
aws-solutions / automated-security-response-on-aws


Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.

Home Page: https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/

License: Apache License 2.0


automated-security-response-on-aws's Introduction

Automated Security Response on AWS

Solution Landing Page | Feature request | Bug Report

Automated Security Response (ASR) on AWS is a solution that enables AWS Security Hub customers to remediate findings with a single click using sets of predefined response and remediation actions called Playbooks. The remediations are implemented as AWS Systems Manager automation documents. The solution includes remediations for issues such as unused access keys, open security groups, weak account password policies, VPC flow logging configurations, and public S3 buckets. Remediations can also be configured to trigger automatically when findings appear in AWS Security Hub.

The solution includes the playbook remediations for some of the security controls defined as part of the following standards:

  • AWS Foundational Security Best Practices (FSBP) v1.0.0
  • Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0
  • Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0
  • Payment Card Industry (PCI) Data Security Standard (DSS) v3.2.1
  • National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5

A Playbook called Security Control is included that allows operation with AWS Security Hub's Consolidated Control Findings feature.

Note: To deploy the solution without building from the source code, use the CloudFormation templates linked from the Solution Landing Page.

Architecture Diagram

Customizing the Solution

Detailed instructions for creating a new automated remediation in an existing Playbook can be found in the Implementation Guide. Instructions for creating an entirely new Playbook are below.

Note: If you choose to continue, please be aware that reading and adjusting the source code will be necessary.

Prerequisites for Customization

  • a Linux client with the following software
    • AWS CLI v2
    • Python 3.7+ with pip
    • AWS CDK 1.155.0+
    • Node.js with npm
  • source code downloaded from GitHub
  • two S3 buckets (minimum): 1 global and 1 for each region where you will deploy
    • An Amazon S3 bucket for solution templates, accessed globally via HTTPS.
    • An Amazon S3 bucket for source code, one per region.

Obtaining Source Code

Building from GitHub source will allow you to modify the solution to suit your specific needs. The process consists of downloading the source from GitHub, creating buckets to be used for deployment, building the solution, and uploading the artifacts needed for deployment.

Clone or download the repository to a local directory on your Linux client. Note: if you intend to modify the solution, you may wish to create your own fork of the GitHub repo and work from that. This allows you to check in any changes you make to your private copy of the solution.

Git Clone example:

git clone https://github.com/aws-solutions/automated-security-response-on-aws.git

Download Zip example:

wget https://github.com/aws-solutions/automated-security-response-on-aws/archive/main.zip

Custom Playbooks

Go to source/playbooks in the solution source downloaded above. In this folder is a Playbook skeleton, NEWPLAYBOOK. Copy this entire folder and its contents as a new folder under source/playbooks. The naming convention is the security standard abbreviation followed by the version number, as they appear in the StandardsControlArn in the AWS Standard Finding Format for the security control.

Example

For PCI-DSS, we used "PCI" for the standard abbreviation. The version is 321: PCI321

"StandardsControlArn": "arn:aws:securityhub:us-east-1:111111111111:control/pci-dss/v/3.2.1/PCI.IAM.7"

For CIS AWS Foundations Benchmark, we use "CIS". The version is 120: CIS120

"StandardsControlArn": "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/2.4"

Unless noted, all of the following changes are within the folder you just created for your new playbook.

  1. Rename the typescript file in bin to match the (lower case) name of your new playbook. Ex. pci321.ts
  2. Update cdk.json with the new file name
  3. Rename the test typescript in the test subfolder similarly. Ex. pci321_stack.test.ts
  4. Update the description.txt, README.md, and support.txt, following the example within.
  5. Rename ssmdocs/scripts/newplaybook_parse_input.py as desired. This script parses the finding data. You will likely not need to modify it, as it's fairly robust. See other Playbooks for examples of its use.

Configure the Playbook

Edit bin/<standard>.ts. The following three lines are critical to the definition of the Playbook. These values enable ASR to map from the StandardsControlArn in a finding to your remediations.

const standardShortName = "NPB";
const standardLongName = "New Playbook";
const standardVersion = "1.1.1"; // DO NOT INCLUDE 'V'

standardShortName can be whatever you wish; the general recommendation is to keep it short and meaningful, e.g. PCI, CIS, FSBP. This is the name used in many labels throughout the solution. standardLongName must match the standard segment of the StandardsControlArn, pci-dss in the example above. standardVersion must match the version segment of the StandardsControlArn, .../v/3.2.1/... in the example above.

Having established these values, your runbooks in /ssmdocs will be named: -.yaml

As you write your SSM runbooks, you will add them to the stack in the following code, where control must match the field from the StandardsControlArn:

const remediations: IControl[] = [{ control: "RDS.6" }];
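The mapping that the Custom Playbooks and Configure the Playbook sections describe, from a finding's StandardsControlArn to the three constants in bin/<standard>.ts and then to an entry of the remediations array, as an added TypeScript example. This is not code from the solution: IControl is reduced here to the `control` field shown above, the ARN layout is inferred from the two example ARNs on this page, and the sample playbook and finding ARNs are constructed for the example.

```typescript
// Added example, not code from the solution: how the three constants in
// bin/<standard>.ts decide whether a Security Hub finding belongs to a
// playbook, and which entry of the remediations array handles it.

// Reduced to the single field the page shows for IControl.
interface IControl {
  control: string;
}

// The values a playbook's bin/<standard>.ts defines.
interface PlaybookDefinition {
  standardShortName: string; // e.g. "PCI"; used in labels only
  standardLongName: string;  // must match the ARN segment, e.g. "pci-dss"
  standardVersion: string;   // must match the ARN version, e.g. "3.2.1" (no 'V')
  remediations: IControl[];
}

interface ParsedControlArn {
  region: string;
  account: string;
  standardLongName: string;
  standardVersion: string;
  control: string;
}

// Layout taken from the page's two StandardsControlArn examples (assumption:
// the same layout holds for every standard):
// arn:aws:securityhub:<region>:<account>:control/<standard>/v/<version>/<control>
const CONTROL_ARN = /^arn:aws:securityhub:([a-z0-9-]+):(\d{12}):control\/([^/]+)\/v\/([^/]+)\/([^/]+)$/;

function parseStandardsControlArn(arn: string): ParsedControlArn {
  const m = CONTROL_ARN.exec(arn);
  if (m === null) {
    throw new Error(`not a StandardsControlArn: ${arn}`);
  }
  return { region: m[1], account: m[2], standardLongName: m[3], standardVersion: m[4], control: m[5] };
}

// Folder naming convention from the page: short name plus the version digits
// with the dots removed ("PCI" + "3.2.1" -> "PCI321", "CIS" + "1.2.0" -> "CIS120").
function playbookFolderName(def: Pick<PlaybookDefinition, "standardShortName" | "standardVersion">): string {
  return def.standardShortName + def.standardVersion.replace(/\./g, "");
}

// Returns the IControl entry for a finding, or undefined when the finding is
// for another standard, another version of the same standard, or a control
// this playbook has no runbook for. The version is compared exactly, so a
// CIS 1.4.0 finding is never routed to the CIS 1.2.0 playbook.
function findRemediation(def: PlaybookDefinition, arn: string): IControl | undefined {
  const parsed = parseStandardsControlArn(arn);
  if (parsed.standardLongName !== def.standardLongName || parsed.standardVersion !== def.standardVersion) {
    return undefined;
  }
  for (const r of def.remediations) {
    if (r.control === parsed.control) {
      return r;
    }
  }
  return undefined;
}

// Constructed sample playbook, modelled on the PCI example from the page.
const pci321: PlaybookDefinition = {
  standardShortName: "PCI",
  standardLongName: "pci-dss",
  standardVersion: "3.2.1", // DO NOT INCLUDE 'V'
  remediations: [{ control: "PCI.IAM.7" }],
};

// Finding ARNs copied from the page's examples.
const pciFinding = "arn:aws:securityhub:us-east-1:111111111111:control/pci-dss/v/3.2.1/PCI.IAM.7";
const cisFinding = "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/2.4";

console.log(playbookFolderName(pci321));                   // PCI321
console.log(findRemediation(pci321, pciFinding)?.control); // PCI.IAM.7
console.log(findRemediation(pci321, cisFinding));          // undefined
```

The exact comparison on both standardLongName and standardVersion is the point: a typo in either constant, or a leading "v" in standardVersion, silently turns every finding for that standard into an unmatched one rather than a failed remediation.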

Add your playbook as a new nested stack in the solution template

Edit playbooks/playbook-index.ts to include the new playbook.

Add the new playbook to the end of the standardPlaybookProps array.

Important: Do not change the order of the items in this array. Doing so will change the App Registry logical IDs for the nested stacks, which will cause an error when updating the solution.

Interface:

export interface PlaybookProps {
  name: string; // Playbook short name
  useAppRegistry: boolean; // Add this playbook's nested stack to app registry for the solution
  defaultParameterValue?: 'yes' | 'no'; // Default value for enabling this playbook in CloudFormation. Will default to 'no' if not provided.
  description?: string; // Description for the CloudFormation parameter. Solution will provide a generated description if left blank.
}

Create the Remediations

Remediations are executed using SSM Automation Runbooks. Each control has a specific runbook. ASR Runbooks must follow the naming convention in the /ssmdocs folder:

-.yaml

Follow examples from other Playbooks. Your ASR runbook must parse the finding data, extract the fields needed for remediation, and execute a remediation runbook, passing the role name.

Remediation runbooks are defined in /source/remediation_runbooks and in /source/solution_deploy/remediation_runbooks-stack.ts. The remediation examples provided with the solution are fairly robust and self-documenting. Each definition creates an IAM role and an SSM runbook that is called by the ASR runbook.

Build and Deploy

AWS Solutions use two buckets: a bucket for global access to templates, which is accessed via HTTPS, and regional buckets for access to assets within the region, such as Lambda code. You will need:

  • One global bucket that is accessed via the HTTPS endpoint. AWS CloudFormation templates are stored here. Its name must end with "-reference". Ex. "mybucket-reference"
  • One regional bucket for each region where you plan to deploy using the name of the global bucket as the root, and suffixed with the region name. Ex. "mybucket-us-east-1"
  • Your buckets should be encrypted and disallow public access

Note: When creating your buckets, ensure they are not publicly accessible. Use random bucket names. Disable public access. Use KMS encryption. And verify bucket ownership before uploading.

Build the solution

First ensure that you've run npm install in the source folder.

Next, from the deployment folder in your cloned repo, run build-s3-dist.sh, passing the root name of your bucket (ex. mybucket) and the version you are building (ex. v1.0.0). We recommend using a semver version based on the version downloaded from GitHub (ex. GitHub: v1.0.0, your build: v1.0.0.mybuild).

chmod +x build-s3-dist.sh
./build-s3-dist.sh -b <bucketname> -v <version>

Run Unit Tests

Some Python unit tests execute AWS API calls. The calls that create, read, or modify resources are stubbed, but some calls to APIs that do not require any permissions execute against the real AWS APIs (e.g. STS GetCallerIdentity). The recommended way to run the unit tests is to configure your credentials for a no-access console role.

cd ./deployment
chmod +x ./run-unit-tests.sh
./run-unit-tests.sh

Confirm that all unit tests pass.

Upload to your buckets

Note: Verify bucket ownership before uploading.

By default, the templates created by build-s3-dist.sh expect the software to be stored in automated-security-response-on-aws/v<version>. If in doubt, view the template.

Use a tool such as the AWS S3 CLI "sync" command to upload your templates to the reference bucket and code to the regional bucket.

Deploy

See the Automated Security Response on AWS Implementation Guide for deployment instructions, using the link to the SolutionDeployStack.template from your bucket, rather than the one for AWS Solutions. Ex. https://mybucket-reference.s3.amazonaws.com/automated-security-response-on-aws/v1.3.0.mybuild/aws-sharr-deploy.template
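The bucket and key layout that the Build and Deploy sections describe, derived from a root bucket name, build version and region list, as an added TypeScript example that is not part of the solution's build or upload scripts. The "-reference" and "-<region>" suffixes, the automated-security-response-on-aws/v<version> prefix and the aws-sharr-deploy.template file name are taken from the text above; the S3 bucket-name and region-name checks are my assumptions, and the local asset directories that build-s3-dist.sh produces are not modelled.

```typescript
// Added example, not part of the solution's build or upload scripts: derive
// the bucket names and S3 key layout that the templates built by
// build-s3-dist.sh expect, and reject inputs that break the naming rules.

interface DeploymentLayout {
  referenceBucket: string;                 // global bucket: "<root>-reference"
  regionalBuckets: Record<string, string>; // "<root>-<region>", one per region
  keyPrefix: string;                       // "automated-security-response-on-aws/v<version>"
  deployTemplateUrl: string;               // HTTPS URL of the deploy template in the reference bucket
}

const SOLUTION_NAME = "automated-security-response-on-aws";
// Template file name as it appears in the page's example URL.
const DEPLOY_TEMPLATE = "aws-sharr-deploy.template";

// Assumption: sanity check for S3 bucket names (3-63 chars; lowercase letters,
// digits, dots and hyphens; must start and end with a letter or digit).
const BUCKET_NAME = /^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/;
// Assumption: sanity check for AWS region names such as us-east-1 or ap-northeast-1.
const REGION_NAME = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;

function deploymentLayout(rootBucket: string, version: string, regions: string[]): DeploymentLayout {
  if (/-reference$/.test(rootBucket)) {
    throw new Error("pass the root bucket name (e.g. mybucket); -reference is added here");
  }
  if (regions.length === 0) {
    throw new Error("at least one deployment region is required");
  }
  // Accept "1.3.0.mybuild" or "v1.3.0.mybuild"; the key prefix carries exactly
  // one leading "v" (assumption, matching the page's example URL).
  const bare = version.replace(/^v/, "");
  if (!/^\d+\.\d+\.\d+(\.[A-Za-z0-9]+)?$/.test(bare)) {
    throw new Error(`unexpected version format: ${version}`);
  }

  const referenceBucket = `${rootBucket}-reference`;
  const regionalBuckets: Record<string, string> = {};
  for (const region of regions) {
    if (!REGION_NAME.test(region)) {
      throw new Error(`not an AWS region name: ${region}`);
    }
    regionalBuckets[region] = `${rootBucket}-${region}`;
  }
  const allNames = [referenceBucket].concat(Object.keys(regionalBuckets).map((r) => regionalBuckets[r]));
  for (const name of allNames) {
    if (!BUCKET_NAME.test(name)) {
      throw new Error(`invalid S3 bucket name: ${name}`);
    }
  }

  const keyPrefix = `${SOLUTION_NAME}/v${bare}`;
  return {
    referenceBucket,
    regionalBuckets,
    keyPrefix,
    deployTemplateUrl: `https://${referenceBucket}.s3.amazonaws.com/${keyPrefix}/${DEPLOY_TEMPLATE}`,
  };
}

// Constructed input matching the page's examples.
const layout = deploymentLayout("mybucket", "v1.3.0.mybuild", ["us-east-1", "eu-west-1"]);
console.log(layout.referenceBucket);              // mybucket-reference
console.log(layout.regionalBuckets["us-east-1"]); // mybucket-us-east-1
console.log(layout.deployTemplateUrl);            // https://mybucket-reference.s3.amazonaws.com/automated-security-response-on-aws/v1.3.0.mybuild/aws-sharr-deploy.template
```

Computing the names once and uploading to exactly those buckets and that prefix is what keeps the template's hard-coded asset locations and your uploads in agreement; the rejection of a root that already ends in "-reference" catches the common mistake of passing the global bucket's full name to build-s3-dist.sh.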

Directory structure

|-.github/                [ GitHub pull request template, issue templates, and workflows ]
|-deployment/             [ Scripts used to build, test, and upload templates for the solution ]
|-simtest/                [ Tool and sample data used to simulate findings for testing ]
|-source/                 [ Solution source code and tests ]
  |-layer/                [ Common functions used by the Orchestrator and custom resource providers ]
  |-lib/                  [ Solution CDK ]
    |-appregistry/        [ Resources for integration with Service Catalog AppRegistry ]
    |-cdk-helper/         [ CDK helper functions ]
    |-member/             [ Member stack helper functions ]
    |-tags/               [ Resource tagging helper functions ]
  |-Orchestrator/         [ Orchestrator Step Function Lambda Functions ]
  |-playbooks/            [ Playbooks ]
    |-AFSBP/              [ AWS FSBP v1.0.0 playbook ]
    |-CIS120/             [ CIS v1.2.0 playbook ]
    |-CIS140/             [ CIS v1.4.0 playbook ]
    |-common/             [ Common scripts used by multiple playbooks ]
    |-NEWPLAYBOOK/        [ Example playbook ]
      |-bin/              [ Playbook CDK App ]
      |-ssmdocs/          [ Control runbooks ]
    |-PCI321/             [ PCI-DSS v3.2.1 playbook ]
    |-SC/                 [ Security Control playbook ]
  |-remediation_runbooks/ [ Shared remediation runbooks ]
    |-scripts/            [ Scripts used by remediation runbooks ]
  |-solution_deploy/      [ Solution CDK App and custom resource providers ]
    |-bin/                [ Solution CDK App ]
    |-source/             [ Custom resource providers ]
  |-test/                 [ CDK and SSM document unit tests ]

Collection of operational metrics

This solution collects anonymized operational metrics to help AWS improve the quality of features of the solution. For more information, including how to disable this capability, please see the Implementation Guide.

License

Distributed under the Apache License Version 2.0. For more information, see LICENSE.txt.

automated-security-response-on-aws's People

Contributors

aaronschuetter, aijunpeng, amazon-auto, aws-solutions-github-bot, dscpinheiro, groverlalit, gsingh04, hayesry, hearde, jangidms, maykays, mobri2a, tbelmega, tmekari


automated-security-response-on-aws's Issues

StackSets documentation needs clarification

What were you initially searching for in the docs?

Information on how to deploy the solution using stack sets

Is this related to an existing part of the documentation? Please share a link

https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment-stackset.html

Describe how we could make it clearer

It was unclear which templates to use i.e. the templates are linked on the standard automated deployment page (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment.html) but not on the StackSets page. I was unsure as to whether I should use the standard templates (on the standard templates page), or the templates linked on the CloudFormation templates page (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/templates.html). I think it doesn't matter either way, but having them linked like the standard page would be an improvement (like Step 3 option 2).

It also didn't mention anywhere that the service-managed StackSets would NOT deploy the templates into the 'Organization Management account'. I did eventually find it in the service-managed StackSet documentation (after deploying the solution), but it might be worth clearly calling that out for users who are deciding between self-managed and service-managed options.

If you have a proposed update, please share it here

Make the changes as suggested above

Support specifying a KMS Key to be used when remediating AFSBP EC2.7 (EBS Volume Encryption)

Is your feature request related to a problem? Please describe.

While working with the auto-remediations, I discovered a requirement to be able to specify a KMS key to be used for
performing EBS Volume encryption. There is no parameter or input setting to specify this in the
auto-remediation settings.

Describe the feature you'd like

Please enable a way to specify which KMS key to use for EBS volume encryption when auto-remediation is performed.

Additional context

The specification of the KMS key can, admittedly, get complex when considering multiple-accounts and multiple AWS regions over which the auto-remediation needs to be performed.

Error when triggering CIS 1.4 remediation with '@' character in username

Describe the bug

When CIS 1.4 remediation is triggered on an IAM principal with the '@' character in the username, I get the following error:

Traceback (most recent call last):
File "/tmp/e0034708-8dff-4cd9-841c-d31ea816b4c6-2022-03-29-11-18-35/customer_script.py", line 97, in unrotated_key_handler
user_name = get_user_name(event.get("IAMResourceId"))
File "/tmp/e0034708-8dff-4cd9-841c-d31ea816b4c6-2022-03-29-11-18-35/customer_script.py", line 46, in get_user_name
resource_name = list_discovered_resources_response.get("resourceIdentifiers")[0].get("resourceName")
IndexError: list index out of range

IndexError - list index out of range

To Reproduce

  1. Create a user with a username containing the '@' character
  2. Trigger CIS 1.4 remediation

Expected behavior

The remediation should work without errors.

Please complete the following information about the solution:

  • Version: v1.4.2
  • Region: eu-west-1
  • Was the solution modified from the version published on this repository? No

"Requests" build error: No such file or directory

------ EXEC cp -R /home/ssm-user/aws-security-hub-automated-response-and-remediation/deployment/temp/source/solution_deploy/lambdalayer/python/requests /home/ssm-user/aws-security-hub-automated-response-and-remediation/deployment/build/playbooks/CIS/
cp: cannot stat ‘/home/ssm-user/aws-security-hub-automated-response-and-remediation/deployment/temp/source/solution_deploy/lambdalayer/python/requests’: No such file or directory

This was performed on an Amazon Linux2 EC2 instance. Same error on Ubuntu subsystem in Windows.

AccessDeniedException in all Queued Notification steps

Remediations run with a clean install of v1.4.0 to a virgin account fail with the below stack trace due to an overly restrictive IAM policy.

The SO0111-SHARR-sendNotifications lambda function requires access to the ssm:PutParameter action, adding this to the notifyRole's policy makes everything work smoothly.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::000000000000:assumed-role/aws-sharr-deploy-notifyRole00000000-000000000000/SO0111-SHARR-sendNotifications is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:eu-west-1:000000000000:parameter/Solutions/SO0111/anonymous_metrics_uuid because no identity-based policy allows the ssm:PutParameter action
Traceback (most recent call last):
  File "/var/task/send_notifications.py", line 101, in lambda_handler
    metrics = Metrics(event['EventType'])
  File "/opt/python/metrics.py", line 51, in __init__
    self.__get_solution_uuid()
  File "/opt/python/metrics.py", line 114, in __get_solution_uuid
    self.__update_solution_uuid(self.solution_uuid)
  File "/opt/python/metrics.py", line 97, in __update_solution_uuid
    self.ssm_client.put_parameter(
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name

FSBP Remediations - Medium Severity

[CloudTrail.2] CloudTrail should have encryption at-rest enabled
[Config.1] AWS Config should be enabled
[EC2.7] EBS default encryption should be enabled
[EC2.2] The VPC default security group should not allow inbound and outbound traffic

AFSBP EC2.2 Not Authorized to StartAutomation

Hello,

Deployed the SHARR v1.2.0 solution into an administrator account by following the "AWS Solutions Implementations Guide". The member accounts' template is deployed through StackSets.

When attempting to remediate AFSBP EC2.2 in a member account, either by selecting "action > AFSBP EC2.2" in SecurityHub or by waiting for the resource to be reevaluated, I receive the below error:

Fail to start automation, errorMessage: User: arn:aws:sts::111111111111:assumed-role/SO0111-SHARR-Remediation-AFSBP-EC2.2_us-east-1/474f72fd-f6b3-4fae-b275-dfeaa54f374e is not authorized to perform: ssm:StartAutomationExecution on resource: arn:aws:ssm:us-east-1::automation-definition/AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules:$DEFAULT.

Unit Tests failed and detected as "botocore.exceptions.ParamValidationError"

I tried to install v1.2.0, but the error "botocore.exceptions.ParamValidationError" was detected in the Unit Test on the Build stage.
Here is part of the details from the generated logs; can you please advise me of any workarounds?

test/test_metrics.py:131: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/stub.py:227: in add_response
    self._add_response(method, service_response, expected_params)
/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/stub.py:239: in _add_response
    self._validate_response(operation_name, service_response)
/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/stub.py:388: in _validate_response
    validate_parameters(response, output_shape)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

params = {'Parameter': {'ARN': 'arn:aws:ssm:us-east-1:1111111111111111:parameter/Solutions/SO0111/anonymous_metrics_uuid', 'Dat...ext', 'LastModifiedDate': '2021-02-25T12:58:50.591000-05:00', 'Name': '/Solutions/SO0111/anonymous_metrics_uuid', ...}}
shape = <StructureShape(GetParameterResult)>

    def validate_parameters(params, shape):
        """Validates input parameters against a schema.
    
        This is a convenience function that validates parameters against a schema.
        You can also instantiate and use the ParamValidator class directly if you
        want more control.
    
        If there are any validation errors then a ParamValidationError
        will be raised.  If there are no validation errors than no exception
        is raised and a value of None is returned.
    
        :param params: The user provided input parameters.
    
        :type shape: botocore.model.Shape
        :param shape: The schema which the input parameters should
            adhere to.
    
        :raise: ParamValidationError
    
        """
        validator = ParamValidator()
        report = validator.validate(params, shape)
        if report.has_errors():
>           raise ParamValidationError(report=report.generate_report())
E           botocore.exceptions.ParamValidationError: Parameter validation failed:
E           Unknown parameter in Parameter: "DataType", must be one of: Name, Type, Value, Version, Selector, SourceResult, LastModifiedDate, ARN

/Users/aaaaa/.pyenv/versions/3.7.5/lib/python3.7/site-packages/botocore/validate.py:49: ParamValidationError

---------- coverage: platform darwin, python 3.7.5-final-0 -----------
Name                             Stmts   Miss  Cover   Missing
--------------------------------------------------------------
applogger.py                        80     31    61%   55, 59-67, 77-87, 94, 97, 110, 129-143, 149-150
awsapi_cached_client.py             58     21    64%   82-97, 105-120, 124-125, 129-130
logger.py                           42     19    55%   23-26, 41, 51-58, 62, 67, 71, 75, 79, 83
metrics.py                          84     58    31%   39-40, 48-74, 77-80, 83, 91-106, 110-124, 128-143, 146-149
sechub_findings.py                  79     28    65%   60, 65, 71, 80, 87-108, 183-192, 195, 202-213
test/file_utilities.py               8      0   100%
test/test_api_cached_client.py      16      0   100%
test/test_applogger.py              32      0   100%
test/test_metrics.py                48     19    60%   64-75, 95-105, 133-148
test/test_sechub_findings.py        47      0   100%
test/test_utils.py                  37      0   100%
utils.py                            72     26    64%   34-37, 40, 43, 47, 51, 55, 59, 63, 67, 70-81, 112-113
--------------------------------------------------------------
TOTAL                              603    202    67%
Coverage XML written to file /Users/hisnakad/git/aws-security-hub-automated-response-and-remediation/deployment/test/coverage-reports/LambdaLayers.coverage.xml

======================================================================== short test summary info =========================================================================
FAILED test/test_metrics.py::test_metrics_construction - botocore.exceptions.ParamValidationError: Parameter validation failed:
FAILED test/test_metrics.py::test_get_metrics_from_finding - botocore.exceptions.ParamValidationError: Parameter validation failed:
FAILED test/test_metrics.py::test_send_metrics - botocore.exceptions.ParamValidationError: Parameter validation failed:
====================================================================== 3 failed, 13 passed in 3.65s ======================================================================
** UNIT TESTS FAILED **

Cross Account Authorization Error - AccessDeniedException

Hi,

I deployed the aws-sharr-deploy.template in "Main" account and also deployed the CISPermissions.template in the "member" account. I made sure to provide the correct account number of the main account when deploying to member account.

I'm getting the following error when running a cross account remediation and I really can't figure out why. I checked the cross-account roles and the permissions seems to be correct.

ERROR "An error occurred (AccessDeniedException) when calling the StartAutomationExecution operation: User: arn:aws:sts::111111111111:assumed-role/SO0111_CIS4142_memberRole_us-west-2/sechub_master is not authorized to perform: ssm:StartAutomationExecution on resource: arn:aws:ssm:us-west-2::automation-definition/AWS-DisablePublicAccessForSecurityGroup:1"

The metric filter created in "CIS.3.1" is incorrect.

The automatic remediation "CIS.3.1" creates a metric filter as shown below.

The metric filter name does not match the alarm name.
Isn't the correct metric filter name "SHARR_Alarm_CIS_1_2_Finding_3_1_UnauthorizedAPICalls"?

And I think the filter pattern is also wrong.
Isn't the filter pattern "{($.errorCode="UnauthorizedOperation") || ($.errorCode="AccessDenied")}" instead of "{$.errorCode = "AccessDenied" || $.errorCode = "UnauthorizedOperation"}"?

Please tell me where to fix the SSM documentation.

Not able to build with the given dependencies atm. Please add package-lock.json in the repo for dependency resolution.

Currently it's not possible to build using the script (./build-s3-dist.sh) as npm breaks with the following:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: [email protected]
npm ERR! node_modules/jest
npm ERR! dev jest@"^25.5.4" from the root project
npm ERR! peer jest@">=25 <26" from [email protected]
npm ERR! node_modules/ts-jest
npm ERR! ts-jest@"^25.4.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer jest@"^26.4.2" from @aws-cdk/[email protected]
npm ERR! node_modules/@aws-cdk/assert
npm ERR! dev @aws-cdk/assert@"1.68.0" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.

Deploy member-stacks as ServiceManaged stacksets

Is your feature request related to a problem? Please describe.

I tried to deploy the member stacks using an organization stackset. Organization stacksets using the ServiceManaged model do not work with nested stacks, therefore this failed.

See also:
StackSet Considerations

Describe the feature you'd like

Please provide a single member stack to ease deployment and management of stacks in an organization.

FSBP Remediations - Low Severity

[RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters
[RDS.7] RDS clusters should have deletion protection enabled
[AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks

SNS Topic Does Not Exist Error Message

Describe the bug

After deploying v1.3.1 and running the remediation for CIS 3.x findings, I am receiving an error in the SO0111-SHARR-Orchestrator logs pointing out that a "Topic does not exist". The error references line 264, "publish_to_sns('SO0111-SHARR_Topic', self.severity + ':' + self.message, self.__region)" from sechub_findings.py. Is this the correct topic name or does this need to be adjusted to "SO0111-SHARR-LocalAlarmNotification"?

To Reproduce

Deploy the 1.3.1 solution
Create a subscription for the newly created SO0111-SHARR-LocalAlarmNotification SNS topic
Remediate any one or more of the CIS 3.x Security Hub findings using SHARR
Check the log entry in the SO0111-SHARR-Orchestrator logs

Expected behavior

I would expect to not see any errors in the SO0111-SHARR-Orchestrator logs after a remediation attempt. I would also expect to see a successful remediation message in the SO0111-SHARR log group.

  • [ ] Version: v1.3.1
  • Region: us-east-1
  • Was the solution modified from the version published on this repository? No
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? How to enable debug mode? Yes

Screenshots

Additional context
Despite the execution failed message in the log, the remediation did end up setting up the metric and the alarm as expected. Also, the Security Hub finding did resolve at least for 3.2. 3.1 is still not resolving but that is due to the metric being switched around as mentioned here: #38

Stack creation fails in some environments

Hi there,

I have one question.

Just tried Security Hub automated response and remediation,
but it doesn't complete successfully on creating the stack.
I got the following error(s).

XXX ROLLBACK_COMPLETE
The following resource(s) failed to create:
[orchestratorNestedLogStackXXX, notifyPolicyXXXC, SHARRkeyAliasXXX]. Rollback requested by user.

orchestratorNestedLogStackXXX
orchestratorNestedLogStackXXX-XXX/XXX-XXXX-XXXX-XXXX-XXXXXXXXX
was not successfully created:
The following resource(s) failed to create: [OrchestratorLogsEncryptedXXXXX].

and I tried it in several different environments:
the stack will be created successfully the first time,
but will fail with the same error the second and third times...

are there any settings to check?

sorry for poor English language.
THX

  • [v1.4.2] Version: [e.g. v1.0.0]
  • [ap-northeast-1] Region: [e.g. us-east-1]
  • [no] Was the solution modified from the version published on this repository?
  • [-] If the answer to the previous question was yes, are the changes available on GitHub?
  • [yes] Have you checked your service quotas for the services this solution uses?
  • [no] Were there any errors in the CloudWatch Logs? Troubleshooting

Update README now that upload_s3_dist.sh has been deleted

What were you initially searching for in the docs?

The README states to upload to s3:

https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/blame/master/README.md#L103-L109

**Upload to your buckets**

Run upload_s3_dist.sh, passing the name of the region where you want to deploy the solution (ex. us-east-1). Note that this prepares your templates for deployment, but does not do the actual deployment in your account.
```
cd ./deployment
./upload_s3_dist.sh <region>
```

But this file has now been deleted: 3cb099d

https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/blame/master/README.md#L103-L109

Describe how we could make it clearer

Either delete this section if uploading is no longer required, or update with what the new procedure should be.

If you have a proposed update, please share it here
N/A

AFSBP - EC2.7 - verification step fails

After manually fixing the issue described in #26, I ran into the following error:

Step fails when it is Execution complete: verified. Failed to run automation with executionId: 68da3877-74a7-4d17-bc92-e995c79abc0c Failed : {Status=[Failed], Output=[{"EbsEncryptionByDefault":true,"ResponseMetadata":{"RequestId":"2abe7ed2-0403-4104-9427-665f2ff35179","HTTPStatusCode":200,"HTTPHeaders":{"x-amzn-requestid":"2abe7ed2-0403-4104-9427-665f2ff35179","cache-control":"no-cache, no-store","strict-transport-security":"max-age\u003d31536000; includeSubDomains","content-type":"text/xml;charset\u003dUTF-8","transfer-encoding":"chunked","vary":"accept-encoding","date":"Mon, 03 May 2021 11:54:50 GMT","server":"AmazonEC2"},"RetryAttempts":0}}], ExecutionId=[68da3877-74a7-4d17-bc92-e995c79abc0c]}. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

In the Execution detail I could see that the ModifyAccount step processed successfully, but the VerifyEbsEncryptionByDefault step failed with the following error message:

Step fails when it is Execute/Cancelling action. Property value 'False' from the API output is not in the desired values. Desired values: ['True'].. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

However, after checking the setting manually in the EC2 console, I saw that it actually got remediated.
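The post above shows ModifyAccount succeeding while the verify step compared 'False' against ['True'] even though the console showed encryption by default enabled. One possible cause (not established by the post, only assumed here) is a read that lands before the account-level change is visible, so the verification reads a stale value. As an added example, not the solution's own runbook code, the Python below normalises the boolean the EC2 API returns and polls with a bounded retry before declaring the remediation unverified. The StubEc2 client is constructed for the example; a real run would pass boto3.client("ec2").

```python
"""Added example: tolerant verification of EBS encryption-by-default.

Not code from the ASR/SHARR project. The stub client below is constructed
for the example; a real run would pass boto3.client("ec2") instead.
"""
import time


def as_bool(value):
    """Normalise the API value: accept real booleans and the strings
    'true'/'false' in any case, reject anything else."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unexpected EbsEncryptionByDefault value: {value!r}")


def verify_ebs_encryption_by_default(ec2, attempts=5, delay=2.0, sleep=time.sleep):
    """Return (verified, observations).

    Calls get_ebs_encryption_by_default up to `attempts` times, sleeping
    `delay` seconds between reads, and stops at the first True. The
    observations list records every value seen, so the automation output can
    distinguish a stale read from a remediation that really did not apply.
    """
    observations = []
    for i in range(attempts):
        resp = ec2.get_ebs_encryption_by_default()
        enabled = as_bool(resp["EbsEncryptionByDefault"])
        observations.append(enabled)
        if enabled:
            return True, observations
        if i < attempts - 1:
            sleep(delay)
    return False, observations


class StubEc2:
    """Constructed stand-in for boto3's EC2 client: returns the given
    sequence of values in order, then repeats the last one forever."""

    def __init__(self, values):
        self._values = list(values)

    def get_ebs_encryption_by_default(self):
        value = self._values.pop(0) if len(self._values) > 1 else self._values[0]
        return {"EbsEncryptionByDefault": value}


if __name__ == "__main__":
    # One stale read, then a consistent one: verification passes on the 2nd try.
    ok, seen = verify_ebs_encryption_by_default(StubEc2([False, True]), sleep=lambda _: None)
    print(ok, seen)  # True [False, True]
```

The retry bound matters: an unbounded loop would mask a remediation that genuinely failed, while a single read turns any propagation delay into a false "Failed" on a finding that was in fact fixed.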

Auto-repair fails with "CIS.2.8" rule.

I have deployed template version "1.3.0".
As shown in the screenshot below, auto-repair fails with the "CIS.2.8" rule.
Is there a flaw in the SSM document for "CIS.2.8"?(SHARR-CIS_1.2.0_2.8 or SHARR-CIS_1.2.0_2.8)

Please tell me how to improve.
(screenshot not reproduced)

AssumeRole error 1.4.2 running single account remediation

Recently installed 1.4.2 in a single account. Attempting manual remediation gives this error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::111111111111:assumed-role/SO0111-SHARR-Orchestrator-Admin/SO0111-SHARR-checkSSMDocState is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/SO0111-SHARR-Orchestrator-Member

All nested CloudFormation completed successfully, but in IAM while the SO0111-SHARR-Orchestrator-Admin role looks fine, no IAM role SO0111-SHARR-Orchestrator-Member exists. Exact same issue and message, two different AWS accounts, Admin privileges on deployment.

CIS 2.9 Remediation role error

The remediation role created for CIS 2.9 "SO0111_CIS29_remediationRole__region_" seems to have the wrong trusted entities. From the template it looks as though the trusted entity is "cloudtrail.amazonaws.com" (a copy and paste from 2.4 maybe?) but it should be "vpc-flow-logs.amazonaws.com".

This will not stop the remediation from logging as successful as per the remediation log, but it will cause the flow log status on the VPC itself to be "Access error" with a status of "The log destination is not accessible."

Changing the trusted entity to vpc-flow-logs.amazonaws.com resolved the issue for me

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html

AFSBP "EC2.1"

When applying automatic repair with "EC2.1", the following error appears.

(screenshot not reproduced)

I suspect there is something wrong with the SSM document.
Please tell me how to improve it.

3.x Findings compliance status in Security Hub not passing

The compliance status within Security Hub for my 3.x findings is still reporting as "FAILED" despite the remediations to create metric filters and alarms. Looking within CloudWatch, I do see the metrics and alarms are created against the log group specified. The execution logs in Systems Manager do not report any errors but rather show success for the automation run. The only error I've been able to pinpoint is from within Security Hub on the finding itself, where I get a message stating, "The multi-region CloudTrail does not have a valid metric filter".

Any assistance is greatly appreciated. I have created these metrics and alarms manually within a different account against the same multi-region CloudTrail log group and Security Hub did pass the findings in that account but I would really like to use SHARR for these.

  • Version: 1.3.0
  • Region: us-east-1
    (two screenshots from 2021-09-20, not reproduced)

AFSBP Auto Remediation Doesnt Kick Off

Describe the bug

After enabling AFSBP_EC2.6_AutoTrigger within EventBridge, no remediation of the finding is performed.

To Reproduce

  • Deploy the solution.
  • Enable AFSBP_EC2.6_AutoTrigger within EventBridge.
  • Create a VPC without VPC Flow Logs enabled.
  • A Security Hub finding will be generated but will not be remediated.

Expected behavior

Once a new finding is generated by Security Hub, it is automatically remediated within the target environment.

Please complete the following information about the solution:

  • Version: v1.3.0
  • Region: us-west-2
  • Was the solution modified from the version published on this repository? No
  • Have you checked your service quotas for the services this solution uses? No
  • Were there any errors in the CloudWatch Logs? No

Screenshots (not reproduced): the AFSBP_EC2.6_AutoTrigger EventBridge rule, the EC2.6 Security Hub finding, and a CIS finding.

Additional context
I think the reason is within the Findings event for Security Hub. The generator ID field does not include /rule/ for AFSBP whereas PCI and CIS Findings do.

Whenever you manually activate the Security Hub Custom Action "Remediate with SHARR" it works fine.
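The post above suspects that the auto-trigger rule fails to match because the AFSBP GeneratorId lacks the "/rule/" segment that CIS and PCI generator IDs carry. As an added example, not the solution's own rule or code, the Python below implements the small subset of EventBridge event-pattern semantics needed to test that idea offline: literal string lists and {"prefix": ...} matchers at any depth, descending into arrays the way EventBridge does for detail.findings. The rule pattern is hypothetical and the two finding events and their GeneratorId strings are constructed samples; the real values should be read from the finding in Security Hub before changing any rule.

```python
"""Added example: evaluate a Security Hub finding event against an
EventBridge-style pattern (literal lists and "prefix" matchers only).

Not code from the ASR/SHARR project. The pattern and findings below are
constructed for the example; the auto-trigger rule shown is hypothetical.
"""


def _values_at(event, path):
    """Collect every value under a key path. EventBridge descends into arrays,
    so a field of detail.findings[*] is addressed as detail.findings.<field>."""
    nodes = [event]
    for key in path:
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
        nodes = nxt
    leaves = []
    for node in nodes:
        leaves.extend(node if isinstance(node, list) else [node])
    return leaves


def _leaves(pattern, path=()):
    """Yield (path, matchers) for every leaf list in the pattern."""
    for key, value in pattern.items():
        if isinstance(value, dict):
            yield from _leaves(value, path + (key,))
        else:
            yield path + (key,), value


def _matcher_hits(matcher, value):
    if isinstance(matcher, dict):
        return "prefix" in matcher and isinstance(value, str) and value.startswith(matcher["prefix"])
    return matcher == value


def rule_matches(pattern, event):
    """True when every leaf of the pattern is satisfied by at least one value
    found at that path in the event (EventBridge's AND of ORs)."""
    return all(
        any(_matcher_hits(m, v) for m in matchers for v in _values_at(event, path))
        for path, matchers in _leaves(pattern)
    )


def _finding(generator_id):
    # Constructed Security Hub finding event, trimmed to the fields used here.
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "GeneratorId": generator_id,
            "Compliance": {"Status": "FAILED"},
            "Workflow": {"Status": "NEW"},
        }]},
    }


# Constructed GeneratorId values of the two shapes the post contrasts:
# the CIS one carries a "/rule/" segment, the AFSBP one does not.
AFSBP_EC2_6 = _finding("aws-foundational-security-best-practices/v/1.0.0/EC2.6")
CIS_2_9 = _finding("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9")


def auto_trigger_pattern(generator_prefix):
    """Hypothetical auto-trigger rule: fire on new FAILED findings whose
    GeneratorId starts with the given prefix."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {
            "GeneratorId": [{"prefix": generator_prefix}],
            "Compliance": {"Status": ["FAILED"]},
            "Workflow": {"Status": ["NEW"]},
        }},
    }


if __name__ == "__main__":
    with_rule_segment = auto_trigger_pattern("aws-foundational-security-best-practices/v/1.0.0/rule/EC2.6")
    without_rule_segment = auto_trigger_pattern("aws-foundational-security-best-practices/v/1.0.0/EC2.6")
    print(rule_matches(with_rule_segment, AFSBP_EC2_6))     # False
    print(rule_matches(without_rule_segment, AFSBP_EC2_6))  # True
```

A prefix matcher that includes "/rule/" can never match a generator ID that has no such segment, so a rule written from the CIS shape silently drops every AFSBP finding while the manual custom action, which does not go through that rule, keeps working. Note that real EventBridge matches each path independently across array elements; the evaluator above does the same, which is why it is safe to use for single-finding events.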

ERROR: Invalid resource Id - CIS 1.3 - failed to parse input for IAM users with slash "/"

While it's not supported in the console, the SDK and CLI allow you to create IAM users with paths (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). I seem to be getting failures for any CIS 1.3 remediation that has a user with a path (e.g. arn:aws:iam::12345678910:user/path/build/internal-plugin-user).

Step fails at step 1 - ParseInput:

```
Step fails when it is Poll action status for completion.
Traceback (most recent call last):
  File "/tmp/e89a2bf3-4ede-4a59-ab23-b96efcbf8cfb-2022-03-04-06-38-54/customer_script.py", line 77, in parse_event
    exit(f'ERROR: Invalid resource Id {identifier_raw}')
  File "/var/lang/lib/python3.7/_sitebuiltins.py", line 26, in __call__
    raise SystemExit(code)
SystemExit: ERROR: Invalid resource Id arn:aws:iam::12345678910:user/path/build/internal-plugin-user
SystemExit - ERROR: Invalid resource Id arn:aws:iam::12345678910:user/path/build/internal-plugin-user. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.
```

CF deployments from custom buckets failed for aws-sharr-deploy.template .

I had built the code from a clone and uploaded the templates to my account's buckets, but the CloudFormation deployment for aws-sharr-deploy.template fails. It seems the template refers to a specific bucket, not the bucket where my code/template exist.
Here is the code snippet from the template which seems to be where the bucket is referenced:

```yaml
PlaybookServiceCatalog:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL:
      Fn::Join:
        - ""
        - - https://
          - Fn::FindInMap:
              - SourceCode
              - General
              - S3Bucket
          - -reference.s3.amazonaws.com/
          - Fn::FindInMap:
              - SourceCode
              - General
              - KeyPrefix
          - /aws-sharr-portolio-deploy.template
    Parameters:
      CreateCustomActionArn:
        Fn::GetAtt:
          - CreateCustomActionE7A973F5
          - Arn
  Metadata:
    aws:cdk:path: SolutionDeployStack/PlaybookServiceCatalog
  Condition: UseServiceCatalog
Conditions:
  UseServiceCatalog:
    Fn::Not:
      - Fn::Equals:
          - Ref: AWS::Partition
          - aws-cn
```

Error: (screenshot from 2021-04-20, not reproduced)

CIS 3.x CloudWatch Alarm Notifications Not Working as Expected

Describe the bug

Alerts are not being sent out from CloudWatch after setting up a subscription to the topic SO0111-SHARR-LocalAlarmNotification.

To Reproduce

  • Deploy the latest 1.3.1 version of the aws-security-hub-automated-response-and-remediation project
  • Perform the CIS 3.x remediations to have a metric filter and alarm setup within CloudWatch
  • Add a subscription to the SO0111-SHARR-LocalAlarmNotification SNS topic
  • Adjust the SHARR_Alarm_CIS_1_2_Finding_3_2_ConsoleSigninWithoutMFA CloudWatch alarm so that the "Datapoints to alarm" is set to "1 out of 1" instead of "240" (This will make the alarm trigger after first event instead of needing 240)
  • Log out of account and then back in and navigate to CloudWatch and see the alarm state for consolelogin.
  • The alarm state should be "In alarm" however no notification is received. If you click on the "History" tab within the alarm you should see an error: "Failed to execute action arn:aws:sns:us-east-1:xxxxxxxxx:SO0111-SHARR-LocalAlarmNotification. Received error: "Resource: arn:aws:cloudwatch:us-east-1:xxxxxxxxx:alarm:SHARR_Alarm_CIS_1_2_Finding_3_2_ConsoleSigninWithoutMFA is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:xxxxxxxxx:SO0111-SHARR-LocalAlarmNotification because no resource-based policy allows the SNS:Publish action"
  • Navigate to SNS and edit the SO0111-SHARR-LocalAlarmNotification topic's access to policy. Change the services included in the access policy to include "cloudwatch.amazonaws.com"
  • After a new alarm is triggered, you should now see an error in the CloudWatch alarm about access denied to the KMS key: "Failed to execute action arn:aws:sns:us-east-1:xxxxxx:SO0111-SHARR-LocalAlarmNotification. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxx; Proxy: null)"
  • Navigate to KMS and modify the key policy for the SO0111-SHARR-Remediation-Key. Add "cloudwatch.amazonaws.com" to list of services in the key policy.
  • You should now see a successful notification once the alarm is triggered.

Expected behavior

  • I would expect a notification to be sent and received by the subscription on the SO0111-SHARR-LocalAlarmNotification SNS topic once an alarm in CloudWatch is in the alarm state.

  • Version: 1.3.1

  • Region: us-east-1

  • Was the solution modified from the version published on this repository? No

  • Have you checked your service quotas for the services this solution uses? Yes

  • Were there any errors in the CloudWatch Logs? Yes, included in screenshots

Screenshots: (screenshot from 2021-11-02, not reproduced)
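The CIS 2.9 report (a flow-log delivery role whose trust policy names cloudtrail.amazonaws.com instead of vpc-flow-logs.amazonaws.com) and the CIS 3.x report above (an SNS topic policy and a KMS key policy that do not name cloudwatch.amazonaws.com) are the same class of defect: a policy document that never grants the required action to the service principal that will actually make the call, which surfaces only as "Access error" on the flow log or "not authorized to perform: SNS:Publish" in the alarm history rather than as a failed remediation. Trust policies, topic policies and key policies all share the Statement/Effect/Principal/Action shape, so one evaluator can be pointed at each. The Python below is an added example and not the solution's code; every sample document in it is constructed (the "events.amazonaws.com" entry merely stands in for whatever services the real topic policy lists), and the required key actions for an alarm publishing to an encrypted topic (kms:Decrypt and kms:GenerateDataKey*) follow AWS's documented requirement rather than anything on this page.

```python
"""Added example: does a policy document let a service principal perform an
action? Not code from the ASR/SHARR project; the sample documents below are
constructed, not the solution's templates.

Limitation: Condition blocks are not evaluated (treated as satisfied), so a
True result means "not blocked by Principal/Action/Effect", not a full
IAM policy simulation.
"""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_services(principal):
    """Service principals named by a Principal element; "*" (anonymous) is
    passed through so callers can treat it as matching any caller."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def _applies(statement, service, action):
    services = _principal_services(statement.get("Principal"))
    if service not in services and "*" not in services:
        return False
    # IAM action names are case-insensitive and may carry * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(statement.get("Action")))


def service_allowed(policy, service, action):
    """Explicit Deny wins over any Allow; no matching statement is a deny."""
    allowed = False
    for statement in _as_list(policy.get("Statement")):
        if not _applies(statement, service, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def audit(checks):
    """checks: iterable of (label, policy, service, action). Returns the
    labels whose policy does not grant the action to the service."""
    return [label for label, policy, service, action in checks
            if not service_allowed(policy, service, action)]


def _allow(services, actions, resource=None):
    statement = {"Effect": "Allow", "Principal": {"Service": services}, "Action": actions}
    if resource is not None:
        statement["Resource"] = resource
    return {"Version": "2012-10-17", "Statement": [statement]}


# CIS 2.9: the flow-log delivery role as reported (trusting CloudTrail) and as fixed.
TRUST_REPORTED = _allow("cloudtrail.amazonaws.com", "sts:AssumeRole")
TRUST_FIXED = _allow("vpc-flow-logs.amazonaws.com", "sts:AssumeRole")
# CIS 3.x: topic and key policies before and after adding cloudwatch.amazonaws.com.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:SO0111-SHARR-LocalAlarmNotification"
TOPIC_REPORTED = _allow(["events.amazonaws.com"], "SNS:Publish", TOPIC_ARN)
TOPIC_FIXED = _allow(["events.amazonaws.com", "cloudwatch.amazonaws.com"], "SNS:Publish", TOPIC_ARN)
KEY_FIXED = _allow(["cloudwatch.amazonaws.com"], ["kms:Decrypt", "kms:GenerateDataKey*"], "*")

CHECKS = [
    ("CIS 2.9 trust policy (reported)", TRUST_REPORTED, "vpc-flow-logs.amazonaws.com", "sts:AssumeRole"),
    ("CIS 2.9 trust policy (fixed)", TRUST_FIXED, "vpc-flow-logs.amazonaws.com", "sts:AssumeRole"),
    ("CIS 3.x topic policy (reported)", TOPIC_REPORTED, "cloudwatch.amazonaws.com", "sns:Publish"),
    ("CIS 3.x topic policy (fixed)", TOPIC_FIXED, "cloudwatch.amazonaws.com", "sns:Publish"),
    ("CIS 3.x key policy (fixed)", KEY_FIXED, "cloudwatch.amazonaws.com", "kms:GenerateDataKey"),
]

if __name__ == "__main__":
    print(audit(CHECKS))
    # ['CIS 2.9 trust policy (reported)', 'CIS 3.x topic policy (reported)']
```

Run this kind of check against the documents a deployment actually produced (iam get-role, sns get-topic-attributes, kms get-key-policy) rather than against the templates, because a remediation logging "success" says nothing about whether the principal that must use the resource afterwards can reach it.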

CDK application files are missing

In both the solution_deploy and the playbooks directories, the bin directory is not present with the CDK application file. Therefore, when the build_s3_dist.sh script is run, the templates do not get generated and the various .template files are empty. Are end users expected to generate these files? If so, can examples be provided?

The cdk.json files reference apps files that do not exist.

Service-managed StackSet deployment (Step 3 option 2) missing parameter

Describe the bug

Service-managed StackSet deployment (step 3 option 2) doesn't ask for 'LogGroup Configuration' like step 3 option 1 does.

To Reproduce

Follow steps for automated StackSet deployment (https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/deployment-stackset.html). Make sure service-managed StackSet option (option 2) is chosen for step 3.

Expected behavior

Either the template deployment would ask for the LogGroup Configuration (as is asked in step 3, option 1), or the Systems Manager Parameter Store parameter could be modified after deployment (but it is not set).

Please complete the following information about the solution:

  • Version: v1.4.1
  • Region: ap-southeast-2
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses? n/a
  • Were there any errors in the CloudWatch Logs? n/a

Screenshots
Don't think a "lack of a parameter" screenshot is going to help

Additional context
n/a

Support remediation of GuardDuty findings

Is your feature request related to a problem? Please describe.

GuardDuty findings can be high-confidence and actionable, but are not part of the current solution.

Describe the feature you'd like

Add a playbook and runbooks to remediate GuardDuty findings: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html

Additional context

There is an existing project that could be leveraged:

Blog post: https://aws.amazon.com/blogs/security/how-to-perform-automated-incident-response-multi-account-environment/
Code: https://github.com/aws-samples/automated-incident-response-with-ssm

ERROR: CIS 1.4 remediation fails and does not remediate.

Describe the bug

When the automatic remediation is executed, the following error is output and the finding is not repaired.
What's wrong with the document "SHARR-CIS_1.2.0_1.4" or "SHARR-RevokeUnrotatedKeys"?

Error messages:

```
Traceback (most recent call last):
  File "/tmp/6ce44d50-6967-4b73-a949-5019b5ab9ee4-2022-05-21-20-08-25/customer_script.py", line 97, in unrotated_key_handler
    user_name = get_user_name(event.get("IAMResourceId"))
  File "/tmp/6ce44d50-6967-4b73-a949-5019b5ab9ee4-2022-05-21-20-08-25/customer_script.py", line 46, in get_user_name
    resource_name = list_discovered_resources_response.get("resourceIdentifiers")[0].get("resourceName")
IndexError: list index out of range
```

IndexError - list index out of range
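The two IAM-user tracebacks above fail at the same place for different reasons: the CIS 1.3 ParseInput step rejects a user ARN that carries a path, and the CIS 1.4 get_user_name step indexes [0] on an empty resourceIdentifiers list from AWS Config, so a missing inventory record surfaces as IndexError instead of a message that says what is missing. As an added example, not the solution's code (the failing parse_event and get_user_name are not reproduced here), the Python below resolves an IAM user name from either identifier form: a user ARN, taking the last path segment so "user/path/build/internal-plugin-user" yields "internal-plugin-user", or an IAM unique ID (AIDA...), looked up through an injected callback that stands in for AWS Config's list_discovered_resources and reports an empty result as a clear error. The account ID, unique ID and inventory below are constructed for the example.

```python
"""Added example: resolve an IAM user name from the identifier a finding
carries. Not code from the ASR/SHARR project. The lookup callback is an
injected stand-in for AWS Config list_discovered_resources; the inventory,
account ID and unique ID below are constructed sample data.
"""
import re

# IAM user ARN: the resource part is "user/<optional/path/>NAME". Paths are
# allowed by the API and CLI, so the name is the last path segment, never
# "everything after user/".
_IAM_USER_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):user/(?P<path_and_name>.+)$"
)
# IAM user unique ID as Security Hub reports it in the resource Id field.
_IAM_USER_ID = re.compile(r"^AIDA[A-Z0-9]{16,}$")


class UnresolvableIdentifier(ValueError):
    """Raised with a human-readable reason instead of a bare exit() or IndexError."""


def user_name_from_arn(arn):
    m = _IAM_USER_ARN.match(arn)
    if not m:
        raise UnresolvableIdentifier(f"not an IAM user ARN: {arn}")
    name = m.group("path_and_name").rsplit("/", 1)[-1]
    if not name:
        raise UnresolvableIdentifier(f"IAM user ARN has an empty name: {arn}")
    return name


def resolve_iam_user_name(identifier, lookup_by_resource_id):
    """Accept either a user ARN (with or without a path) or an IAM unique ID.

    lookup_by_resource_id(resource_id) must return the list AWS Config would
    put in resourceIdentifiers; an empty list becomes a clear error rather
    than an IndexError from [0].
    """
    if identifier.startswith("arn:"):
        return user_name_from_arn(identifier)
    if _IAM_USER_ID.match(identifier):
        found = lookup_by_resource_id(identifier)
        if not found:
            raise UnresolvableIdentifier(
                f"AWS Config has no AWS::IAM::User record for {identifier}; "
                "check that Config is recording IAM users in this account")
        return found[0]["resourceName"]
    raise UnresolvableIdentifier(f"unrecognised IAM user identifier: {identifier}")


# Constructed stand-in for AWS Config: only one unique ID is "known".
_CONFIG_INVENTORY = {
    "AIDAEXAMPLE1234567890": [{"resourceType": "AWS::IAM::User",
                               "resourceId": "AIDAEXAMPLE1234567890",
                               "resourceName": "build-bot"}],
}


def fake_config_lookup(resource_id):
    """Mimics the resourceIdentifiers list of list_discovered_resources."""
    return _CONFIG_INVENTORY.get(resource_id, [])


if __name__ == "__main__":
    print(user_name_from_arn("arn:aws:iam::123456789012:user/path/build/internal-plugin-user"))  # internal-plugin-user
    print(resolve_iam_user_name("AIDAEXAMPLE1234567890", fake_config_lookup))  # build-bot
    try:
        resolve_iam_user_name("AIDAUNKNOWN00000000000", fake_config_lookup)
    except UnresolvableIdentifier as err:
        print(err)
```

The two behaviours worth carrying into a real runbook are the rsplit on the path (a path can be several segments deep, and a name can contain characters other parsers reject) and the explicit empty-result check, so that an automation failure tells the operator whether the problem is the identifier or the Config recorder rather than leaving them to read a traceback.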

Region Support for AWS GovCloud (US)

Note AWS Security Hub service is available in GovCloud as of April 2020.

Please up-vote if you want this feature. Do not submit a new feature request.

FSBP Remediations - Critical Severity

[RDS.1] RDS snapshots should be private
[Lambda.1] Lambda function policies should prohibit public access
[EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
