aws-solutions
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 79 additions & 34 deletions b/‎README.md‎
Lines changed: 79 additions & 34 deletions
diff --git a/‎SHARR v1.2.jpg‎
99.9 KB b/‎SHARR v1.2.jpg‎
99.9 KB
diff --git a/‎deployment/build-s3-dist.sh‎
Lines changed: 70 additions & 30 deletions b/‎deployment/build-s3-dist.sh‎
Lines changed: 70 additions & 30 deletions
@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.0] - 2021-03-22
+### Added
+- New AFSBP playbook with 12 new remediations
+- New Lambda Layer for use by solution lambdas
+- New Playbook architecture: Step Function, microservice Lambdas, Systems Manager runbooks
+- Corrected anonymous metrics to log only on final state (FAILED or RESOLVED)
+- Added logging to put anonymous metrics in solution logs as an audit trail
+- Corrected the anonymous metrics UUID to use standard 8-4-4-4-12 format
+- Encrypted CloudWatch logs for AFSBP state machine
+
+### Changed
+- Consolidated CDK to a single installation
+- Moved common/core CDK modules to source/lib
+
 ## [1.1.0] - 2020-11-15
 ### Changed
 - Added support for AWS partitions other than 'aws' (aws-us-gov, aws-cn)
 
@@ -1,23 +1,66 @@
-# AWS Security Hub Automated Response and Remediation (ID SO0111)
-
-AWS Security Hub Automated Response and Remediation is an add-on solution that enables AWS Security Hub customers to remediate security findings with a single click using predefined response and remediation actions called “Playbooks”. Alternately the playbooks can also be configured to remediate findings in AWS Security Hub automatically. The remediation is performed using AWS Lambda and in some cases using AWS Systems Manager, the playbooks execute steps to remediate security issues, such as unused keys, open security groups, password policies, VPC configurations and public S3 buckets. The solution contains the playbook remediations for some of the security standards defined as part of CIS AWS Foundations Benchmark v1.2.0.
-
-## Getting Started
-To get started with the AWS Security Hub Automated Response and Remediation, please review the solution documentation. [AWS Security Hub Automated Response and Remediation](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/)
-
-## Building from GitHub
-
-### Overview of the Process
-
-Building from GitHub source will allow you to modify the solution, such as adding custom actions or upgrading to a new release. The process consists of downloading the source from GitHub, creating buckets to be used for deployment, building the solution, and uploading the artifacts needed for deployment.
-
-#### You will need:
+[🚀 Solution Landing
+Page](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/)
+\| [🚧 Feature
+request](https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)
+\| [🐛 Bug
+Report](https://github.com/awslabs/aws-security-hub-automated-response-and-remediation%3E/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
+
+Note: If you want to use the solution without building from source, navigate to
+Solution Landing Page
+
+## Table of contents
+
+- [Solution Overview](#solution-overview)
+- [Architecture Diagram](#architecture-diagram)
+- [AWS CDK Constructs](#aws-solutions-constructs)
+- [Customizing the Solution](#customizing-the-solution)
+    - [Prerequisites for Customization](#prerequisites-for-customization)
+    - [Build](#build)
+    - [Unit Test](#unit-test)
+    - [Deploy](#deploy)
+- [File Structure](#file-structure)
+- [License](#license)
+
+<a name="solution-overview"></a>
+# Solution Overview
+
+AWS Security Hub Automated Response and Remediation is an add-on solution that
+enables AWS Security Hub customers to remediate security findings with a single
+click using predefined response and remediation actions called “Playbooks”.
+Alternately the playbooks can also be configured to remediate findings in AWS
+Security Hub automatically. The remediation is performed using AWS Lambda and in
+some cases using AWS Systems Manager, the playbooks execute steps to remediate
+security issues, such as unused keys, open security groups, password policies,
+VPC configurations and public S3 buckets. The solution contains the playbook
+remediations for some of the security standards defined as part of CIS AWS
+Foundations Benchmark v1.2.0 and for AWS Foundational Security Best Practices
+v1.0.0.
+
+<a name="architecture-diagram"></a>
+# Architecture Diagram
+
+![](./SHARR v1.2.jpg)
+
+<a name="aws-solutions-constructs"></a>
+# AWS Solutions Constructs
+* aws-events-rule-lambda - creates event rules that trigger the appropriate remediation, as well as any necessary permissions.
+
+<a name="customizing-the-solution"></a>
+# Customizing the Solution
+
+<a name="prerequisites-for-customization"></a>
+## Prerequisites for Customization
 
 * a Linux client with the AWS CLI v2 installed and python 3.7+, AWS CDK
 * source code downloaded from GitHub
 * two S3 buckets (minimum): 1 global and 1 for each region where you will deploy
+  * An Amazon S3 Bucket for solution templates - accessed globally via https.
+  * An Amazon S3 Bucket for source code - regional.
 
-### Download from GitHub
+<a name="build"></a>
+## Build
+
+Building from GitHub source will allow you to modify the solution, such as adding custom actions or upgrading to a new release. The process consists of downloading the source from GitHub, creating buckets to be used for deployment, building the solution, and uploading the artifacts needed for deployment.
 
 Clone or download the repository to a local directory on your linux client. Note: if you intend to modify Ops Automator you may wish to create your own fork of the GitHub repo and work from that. This allows you to check in any changes you make to your private copy of the solution.
 
@@ -32,20 +75,6 @@ git clone https://github.com/awslabs/aws-security-hub-automated-response-and-rem
 wget https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/archive/master.zip
 ```
 
-#### Repository Organization
-aws-security-hub-automated-response-and-remediation uses AWS CDK for generating the cloudformation templates.
-```
-|-source/
-  |-playbooks                    [ Playbooks CloudDevelopment Kit Code and lambda source code]
-    |- core/                     [ Cloud Development Kit common node module ]
-    |- CIS/                      [ CIS playbook code ]
-    |- python_lib/               [ Python libraries used in the lambda source code in CIS playbooks ]
-    |- python_tests/             [ Python unit tests for libraries used in the lambda source code ]
-  |-solution_deploy              [ Solution Cloud Development Kit node module ]
-```
-
-### Build
-
 AWS Solutions use two buckets: a bucket for global access to templates, which is accessed via HTTPS, and regional buckets for access to assets within the region, such as Lambda code. You will need:
 
 * One global bucket that is access via the http end point. AWS CloudFormation templates are stored here. Ex. "mybucket"
@@ -79,14 +108,30 @@ cd ./deployment
 ./upload_s3_dist.sh <region>
 ```
 
+<a name="unit-test"></a>
+## Unit Test
+
+<a name="deploy"></a>
 ## Deploy
 
-See the (AWS Security Hub Automated Response and Remediation Implementation Guide)[http://link] for deployment instructions, using the link to the SolutionDeployStack.template from your bucket, rather than the one for AWS Solutions. Ex. https://mybucket.s3.amazonaws.com/aws-security-hub-automated-response-and-remediation/v1.0.0.mybuild/aws-sharr-deploy.template
+See the (AWS Security Hub Automated Response and Remediation Implementation Guide)[http://link] for deployment instructions, using the link to the SolutionDeployStack.template from your bucket, rather than the one for AWS Solutions. Ex. https://mybucket-reference.s3.amazonaws.com/aws-security-hub-automated-response-and-remediation/v1.0.0.mybuild/aws-sharr-deploy.template
 
-Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+<a name="file-structure"></a>
+# File structure
 
-Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
+aws-security-hub-automated-response-and-remediation uses AWS CDK for generating the cloudformation templates.
+<pre>
+|-source/
+  |-playbooks                    [ Playbooks CloudDevelopment Kit Code and lambda source code]
+    |- core/                     [ Cloud Development Kit common node module ]
+    |- CIS/                      [ CIS playbook code ]
+    |- python_lib/               [ Python libraries used in the lambda source code in CIS playbooks ]
+    |- python_tests/             [ Python unit tests for libraries used in the lambda source code ]
+  |-solution_deploy              [ Solution Cloud Development Kit node module ]
+</pre>
 
-    http://www.apache.org/licenses/
+<a name="license"></a>
+# License
 
-or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.
+See license
+[here](https://github.com/awslabs/%3Cinsert-solution-repo-name%3E/blob/master/LICENSE.txt)
@@ -17,7 +17,10 @@
 #  - version-code: version of the package
 
 # Important: CDK global version number
-required_cdk_version=1.68.0
+# This controls the CDK and AWS Solutions Constructs version. Solutions
+# Constructs versions map 1:1 to CDK versions. When setting this value, 
+# choose the latest AWS Solutions Constructs version.
+required_cdk_version=1.85.0
 
 # Functions to reduce repetitive code
 # do_cmd will exit if the command has a non-zero return code.
@@ -148,7 +151,13 @@ do_cmd rm -rf $temp_work_dir
 do_cmd mkdir -p $temp_work_dir
 
 echo "------------------------------------------------------------------------------"
-echo "[Copy] Copy source to temp and remove unwanted files"
+echo "[Init] Create folders"
+echo "------------------------------------------------------------------------------"
+mkdir ${build_dist_dir}/lambda
+mkdir -p ${template_dist_dir}/playbooks
+
+echo "------------------------------------------------------------------------------"
+echo "[Copy] Copy source to temp, remove unwanted files"
 echo "------------------------------------------------------------------------------"
 do_cmd cp -r $source_dir $temp_work_dir # make a copy to work from
 cd $temp_work_dir
@@ -157,16 +166,18 @@ find . -name node_modules | while read file;do rm -rf $file; done
 # remove package-lock.json
 find . -name package-lock.json | while read file;do rm $file; done
 
+# Propagate the $required_cdk_version to all of the package.json files.
+# This makes it very simple to update the version by changing the value above.
+cd $temp_work_dir/source
+find . -name package.json | while read package; do
+    do_replace $package "###CDK###" $required_cdk_version
+done
+
 echo "------------------------------------------------------------------------------"
 echo "[Install] CDK"
 echo "------------------------------------------------------------------------------"
 
-# install typescript once so we can build each of the packages below
-# If this must be done for the pipeline then we need to figure out how to detect
-# command-line (user) build so as not to do global install (requires root/sudo)
-# npm install -g typescript
-# 
-cd $temp_work_dir/source/solution_deploy
+cd $temp_work_dir/source
 do_cmd npm install      # local install per package.json
 do_cmd npm install aws-cdk@$required_cdk_version
 export PATH=$(npm bin):$PATH
@@ -179,48 +190,66 @@ if [[ $cdkver != $required_cdk_version ]]; then
 fi
 do_cmd npm run build       # build javascript from typescript
 
+echo "------------------------------------------------------------------------------"
+echo "[Pack] Lambda Layer (used by playbooks)"
+echo "------------------------------------------------------------------------------"
+cd $template_dir
+mkdir -p $temp_work_dir/source/solution_deploy/lambdalayer/python
+cp $source_dir/LambdaLayers/*.py $temp_work_dir/source/solution_deploy/lambdalayer/python
+pip install -r ./requirements.txt -t $temp_work_dir/source/solution_deploy/lambdalayer/python
+cd $temp_work_dir/source/solution_deploy/lambdalayer
+zip --recurse-paths ${build_dist_dir}/lambda/layer.zip python
+
 echo "------------------------------------------------------------------------------"
 echo "[Pack] Custom Action Lambda"
 echo "------------------------------------------------------------------------------"
 cd $template_dir
-pip install -r ./requirements.txt -t $temp_work_dir/source/solution_deploy/source
 cd $temp_work_dir/source/solution_deploy/source
-mkdir ${build_dist_dir}/lambda
-zip --recurse-paths ${build_dist_dir}/lambda/createCustomAction.py.zip createCustomAction.py lib/* requests/* chardet/* certifi/* idna/* urllib3/*
+zip ${build_dist_dir}/lambda/createCustomAction.py.zip createCustomAction.py
+
+echo "------------------------------------------------------------------------------"
+echo "[Pack] Orchestrator Lambdas"
+echo "------------------------------------------------------------------------------"
+cd $template_dir
+cd $temp_work_dir/source/Orchestrator
+ls | while read file; do 
+    zip ${build_dist_dir}/lambda/${file}.zip ${file}
+done
+# Copy LambdaLayer modules in preparation for running tests
+# These are not packaged with the Lambda
+do_cmd cp ../LambdaLayers/*.py .
 
 echo "------------------------------------------------------------------------------"
 echo "[Create] Playbook Templates - CIS"
 echo "------------------------------------------------------------------------------"
 mkdir -p ${build_dist_dir}/playbooks/CIS
-mkdir -p ${template_dist_dir}/playbooks
-
-# install npm locally in playbooks/core
-cd $temp_work_dir/source/playbooks/core
-npm install -s
 
-# Install npm for the compliance pack:
 do_cmd cd $temp_work_dir/source/playbooks/CIS
-do_cmd npm install -s
-do_cmd npm run build
 
-# Create the template for the compliance pack
-cdk --no-version-reporting synth CisStack > $template_dist_dir/playbooks/CIS.template 
-cdk --no-version-reporting synth CisPermissionsStack > $template_dist_dir/playbooks/CISPermissions.template 
+# Output YAML - this is currently the only way to do this for multiple templates
+for template in `cdk list`; do
+    echo Create CIS template $template
+    cdk --no-version-reporting synth $template > ${template_dist_dir}/playbooks/${template}.template
+done
+
+# To maintain consistency with the original install documentation
+mv $template_dist_dir/playbooks/CISPermissionsStack.template $template_dist_dir/playbooks/CISPermissions.template
 
 if [[ -d ./lambda ]]; then
     do_cmd mkdir -p ${build_dir}/playbooks/CIS/tests  # output directory
     do_cmd mkdir -p ${build_dir}/playbooks/CIS/lib
     do_cmd cp lambda/*.py ${build_dir}/playbooks/CIS
+    do_cmd cp lambda/.coveragerc ${build_dir}/playbooks/CIS
     do_cmd cp -R lambda/tests/* ${build_dir}/playbooks/CIS/tests
     # All playbooks get all libs. This is OK right now, but may need to be
     # more specific later.
     do_cmd cp -R $temp_work_dir/source/playbooks/python_lib/* ${build_dir}/playbooks/CIS/lib
     do_cmd cp -R $temp_work_dir/source/playbooks/python_tests/* ${build_dir}/playbooks/CIS/tests
-    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/source/requests ${build_dir}/playbooks/CIS/
-    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/source/urllib3 ${build_dir}/playbooks/CIS/
-    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/source/chardet ${build_dir}/playbooks/CIS/
-    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/source/certifi ${build_dir}/playbooks/CIS/
-    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/source/idna ${build_dir}/playbooks/CIS/
+    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/lambdalayer/python/requests ${build_dir}/playbooks/CIS/
+    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/lambdalayer/python/urllib3 ${build_dir}/playbooks/CIS/
+    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/lambdalayer/python/chardet ${build_dir}/playbooks/CIS/
+    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/lambdalayer/python/certifi ${build_dir}/playbooks/CIS/
+    do_cmd cp -R ${temp_work_dir}/source/solution_deploy/lambdalayer/python/idna ${build_dir}/playbooks/CIS/
     rm -rf ${build_dir}/playbooks/CIS/lib/__pycache__/
 
     cd ${build_dir}/playbooks/CIS
@@ -229,7 +258,19 @@ if [[ -d ./lambda ]]; then
     done
 fi
 
-cd ${template_dir}
+echo "------------------------------------------------------------------------------"
+echo "[Create] Playbook Templates - AFSBP"
+echo "------------------------------------------------------------------------------"
+mkdir -p ${build_dist_dir}/playbooks/AFSBP
+
+do_cmd cd $temp_work_dir/source/playbooks/AFSBP
+
+# Output YAML - this is currently the only way to do this for multiple templates
+for template in `cdk list`; do
+    echo Create AFSBP template $template
+    # do_cmd npm run build
+    cdk --no-version-reporting synth $template > ${template_dist_dir}/playbooks/${template}.template
+done
 
 echo "------------------------------------------------------------------------------"
 echo "[Create] Deployment Templates"
@@ -240,8 +281,7 @@ cd $temp_work_dir/source/solution_deploy
 # Output YAML - this is currently the only way to do this for multiple templates
 for template in `cdk ls`; do
     echo Create template $template
-    # do_cmd npm run build
-    cdk --no-version-reporting synth $template -c solutionId=$SOLUTION_ID > ${template_dist_dir}/${template}.template
+    cdk --no-version-reporting synth $template > ${template_dist_dir}/${template}.template
 done
 cd ${template_dir}