Updated to v1.1.0

Author: Joshua Leaverton

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2020-11-15
+### Changed
+- Added support for AWS partitions other than 'aws' (aws-us-gov, aws-cn)
+- Updated CDK support to 1.68.0
+
 ## [1.0.1] - 2020-09-18
 ### Changed
 - Added info-level messages indicating action (CREATE/UPDATE) from the CreateCustomAction lambda

deployment/build-s3-dist.sh

@@ -17,7 +17,7 @@
 #  - version-code: version of the package
 
 # Important: CDK global version number
-required_cdk_version=1.60.0
+required_cdk_version=1.68.0
 
 # Functions to reduce repetitive code
 # do_cmd will exit if the command has a non-zero return code.
@@ -204,10 +204,8 @@ do_cmd npm install -s
 do_cmd npm run build
 
 # Create the template for the compliance pack
-cdk synth CisStack -c solutionId=$SOLUTION_ID > $template_dist_dir/playbooks/CIS.template 
-echo -e "AWSTemplateFormatVersion: \"2010-09-09\"\n$(cat ${template_dist_dir}/playbooks/CIS.template)" > $template_dist_dir/playbooks/CIS.template
-cdk synth CisPermissionsStack -c solutionId=$SOLUTION_ID > $template_dist_dir/playbooks/CISPermissions.template 
-echo -e "AWSTemplateFormatVersion: \"2010-09-09\"\n$(cat ${template_dist_dir}/playbooks/CISPermissions.template)" > $template_dist_dir/playbooks/CISPermissions.template
+cdk --no-version-reporting synth CisStack > $template_dist_dir/playbooks/CIS.template 
+cdk --no-version-reporting synth CisPermissionsStack > $template_dist_dir/playbooks/CISPermissions.template 
 
 if [[ -d ./lambda ]]; then
     do_cmd mkdir -p ${build_dir}/playbooks/CIS/tests  # output directory
@@ -243,18 +241,14 @@ cd $temp_work_dir/source/solution_deploy
 for template in `cdk ls`; do
     echo Create template $template
     # do_cmd npm run build
-    cdk synth $template -c solutionId=$SOLUTION_ID > ${template_dist_dir}/${template}.template
+    cdk --no-version-reporting synth $template -c solutionId=$SOLUTION_ID > ${template_dist_dir}/${template}.template
 done
 cd ${template_dir}
 
 [ -e ${template_dir}/*.template ] && do_cmd cp $template_dir/*.template $template_dist_dir/
 
-for f in ${template_dist_dir}/*.template; do
-    echo Prepending AWSTemplateFormatVersion
-    echo -e "AWSTemplateFormatVersion: \"2010-09-09\"\n$(cat $f)" > $f
-done
-
 # Rename SolutionDeployStack.template
 mv ${template_dist_dir}/SolutionDeployStack.template ${template_dist_dir}/aws-sharr-deploy.template
+mv ${template_dist_dir}/ServiceCatalogStack.template ${template_dist_dir}/aws-sharr-portolio-deploy.template
 
 echo Build Complete

deployment/run-unit-tests.sh

@@ -10,13 +10,20 @@ maxrc=0
 rc=0
 export overrideWarningsEnabled=false
 
+[[ $1 == 'update' ]] && {
+    update="true" 
+    echo "UPDATE MODE: CDK Snapshots will be updated. CDK UNIT TESTS WILL BE SKIPPED"
+} || update="false"
+
 #!/bin/bash
 echo 'Installing required Python testing modules'
 pip install -r ./testing_requirements.txt
 
 # Get reference for all important folders
 template_dir="$PWD"
-source_dir="$template_dir/temp/source"
+source_dir="$template_dir/../source"
+temp_source_dir="$template_dir/temp/source"
+
 if [[ -e './solution_env.sh' ]]; then
     chmod +x ./solution_env.sh
     source ./solution_env.sh
@@ -50,18 +57,23 @@ fi
 echo "------------------------------------------------------------------------------"
 echo "[Test] CDK Unit Tests - playbook CIS"
 echo "------------------------------------------------------------------------------"
-cd $source_dir/playbooks/CIS
-npm run test
-rc=$?
-echo CDK Unit Tests RC=$rc
-if [ "$rc" -gt "$maxrc" ]; then
-	maxrc=$rc
-fi
+cd $temp_source_dir/playbooks/CIS
+[[ $update == "true" ]] && {
+    npm run test -- -u
+    cp -f test/__snapshots__/* $source_dir/playbooks/CIS/test/__snapshots__/
+} || {
+    npm run test
+    rc=$?
+    echo CDK Unit Tests RC=$rc
+    if [ "$rc" -gt "$maxrc" ]; then
+        maxrc=$rc
+    fi
+}
 
 echo "------------------------------------------------------------------------------"
 echo "[Test] CDK Unit Tests - core"
 echo "------------------------------------------------------------------------------"
-cd $source_dir/playbooks/core
+cd $temp_source_dir/playbooks/core
 npm run test
 rc=$?
 echo CDK Unit Tests RC=$rc
@@ -73,13 +85,18 @@ fi
 echo "------------------------------------------------------------------------------"
 echo "[Test] CDK Unit Tests - solution_deploy"
 echo "------------------------------------------------------------------------------"
-cd $source_dir/solution_deploy
-npm run test
-rc=$?
-echo CDK Unit Tests RC=$rc
-if [ "$rc" -gt "$maxrc" ]; then
-	maxrc=$rc
-fi
+cd $temp_source_dir/solution_deploy
+[[ $update == "true" ]] && {
+    npm run test -- -u
+    cp -f test/__snapshots__/* $source_dir/solution_deploy/test/__snapshots__/
+} || {
+    npm run test
+    rc=$?
+    echo CDK Unit Tests RC=$rc
+    if [ "$rc" -gt "$maxrc" ]; then
+    	maxrc=$rc
+    fi
+}
 
 echo "------------------------------------------------------------------------------"
 echo "[Test] Python Unit Tests"

source/playbooks/CIS/lambda/cis1314.py

@@ -40,6 +40,8 @@
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -48,7 +50,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER

source/playbooks/CIS/lambda/cis15111.py

@@ -40,6 +40,8 @@
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -48,7 +50,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER

source/playbooks/CIS/lambda/cis22.py

@@ -39,6 +39,8 @@
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -47,7 +49,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER

source/playbooks/CIS/lambda/cis23.py

@@ -23,6 +23,7 @@
 from lib.awsapi_helpers import AWSClient, BotoSession
 from lib.applogger import LogHandler
 from lib.metrics import Metrics
+from lib.aws_utils import remove_arn_prefix
 
 #------------------------------
 # Remediation-Specific
@@ -40,6 +41,8 @@
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -48,7 +51,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER
@@ -126,7 +129,7 @@ def failed():
         raw_bucket_info = str(finding.details['Resources'][0]['Id'])
 
         # Remove ARN string, create new variable
-        noncompliant_bucket = raw_bucket_info.replace("arn:aws:s3:::", "")
+        noncompliant_bucket = remove_arn_prefix(raw_bucket_info)
 
     except Exception as e:
         message['Note'] = str(e) + ' - Finding format is not as expected.'
@@ -153,11 +156,11 @@ def failed():
         remove_public = s3.put_public_access_block(
             Bucket=noncompliant_bucket,
             PublicAccessBlockConfiguration={
-                    'BlockPublicAcls': True,
-                    'IgnorePublicAcls': True,
-                    'BlockPublicPolicy': True,
-                    'RestrictPublicBuckets': True
-                }
+                'BlockPublicAcls': True,
+                'IgnorePublicAcls': True,
+                'BlockPublicPolicy': True,
+                'RestrictPublicBuckets': True
+            }
         )
 
         LOGGER.debug(remove_public)

source/playbooks/CIS/lambda/cis24.py

@@ -43,6 +43,8 @@
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -51,7 +53,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER
@@ -140,7 +142,8 @@ def failed():
     # Set name for Cloudwatch logs group
     cloudwatchLogGroup = 'CloudTrail/CIS2-4-' + non_compliant_trail
     # CloudTrail to CloudWatch logging IAM Role on for each account
-    cloudtrailLoggingArn = 'arn:aws:iam::' + finding.account_id + ':role/SO0111_CIS24_remediationRole_' + AWS_REGION
+    cloudtrailLoggingArn = 'arn:' + AWS_PARTITION + ':iam::' + \
+        finding.account_id + ':role/SO0111_CIS24_remediationRole_' + AWS_REGION
 
     # Connect to APIs
     try:

source/playbooks/CIS/lambda/cis26.py

@@ -23,6 +23,7 @@
 from lib.awsapi_helpers import AWSClient, BotoSession
 from lib.applogger import LogHandler
 from lib.metrics import Metrics
+from lib.aws_utils import remove_arn_prefix
 
 #------------------------------
 # Remediation-Specific
@@ -43,6 +44,8 @@
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -51,7 +54,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER
@@ -127,7 +130,7 @@ def failed():
     try:
         ctBucket = str(finding.details['Resources'][0]['Id'])
         # Remove ARN string, create new variable
-        formattedCTBucket = ctBucket.replace("arn:aws:s3:::", "")
+        formattedCTBucket = remove_arn_prefix(ctBucket)
     except Exception as e:
         message['Note'] = str(e) + ' - Finding format is not as expected.'
         message['State'] = 'FAILED'
@@ -205,7 +208,8 @@ def failed():
                 'GranteeUri': ['http://acs.amazonaws.com/groups/s3/LogDelivery'], ## Must Use URI, fails with Canonical Group Id
                 'TargetPrefix' : [formattedCTBucket + '/'],
                 'TargetBucket': [accessLoggingBucket],
-                'AutomationAssumeRole': ['arn:aws:iam::' + finding.account_id + ':role/' + LAMBDA_ROLE]
+                'AutomationAssumeRole': ['arn:' + AWS_PARTITION + ':iam::' + \
+                    finding.account_id + ':role/' + LAMBDA_ROLE]
             }
         )
         LOGGER.debug(response)

source/playbooks/CIS/lambda/cis28.py

@@ -38,10 +38,11 @@
 LOGGER = Logger(loglevel=LOG_LEVEL)
 APPLOGGER = LogHandler(PLAYBOOK) # application LOGGER for CW Logs
 
-
 # Get AWS region from Lambda environment. If not present then we're not
 # running under lambda, so defaulting to us-east-1
 AWS_REGION = os.getenv('AWS_DEFAULT_REGION', 'us-east-1')
+AWS_PARTITION = os.getenv('AWS_PARTITION', 'aws')
+
 # Append region name to LAMBDA_ROLE
 LAMBDA_ROLE += '_' + AWS_REGION
 BOTO_CONFIG = Config(
@@ -50,7 +51,7 @@
     },
     region_name=AWS_REGION
 )
-AWS = AWSClient()
+AWS = AWSClient(AWS_PARTITION, AWS_REGION)
 
 #------------------------------------------------------------------------------
 # HANDLER