-
Notifications
You must be signed in to change notification settings - Fork 4
/
csv_manager_sechub.yaml
478 lines (478 loc) · 14.8 KB
/
csv_manager_sechub.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
Parameters:
S3AccessIAMRole:
Type: String
Description: IAM Role to access the CSV objects in S3.
Frequency:
Type: String
Default: cron(0 8 ? * SUN *)
Description: A cron or rate expression for how often the export occurs.
Partition:
Type: String
Default: aws
Description: The partition in which CSV Manager for Security Hub will operate.
Regions:
Type: String
Default: us-east-1
Description: The comma-delimeted list of regions in which CSV Manager for Security Hub will operate.
PrimaryRegion:
Type: String
Default: us-east-1
Description: The region in which the S3 bucket and SSM parameters are stored.
FindingsFolder:
Type: String
Default: Findings
Description: Folder that will contain Lambda code & CloudFormation templates.
S3BucketCode:
Type: String
Default: "awsiammedia"
Description: S3 Bucket that will contain Lambda code.
S3KeyExporter:
Type: String
Default: "public/sample/1280-export-sh-findings-to-csv-format/csvExporter.zip"
Description: S3 Bucket prefix that will contain Lambda code for Exporter.
S3KeyUpdater:
Type: String
Default: "public/sample/1280-export-sh-findings-to-csv-format/csvUpdater.zip"
Description: S3 Bucket prefix that will contain Lambda code for Updater.
ExpirationPeriod:
Type: Number
Default: 365
Description: Maximum days to retain exported findings.
GlacierTransitionPeriod:
Type: Number
Default: 31
Description: Maximum days before exported findings are moved to AWS Glacier.
Resources:
s3kmskeyA0E45BCB:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: "2012-10-17"
Statement:
- Action: kms:*
Effect: Allow
Principal:
AWS:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":iam::"
- Ref: AWS::AccountId
- :root
Resource: "*"
Description: KMS key for security hub findings in S3.
EnableKeyRotation: false
PendingWindowInDays: 7
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
s3kmskeyAlias2C7CE359:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/sh_export_key
TargetKeyId:
Fn::GetAtt:
- s3kmskeyA0E45BCB
- Arn
securityhubexportbucket0BDF3430:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- BucketKeyEnabled: true
ServerSideEncryptionByDefault:
KMSMasterKeyID:
Fn::GetAtt:
- s3kmskeyA0E45BCB
- Arn
SSEAlgorithm: aws:kms
LifecycleConfiguration:
Rules:
- ExpirationInDays:
Ref: ExpirationPeriod
Status: Enabled
Transitions:
- StorageClass: GLACIER
TransitionInDays:
Ref: GlacierTransitionPeriod
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
VersioningConfiguration:
Status: Enabled
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
securityhubexportbucketPolicy5AE68C6C:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: securityhubexportbucket0BDF3430
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action: s3:*
Condition:
Bool:
aws:SecureTransport: "false"
Effect: Deny
Principal:
AWS: "*"
Resource:
- Fn::GetAtt:
- securityhubexportbucket0BDF3430
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- securityhubexportbucket0BDF3430
- Arn
- /*
- Action:
- s3:GetObject*
- s3:ListBucket
- s3:PutObject*
Effect: Allow
Principal:
AWS:
- Ref: S3AccessIAMRole
- Fn::GetAtt:
- secubcsvmanagerrole6674D6A1
- Arn
Resource:
- Fn::GetAtt:
- securityhubexportbucket0BDF3430
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- securityhubexportbucket0BDF3430
- Arn
- /*
secubcsvmanagerrole6674D6A1:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
- lambda.amazonaws.com
- ssm.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
RoleName: SecurityHub_CSV_Exporter
secubcsvexporterfunction0B1F1A8E:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket:
Ref: S3BucketCode
S3Key:
Ref: S3KeyExporter
Role:
Fn::GetAtt:
- secubcsvmanagerrole6674D6A1
- Arn
Description: Export SecurityHub findings to CSV in S3 bucket.
Environment:
Variables:
CSV_PRIMARY_REGION:
Ref: PrimaryRegion
FunctionName: SecHubExportStack_545171356966_sh_csv_exporter
Handler: csvExporter.lambdaHandler
MemorySize: 512
ReservedConcurrentExecutions: 100
Runtime: python3.9
Timeout: 900
DependsOn:
- secubcsvmanagerrole6674D6A1
secubcsvupdaterfunction199A043C:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket:
Ref: S3BucketCode
S3Key:
Ref: S3KeyUpdater
Role:
Fn::GetAtt:
- secubcsvmanagerrole6674D6A1
- Arn
Description: Update SecurityHub findings to CSV in S3 bucket.
Environment:
Variables:
CSV_PRIMARY_REGION:
Ref: PrimaryRegion
FunctionName: SecHubExportStack_545171356966_sh_csv_updater
Handler: csvUpdater.lambdaHandler
MemorySize: 512
ReservedConcurrentExecutions: 100
Runtime: python3.9
Timeout: 900
DependsOn:
- secubcsvmanagerrole6674D6A1
sechubcsvmanagedpolicy49025002:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- iam:CreateServiceLinkedRole
- iam:PassRole
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":iam::"
- Ref: AWS::AccountId
- :role/*
Sid: IAMAllow
- Action:
- sts:AssumeRole
- sts:GetCallerIdentity
Effect: Allow
Resource: "*"
Sid: STSAllow
- Action:
- securityhub:BatchUpdateFindings
- securityhub:GetFindings
Effect: Allow
Resource: "*"
Sid: SecurityHubAllow
- Action:
- s3:GetObject
- s3:PutObject
Effect: Allow
Resource:
- Fn::GetAtt:
- securityhubexportbucket0BDF3430
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- securityhubexportbucket0BDF3430
- Arn
- /*
Sid: S3Allow
- Action:
- kms:Decrypt
- kms:Describe*
- kms:Encrypt
- kms:GenerateDataKey
Effect: Allow
Resource:
Fn::GetAtt:
- s3kmskeyA0E45BCB
- Arn
Sid: KMSAllow
- Action: lambda:InvokeFunction
Effect: Allow
Resource:
- Fn::GetAtt:
- secubcsvexporterfunction0B1F1A8E
- Arn
- Fn::GetAtt:
- secubcsvupdaterfunction199A043C
- Arn
Sid: InvokeLambdaAllow
- Action:
- ssm:GetParameters
- ssm:PutParameter
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":ssm:"
- Ref: PrimaryRegion
- ":"
- Ref: AWS::AccountId
- :parameter/csvManager/*
Sid: SSMAllow
Description: ""
ManagedPolicyName: sechub_csv_manager
Path: /
Roles:
- Ref: secubcsvmanagerrole6674D6A1
Rule4C995B7F:
Type: AWS::Events::Rule
Properties:
Description: Invoke Security Hub findings exporter periodically.
ScheduleExpression:
Ref: Frequency
State: DISABLED
Targets:
- Arn:
Fn::GetAtt:
- secubcsvexporterfunction0B1F1A8E
- Arn
Id: Target0
InputTransformer:
InputPathsMap:
event: $.event
InputTemplate: '{"event":<event>}'
RuleAllowEventRuleSecHubExportStacksecubcsvexporterfunction16C4F2B1D42AAC42:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName:
Fn::GetAtt:
- secubcsvexporterfunction0B1F1A8E
- Arn
Principal: events.amazonaws.com
SourceArn:
Fn::GetAtt:
- Rule4C995B7F
- Arn
createshexportdocument:
Type: AWS::SSM::Document
Properties:
Content:
schemaVersion: "0.3"
assumeRole:
Fn::GetAtt:
- secubcsvmanagerrole6674D6A1
- Arn
description: Generate a Security Hub Findings Export (CSV Manager for Security Hub) outside of the normal export.
parameters:
Filters:
type: String
description: The canned filter "HighActive" or a JSON-formatted string for the GetFindings API filter.
default: HighActive
Partition:
type: String
description: The partition in which CSV Manager for Security Hub will operate.
default:
Ref: AWS::Partition
Regions:
type: String
description: The comma-separated list of regions in which CSV Manager for Security Hub will operate.
default:
Ref: PrimaryRegion
mainSteps:
- action: aws:invokeLambdaFunction
name: InvokeLambdaforSHFindingExport
inputs:
InvocationType: RequestResponse
FunctionName:
Ref: secubcsvexporterfunction0B1F1A8E
Payload: '{ "filters" : "{{Filters}}" , "partition" : "{{Partition}}", "regions" : "[ {{Regions}} ]"}'
description: Invoke the CSV Manager for Security Hub lambda function.
outputs:
- Name: resultCode
Selector: $.Payload.resultCode
Type: Integer
- Name: bucket
Selector: $.Payload.bucket
Type: String
- Name: exportKey
Selector: $.Payload.exportKey
Type: String
isEnd: true
DocumentType: Automation
Name: start_sh_finding_export
updateshexportdocument:
Type: AWS::SSM::Document
Properties:
Content:
schemaVersion: "0.3"
assumeRole:
Fn::GetAtt:
- secubcsvmanagerrole6674D6A1
- Arn
description: Update a Security Hub Findings Update (CSV Manager for Security Hub) outside of the normal Update.
parameters:
Source:
type: String
description: An S3 URI containing the CSV file to update. i.e. s3://<bucket_name>/Findings/SecurityHub-20220415-115112.csv
default: ""
PrimaryRegion:
type: String
description: Region to pull the CSV file from.
default:
Ref: PrimaryRegion
mainSteps:
- action: aws:invokeLambdaFunction
name: InvokeLambdaforSHFindingUpdate
inputs:
InvocationType: RequestResponse
FunctionName:
Ref: secubcsvupdaterfunction199A043C
Payload: '{ "input" : "{{Source}}" , "primaryRegion" : "{{PrimaryRegion}}"}'
description: Invoke the CSV Manager Update for Security Hub lambda function.
outputs:
- Name: resultCode
Selector: $.Payload.resultCode
Type: Integer
isEnd: true
DocumentType: Automation
Name: start_sechub_csv_update
BucketNameParameterBB904042:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value:
Ref: securityhubexportbucket0BDF3430
Description: The S3 bucket where Security Hub are exported.
Name: /csvManager/bucket
KMSKeyParameter0B3310DD:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value:
Fn::GetAtt:
- s3kmskeyA0E45BCB
- Arn
Description: The KMS key encrypting the S3 bucket objects.
Name: /csvManager/key
CodeFolderParameter82BE4E3A:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value:
Ref: S3BucketCode
Description: The folder where CSV Manager for Security Hub code is stored.
Name: /csvManager/folder/code
FindingsFolderParameter017314BA:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value:
Ref: FindingsFolder
Description: The folder where CSV Manager for Security Hub findings are exported.
Name: /csvManager/folder/findings
ArchiveKeyParameter8BD59A44:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value: Not Initialized
Description: The name of the ZIP archive containing CSV Manager for Security Hub Lambda code.
Name: /csvManager/object/codeArchive
PartitionParameter82B291B4:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value:
Ref: Partition
Description: The partition in which CSV Manager for Security Hub will operate.
Name: /csvManager/partition
RegionParameterA71AF3D0:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value:
Ref: Regions
Description: The list of regions in which CSV Manager for Security Hub will operate.
Name: /csvManager/regionList