-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathProwlerToSecurityHub_CloudFormation.yml
243 lines (243 loc) · 9.34 KB
/
ProwlerToSecurityHub_CloudFormation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
AWSTemplateFormatVersion: 2010-09-09
Description: 'This Template will create the supporting infrastructure for the Prowler Fargate - Antoine Cichowicz | Github: Yris Ops'
Parameters:
ProwlerClusterName:
Type: String
Description: Name of the ECS Cluster that the Prowler Fargate Task will run in
Default: prowler-ecs
ProwlerContainerName:
Type: String
Description: Name of the Prowler Container Definition within the ECS Task
Default: prowler
ProwlerContainerInfo:
Type: String
Description: ECR URI of the Prowler container
ProwlerExecutionRole:
Type: String
Description: ARN of the IAM Task Execution Role ECS uses to pull images from ECR and send logs to CloudWatch
ProwlerTaskRole:
Type: String
Description: ARN of the Task IAM Role that gives Prowler permissions to perform its checks
ProwlerSecurityGroup:
Type: String
Description: Security Group that allows at least HTTPS 443 inbound/outbound
ProwlerScheduledSubnet1:
Type: String
Description: Subnet Id in which Prowler can be scheduled to Run
ProwlerScheduledSubnet2:
Type: String
Description: A secondary Subnet Id in which Prowler can be scheduled to Run
Resources:
ProwlerReportDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
-
AttributeName: "Notes"
AttributeType: "S"
KeySchema:
-
AttributeName: "Notes"
KeyType: "HASH"
ProvisionedThroughput:
ReadCapacityUnits: "50"
WriteCapacityUnits: "50"
TableName: !Sub 'prowler-report-table-${AWS::AccountId}'
StreamSpecification:
StreamViewType: NEW_IMAGE
ProwlerECSCloudWatchLogsGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join [ "-", [ !Ref ProwlerContainerName, !Ref 'AWS::StackName' ] ]
RetentionInDays: 90
ProwlerECSCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterName: !Ref ProwlerClusterName
ProwlerECSTaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
-
Image: !Ref ProwlerContainerInfo
Name: !Ref ProwlerContainerName
Environment:
- Name: MY_DYANMODB_TABLE
Value: !Ref ProwlerReportDynamoDBTable
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref ProwlerECSCloudWatchLogsGroup
awslogs-region: !Ref 'AWS::Region'
awslogs-stream-prefix: ecs
Cpu: 2048
ExecutionRoleArn: !Ref ProwlerExecutionRole
Memory: 4096
NetworkMode: awsvpc
TaskRoleArn: !Ref ProwlerTaskRole
Family: Prowler2SecurityHubTask
RequiresCompatibilities:
- FARGATE
ProwlerTaskScheduler:
Type: AWS::Events::Rule
Properties:
ScheduleExpression: "rate(7 days)"
State: ENABLED
Targets:
- Arn: !GetAtt ProwlerECSCluster.Arn
RoleArn: !Ref ProwlerTaskRole
Id: prowlerTaskScheduler
EcsParameters:
TaskDefinitionArn: !Ref ProwlerECSTaskDefinition
TaskCount: 1
LaunchType: FARGATE
PlatformVersion: 'LATEST'
NetworkConfiguration:
AwsVpcConfiguration:
AssignPublicIp: ENABLED
SecurityGroups:
- !Ref ProwlerSecurityGroup
Subnets:
- !Ref ProwlerScheduledSubnet1
- !Ref ProwlerScheduledSubnet2
DynamoStreamLambdaMapping:
Type: AWS::Lambda::EventSourceMapping
Properties:
BatchSize: 1
Enabled: True
EventSourceArn:
Fn::GetAtt: [ ProwlerReportDynamoDBTable , StreamArn ]
FunctionName:
Fn::GetAtt: [ ProwlertoSecHubLambdaFunction , Arn ]
StartingPosition: LATEST #always start at the tail of the stream
ProwlertoSecHubLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: Prowler2SecurityHub
Description: Maps Prowler findings sent from ECS to DynamoDB into the ASFF via DynamoDB Streams before importing to Security Hub
Handler: index.lambda_handler
MemorySize: 384
Role: !GetAtt ProwlertoSecHubLambdaRole.Arn
Runtime: python3.9
Timeout: 70
Environment:
Variables:
account_num: !Ref 'AWS::AccountId'
region: !Ref 'AWS::Region'
Code:
ZipFile: |
import json
import boto3
import datetime
import uuid
import os
def lambda_handler(event, context):
# import Lambda ENV VARs
accountId = os.environ['account_num']
awsRegion = os.environ['region']
# Use Prowler finding notes for ASFF Description
prowlerDescription = str(event['Records'][0]['dynamodb']['NewImage']['Notes']['S'])
# Use Prowler finding title text for ASFF Title
prowlerTitle = str(event['Records'][0]['dynamodb']['NewImage']['CheckTitle']['S'])
# looping through Prowler score result, set severity & compliance based on finding
prowlerResult = str(event['Records'][0]['dynamodb']['NewImage']['Status']['S'])
if prowlerResult == 'PASS':
prowlerComplianceRating = 'PASSED'
prowlerProductSev = int(0)
prowlerProductNorm = int(0)
elif prowlerResult == 'INFO':
prowlerComplianceRating = 'NOT_AVAILABLE'
prowlerProductSev = int(1)
prowlerProductNorm = int(1)
elif prowlerResult == 'FAIL':
prowlerComplianceRating = 'FAILED'
prowlerProductSev = int(8)
prowlerProductNorm = int(80)
else:
print("No Compliance Info Found!")
# ISO Time
iso8061Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
# ASFF BIF Id
asffID = str(uuid.uuid4())
# import security hub boto3 client
sechub = boto3.client('securityhub')
# call BIF
try:
response = sechub.batch_import_findings(
Findings=[
{
'SchemaVersion': '2018-10-08',
'Id': asffID,
'ProductArn': 'arn:aws:securityhub:' + awsRegion + ':' + accountId + ':product/' + accountId + '/default',
'ProductFields': {
'ProviderName': 'Prowler',
'ProviderVersion': 'v2.1.0',
},
'GeneratorId': asffID,
'AwsAccountId': accountId,
'Types': [ 'Software and Configuration Checks' ],
'FirstObservedAt': iso8061Time,
'UpdatedAt': iso8061Time,
'CreatedAt': iso8061Time,
'Severity': {
'Product': prowlerProductSev,
'Normalized': prowlerProductNorm
},
'Title': prowlerTitle,
'Description': prowlerDescription,
'Resources': [
{
'Type': 'AwsAccount',
'Id': 'AWS::::Account:' + accountId,
'Partition': 'aws',
'Region': awsRegion,
}
],
'WorkflowState': 'NEW',
'Compliance': {'Status': prowlerComplianceRating},
'RecordState': 'ACTIVE'
}
]
)
print(response)
except Exception as e:
print(e)
print("Submitting finding to Security Hub failed, please troubleshoot further")
raise
ProwlertoSecHubLambdaRole:
Type: AWS::IAM::Role
Properties:
Policies:
- PolicyName: Prowler2SecurityHub-Policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- cloudwatch:PutMetricData
- securityhub:BatchImportFindings
Resource: '*'
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
- Effect: Allow
Action:
- dynamodb:GetRecords
- dynamodb:GetShardIterator
- dynamodb:DescribeStream
- dynamodb:ListStreams
Resource: !GetAtt ProwlerReportDynamoDBTable.StreamArn
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal: { Service: lambda.amazonaws.com }
Action:
- sts:AssumeRole
Outputs:
ProwlerReportDynamoDBTable:
Description: DynamoDB Table to upload ETLed Prowler findings
Value: !Ref ProwlerReportDynamoDBTable