Merge pull request #46 from aws-solutions/release/v1.4.0

Release v1.4.0

.github/ISSUE_TEMPLATE/bug_report.md

@@ -22,16 +22,16 @@ assignees: ""
 
 - [ ] Version: [e.g. v1.0.0]
 
-To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "_(SO0158) - The AWS CloudFormation template for deployment of the Amazon CloudWatch Monitoring Framework. Version **v1.0.0**_". You can also find the version from [releases](https://github.com/awslabs/amazon-cloudwatch-monitoring-framework/releases)
+To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, *"(SO0111) AWS Security Hub Automated Response & Remediation Administrator Stack, v1.4.0"*. You can also find the version from [releases](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/releases)
 
 - [ ] Region: [e.g. us-east-1]
 - [ ] Was the solution modified from the version published on this repository?
 - [ ] If the answer to the previous question was yes, are the changes available on GitHub?
 - [ ] Have you checked your [service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) for the sevices this solution uses?
-- [ ] Were there any errors in the CloudWatch Logs? [How to enable debug mode?](https://docs.aws.amazon.com/solutions/latest/amazon-cloudwatch-monitoring-framework/troubleshooting.html)
+- [ ] Were there any errors in the CloudWatch Logs? [Troubleshooting](https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/troubleshooting.html)
 
 **Screenshots**
 If applicable, add screenshots to help explain your problem (please **DO NOT include sensitive information**).
 
 **Additional context**
-Add any other context about the problem here.
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/documentation-improvements.md

@@ -14,4 +14,4 @@ assignees: ""
 
 **Describe how we could make it clearer**
 
-**If you have a proposed update, please share it here**
+**If you have a proposed update, please share it here**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -16,4 +16,4 @@ assignees: ""
 
 **Additional context**
 
-<!--- Add any other context or screenshots about the feature request here -->
+<!--- Add any other context or screenshots about the feature request here -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,4 +3,4 @@
 *Description of changes:*
 
 
-By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
+By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

CHANGELOG.md

@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.0] - 2021-12-13
+
+### Changed
+- Bug fixes for AFSBP EC2.1, CIS 3.x
+- Separated Member roles from the remediations so that roles can be deployed once per account
+- Roles are now global
+- Cross-region remediation is now supported
+- Deployment using stacksets is documented in the IG and supported by the templates
+- Member account roles for remediation runbooks are now retained when the stack is deleted so that remediations that use these roles continue to function if the solution is removed
+
+### Added
+- Added a get_approval_requirement lambda that customers can use to implement custom business logic
+- Added the ability for customers to route findings to an alterate runbook when the finding meets criteria. For example, potentially destructive remediations can be sent to a runbook that sends the finding data to Incident Manager.
+- New remediation for AFSBP & PCI S3.5
+
 ## [1.3.2] - 2021-11-09
 - Corrected CIS 3.1 filter pattern
 - Corrected SNS Access Policy for SO0111-SHARR-LocalAlarmNotification

CONTRIBUTING.md

@@ -11,7 +11,7 @@ information to effectively respond to your bug report or contribution.
 
 We welcome you to use the GitHub issue tracker to report bugs or suggest features.
 
-When filing an issue, please check [existing open](https://github.com/awslabs/%%SOLUTION_NAME%%/issues), or [recently closed](https://github.com/awslabs/%%SOLUTION_NAME%%/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
+When filing an issue, please check [existing open](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues), or [recently closed](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
 reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
 
 * A reproducible test case or series of steps
@@ -41,7 +41,7 @@ GitHub provides additional document on [forking a repository](https://help.githu
 
 
 ## Finding contributions to work on
-Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/%%SOLUTION_NAME%%/labels/help%20wanted) issues is a great place to start.
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/labels/help%20wanted) issues is a great place to start.
 
 
 ## Code of Conduct
@@ -56,6 +56,6 @@ If you discover a potential security issue in this project we ask that you notif
 
 ## Licensing
 
-See the [LICENSE](https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/blob/main/LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
+See the [LICENSE](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/blob/main/LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
 
 We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

README.md

@@ -3,9 +3,9 @@
 [🚀 Solution Landing
 Page](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/)
 \| [🚧 Feature
-request](https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)
+request](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)
 \| [🐛 Bug
-Report](https://github.com/awslabs/aws-security-hub-automated-response-and-remediation%3E/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
+Report](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation%3E/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
 
 Note: If you want to use the solution without building from source, navigate to
 Solution Landing Page
@@ -89,13 +89,13 @@ Clone or download the repository to a local directory on your linux client. Note
 **Git Clone example:**
 
 ```bash
-git clone https://github.com/awslabs/aws-security-hub-automated-response-and-remediation.git
+git clone https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation.git
 ```
 
 **Download Zip example:**
 
 ```bash
-wget https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/archive/main.zip
+wget https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/archive/main.zip
 ```
 
 ### Custom Playbooks
@@ -230,4 +230,4 @@ this capability, please see the
 # License
 
 See license
-[here](https://github.com/awslabs/aws-security-hub-automated-response-and-remediation/blob/main/LICENSE.txt)
+[here](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/blob/main/LICENSE.txt)

deployment/build-s3-dist.sh

@@ -22,6 +22,13 @@
 # choose the latest AWS Solutions Constructs version.
 required_cdk_version=1.132.0
 
+# Get reference for all important folders
+template_dir="$PWD"
+template_dist_dir="$template_dir/global-s3-assets"
+build_dist_dir="$template_dir/regional-s3-assets"
+source_dir="../source"
+temp_work_dir="${template_dir}/temp"
+
 # Functions to reduce repetitive code
 # do_cmd will exit if the command has a non-zero return code.
 do_cmd () {
@@ -40,25 +47,43 @@ do_replace() {
     do_cmd sed -i '' -e $replace $file
 }
 
+clean() {
+    echo "------------------------------------------------------------------------------"
+    echo "[Init] Clean old dist, node_modules and bower_components folders"
+    echo "------------------------------------------------------------------------------"
+    do_cmd rm -rf $template_dist_dir
+    do_cmd rm -rf $build_dist_dir
+    do_cmd rm -rf $temp_work_dir
+    do_cmd rm -rf ${template_dir}/${source_dir}/node_modules
+    cd $source_dir
+    # remove node_modules
+    find . -name node_modules | while read file;do rm -rf $file; done
+    cd $template_dir
+}
+
 #------------------------------------------------------------------------------
 # Validate command line parameters
 #------------------------------------------------------------------------------
 # Validate command line input - must provide bucket
 # Command line from the buildspec is, by convention:
 # chmod +x ./build-s3-dist.sh && ./build-s3-dist.sh $DIST_OUTPUT_BUCKET $SOLUTION_NAME $VERSION $DEVBUILD
 
-while getopts ":b:v:t:h" opt;
+while getopts ":b:v:tch" opt;
 do
     case "${opt}" in
         b ) bucket=${OPTARG};;
         v ) version=${OPTARG};;
-        t ) devtest=${OPTARG};;
-        h )
-            echo "Usage: $0 -b <bucket> [-v <version>] [-t DEVTEST]"
+        t ) devtest=1;;
+        c) 
+            clean
+            exit 0
+            ;;
+        *)
+            echo "Usage: $0 -b <bucket> [-v <version>] [-t]"
             echo "Version must be provided via a parameter or ../version.txt. Others are optional." 
-            echo "-t DEVTEST indicates this is a pre-prod build and instructs the build to use a non-prod Solution ID, DEV-SOxxxx"
+            echo "-t indicates this is a pre-prod build and instructs the build to use a non-prod Solution ID, DEV-SOxxxx"
             echo "Production example: ./build-s3-dist.sh -b solutions -v v1.0.0"
-            echo "Dev example: ./build-s3-dist.sh -b solutions -v v1.0.0 -t DEVTEST"  
+            echo "Dev example: ./build-s3-dist.sh -b solutions -v v1.0.0 -t"  
             exit 1 
             ;;
     esac
@@ -77,6 +102,8 @@ echo "export DIST_OUTPUT_BUCKET=$bucket" > ./setenv.sh
 # Version from the command line is definitive. Otherwise, use version.txt
 if [[ ! -z "$version" ]]; then
     echo Version is $version from the command line
+elif ( command -v jq ) && [[ -f ${template_dir}/${source_dir}/package.json ]]; then
+    version=`cat ${template_dir}/${source_dir}/package.json | jq -r .version`
 elif [[ -e ../source/version.txt ]]; then
     version=`cat ../source/version.txt`
     echo Version is $version from ../source/version.txt
@@ -146,51 +173,23 @@ echo "==========================================================================
 echo "Building $SOLUTION_NAME ($SOLUTION_ID) version $version for bucket $bucket"
 echo "=========================================================================="
 
-# Get reference for all important folders
-template_dir="$PWD"
-template_dist_dir="$template_dir/global-s3-assets"
-build_dist_dir="$template_dir/regional-s3-assets"
-source_dir="$template_dir/../source"
-temp_work_dir="${template_dir}/temp"
+clean
 
 echo "------------------------------------------------------------------------------"
-echo "[Init] Clean old dist, node_modules and bower_components folders"
+echo "[Init] Create folders"
 echo "------------------------------------------------------------------------------"
-do_cmd rm -rf $template_dist_dir
 do_cmd mkdir -p $template_dist_dir
-do_cmd rm -rf $build_dist_dir
 do_cmd mkdir -p $build_dist_dir
-do_cmd rm -rf $temp_work_dir
 do_cmd mkdir -p $temp_work_dir
-
-echo "------------------------------------------------------------------------------"
-echo "[Init] Create folders"
-echo "------------------------------------------------------------------------------"
-mkdir ${build_dist_dir}/lambda
-mkdir -p ${template_dist_dir}/playbooks
-
-echo "------------------------------------------------------------------------------"
-echo "[Copy] Copy source to temp, remove unwanted files"
-echo "------------------------------------------------------------------------------"
-do_cmd cp -r $source_dir $temp_work_dir # make a copy to work from
-cd $temp_work_dir
-# remove node_modules
-find . -name node_modules | while read file;do rm -rf $file; done
-# remove package-lock.json
-find . -name package-lock.json | while read file;do rm $file; done
-
-# Propagate the $required_cdk_version to all of the package.json files.
-# This makes it very simple to update the version by changing the value above.
-cd $temp_work_dir/source
-find . -name package.json | while read package; do
-    do_replace $package "###CDK###" $required_cdk_version
-done
+do_cmd mkdir ${build_dist_dir}/lambda
+do_cmd mkdir -p ${template_dist_dir}/playbooks
 
 echo "------------------------------------------------------------------------------"
 echo "[Install] CDK"
 echo "------------------------------------------------------------------------------"
 
-cd $temp_work_dir/source
+# cd $temp_work_dir/source
+cd $source_dir
 do_cmd npm install      # local install per package.json
 do_cmd npm install aws-cdk@$required_cdk_version
 export PATH=$(npm bin):$PATH
@@ -207,9 +206,16 @@ echo "--------------------------------------------------------------------------
 echo "[Pack] Lambda Layer (used by playbooks)"
 echo "------------------------------------------------------------------------------"
 cd $template_dir
+do_cmd cp -r $source_dir $temp_work_dir # make a copy to work from
+cd $temp_work_dir
+# remove node_modules
+find . -name node_modules | while read file;do rm -rf $file; done
+# remove package-lock.json
+find . -name package-lock.json | while read file;do rm $file; done
+
 mkdir -p $temp_work_dir/source/solution_deploy/lambdalayer/python
-cp $source_dir/LambdaLayers/*.py $temp_work_dir/source/solution_deploy/lambdalayer/python
-pip install -r ./requirements.txt -t $temp_work_dir/source/solution_deploy/lambdalayer/python
+cp ${template_dir}/${source_dir}/LambdaLayers/*.py $temp_work_dir/source/solution_deploy/lambdalayer/python
+pip install -r $template_dir/requirements.txt -t $temp_work_dir/source/solution_deploy/lambdalayer/python
 cd $temp_work_dir/source/solution_deploy/lambdalayer
 zip --recurse-paths ${build_dist_dir}/lambda/layer.zip python
 
@@ -226,7 +232,7 @@ do_cmd cp ../../LambdaLayers/*.py .
 echo "------------------------------------------------------------------------------"
 echo "[Pack] Orchestrator Lambdas"
 echo "------------------------------------------------------------------------------"
-cd $template_dir
+# cd $template_dir
 cd $temp_work_dir/source/Orchestrator
 ls | while read file; do 
     if [ ! -d $file ]; then
@@ -240,12 +246,12 @@ do_cmd cp ../LambdaLayers/*.py .
 echo "------------------------------------------------------------------------------"
 echo "[Create] Playbooks"
 echo "------------------------------------------------------------------------------"
-for playbook in `ls ${temp_work_dir}/source/playbooks`; do
-    if [ $playbook == 'NEWPLAYBOOK' ]; then
+for playbook in `ls ${template_dir}/${source_dir}/playbooks`; do
+    if [ $playbook == 'NEWPLAYBOOK' ] || [ $playbook == '.coverage' ]; then
         continue
     fi
     echo Create $playbook playbook
-    do_cmd cd $temp_work_dir/source/playbooks/${playbook}
+    do_cmd cd ${template_dir}/${source_dir}/playbooks/${playbook}
         for template in `cdk list`; do
         echo Create $playbook template $template
         # do_cmd npm run build
@@ -257,7 +263,7 @@ echo "--------------------------------------------------------------------------
 echo "[Create] Deployment Templates"
 echo "------------------------------------------------------------------------------"
 # Don't build the deployment template until AFTER the playbooks
-cd $temp_work_dir/source/solution_deploy
+cd ${template_dir}/${source_dir}/solution_deploy
 
 # Output YAML - this is currently the only way to do this for multiple templates
 for template in `cdk ls`; do
@@ -273,5 +279,6 @@ mv ${template_dist_dir}/SolutionDeployStack.template ${template_dist_dir}/aws-sh
 mv ${template_dist_dir}/MemberStack.template ${template_dist_dir}/aws-sharr-member.template
 mv ${template_dist_dir}/RunbookStack.template ${template_dist_dir}/aws-sharr-remediations.template
 mv ${template_dist_dir}/OrchestratorLogStack.template ${template_dist_dir}/aws-sharr-orchestrator-log.template
+mv ${template_dist_dir}/MemberRoleStack.template ${template_dist_dir}/aws-sharr-member-roles.template
 
 echo Build Complete