Merge pull request #192 from aws-solutions/release/v2.1.0

Update to version v2.1.0
aws-solutions · Mar 28, 2024 · 362b0ac · 362b0ac
2 parents 5244c64 + 994bcc1
commit 362b0ac
Show file tree

Hide file tree

Showing 506 changed files with 66,789 additions and 15,819 deletions.
diff --git a/.gitignore b/.gitignore
@@ -28,6 +28,7 @@ coverage/
 # Python
 .venv/
 __pycache__/
+*.egg-info/
 
 # pytest
 .coverage

diff --git a/.viperlightignore b/.viperlightignore
@@ -1,24 +1,5 @@
-# CDK files - files produced/installed by CDK
-# js files produced by npm
-.*.js
-# jest.config
-.*.d.ts
-.*/node_modules/
-.cdk.staging
-.*/package-lock.json
-# Developer work files - not present in pipeline
-deployment/build/
-deployment/temp/
-deployment/global-s3-assets/
-deployment/regional-s3-assets/
-deployment/open-source/
-deployment/test/
-# ignore own scan file
-vlscan.json
-# Ignore repo Config
-Config
-.venv
+node_modules/
+.venv/
 
 [python-pipoutdated]
 boto3=1.20.32 # Should match Lambda runtime: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
-py-partiql-parser=0.1.0 # trust moto to resolve its own dependencies
diff --git a/.viperlightrc b/.viperlightrc
@@ -1,4 +1 @@
-{
-  "failOn": "medium",
-  "all": true
-}
+{"failOn":"low","all":true}
diff --git a/.viperlightrc_global b/.viperlightrc_global
@@ -0,0 +1,15 @@
+{
+  "all": true,
+  "failOn": "high",
+  "safeAccounts": [
+    "297356227824",
+    "193023089310",
+    "023102451235",
+    "797873946194",
+    "017000801446"
+  ],
+  "safeEmails": [
+    "[email protected]",
+    "[email protected]"
+  ]
+}
diff --git a/AWSSD-DevNotes.md b/AWSSD-DevNotes.md
@@ -8,10 +8,10 @@
 
 ### SSM Parameters
 There are N parameters that control processing under /Solutions/SO0111:
-CMK_ARN - encryption key for the AFSBP runbooks
+CMK_ARN - encryption key for the AWS FSBP runbooks
 CMK_ARN - Admin account only, KMS key for solution encryption
 SNS_Topic_Arn - arn of the SHARR topic
-sendAnonymousMetrics - controls whether the solution sends metrics
+sendAnonymizedMetrics - controls whether the solution sends metrics
 version - solution version
 
 The following are set by each Security Standard's playbook, enabling remediation mapping in the step function:

diff --git a/AWSSD-README.md b/AWSSD-README.md
@@ -78,8 +78,8 @@ Security is **Job 0**. SHARR Runbooks must be tightly secured, validate inputs,
 
 **Remediation Runbooks** are AWS-owned or SHARR-owned runbooks that perform a single remediation or remediation step for a specific resource. For example, creating a logging bucket, enabling an AWS Service, or setting a parameter on an AWS Service. The permissions to the service APIs are within the definition of the Remediation Runbook; SHARR Runbooks must be allowed to assume the remediation role.
 
-A playbook is a set of remediations within a Security Standard (ex. "CIS", "AFSBP"). Each Playbook has a standard-specific Step Function ("Orchestrator") that "understands" the JSON format of that standard's Finding data. The Orchestrator does the following:
-1. Verify the finding data matches the Standard (ex. CIS, PCI, AFSBP)
+A playbook is a set of remediations within a Security Standard (ex. "CIS", "FSBP"). Each Playbook has a standard-specific Step Function ("Orchestrator") that "understands" the JSON format of that standard's Finding data. The Orchestrator does the following:
+1. Verify the finding data matches the Standard (ex. CIS, PCI, FSBP)
 2. Identify the control id and target account in the JSON data
 3. Derive the runbook name (SHARR-\<standard\>-\<version\>-\<controlid\>)
 4. Check the status of the runbook in the target account
@@ -104,7 +104,7 @@ A sample Playbook is provided as a starting point. The estimated time to create
 
 	* **StandardControlArn**: arn:aws:securityhub:us-east-1:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/RDS.1
 	* **securityStandardLongName**: aws-foundational-security-best-practices
-	* **securityStandardShortName**: AFSBP (can be any value you choose)
+	* **securityStandardShortName**: FSBP (can be any value you choose)
 	* **version**: 1.0.0
 
 	For the following example, we will create a PCI DSS v3.2.1 Playbook:
@@ -172,7 +172,7 @@ A sample Playbook is provided as a starting point. The estimated time to create
 	const DIST_OUTPUT_BUCKET = process.env['DIST_OUTPUT_BUCKET'] || '%%BUCKET%%';
 	const DIST_SOLUTION_NAME = process.env['DIST_SOLUTION_NAME'] || '%%SOLUTION%%';
 
-	const standardShortName = 'AFSBP'
+	const standardShortName = 'FSBP'
 	const standardLongName = 'aws-foundational-security-best-practices'
 	const standardVersion = '1.0.0' // DO NOT INCLUDE 'V'
 	const RESOURCE_PREFIX = SOLUTION_ID.replace(/^DEV-/,''); // prefix on every resource name
@@ -195,11 +195,11 @@ A sample Playbook is provided as a starting point. The estimated time to create
 		'Lambda.1',
 		'RDS.1',
 		'RDS.6',
-		'RDS.7'
-		// 'S3.1'
+		'RDS.7',
+    'S3.9'
 	]
 
-	const adminStack = new PlaybookPrimaryStack(app, 'AFSBPStack', {
+	const adminStack = new PlaybookPrimaryStack(app, 'FSBPStack', {
 		description: `(${SOLUTION_ID}P) ${SOLUTION_NAME} ${standardShortName} ${standardVersion} Compliance Pack - Admin Account, ${DIST_VERSION}`,
 		solutionId: SOLUTION_ID,
 		solutionVersion: DIST_VERSION,
@@ -211,7 +211,7 @@ A sample Playbook is provided as a starting point. The estimated time to create
 		securityStandardVersion: standardVersion
 	});
 
-	const memberStack = new PlaybookMemberStack(app, 'AFSBPMemberStack', {
+	const memberStack = new PlaybookMemberStack(app, 'FSBPMemberStack', {
 		description: `(${SOLUTION_ID}C) ${SOLUTION_NAME} ${standardShortName} ${standardVersion} Compliance Pack - Member Account, ${DIST_VERSION}`,
 		solutionId: SOLUTION_ID,
 		solutionVersion: DIST_VERSION,
@@ -229,7 +229,7 @@ A sample Playbook is provided as a starting point. The estimated time to create
 5. Update test/pci321_stack.test.ts
 6. Update cdk.json to point to the new bin/\*.ts name
 7. ssmdocs/scripts parse script: the example should work for most Standards. Review what it does and make any adjustments.
-8. Update the test script for the parse script. Copy finding json for the Security Standard to use in the test. See AFSBP, CIS for examples.
+8. Update the test script for the parse script. Copy finding json for the Security Standard to use in the test. See FSBP, CIS for examples.
 10. Create the ssmdocs for each control in the ssmdocs folder. This is the runbook that is invoked directly by the Orchestrator.
 11. Update support.txt, README.md, description.txt
 12. Add the Playbook to source/jest.config.js
@@ -532,12 +532,12 @@ The Markdown in the Description for each SSM Document is displayed in the consol
 SHARR-<standard>_<version>_<control>
 ```
 
-* **standard**: abbreviation for the Security Standard. The abbreviation is set in an SSM Parameter, /**/Solutions/SO0111/<name>/<version/shortname**. For example, **/Solutions/SO0111/aws-foundational-security-best-practices/1.0.0/shortname** = **AFSBP**
+* **standard**: abbreviation for the Security Standard. The abbreviation is set in an SSM Parameter, /**/Solutions/SO0111/<name>/<version/shortname**. For example, **/Solutions/SO0111/aws-foundational-security-best-practices/1.0.0/shortname** = **FSBP**
 * **version**: *v*.*r*.*m* - semver format version of the *Security Standard*. Some standards have multiple versions and may not be compatible with other versions.
-* **control**: control Id within the standard. Ex. **2.1** (CIS), **CloudTrail.1** (AFSBP)
+* **control**: control Id within the standard. Ex. **2.1** (CIS), **CloudTrail.1** (FSBP)
 
 ### Example Document Names
-* **SHARR-AFSBP-v1.0.0-CloudTrail.1**
+* **SHARR-FSBP-v1.0.0-CloudTrail.1**
 * **SHARR-CIS-v1.2.0-2.1**
 
 ### Header Template
@@ -619,7 +619,7 @@ Remediation runbooks often support more than one Control. They are called by the
   * Remediation.Output - stdout messages from the remediation
 
   ## Security Standards / Controls
-  * AFSBP v1.0.0: Autoscaling.1
+  * FSBP v1.0.0:  Autoscaling.1
   * CIS v1.2.0:   2.1
   * PCI:          Autoscaling.1
 ```

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.0] - 2024-03-28
+
+### Added
+
+- CloudWatch Dashboard for monitoring solution metrics
+- Remediations will be scheduled in the future to prevent throttling if many remediations are triggered in a short period of time
+- New support for NIST 800-53 standard
+- New remediations for CloudFront.1, CloudFront.12, Codebuild.5, EC2.4, EC2.8, EC2.18, EC2.19, EC2.23, ECR.1, GuardDuty.1 IAM.3, S3.9, S3.11, S3.13, SecretsManager.1, SecretsManager.3, SecretsManager.4, SSM.4
+- Support for customizable input parameters to remediations
+
+### Changed
+
+- Updated AFBSP to FBSP in docs
+- Add HttpEndpoint parameter as enabled for EC2.8 remediation
+- Updated imports for moto 5.0.0
+
+### Fixed
+
+- Disabled AppRegistry functionality in China regions. AppRegistry is not available in those regions.
+- Added missing EventBridge rules for CloudFormation.1, EC2.15, SNS.1, SNS.2, and SQS.1
+- Fixed SC_SNS.2 Not executing due to wrong automation document
+- Fixed RDS.4 remediation failing to remediate due to incorrect regex
+- RDS.4 regex now includes snapshots created by Backup
+- Enable CloudTrail encryption remediation is now a regional remediation
+- Fixed SC_SQS.2 incorrect parameter
+- Fixed SC_EC2.6 message on finding note
+- Added AddTagsToResource to EncryptRDSSnapshot remediation role
+- SNS.2 now works in regions other than where the roles are deployed
+- Updated SNS.1 parameter to TopicArn instead of SNSTopicArn
+- SC_RDS.1 regex now includes snapshots
+- Fixed certain remediations failing in opt-in regions due to STS token endpoint
+- Rules for CIS 1.4.0 no longer match on CIS 1.2.0 generator ID
+- Fixed S3.6 creating malformed policy when all principals are "*"
+
+### Security
+
+- Upgraded urllib3
+
 ## [2.0.2] - 2023-10-24
 
 ### Security
@@ -25,7 +63,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - New remediations contributed by 6Pillars: CIS v1.2.0 1.20
-- New AFSBP remediations for CloudFormation.1, EC2.15, SNS.1, SNS.2, SQS.1
+- New AWS FSBP remediations for CloudFormation.1, EC2.15, SNS.1, SNS.2, SQS.1
 - Service Catalog AppRegistry integration
 - New support for Security Controls, finding deduplication
 - New support for CIS v1.4.0 standard
@@ -44,7 +82,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Reverted SSM document custom resource provider to resolve intermittent deployment errors
-- Fixed bug in AFSBP AutoScaling.1 and PCI.AutoScaling.1 remediation regexes
+- Fixed bug in AWS FSBP AutoScaling.1 and PCI.AutoScaling.1 remediation regexes
 
 ## [1.5.0] - 2022-05-31
 
@@ -74,7 +112,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- Bug fixes for AFSBP EC2.1, CIS 3.x
+- Bug fixes for AWS FSBP EC2.1, CIS 3.x
 - Separated Member roles from the remediations so that roles can be deployed once per account
 - Roles are now global
 - Cross-region remediation is now supported
@@ -87,7 +125,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added a get_approval_requirement lambda that customers can use to implement custom business logic
 - Added the ability for customers to route findings to an alterate runbook when the finding meets criteria. For example,
   potentially destructive remediations can be sent to a runbook that sends the finding data to Incident Manager.
-- New remediation for AFSBP & PCI S3.5
+- New remediation for AWS FSBP & PCI S3.5
 
 ## [1.3.2] - 2021-11-09
 
@@ -108,7 +146,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- New AWS Foundational Best Practices (AFSBP) support: EC2.6, IAM.7-8, S3.1-3
+- New AWS Foundational Best Practices (FSBP) support: EC2.6, IAM.7-8, S3.1-3
 - New CIS v1.2.0 support: 2.1, 2.7, 3.1-14
 - New PCI-DSS v3.2.1 Playbook support for 17 controls (see IG for details)
 - Library of remediation SSM Automation runbooks
@@ -136,13 +174,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- New AFSBP playbook with 12 new remediations
+- New FSBP playbook with 12 new remediations
 - New Lambda Layer for use by solution lambdas
 - New Playbook architecture: Step Function, microservice Lambdas, Systems Manager runbooks
 - Corrected anonymous metrics to log only on final state (FAILED or RESOLVED)
 - Added logging to put anonymous metrics in solution logs as an audit trail
 - Corrected the anonymous metrics UUID to use standard 8-4-4-4-12 format
-- Encrypted CloudWatch logs for AFSBP state machine
+- Encrypted CloudWatch logs for FSBP state machine
 
 ### Changed
 

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -35,22 +35,47 @@ ts-jest under the MIT License
 ts-node under the MIT License
 typescript under the Apache License 2.0
 
+attrs under the MIT License
 aws-lambda-powertools under the MIT License
+awscli under the Apache License 2.0
 boto3 under the Apache License 2.0
 boto3-stubs-lite under the MIT License
 botocore under the Apache License 2.0
+botocore-stubs under the MIT License
+cffi under the MIT License
+colorama under the BSD 3-Clause "New" or "Revised" License
+coverage under the Apache License 2.0
+cryptography under the Apache License 2.0
+docutils under the Creative Commons Public Domain Dedication
+exceptiongroup under the MIT License
+iniconfig under the MIT License
+Jinja2 under the BSD 3-Clause "New" or "Revised" License
 jmespath under the MIT License
+MarkupSafe under the BSD 3-Clause "New" or "Revised" License
 moto under the Apache License 2.0
+mypy-boto3-s3 under the MIT License
 pip under the MIT License
+pluggy under the MIT License
+py-partiql-parser under the MIT License
+pyasn1 under the BSD 2-Clause "Simplified" License
+pycparser under the BSD 3-Clause "New" or "Revised" License
 pytest under the MIT License
 pytest-cov under the MIT License
 pytest-env under the MIT License
 pytest-mock under the MIT License
-python-dateutil under the Apache License 2.0 and the BSD 3-Clause
+python-dateutil under the Apache License 2.0 and the BSD 3-Clause "New" or "Revised" License
+responses under the Apache License 2.0
+rsa under the Apache License 2.0
 s3transfer under the Apache License 2.0
 setuptools under the MIT License
 six under the MIT License
+tomli under the MIT License
+types-PyYAML under the Apache License 2.0
+types-awscrt under the MIT License
+types-s3transfer under the MIT License
+typing_extensions under the Python Software Foundation License 2.0
 urllib3 under the MIT License
+Werkzeug under the BSD 3-Clause "New" or "Revised" License
 virtualenv under the MIT License
 Jinja2 under the BSD 3-Clause
 MarkupSafe under the BSD 3-Clause
@@ -73,4 +98,33 @@ types-PyYAML under the Apache License 2.0
 types-awscrt under the MIT License
 types-s3transfer under the MIT License
 typing_extensions under the  Python Software Foundation License
-xmltodict under the MIT License
+xmltodict under the MIT License
+aiohttp under the Apache License 2.0
+aiosignal under the Apache License 2.0
+async-timeout under the Apache License 2.0
+black under the MIT License
+cachetools under the MIT License
+click under the BSD 3-Clause
+distlib under the Python Software Foundation License
+docker under the Apache License 2.0
+flake8 under the MIT License
+frozenlist under the Apache License 2.0
+isort under the MIT License
+mccabe under the MIT License
+multidict under the Apache License 2.0
+mypy-boto3-cloudformation under the MIT License
+mypy-boto3-cloudfront under the MIT License
+mypy-boto3-cloudwatch under the MIT License
+mypy-boto3-ec2 under the MIT License
+mypy-boto3-iam under the MIT License
+mypy-boto3-sns under the MIT License
+mypy-boto3-ssm under the MIT License
+mypy-boto3-sts under the MIT License
+mypy-extensions under the MIT License
+platformdirs under the MIT License
+pycodestyle under the MIT License
+pyflakes under the MIT License
+pyproject-api under the MIT License
+tox under the MIT License
+types-urllib3 under the Apache License 2.0
+yarl under the Apache License 2.0
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 Feature
 request](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)
 \| [🐛 Bug
-Report](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation%3E/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
+Report](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
 
 Automated Security Response (ASR) on AWS is a solution that enables AWS Security Hub customers to remediate findings
 with a single click using sets of predefined response and remediation actions called Playbooks. The remediations are
@@ -19,6 +19,7 @@ standards:
 - Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0
 - Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0
 - Payment Card Industry (PCI) Data Security Standard (DSS) v3.2.1
+- National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5
 
 A Playbook called Security Control is included that allows operation with AWS Security Hub's Consolidated Control
 Findings feature.
@@ -113,7 +114,7 @@ const standardVersion = "1.1.1"; // DO NOT INCLUDE 'V'
 ```
 
 **standardShortName** can be as you wish. General recommendation is to make it short and meaningful. Ex. PCI, CIS,
-AFSBP. This is the name used in many labels throughout the solution. **standardLongName** must match the
+FSBP. This is the name used in many labels throughout the solution. **standardLongName** must match the
 StandardsControlArn, as _pci-dss_ in the above example. **standardVersion** must match the StandardsControlArn version,
 as _.../v/3.2.1/..._ in the above example.
 
@@ -206,7 +207,7 @@ https://mybucket-reference.s3.amazonaws.com/aws-security-hub-automated-response-
 |-deployment/             [ Scripts used to build, test, and upload templates for the solution ]
 |-simtest/                [ Tool and sample data used to simulate findings for testing ]
 |-source/                 [ Solution source code and tests ]
-  |-LambdaLayers/         [ Common functions used by the Orchestrator and custom resource providers ]
+  |-layer/                [ Common functions used by the Orchestrator and custom resource providers ]
   |-lib/                  [ Solution CDK ]
     |-appregistry/        [ Resources for integration with Service Catalog AppRegistry ]
     |-cdk-helper/         [ CDK helper functions ]
@@ -233,7 +234,7 @@ https://mybucket-reference.s3.amazonaws.com/aws-security-hub-automated-response-
 
 ## Collection of operational metrics
 
-This solution collects anonymous operational metrics to help AWS improve the quality of features of the solution. For
+This solution collects anonymized operational metrics to help AWS improve the quality of features of the solution. For
 more information, including how to disable this capability, please see the [Implementation
 Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/collection-of-operational-metrics.html)