.7' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.8.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableRDSInstanceDeletionProtectionDocument } from '../../SC/ssmdocs/SC_RDS.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableRDSInstanceDeletionProtectionDocument(stage, id, { ...props, controlId: 'RDS.8' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SecretsManager.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RemoveUnusedSecretDocument } from '../../SC/ssmdocs/SC_SecretsManager.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RemoveUnusedSecretDocument(stage, id, { ...props, controlId: 'SecretsManager.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/SC_IAM.22.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { ControlRunbookDocument } from './control_runbook';
5 | import { PlaybookProps } from '../lib/control_runbooks-construct';
6 | import { RevokeUnusedIAMUserCredentialsDocument } from './SC_IAM.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnusedIAMUserCredentialsDocument(stage, id, {
10 | ...props,
11 | controlId: 'IAM.22',
12 | parameterToPass: '45',
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudTrail.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CloudTrail.2
2 | ## What does this document do?
3 | This document enables SSE KMS encryption for log files using the ASR remediation KMS CMK
4 | ## Input Parameters
5 | * Finding: (Required) Security Hub finding details JSON
6 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
7 | ## Output Parameters
8 | * Remediation.Output - Output from the remediation
9 |
10 | ## Documentation Links
11 | * [AWS FSBP CloudTrail.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-2)
12 |
--------------------------------------------------------------------------------
/source/webui/index.html:
--------------------------------------------------------------------------------
1 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 | Automated Security Response on AWS
14 |
15 |
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_2.3.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableMinorVersionUpgradeOnRDSDBInstanceDocument } from '../../SC/ssmdocs/SC_RDS.13';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableMinorVersionUpgradeOnRDSDBInstanceDocument(stage, id, { ...props, controlId: '2.3.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudFront.12.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetCloudFrontOriginDomainDocument } from '../../SC/ssmdocs/SC_CloudFront.12';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetCloudFrontOriginDomainDocument(stage, id, { ...props, controlId: 'CloudFront.12' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudTrail.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailEncryptionDocument } from '../../SC/ssmdocs/SC_CloudTrail.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailEncryptionDocument(stage, id, { ...props, controlId: 'CloudTrail.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CodeBuild.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RemoveCodeBuildPrivilegedModeDocument } from '../../SC/ssmdocs/SC_CodeBuild.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RemoveCodeBuildPrivilegedModeDocument(stage, id, { ...props, controlId: 'CodeBuild.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.23.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisableTGWAutoAcceptSharedAttachmentsDocument } from '../../SC/ssmdocs/SC_EC2.23';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisableTGWAutoAcceptSharedAttachmentsDocument(stage, id, { ...props, controlId: 'EC2.23' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.16.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCopyTagsToSnapshotOnRDSClusterDocument } from '../../SC/ssmdocs/SC_RDS.16';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCopyTagsToSnapshotOnRDSClusterDocument(stage, id, { ...props, controlId: 'RDS.16' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableEnhancedMonitoringOnRDSInstanceDocument } from '../../SC/ssmdocs/SC_RDS.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableEnhancedMonitoringOnRDSInstanceDocument(stage, id, { ...props, controlId: 'RDS.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudFront.12.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-NIST_800_53_CloudFront.12
2 | ## What does this document do?
3 | This document enables sets the origin domain to a non-existent value to prevent a potential malicious takeover.
4 | ## Input Parameters
5 | * Finding: (Required) Security Hub finding details JSON
6 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
7 | ## Output Parameters
8 | * Remediation.Output - Output from the remediation
9 |
10 | ## Documentation Links
11 | * [NIST CloudFront.1](https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-12)
12 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Redshift.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableRedshiftClusterAuditLoggingDocument } from '../../SC/ssmdocs/SC_Redshift.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableRedshiftClusterAuditLoggingDocument(stage, id, { ...props, controlId: 'Redshift.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SecretsManager.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAutoSecretRotationDocument } from '../../SC/ssmdocs/SC_SecretsManager.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAutoSecretRotationDocument(stage, id, { ...props, controlId: 'SecretsManager.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/IAM.3.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_IAM.3
2 |
3 | ## What does this document do?
4 | This document disables active keys that have not been rotated for more than 90 days. Note that this remediation is **DISRUPTIVE**.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 IAM.3](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-3)
15 |
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/ssmdocs/scripts/test/test_s3-6_deserialize_api_list.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import deserializeApiList as script
4 |
5 |
6 | def event():
7 | return {
8 | "SerializedList": '{"blacklistedActionPattern":"s3:DeleteBucketPolicy,s3:PutBucketAcl,s3:PutBucketPolicy,s3:PutObjectAcl,s3:PutEncryptionConfiguration"}'
9 | }
10 |
11 |
12 | def expected():
13 | return "s3:DeleteBucketPolicy,s3:PutBucketAcl,s3:PutBucketPolicy,s3:PutObjectAcl,s3:PutEncryptionConfiguration"
14 |
15 |
16 | def test_extract_list():
17 | assert script.runbook_handler(event(), {}) == expected()
18 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Autoscaling.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureLaunchConfigNoPublicIPDocument } from '../../SC/ssmdocs/SC_Autoscaling.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureLaunchConfigNoPublicIPDocument(stage, id, { ...props, controlId: 'Autoscaling.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudFormation.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureSNSTopicForStackDocument } from '../../SC/ssmdocs/SC_CloudFormation.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureSNSTopicForStackDocument(stage, id, { ...props, controlId: 'CloudFormation.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudFront.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudFrontDefaultRootObjectDocument } from '../../SC/ssmdocs/SC_CloudFront.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudFrontDefaultRootObjectDocument(stage, id, { ...props, controlId: 'CloudFront.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudTrail.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailLogFileValidationDocument } from '../../SC/ssmdocs/SC_CloudTrail.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailLogFileValidationDocument(stage, id, { ...props, controlId: 'CloudTrail.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.19.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisableUnrestrictedAccessToHighRiskPortsDocument } from '../../SC/ssmdocs/SC_EC2.19';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisableUnrestrictedAccessToHighRiskPortsDocument(stage, id, { ...props, controlId: 'EC2.19' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_RDS.13.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableMinorVersionUpgradeOnRDSDBInstanceDocument } from '../../SC/ssmdocs/SC_RDS.13';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableMinorVersionUpgradeOnRDSDBInstanceDocument(stage, id, { ...props, controlId: 'RDS.13' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Redshift.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisablePublicAccessToRedshiftClusterDocument } from '../../SC/ssmdocs/SC_Redshift.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisablePublicAccessToRedshiftClusterDocument(stage, id, { ...props, controlId: 'Redshift.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_SecretsManager.4.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { UpdateSecretRotationPeriodDocument } from '../../SC/ssmdocs/SC_SecretsManager.4';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new UpdateSecretRotationPeriodDocument(stage, id, { ...props, controlId: 'SecretsManager.4' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_2.1.5.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3PublicAccessBlockDocument } from '../../SC/ssmdocs/SC_S3.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3PublicAccessBlockDocument(stage, id, { ...props, controlId: '2.1.5.1' }); //NOSONAR This is not an IP Address.
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_1.8.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { SetIAMPasswordPolicyDocument } from '../../SC/ssmdocs/SC_IAM.7';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new SetIAMPasswordPolicyDocument(stage, id, {
10 | ...props,
11 | controlId: '1.8',
12 | otherControlIds: ['1.9'],
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_2.1.4.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3PublicAccessBlockDocument } from '../../SC/ssmdocs/SC_S3.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3PublicAccessBlockDocument(stage, id, { ...props, controlId: '2.1.4.1' }); // NOSONAR This is not an IP Address.
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_APIGateway.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAPIGatewayCacheDataEncryptionDocument } from '../../SC/ssmdocs/SC_APIGateway.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAPIGatewayCacheDataEncryptionDocument(stage, id, { ...props, controlId: 'APIGateway.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudTrail.5.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableCloudTrailToCloudWatchLoggingDocument } from '../../SC/ssmdocs/SC_CloudTrail.5';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableCloudTrailToCloudWatchLoggingDocument(stage, id, { ...props, controlId: 'CloudTrail.5' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CodeBuild.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ReplaceCodeBuildClearTextCredentialsDocument } from '../../SC/ssmdocs/SC_CodeBuild.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ReplaceCodeBuildClearTextCredentialsDocument(stage, id, { ...props, controlId: 'CodeBuild.2' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_ElastiCache.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableElastiCacheReplicationGroupFailover } from '../../SC/ssmdocs/SC_ElastiCache.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableElastiCacheReplicationGroupFailover(stage, id, { ...props, controlId: 'ElastiCache.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/PCI321/README.md:
--------------------------------------------------------------------------------
1 | # Payment Card Industry Data Security Standard v3.2.1 Playbook
2 |
3 | The Payment Card Industry Data Security Standard (PCI-DSS) playbook creates the necessary AWS resources for remediating the controls listed in `PCI321/lib/pci321_remediations.ts`.
4 |
5 | See the [Automated Security Response on AWS Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
6 |
7 | See [PCI DSS controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html) for more information on controls and remediations in [AWS Security Hub](https://aws.amazon.com/security-hub)
8 |
9 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_AutoScaling.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAutoScalingGroupELBHealthCheckDocument } from '../../SC/ssmdocs/SC_AutoScaling.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAutoScalingGroupELBHealthCheckDocument(stage, id, { ...props, controlId: 'AutoScaling.1' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_AutoScaling.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureLaunchConfigToRequireIMDSv2Document } from '../../SC/ssmdocs/SC_AutoScaling.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureLaunchConfigToRequireIMDSv2Document(stage, id, { ...props, controlId: 'AutoScaling.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Redshift.3.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAutomaticSnapshotsOnRedshiftClusterDocument } from '../../SC/ssmdocs/SC_Redshift.3';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAutomaticSnapshotsOnRedshiftClusterDocument(stage, id, { ...props, controlId: 'Redshift.3' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Autoscaling.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-NIST_800_53_Autoscaling.5
2 |
3 | ## What does this document do?
4 | This document configures Launch Configurations to not assign a public IP address
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [NIST AutoScaling.5](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#autoscaling-5)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SecretsManager.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SecretsManager.1
2 |
3 | ## What does this document do?
4 | This document enables automatic rotation on a Secrets Manager secret if a Lambda function is already associated with it.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AFSBP v1.0.0 SecretsManager.1](https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-1)
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_2.1.5.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3BucketPublicAccessBlockDocument } from '../../SC/ssmdocs/SC_S3.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3BucketPublicAccessBlockDocument(stage, id, { ...props, controlId: '2.1.5.2' }); //NOSONAR This is not an IP Address.
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CodeBuild.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CodeBuild.5
2 |
3 | ## What does this document do?
4 | This document removes CodeBuild project privileged mode to remove a build project's Docker container access to all devices.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 CodeBuild.5](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-codebuild-5)
15 |
--------------------------------------------------------------------------------
/source/webui/public/aws-exports.template.json:
--------------------------------------------------------------------------------
1 | {
2 | "API": {
3 | "endpoints": [
4 | {
5 | "name": "",
6 | "endpoint": ""
7 | }
8 | ]
9 | },
10 | "loggingLevel": "INFO",
11 | "Auth": {
12 | "region": "",
13 | "userPoolId": "",
14 | "userPoolWebClientId": "",
15 | "mandatorySignIn": true,
16 | "oauth": {
17 | "domain": "",
18 | "scope": [
19 | ],
20 | "redirectSignIn": "",
21 | "redirectSignOut": "",
22 | "responseType": "",
23 | "clientId": ""
24 | }
25 | },
26 | "ticketingEnabled": "false"
27 | }
28 |
--------------------------------------------------------------------------------
/source/layer/test/test_logger.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | from layer.logger import Logger
4 |
5 |
6 | def test_logger_init_debug():
7 | logger_test = Logger(loglevel="debug")
8 | assert logger_test.log.getEffectiveLevel() == 10
9 |
10 |
11 | def test_logger_init_info():
12 | logger_test = Logger(loglevel="info")
13 | assert logger_test.log.getEffectiveLevel() == 20
14 |
15 |
16 | def test_logger_init_warning():
17 | logger_test = Logger(loglevel="warning")
18 | assert logger_test.log.getEffectiveLevel() == 30
19 |
20 |
21 | # TODO
22 | # 1. Add a test for DateTimeEncoder
23 | # 2. Add a test for _format
24 |
--------------------------------------------------------------------------------
/source/lib/member/cloud-trail-event-processor/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "@amzn/cloud-trail-event-processor",
3 | "version": "3.0.1",
4 | "description": "Filters CloudsTrail events from the member stacks to create the ASR Action Log",
5 | "author": {
6 | "name": "Amazon Web Services",
7 | "url": "https://aws.amazon.com/solutions",
8 | "organization": true
9 | },
10 | "license": "Apache-2.0",
11 | "scripts": {
12 | "test": "jest --coverage"
13 | },
14 | "devDependencies": {
15 | "@aws-sdk/client-cloudwatch-logs": "3.840.0",
16 | "@aws-sdk/client-s3": "3.842.0",
17 | "@aws-sdk/client-sts": "3.840.0",
18 | "aws-sdk-client-mock": "4.1.0",
19 | "jest": "29.7.0"
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_Redshift.6.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { EnableAutomaticVersionUpgradeOnRedshiftClusterDocument } from '../../SC/ssmdocs/SC_Redshift.6';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new EnableAutomaticVersionUpgradeOnRedshiftClusterDocument(stage, id, { ...props, controlId: 'Redshift.6' });
10 | }
11 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CloudFormation.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CloudFormation.1
2 |
3 | ## What does this document do?
4 | This document configures an SNS topic for notifications from a CloudFormation stack by calling another document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 CloudFormation.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudformation-1)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/GuardDuty.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_GuardDuty.2
2 |
3 | ## What does this document do?
4 | This document tags a GuardDuty filter with the required tags specified in Security Hub. If no required tags are specified, the document adds a default tag to remediate the finding.
5 | ## Input Parameters
6 | * Finding: (Required) Security Hub finding details JSON
7 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
8 |
9 | ## Output Parameters
10 | * Remediation.Output
11 |
12 | ## Documentation Links
13 | * [GuardDuty.2 Control](https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-2)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/GuardDuty.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_GuardDuty.4
2 |
3 | ## What does this document do?
4 | This document tags a GuardDuty detector with the required tags specified in Security Hub. If no required tags are specified, the document adds a default tag to remediate the finding.
5 | ## Input Parameters
6 | * Finding: (Required) Security Hub finding details JSON
7 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
8 |
9 | ## Output Parameters
10 | * Remediation.Output
11 |
12 | ## Documentation Links
13 | * [GuardDuty.4 Control](https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-4)
--------------------------------------------------------------------------------
/source/playbooks/CIS120/README.md:
--------------------------------------------------------------------------------
1 | # Center for Internet Security AWS Foundations Benchmark v1.2.0 Playbook
2 |
3 | The Center for Internet Security AWS Foundations Benchmark v1.2.0 (CIS) playbook creates the necessary AWS resources for remediating the controls listed under `CIS120/lib/cis120_remediations.ts`.
4 |
5 | See the [Automated Security Response on AWS Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
6 |
7 | See [CIS v1.2.0 controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html) for more information on controls and remediations in [AWS Security Hub](https://aws.amazon.com/security-hub)
--------------------------------------------------------------------------------
/source/playbooks/CIS140/README.md:
--------------------------------------------------------------------------------
1 | # Center for Internet Security AWS Foundations Benchmark v1.4.0 Playbook
2 |
3 | The Center for Internet Security AWS Foundations Benchmark v1.4.0 (CIS) playbook creates the necessary AWS resources for remediating the controls listed in `CIS140/lib/cis140_remediations.ts`.
4 |
5 | See the [Automated Security Response on AWS Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
6 |
7 | See [CIS v1.4.0 controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html) for more information on controls and remediations in [AWS Security Hub](https://aws.amazon.com/security-hub)
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_1.12.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnusedIAMUserCredentialsDocument } from '../../SC/ssmdocs/SC_IAM.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnusedIAMUserCredentialsDocument(stage, id, {
10 | ...props,
11 | controlId: '1.12',
12 | parameterToPass: '45',
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/ssmdocs/CIS300_1.12.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { RevokeUnusedIAMUserCredentialsDocument } from '../../SC/ssmdocs/SC_IAM.8';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new RevokeUnusedIAMUserCredentialsDocument(stage, id, {
10 | ...props,
11 | controlId: '1.12',
12 | parameterToPass: '45',
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.7.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.7
2 |
3 | ## What does this document do?
4 | This document enables `Deletion Protection` on a given Amazon RDS cluster by calling another SSM document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - The standard HTTP response from the ModifyDBCluster API.
12 |
13 | ## Documentation Links
14 | * [AWS FSBP RDS.7](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-7)
15 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/EnablePrivateRepositoryScanning.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import boto3
4 | from botocore.config import Config
5 |
6 | boto_config = Config(retries={"mode": "standard", "max_attempts": 10})
7 |
8 |
9 | def connect_to_ecr():
10 | return boto3.client("ecr", config=boto_config)
11 |
12 |
13 | def lambda_handler(event, _):
14 | repository_name = event["RepositoryName"]
15 | ecr = connect_to_ecr()
16 |
17 | response = ecr.put_image_scanning_configuration(
18 | repositoryName=repository_name, imageScanningConfiguration={"scanOnPush": True}
19 | )
20 |
21 | return response
22 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/APIGateway.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_APIGateway.1
2 |
3 | ## What does this document do?
4 | This document sets the logging level for the given API Gateway stage to the `loggingLevel` set in the Security Hub control parameters, otherwise "INFO".
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output from the remediation
12 |
13 | ## Documentation Links
14 | * [APIGateway.1](https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.16.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.16
2 |
3 | ## What does this document do?
4 | This document enables `Copy tags to snapshots` on a given Amazon RDS cluster by calling another SSM document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - The standard HTTP response from the ModifyDBCluster API.
12 |
13 | ## Documentation Links
14 | * [AWS FSBP RDS.16](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-16)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.5.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.RDS.5
2 |
3 | ## What does this document do?
4 | This document configures an RDS DB instance for multiple Availability Zones by calling another SSM document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 |
11 | ## Documentation Links
12 | * [AWS FSBP RDS.5](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-5)
13 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.6.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.6
2 |
3 | ## What does this document do?
4 | This document enables `Enhanced Monitoring` on a given Amazon RDS instance by calling another SSM document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * VerifyRemediation.Output - The standard HTTP response from the ModifyDBInstance API.
12 | ## Documentation Links
13 |
14 | * [AWS FSBP RDS.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-6)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.8.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.RDS.8
2 |
3 | ## What does this document do?
4 | This document enables `Deletion Protection` on a given Amazon RDS cluster by calling another SSM document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 |
11 | ## Documentation Links
12 | * [AWS FSBP RDS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-8)
13 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/README.md:
--------------------------------------------------------------------------------
1 | # National Institute of Standards and Technology 800-53 v5.0.0 Playbook
2 |
3 | The National Institute of Standards and Technology (NIST) 800-53 v5.0.0 playbook creates the necessary AWS resources for remediating the controls listed in `NIST80053/lib/nist80053_remediations.ts`.
4 |
5 | See the [Automated Security Response on AWS Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
6 |
7 | See [NIST 800-53 v5.0.0 controls](https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html) for more information on controls and remediations in [AWS Security Hub](https://aws.amazon.com/security-hub)
8 |
9 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.13.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.13
2 |
3 | ## What does this document do?
4 | This document enables `Auto minor version upgrade` on a given Amazon RDS instance by calling another SSM document.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - The standard HTTP response from the ModifyDBInstance API.
12 |
13 | ## Documentation Links
14 | * [AWS FSBP RDS.13](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-13)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Redshift.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_Redshift.1
2 |
3 | ## What does this document do?
4 | This document disables public access to a Redshift cluster by calling another SSM document
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 |
11 | ## Documentation Links
12 | * [AWS FSBP Redshift.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-redshift-1)
13 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Redshift.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_Redshift.4
2 |
3 | ## What does this document do?
4 | This document disables public access to a Redshift cluster by calling another SSM document
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 |
11 | ## Documentation Links
12 | * [AWS FSBP Redshift.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-redshift-1)
13 |
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/README.md:
--------------------------------------------------------------------------------
1 | # AWS Foundational Security Best Practices v1.0.0 Playbook
2 |
3 | The AWS Foundational Security Best Practices (AFSBP) playbook creates the necessary AWS resources for remediating the all controls listed under AFSBP/lib/afsbp_remediations.ts.
4 |
5 | See the [Automated Security Response on AWS Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
6 |
7 | See [AWS Foundational Security Best Practices controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) for more information on controls and remediations in [AWS Security Hub](https://aws.amazon.com/security-hub)
8 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.18.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.18
2 |
3 | ## What does this document do?
4 | This document revokes inbound security group rules that allow unrestricted access to ports that are not authorized.
5 | Authorized ports are listed in authorizedTcpPorts and authorizedUdpPorts parameters.
6 |
7 | ## Input Parameters
8 | * Finding: (Required) Security Hub finding details JSON
9 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
10 |
11 | ## Output Parameters
12 | * Remediation.Output
13 |
14 | ## Documentation Links
15 | * [AFSBP v1.0.0 EC2.18](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-18)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/IAM.8.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_IAM.8
2 |
3 | ## What does this document do?
4 | This document ensures that credentials unused for 90 days or greater are disabled.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Output of remediation runbook
12 |
13 | SEE AWSConfigRemediation-RevokeUnusedIAMUserCredentials
14 |
15 | ## Documentation Links
16 | * [AWS FSBP IAM.8](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-8)
17 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Lambda.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_Lambda.1
2 |
3 | ## What does this document do?
4 | This document removes the public resource policy. A public resource policy
5 | contains a principal "*" or AWS: "*", which allows public access to the
6 | function. The remediation is to remove the SID of the public policy.
7 |
8 | ## Input Parameters
9 | * Finding: (Required) Security Hub finding details JSON
10 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
11 |
12 | ## Documentation Links
13 | * [AWS FSBP Lambda.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-lambda-1)
14 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Redshift.3.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_Redshift.3
2 |
3 | ## What does this document do?
4 | This document enables automatic snapshots on a Redshift cluster by calling another SSM document
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 |
11 | ## Documentation Links
12 | * [AWS FSBP Redshift.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-redshift-3)
13 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/CodeBuild.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_CodeBuild.2
2 |
3 | ## What does this document do?
4 | This document removes CodeBuild project environment variables containing clear text credentials and replaces them with Amazon EC2 Systems Manager Parameters.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output
12 |
13 | ## Documentation Links
14 | * [AWS FSBP v1.0.0 CodeBuild.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-codebuild-2)
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Redshift.6.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_Redshift.6
2 |
3 | ## What does this document do?
4 | This document enables automatic version upgrade on a Redshift cluster by calling another SSM document
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 |
11 | ## Documentation Links
12 | * [AWS FSBP Redshift.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-redshift-6)
13 |
--------------------------------------------------------------------------------
/source/test/snapshot-serializer.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | /**
5 | * Jest snapshot serializer to normalize Lambda S3 keys
6 | * Removes content hashes from Lambda zip filenames to prevent snapshot changes
7 | * when Lambda code changes but infrastructure doesn't
8 | */
9 | // Use CommonJS module syntax for compatibility with Jest
10 | module.exports = {
11 | test(val: unknown): boolean {
12 | return typeof val === 'string' && /\/lambda\/.*\.zip$/.test(val);
13 | },
14 | serialize(val: string): string {
15 | // Replace 8-character hash with original filename
16 | return val.replace(/-[a-f0-9]{8}\.zip$/, '.zip');
17 | },
18 | };
19 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_EC2.13.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { DisablePublicAccessForSecurityGroupDocument } from '../../SC/ssmdocs/SC_EC2.13';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new DisablePublicAccessForSecurityGroupDocument(stage, id, {
10 | ...props,
11 | controlId: 'EC2.13',
12 | otherControlIds: ['EC2.14'],
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_S3.2.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { ConfigureS3BucketPublicAccessBlockDocument } from '../../SC/ssmdocs/SC_S3.2';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new ConfigureS3BucketPublicAccessBlockDocument(stage, id, {
10 | ...props,
11 | controlId: 'S3.2',
12 | otherControlIds: ['S3.3', 'S3.8'],
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/KMS.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-CIS_1.2.0_2.8
2 |
3 | ## What does this document do?
4 | Enables rotation for customer-managed KMS keys.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 |
10 | ## Output Parameters
11 | * Remediation.Output - Remediation results
12 |
13 | ## Documentation Links
14 | * [CIS v1.2.0 2.8](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.8)
15 | * [PCI v3.2.1 PCI.KMS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-kms-1)
16 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/ConfigureAutoScalingLaunchConfigurationToDisablePublicIP.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | from typing import Dict, TypedDict
4 |
5 |
6 | class Event(TypedDict):
7 | LaunchConfiguration: Dict
8 | LaunchConfigurationName: str
9 |
10 |
11 | def event_handler(event: Event, _):
12 | launch_configuration = event["LaunchConfiguration"]
13 | launch_configuration["LaunchConfigurationName"] = event["LaunchConfigurationName"]
14 | launch_configuration["AssociatePublicIpAddress"] = False
15 | del launch_configuration["LaunchConfigurationARN"]
16 | del launch_configuration["CreatedTime"]
17 | return launch_configuration
18 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/S3.13.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_S3.13
2 |
3 | ## What does this document do?
4 | This document sets an example lifecycle policy that transfers objects greater than 10 GB to S3 Intelligent Tiering after 90 days.
5 | It is recommended to set lifecycle policies appropriate for the objects stored in your S3 bucket.
6 |
7 | ## Input Parameters
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * BucketName: (Required) Name of the S3 bucket.
10 |
11 | ## Output Parameters
12 | * Remediation.Output
13 |
14 | ## Documentation Links
15 | * [AWS FSBP v1.0.0 S3.11](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-13)
16 |
--------------------------------------------------------------------------------
/source/lambdas/api/README.md:
--------------------------------------------------------------------------------
1 | # API Lambda Functions
2 |
3 | Each Lambda function backing ASR's API is using this code bundle. Each individual lambda function has a separate entry
4 | point in the /handlers directory.
5 |
6 | ## Structure
7 |
8 | ```
9 | ├── clients/ # Client classes to communicate with external systems, e.g. S3
10 | │ └── s3.ts
11 | ├── handlers/ # Entry points for the different Lambda functiuns that use this code bundle
12 | │ ├── findings.ts # handler for all /findings API endpoints
13 | │ └── deployWebui.ts # CustomResource to deploy the WebUI
14 | ├── models/ # Data models. Need to be in sync with the corresponding models in the webio.
15 | │ └── finding.ts
16 | ```
17 |
--------------------------------------------------------------------------------
/source/playbooks/CIS300/README.md:
--------------------------------------------------------------------------------
1 | # Center for Internet Security AWS Foundations Benchmark v3.0.0 Playbook
2 |
3 | The Center for Internet Security AWS Foundations Benchmark v3.0.0 (CIS) playbook creates the necessary AWS resources for remediating the controls listed in `CIS300/lib/cis300_remediations.ts`.
4 |
5 | See the [AWS Security Hub Automated Response and Remediation Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
6 |
7 | See [CIS v3.0.0 controls](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis3v0-standard) for more information on controls and remediations in [AWS Security Hub](https://aws.amazon.com/security-hub)
8 |
9 |
--------------------------------------------------------------------------------
/source/playbooks/NIST80053/ssmdocs/NIST80053_CloudTrail.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { CreateCloudTrailMultiRegionTrailDocument } from '../../SC/ssmdocs/SC_CloudTrail.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new CreateCloudTrailMultiRegionTrailDocument(stage, id, {
10 | ...props,
11 | controlId: 'CloudTrail.1',
12 | otherControlIds: ['CloudTrail.3'],
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/DynamoDB.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_2_0_0_DynamoDB.1
2 |
3 | ## What does this document do?
4 | This document registers a DynamoDB table in provisioned mode with Application Auto Scaling and creates a new scaling policy based on the
5 | parameters provided by the DynamoDB.1 control in Security Hub.
6 |
7 | ## Input Parameters
8 | * Finding: (Required) Security Hub finding details JSON
9 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
10 |
11 | ## Output Parameters
12 | * Remediation.Output - Output from the remediation
13 |
14 | ## Documentation Links
15 | * [DynamoDB.1](https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-1)
--------------------------------------------------------------------------------
/source/webui/src/components/EmptyTableState.tsx:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | import { ReactNode } from 'react';
5 | import Box from '@cloudscape-design/components/box';
6 |
7 | export const EmptyTableState = ({
8 | title,
9 | subtitle,
10 | action,
11 | }: {
12 | title: string;
13 | subtitle: string;
14 | action?: ReactNode;
15 | }) => {
16 | return (
17 |
18 |
19 | {title}
20 |
21 |
22 | {subtitle}
23 |
24 | {action}
25 |
26 | );
27 | };
28 |
--------------------------------------------------------------------------------
/source/playbooks/AFSBP/ssmdocs/scripts/deserializeApiList.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import json
4 |
5 |
6 | def runbook_handler(event, _):
7 | try:
8 | deserialized = json.loads(event["SerializedList"])
9 | if "blacklistedActionPattern" in deserialized:
10 | return deserialized[
11 | "blacklistedActionPattern"
12 | ] # Returns comma-delimited list in a string
13 | else:
14 | exit("Missing blacklistedActionPattern in AWS Config data")
15 | except Exception as e:
16 | print(e)
17 | exit(
18 | "Failed getting comma-delimited string list of sensitive API calls input data"
19 | )
20 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/Config.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_Config.1
2 | ## What does this document do?
3 | Enables AWS Config:
4 | * Turns on recording for all resources.
5 | * Creates an encrypted bucket for Config logging.
6 | * Creates a logging bucket for access logs for the config bucket
7 | * Creates an SNS topic for Config notifications
8 | * Creates a service-linked role
9 |
10 | ## Input Parameters
11 | * Finding: (Required) Security Hub finding details JSON
12 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
13 |
14 | ## Documentation Links
15 | * [AWS FSBP Config.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-config-1)
16 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SSM.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-SC_SSM.1
2 |
3 | ## What does this document do?
4 | This document adds the necessary permissions for SSM to begin managing the EC2 Instance.
5 |
6 | ## Input Parameters
7 | * InstanceArn: (Required) EC2 Instance ARN
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRole: (Required) The ARN of the role that with SSM managed permissions for EC2.
10 | * InstanceProfile: (Required) The name of the Instance profile with SSM managed permissions for EC2.
11 |
12 | ## Output Parameters
13 | * Remediation.Output
14 |
15 | ## Documentation Links
16 | * [SSM.1](https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-1)
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/SecretsManager.3.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_SecretsManager.3
2 |
3 | ## What does this document do?
4 | This document deletes a secret that has been unused for the number of days specified in the unusedForDays parameter (Default: 90 days).
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * SecretARN: (Required) The ARN of the Secrets Manager secret.
10 |
11 | ## Output Parameters
12 | * Remediation.Output
13 |
14 | ## Documentation Links
15 | * [AFSBP v1.0.0 SecretsManager.3](https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-3)
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/test/test_AppendSuffix.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | from AppendSuffix import append_suffix
4 |
5 |
6 | def test_append_suffix():
7 | event = {
8 | "OriginalString": "original_string",
9 | "MaxLen": 255,
10 | "Suffix": "suffix",
11 | }
12 |
13 | new_string = append_suffix(event, None)
14 |
15 | assert new_string == "original_stringsuffix"
16 |
17 |
18 | def test_append_string_longer_than_max():
19 | event = {
20 | "OriginalString": "1234567890",
21 | "MaxLen": 10,
22 | "Suffix": "suffix",
23 | }
24 |
25 | new_string = append_suffix(event, None)
26 |
27 | assert new_string == "1234suffix"
28 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/EC2.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_EC2.2
2 |
3 | ## What does this document do?
4 | This document deletes ingress and egress rules from default security
5 | group using the AWS SSM Runbook AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules
6 |
7 | ## Input Parameters
8 | * Finding: (Required) Security Hub finding details JSON
9 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
10 |
11 | ## Output Parameters
12 | * Remediation.Output - Output from AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules SSM doc
13 |
14 | ## Documentation Links
15 | * [AWS FSBP EC2.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-2)
16 |
--------------------------------------------------------------------------------
/source/data-models/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "@asr/data-models",
3 | "version": "3.0.1",
4 | "private": true,
5 | "description": "Shared data models and schemas for Automated Security Response on AWS solution",
6 | "main": "cjs/index.js",
7 | "exports": {
8 | ".": {
9 | "import": "./esm/index.js",
10 | "require": "./cjs/index.js",
11 | "types": "./esm/index.d.ts"
12 | }
13 | },
14 | "scripts": {
15 | "build": "npm run clean && npm run build:cjs && npm run build:esm",
16 | "build:cjs": "tsc -p tsconfig.cjs.json",
17 | "build:esm": "tsc -p tsconfig.esm.json",
18 | "clean": "rm -rf cjs esm *.js *.d.ts *.js.map"
19 | },
20 | "dependencies": {
21 | "zod": "3.25.76"
22 | },
23 | "devDependencies": {
24 | "typescript": "^5.0.0"
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/source/playbooks/NEWPLAYBOOK/README.md:
--------------------------------------------------------------------------------
1 | # NEWPLAYBOOK v1.0.0 Playbook
2 |
3 | The NEWPLAYBOOK (NEWPB) playbook is part of the AWS Security Hub Automated Response and Remediation solution. It is an example and starting point for creating a custom automated remdiation playbook.
4 |
5 | * Example.1
6 | * Example.2
7 |
8 | Note that in the example remediation, ssmdocs/AFSBP_RDS.6.yaml, the line:
9 | ```
10 | %%SCRIPT=common/parse_input.py%%
11 | ```
12 | ...loads parse_input.py from playbooks/common. This same parse code is used in all the the current playbooks.
13 |
14 | See the README.md in the root of this archive and the [AWS Security Hub Automated Response and Remediation Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information.
15 |
--------------------------------------------------------------------------------
/source/playbooks/CIS140/ssmdocs/CIS140_4.1.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import { Construct } from 'constructs';
4 | import { PlaybookProps } from '../../SC/lib/control_runbooks-construct';
5 | import { ControlRunbookDocument } from '../../SC/ssmdocs/control_runbook';
6 | import { CreateLogMetricFilterAndAlarmDocument } from '../../SC/ssmdocs/SC_CloudWatch.1';
7 |
8 | export function createControlRunbook(stage: Construct, id: string, props: PlaybookProps): ControlRunbookDocument {
9 | return new CreateLogMetricFilterAndAlarmDocument(stage, id, {
10 | ...props,
11 | controlId: '4.1',
12 | otherControlIds: ['4.2', '4.3', '4.4', '4.5', '4.6', '4.7', '4.8', '4.9', '4.10', '4.11', '4.12', '4.13', '4.14'],
13 | });
14 | }
15 |
--------------------------------------------------------------------------------
/source/webui/src/components/ProtectedRoute.tsx:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | import React, { useContext } from 'react';
5 | import { Navigate } from 'react-router-dom';
6 | import { UserContext } from '../contexts/UserContext.tsx';
7 | import { canAccessUsers } from '../utils/userPermissions.ts';
8 |
9 | interface ProtectedRouteProps {
10 | children: React.ReactNode;
11 | requireUsersAccess?: boolean;
12 | }
13 |
14 | export const ProtectedRoute = ({ children, requireUsersAccess = false }: ProtectedRouteProps) => {
15 | const { groups } = useContext(UserContext);
16 |
17 | if (requireUsersAccess && !canAccessUsers(groups)) {
18 | return ;
19 | }
20 |
21 | return <>{children};
22 | };
23 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/AutoScaling.1.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_AutoScaling.1
2 |
3 | ## What does this document do?
4 | This document enables ELB healthcheck on a given AutoScaling Group using the [UpdateAutoScalingGroup] API.
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * HealthCheckGracePeriod: (Optional) Health check grace period when ELB health check is Enabled
9 | Default: 30 seconds
10 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
11 |
12 | ## Output Parameters
13 | * Remediation.Output
14 |
15 | ## Documentation Links
16 | * [AWS FSBP AutoScaling.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-autoscaling-1)
17 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.4.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.4
2 |
3 | ## What does this document do?
4 | This document encrypts an unencrypted RDS snapshot by calling another SSM document
5 |
6 | ## Input Parameters
7 | * Finding: (Required) Security Hub finding details JSON
8 | * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf.
10 | * KMSKeyId: (Optional) ID, ARN or Alias for the AWS KMS Customer-Managed Key (CMK) to use to encrypt the snapshot.
11 |
12 | ## Documentation Links
13 | * [AWS FSBP RDS.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-4)
14 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/S3.11.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_S3.11
2 |
3 | ## What does this document do?
4 | This document configures event notification to a S3 bucket.
5 |
6 | ## Input Parameters
7 | * AccountId: (Required) Account ID of the account for the finding
8 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
9 | * BucketName: (Required) Name of bucket that event notifications will be triggered on.
10 | * TopicName: (Required) The name of the SNS topic to create and configure for notifications.
11 |
12 | ## Output Parameters
13 | * Remediation.Output
14 |
15 | ## Documentation Links
16 | * [AWS FSBP v1.0.0 S3.11](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-11)
17 |
--------------------------------------------------------------------------------
/source/playbooks/PCI321/ssmdocs/scripts/pci_get_input_values.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | PCI_mappings = {
5 | "PCI.CW.1": {
6 | "filter_name": "ASR_Filter_PCI_321_Finding_CW1_RootAccountUsage",
7 | "filter_pattern": '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}',
8 | "metric_name": "ASR_PCI_321_Finding_CW1_RootAccountUsage",
9 | "metric_value": 1,
10 | "alarm_name": "ASR_Alarm_PCI_321_Finding_CW1_RootAccountUsage",
11 | "alarm_desc": "Alarm for PCI finding CW.1 RootAccountUsage",
12 | "alarm_threshold": 1,
13 | }
14 | }
15 |
16 |
17 | def verify(event, _):
18 | return PCI_mappings.get(event["ControlId"], None)
19 |
--------------------------------------------------------------------------------
/source/playbooks/SC/ssmdocs/descriptions/RDS.2.md:
--------------------------------------------------------------------------------
1 | ### Document Name - ASR-AFSBP_1.0.0_RDS.2
2 | ## What does this document do?
3 | This document disables public access to RDS instances by calling another SSM document
4 |
5 | ## Input Parameters
6 | * Finding: (Required) Security Hub finding details JSON
7 | * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
8 |
9 | ## Documentation Links
10 | * [AWS FSBP RDS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-2)
11 |
12 | ## Troubleshooting
13 | * ModifyDBInstance isn't supported for a DB instance in a Multi-AZ DB Cluster.
14 | - This remediation will not work on an instance within a MySQL or PostgreSQL Multi-AZ Cluster due to limitations with the RDS API.
15 |
--------------------------------------------------------------------------------
/source/test/orchestrator_logs.test.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 | import * as cdk from 'aws-cdk-lib';
4 | import { OrchLogStack } from '../lib/orchestrator-log-stack';
5 | import { DefaultStackSynthesizer } from 'aws-cdk-lib';
6 | import { Template } from 'aws-cdk-lib/assertions';
7 |
8 | function getTestStack(): cdk.Stack {
9 | const app = new cdk.App();
10 | const stack = new OrchLogStack(app, 'roles', {
11 | synthesizer: new DefaultStackSynthesizer({ generateBootstrapVersionRule: false }),
12 | description: 'test;',
13 | solutionId: 'SO0111',
14 | logGroupName: 'TestLogGroup',
15 | });
16 | return stack;
17 | }
18 | test('Global Roles Stack', () => {
19 | expect(Template.fromStack(getTestStack())).toMatchSnapshot();
20 | });
21 |
--------------------------------------------------------------------------------
/source/data-models/searchCriteria.ts:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | import { ComparisonOperator } from './finding';
5 |
6 | export type PaginationAttributeValue = string | number | boolean | null | Uint8Array;
7 |
8 | export interface SearchFilter {
9 | fieldName: string;
10 | value: string;
11 | comparison: ComparisonOperator;
12 | }
13 |
14 | export interface SearchCriteria {
15 | filters: SearchFilter[];
16 | sortField?: string;
17 | sortOrder?: 'asc' | 'desc';
18 | pageSize: number;
19 | nextToken?: string;
20 | }
21 |
22 | export interface SearchResult {
23 | items: T[];
24 | nextToken?: string;
25 | totalCount?: number;
26 | }
27 |
28 | export interface PaginationToken {
29 | [key: string]: PaginationAttributeValue;
30 | }
31 |
--------------------------------------------------------------------------------
/source/webui/src/components/navigation/Breadcrumbs.tsx:
--------------------------------------------------------------------------------
1 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | import { BreadcrumbGroup, BreadcrumbGroupProps } from '@cloudscape-design/components';
5 | import { useLocation, useNavigate } from 'react-router-dom';
6 | import { createBreadcrumbs } from './create-breadcrumbs.ts';
7 |
8 | export const Breadcrumbs = () => {
9 | const location = useLocation();
10 | const navigate = useNavigate();
11 | const path = location.pathname;
12 |
13 | const breadCrumbItems = createBreadcrumbs(path);
14 |
15 | return (
16 |
23 | );
24 | };
25 |
--------------------------------------------------------------------------------
/source/remediation_runbooks/scripts/test/test_CastToString.py:
--------------------------------------------------------------------------------
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: Apache-2.0
3 | import pytest
4 | from CastToString import cast_to_string
5 |
6 |
7 | def test_cast_to_string():
8 | event = {"DesiredParameter": "StringValue", "StringValue": "hello"}
9 | response = cast_to_string(event, None)
10 | assert response == "hello"
11 |
12 | event = {"DesiredParameter": "IntValue", "IntValue": 42}
13 | response = cast_to_string(event, None)
14 | assert response == "42"
15 |
16 | event = {"DesiredParameter": "FloatValue", "FloatValue": 3.14}
17 | response = cast_to_string(event, None)
18 | assert response == "3.14"
19 |
20 | with pytest.raises(KeyError):
21 | cast_to_string({"DesiredParameter": "MissingValue"}, None)
22 |
--------------------------------------------------------------------------------
/source/playbooks/SC/README.md:
--------------------------------------------------------------------------------
1 | # Security Controls Playbook
2 |
3 | The Security Controls (SC) playbook creates the necessary AWS resources for remediating the controls listed in `SC/lib/sc_remediations.ts`.
4 |
5 | This playbook consolidates all remediations from all playbooks in ASR, and supports the use of "Consolidated Control Findings" in Security Hub.
6 | See the [Automated Security Response on AWS Implementation Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/welcome.html) for more information on this Playbook.
7 |
8 | See [How consolidation impacts control IDs and titles](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-changes-consolidation.html#securityhub-findings-format-changes-ids-titles) for more information on consolidated control findings in [AWS Security Hub](https://aws.amazon.com/security-hub)
9 |
10 |
--------------------------------------------------------------------------------