Update to version v1.3.1

Author: groverlalit

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.1] - 2021-09-10
+
+### Changed
+- CreateLogMetricFilterAndAlarm.py changed to make Actions active, add SNS notification to SO0111-SHARR-LocalAlarmNotification
+- Change CIS 2.8 remediation to match new finding data format
+
 ## [1.3.0] - 2021-08-30
 
 ### Added

README.md

@@ -52,7 +52,7 @@ v1.0.0.
 
 ### Architecture Diagram
 
-![](SHARR_v1.2.jpg)
+![](./SHARR_v1.2.jpg)
 
 <a name="aws-solutions-constructs"></a>
 

source/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aws-security-hub-automated-response-and-remediation",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "Automated remediation for AWS Security Hub (SO0111)",
   "bin": {
     "solution_deploy": "bin/solution_deploy.js"

source/playbooks/CIS120/ssmdocs/CIS_2.8.yaml

@@ -33,7 +33,7 @@ mainSteps:
     action: 'aws:executeScript'
     outputs:
       - Name: KMSKeyId
-        Selector: $.Payload.resource_id
+        Selector: $.Payload.details.AwsKmsKey.KeyId
         Type: String
       - Name: FindingId
         Selector: $.Payload.finding_id
@@ -47,7 +47,7 @@ mainSteps:
     inputs:
       InputPayload:
         Finding: '{{Finding}}'
-        parse_id_pattern: '^AWS::KMS::Key:([a-f0-9-]{8}-[a-f0-9-]{4}-[a-f0-9-]{4}-[a-f0-9-]{4}-[a-f0-9-]{12})$'
+        parse_id_pattern: ''
         expected_control_id: '2.8'
       Runtime: python3.7
       Handler: parse_event

source/playbooks/CIS120/ssmdocs/CIS_3.1.yaml

@@ -66,6 +66,13 @@ parameters:
     type: String
     default: 'LogMetrics'
     description: The name of the metric namespace where the metrics will be logged
+  KMSKeyArn:
+    type: String
+    default: >-
+      {{ssm:/Solutions/SO0111/CMK_REMEDIATION_ARN}}
+    description: The ARN of the KMS key created by SHARR for remediations
+    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias/[A-Za-z0-9/-_])|(?:key/(?i:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})))$'
+
 mainSteps:
   - name: ParseInput
     action: 'aws:executeScript'
@@ -144,6 +151,8 @@ mainSteps:
         AlarmDesc: '{{ GetMetricFilterAndAlarmInputValue.AlarmDesc }}'
         AlarmThreshold: '{{ GetMetricFilterAndAlarmInputValue.AlarmThreshold }}'
         LogGroupName: '{{ LogGroupName }}'
+        SNSTopicName: 'SO0111-SHARR-LocalAlarmNotification'
+        KMSKeyArn: '{{KMSKeyArn}}'
 
   - name: UpdateFinding
     action: 'aws:executeAwsApi'
@@ -154,7 +163,7 @@ mainSteps:
       - Id: '{{ParseInput.FindingId}}'
         ProductArn: '{{ParseInput.ProductArn}}'
       Note:
-        Text: 'Added metric filter to the log group to monitor unauthorized API calls.'
+        Text: 'Added metric filter to the log group and notifications to SNS topic SO0111-SHARR-LocalAlarmNotification.'
         UpdatedBy: 'SHARR-CIS_1.2.0_3.1'
       Workflow:
         Status: RESOLVED

source/remediation_runbooks/CreateLogMetricFilterAndAlarm.yaml

@@ -44,8 +44,33 @@ parameters:
   AlarmThreshold:
     type: Integer
     description: Threshold value for the alarm
+  KMSKeyArn:
+    type: String
+    description: The ARN of a KMS key to use for encryption of the SNS Topic and Config bucket
+    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias/[A-Za-z0-9/-_])|(?:key/(?i:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})))$'
+  SNSTopicName:
+    type: String
+    allowedPattern: ^[a-zA-Z0-9][a-zA-Z0-9-_]{0,255}$
+
 mainSteps:
-  - name: CreateMetricFilerAndAlarm
+  - 
+    name: CreateTopic
+    action: 'aws:executeScript'
+    outputs:
+      - Name: TopicArn
+        Selector: $.Payload.topic_arn
+        Type: String
+    inputs:
+      InputPayload: 
+        kms_key_arn: '{{KMSKeyArn}}'
+        topic_name: '{{SNSTopicName}}'
+      Runtime: python3.7
+      Handler: create_encrypted_topic
+      Script: |-
+        %%SCRIPT=CreateLogMetricFilterAndAlarm_createtopic.py%%
+        
+  - 
+    name: CreateMetricFilerAndAlarm
     action: 'aws:executeScript'
     outputs:
       - Name: Output
@@ -62,6 +87,7 @@ mainSteps:
         AlarmName: '{{AlarmName}}'
         AlarmDesc: '{{AlarmDesc}}'
         AlarmThreshold: '{{AlarmThreshold}}'
+        TopicArn: '{{CreateTopic.TopicArn}}'    
       Runtime: python3.7
       Handler: verify
       Script: |-

source/remediation_runbooks/scripts/CreateLogMetricFilterAndAlarm.py

@@ -72,7 +72,7 @@ def put_metric_filter(cw_log_group, filter_name, filter_pattern, metric_name, me
     log.debug("Successfully added the metric filter.")
 
 
-def put_metric_alarm(alarm_name, alarm_desc, alarm_threshold, metric_name, metric_namespace):
+def put_metric_alarm(alarm_name, alarm_desc, alarm_threshold, metric_name, metric_namespace, topic_arn):
     """
     Puts the metric alarm for the metric name with provided values
     :param alarm_name: Name for the alarm
@@ -88,7 +88,13 @@ def put_metric_alarm(alarm_name, alarm_desc, alarm_threshold, metric_name, metri
         cw_client.put_metric_alarm(
             AlarmName=alarm_name,
             AlarmDescription=alarm_desc,
-            ActionsEnabled=False,
+            ActionsEnabled=True,
+            OKActions=[
+                topic_arn
+            ],
+            AlarmActions=[
+                topic_arn
+            ],
             MetricName=metric_name,
             Namespace=metric_namespace,
             Statistic='Sum',
@@ -117,9 +123,10 @@ def verify(event, context):
     alarm_desc = event['AlarmDesc']
     alarm_threshold = event['AlarmThreshold']
     cw_log_group = event['LogGroupName']
+    topic_arn = event['TopicArn']
 
     put_metric_filter(cw_log_group, filter_name, filter_pattern, metric_name, metric_namespace, metric_value)
-    put_metric_alarm(alarm_name, alarm_desc, alarm_threshold, metric_name, metric_namespace)
+    put_metric_alarm(alarm_name, alarm_desc, alarm_threshold, metric_name, metric_namespace, topic_arn)
     return {
         "response": {
             "message": f'Created filter {event["FilterName"]} for metric {event["MetricName"]}, and alarm {event["AlarmName"]}',

source/remediation_runbooks/scripts/test/test_createlogmetricfilterandalarm.py

@@ -38,7 +38,8 @@ def test_verify(mocker):
         'AlarmName': 'test_alarm',
         'AlarmDesc': 'alarm_desc',
         'AlarmThreshold': 'alarm_threshold',
-        'LogGroupName': 'test_log'
+        'LogGroupName': 'test_log',
+        'TopicArn': 'arn:aws:sns:us-east-1:111111111111:test-topic-name'
     }
     context = {}
     mocker.patch('CreateLogMetricFilterAndAlarm.put_metric_filter')
@@ -47,7 +48,7 @@ def test_verify(mocker):
     metric_alarm_spy = mocker.spy(logMetricAlarm, 'put_metric_alarm')
     logMetricAlarm.verify(event, context)
     metric_filter_spy.assert_called_once_with('test_log', 'test_filter', 'test_pattern', 'test_metric', 'test_metricnamespace', 'test_metric_value')
-    metric_alarm_spy.assert_called_once_with('test_alarm', 'alarm_desc', 'alarm_threshold', 'test_metric', 'test_metricnamespace')
+    metric_alarm_spy.assert_called_once_with('test_alarm', 'alarm_desc', 'alarm_threshold', 'test_metric', 'test_metricnamespace', 'arn:aws:sns:us-east-1:111111111111:test-topic-name')
 
 
 def test_put_metric_filter_pass(mocker):
@@ -60,7 +61,8 @@ def test_put_metric_filter_pass(mocker):
         'AlarmName': 'test_alarm',
         'AlarmDesc': 'alarm_desc',
         'AlarmThreshold': 'alarm_threshold',
-        'LogGroupName': 'test_log'
+        'LogGroupName': 'test_log',
+        'TopicArn': 'arn:aws:sns:us-east-1:111111111111:test-topic-name'
     }
 
     BOTO_CONFIG = Config(
@@ -109,7 +111,8 @@ def test_put_metric_filter_error(mocker):
         'AlarmName': 'test_alarm',
         'AlarmDesc': 'alarm_desc',
         'AlarmThreshold': 'alarm_threshold',
-        'LogGroupName': 'test_log'
+        'LogGroupName': 'test_log',
+        'TopicArn': 'arn:aws:sns:us-east-1:111111111111:test-topic-name'
     }
 
     BOTO_CONFIG = Config(
@@ -146,7 +149,8 @@ def test_put_metric_alarm(mocker):
         'AlarmName': 'test_alarm',
         'AlarmDesc': 'alarm_desc',
         'AlarmThreshold': 1,
-        'LogGroupName': 'test_log'
+        'LogGroupName': 'test_log',
+        'TopicArn': 'arn:aws:sns:us-east-1:111111111111:test-topic-name'
     }
 
     BOTO_CONFIG = Config(
@@ -164,7 +168,13 @@ def test_put_metric_alarm(mocker):
         {
             'AlarmName': event['AlarmName'],
             'AlarmDescription': event['AlarmDesc'],
-            'ActionsEnabled': False,
+            'ActionsEnabled': True,
+            'OKActions': [
+                'arn:aws:sns:us-east-1:111111111111:test-topic-name'
+            ],
+            'AlarmActions': [
+                'arn:aws:sns:us-east-1:111111111111:test-topic-name'
+            ],
             'MetricName': event['MetricName'],
             'Namespace': event['MetricNamespace'],
             'Statistic': 'Sum',
@@ -179,7 +189,7 @@ def test_put_metric_alarm(mocker):
     mocker.patch('CreateLogMetricFilterAndAlarm.get_service_client', return_value=cloudwatch)
     logMetricAlarm.put_metric_alarm(
         event['AlarmName'], event['AlarmDesc'], event['AlarmThreshold'],
-        event['MetricName'], event['MetricNamespace']
+        event['MetricName'], event['MetricNamespace'], event['TopicArn']
     )
     assert cloudwatch_stubber.assert_no_pending_responses() is None
     cloudwatch_stubber.deactivate()
@@ -195,7 +205,8 @@ def test_put_metric_alarm_error(mocker):
         'AlarmName': 'test_alarm',
         'AlarmDesc': 'alarm_desc',
         'AlarmThreshold': 1,
-        'LogGroupName': 'test_log'
+        'LogGroupName': 'test_log',
+        'TopicArn': 'arn:aws:sns:us-east-1:111111111111:test-topic-name'
     }
 
     BOTO_CONFIG = Config(
@@ -217,7 +228,7 @@ def test_put_metric_alarm_error(mocker):
     with pytest.raises(SystemExit) as pytest_wrapped_exception:
         logMetricAlarm.put_metric_alarm(
             event['AlarmName'], event['AlarmDesc'], event['AlarmThreshold'],
-            event['MetricName'], event['MetricNamespace']
+            event['MetricName'], event['MetricNamespace'], event['TopicArn']
         )
     assert pytest_wrapped_exception.type == SystemExit
     cloudwatch_stubber.deactivate()

source/solution_deploy/lib/remediation_runbook-stack.ts

@@ -127,6 +127,54 @@ export class RemediationRunbookStack extends cdk.Stack {
         }
     }
     //-----------------------
+    // CreateLogMetricAndAlarm
+    //
+    {
+        const remediationName = 'CreateLogMetricFilterAndAlarm'
+        const inlinePolicy = new Policy(this, `SHARR-Remediation-Policy-${remediationName}`);
+        
+        const remediationPolicy = new PolicyStatement();
+        remediationPolicy.addActions(
+            "logs:PutMetricFilter",
+            "cloudwatch:PutMetricAlarm"
+            )
+        remediationPolicy.effect = Effect.ALLOW
+        remediationPolicy.addResources(`arn:${this.partition}:logs:*:${this.account}:log-group:*`);
+        remediationPolicy.addResources(`arn:${this.partition}:cloudwatch:*:${this.account}:alarm:*`);
+
+        inlinePolicy.addStatements(remediationPolicy)
+
+        {
+            var snsPerms = new PolicyStatement();
+            snsPerms.addActions(
+                "sns:CreateTopic",
+                "sns:SetTopicAttributes"
+            )
+            snsPerms.effect = Effect.ALLOW
+            snsPerms.addResources(
+                `arn:${this.partition}:sns:${this.region}:${this.account}:SO0111-SHARR-LocalAlarmNotification`
+            );
+            inlinePolicy.addStatements(snsPerms)
+        }
+
+        new SsmRole(this, 'RemediationRole ' + remediationName, {
+            solutionId: props.solutionId,
+            ssmDocName: remediationName,
+            adminAccountNumber: adminAccount.adminAccountNumber.valueAsString,
+            remediationPolicy: inlinePolicy,
+            remediationRoleName: `${remediationRoleNameBase}${remediationName}_${this.region}`
+        })
+
+        new SsmRemediationRunbook(this, 'SHARR '+ remediationName, {
+            ssmDocName: remediationName,
+            ssmDocPath: ssmdocs,
+            ssmDocFileName: `${remediationName}.yaml`,
+            scriptPath: `${ssmdocs}/scripts`,
+            solutionVersion: props.solutionVersion,
+            solutionDistBucket: props.solutionDistBucket
+        })
+    }
+    //-----------------------
     // EnableAutoScalingGroupELBHealthCheck
     //
     {
@@ -1298,42 +1346,5 @@ export class RemediationRunbookStack extends cdk.Stack {
         }
     }
 
-    //****
-    //Create remediation books for CIS findings 3.1 through 3.14
-    //
-
-    {
-        const remediationName = 'CreateLogMetricFilterAndAlarm'
-        const inlinePolicy = new Policy(this, `SHARR-Remediation-Policy-${remediationName}`);
-        
-        const remediationPolicy = new PolicyStatement();
-        remediationPolicy.addActions(
-            "logs:PutMetricFilter",
-            "cloudwatch:PutMetricAlarm"
-            )
-        remediationPolicy.effect = Effect.ALLOW
-        remediationPolicy.addResources(`arn:${this.partition}:logs:*:${this.account}:log-group:*`);
-        remediationPolicy.addResources(`arn:${this.partition}:cloudwatch:*:${this.account}:alarm:*`);
-
-        inlinePolicy.addStatements(remediationPolicy)
-
-        new SsmRole(this, 'RemediationRole ' + remediationName, {
-            solutionId: props.solutionId,
-            ssmDocName: remediationName,
-            adminAccountNumber: adminAccount.adminAccountNumber.valueAsString,
-            remediationPolicy: inlinePolicy,
-            remediationRoleName: `${remediationRoleNameBase}${remediationName}_${this.region}`
-        })
-
-        new SsmRemediationRunbook(this, 'SHARR '+ remediationName, {
-            ssmDocName: remediationName,
-            ssmDocPath: ssmdocs,
-            ssmDocFileName: `${remediationName}.yaml`,
-            scriptPath: `${ssmdocs}/scripts`,
-            solutionVersion: props.solutionVersion,
-            solutionDistBucket: props.solutionDistBucket
-        })
-    }
-
   }
 }

source/solution_deploy/lib/sharr_member-stack.ts

@@ -218,7 +218,7 @@ export class MemberStack extends cdk.Stack {
     const logGroupName = new cdk.CfnParameter(this, "LogGroupName",
     {
         type: "String",
-        description: "Name of the log group to be used to create metric filters and cloudwatch alarms"
+        description: "Name of the log group to be used to create metric filters and cloudwatch alarms. You must use a Log Group that is the the logging destination of a multi-region CloudTrail"
     });
 
     /********************