Commit
feature: Refactor AWS Security Hub configuration
marwinbaumannsbp committed Jul 24, 2023
1 parent 83739a8 commit 844c71a
Showing 6 changed files with 134 additions and 52 deletions.
4 changes: 2 additions & 2 deletions CHANGELOG.md
Expand Up @@ -483,9 +483,9 @@ ENHANCEMENTS
BUG FIXES

- Add `endpoint_auto_confirms` variable to the AWS Config SNS topic ([#62](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/62)) ([#64](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/64))
-
-
- Modify accountID of the AWS Config SNS topic ([#65](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/65))
-
-

## v0.4.4 - 2021-01-05

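Review bot: the only CHANGELOG change in this commit is whitespace tidying in the old BUG FIXES block around line 483; nothing records the v1.0.0 changes that UPGRADING.md in this same commit describes (the `aws_security_hub` variable replacing `aws_security_hub_product_arns`, `security_hub_standards_arns` and `security_hub_create_cis_metric_filters`, plus the new `auto_enable_default_standards` and `control_finding_generator` defaults). Add a v1.0.0 entry that points at UPGRADING.md so consumers pinning this module see the default-behaviour change before they bump the version.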
14 changes: 14 additions & 0 deletions README.md
Expand Up @@ -153,6 +153,20 @@ The module creates 3 AWS KMS keys, one for the master account, one for the audit

Note that you have to add additional policies allowing for example access to the pipeline user or role. Only applying this policy will result in a `The new key policy will not allow you to update the key policy in the future` exception.

### AWS Security Hub

This module supports enabling Security Hub at the organization level which means that all new accounts that are created in, or added to, the organization are added as member accounts to the `audit` account Security Hub delegated administrator.

The feature can be controlled via the `aws_security_hub` variable and is enabled by default.

Note: by default `auto-enable default standards` has been turned off since the default standards are not updated regularly enough. At time of writing only the `AWS Foundational Security Best Practices v1.0.0 standard` and the `CIS AWS Foundations Benchmark v1.2.0` are enabled by [by default](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html) while this module enables the following standards:

- `AAS Foundational Security Best Practices v1.0.0`
- `CIS AWS Foundations Benchmark v1.4.0`
- `PCI DSS v3.2.1`

The enabling of the standards in all member account is controlled via [mcaf-account-baseline](https://github.com/schubergphilis/terraform-aws-mcaf-account-baseline).

### AWS SSO

This module supports managing AWS SSO resources to control user access to all accounts belonging to the AWS Organization.
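Review bot: the added AWS Security Hub section has three wording slips in the new lines: `AAS Foundational Security Best Practices v1.0.0` should read `AWS Foundational Security Best Practices v1.0.0` (the matching ARN in locals.tf is `aws-foundational-security-best-practices`), "enabled by [by default]" doubles the word, and "in all member account" should be "in all member accounts". More useful to a consumer than "controlled via the `aws_security_hub` variable" would be a list of the attributes this commit introduces elsewhere in the diff (`auto_enable_controls`, `auto_enable_default_standards`, `control_finding_generator`, `create_cis_metric_filters`, `override_standards_arns`, `product_arns`) and a note that `override_standards_arns` replaces the default list wholesale rather than extending it.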
82 changes: 56 additions & 26 deletions UPGRADING.md
@@ -1,31 +1,61 @@
# Upgrading to 0.25.x
# Upgrading Notes

This document captures breaking changes.

## Upgrading to v1.0.0

### Behaviour

#### auto-enable default standards

Before v1.0.0 `auto-enable default standards` was enabled by default. This version modifies this behaviour to disabled by default (controlled via `var.aws_security_hub.auto_enable_default_standards`) since the default standards are not updated regularly enough. At time of writing only the `AWS Foundational Security Best Practices v1.0.0 standard` and the `CIS AWS Foundations Benchmark v1.2.0` are enabled by [by default](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html) while this module enables the following standards:

- `AAS Foundational Security Best Practices v1.0.0`
- `CIS AWS Foundations Benchmark v1.4.0`
- `PCI DSS v3.2.1`

The enabling of the standards in all member account is now controlled via [mcaf-account-baseline](https://github.com/schubergphilis/terraform-aws-mcaf-account-baseline).

#### control finding generator

Before v1.0.0 the AWS Security Hub control finding generator was not managed, which meant that the default `SECURITY_CONTROL` is used. This setting generates a single finding for a control check even when the check applies to multiple enabled standards. Since [terraform-aws-mcaf-securityhub-findings-manager](https://github.com/schubergphilis/terraform-aws-mcaf-securityhub-findings-manager) requires separates findings, the default (controlled via `var.aws_security_hub.control_finding_generator`) has been set to `STANDARD_CONTROL` to ensure compatibility.

### Variables

The following variables have been replaced by a new variable `aws_security_hub`:

- `aws_security_hub_product_arns` -> `aws_security_hub.product_arns`
- `security_hub_standards_arns` -> `aws_security_hub.override_standards_arns`
- `security_hub_create_cis_metric_filters` -> `aws_security_hub.create_cis_metric_filters`

## Upgrading to v0.25.x

Version `0.25.x` has added support for specifying a kms_key_id in the `var.additional_auditing_trail`. This variable is mandatory, if you already have additional cloudtrail configurations created using this variable encryption is now mandatory.

```hcl
module "landing_zone"
...
...
additional_auditing_trail = {
name = "audit-trail-name"
bucket = "audit-trail-s3-bucket-name"
kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
...
}
```

# Upgrading to 0.24.x
## Upgrading to v0.24.x

Version `0.24.x` changes the AWS nested providers to provider aliases. Define the providers outside the module and reference them when calling this module. For an example, see `examples/basic`.

# Upgrading to 0.23.x
## Upgrading to v0.23.x

Version `0.23.x` introduces a change in behaviour of AWS Config:

- By default the `aggregator_regions` were set to eu-west-1 and eu-central-1, this has been changed to only enable the current region. Provide a list of regions to `var.aws_config.aggregator_regions` if you want to enable AWS Config in multiple regions.
- Previously the `aws-controltower-logs` bucket was used to store CloudTrail and AWS Config logs, this version introduces a separate bucket for AWS Config. You are able to override the bucket name by setting `var.aws_config.delivery_channel_s3_bucket_name`.

# Upgrading to 0.21.x
## Upgrading to v0.21.x

Version `0.21.x` introduces exceptions for IAM entities on the `DenyDisablingSecurityHub` and `DenyLeavingOrg` SCP. The following variables have been merged into a new variable `aws_service_control_policies`:

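Review bot: the v1.0.0 section documents the variable rename and the two default changes but not the plan impact of this commit's security_hub.tf changes: `aws_securityhub_standards_subscription.management` and `aws_securityhub_standards_subscription.logging` are new resources, so the standards list gets subscribed in the management and logging accounts on the first apply, and `enable_default_standards` on `aws_securityhub_account` in the management and audit accounts now follows `var.aws_security_hub.auto_enable_default_standards`, which defaults to false. Check how the provider handles a change of `enable_default_standards` on an existing `aws_securityhub_account` (if it forces replacement, upgrading would disable and re-enable Security Hub in those accounts) and state the result here together with the mitigation, for example setting `aws_security_hub.auto_enable_default_standards = true` to keep the pre-1.0.0 behaviour. The same typos as in README.md also appear in the new lines: `AAS` for `AWS`, "by [by default]", "member account".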
Expand All @@ -35,7 +65,7 @@ Version `0.21.x` introduces exceptions for IAM entities on the `DenyDisablingSec
- `aws_region_restrictions`
- `aws_require_imdsv2`

# Upgrading to 0.20.x
## Upgrading to v0.20.x

Resources managing permission sets in AWS IAM Identity Center have been moved to a sub-module, meaning you will need to create `moved` blocks to update the state. The user interface remains unchanged.

Expand Down Expand Up @@ -89,11 +119,11 @@ Repeat adding these `moved` blocks until `terraform plan` doesn't report any pla

This version requires Terraform 1.3 or newer.

# Upgrading to 0.19.x
## Upgrading to v0.19.x

Be aware that all tag policies will be recreated since they are now created per tag policy instead of per OU.

# Upgrading to 0.18.x
## Upgrading to v0.18.x

Version 0.18.x allows Tag Policies on nested Organizational units. Therefore the variable `aws_required_tags` needs the Organizational unit paths including 'Root', e.g.:

Expand All @@ -116,7 +146,7 @@ module "landing_zone" {
}
```

# Upgrading to 0.17.x
## Upgrading to v0.17.x

The following variables are now typed from string to list(string):

Expand All @@ -143,7 +173,7 @@ The following default key policy has been removed from the audit KMS key and a m

If this new key policy is too restrictive for your deployment add extra key policies statements using the `kms_key_policy_audit` variable.

# Upgrading to 0.16.x
## Upgrading to v0.16.x

Version `0.16` adds support for [AWS provider version 4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade)

Expand All @@ -164,19 +194,19 @@ terraform import 'module.landing_zone.module.ses-root-accounts-mail-forward[0].m

```

# Upgrading to 0.15.x
## Upgrading to v0.15.x

Version `0.15` adds an optional mail forwarder using Amazon SES. Adding the `ses_root_accounts_mail_forward` variable creates the necessary resources to accept mail sent to a verified email address and forward it to an external recipient or recipients. Due to the usage of `configuration_aliases` in the provider configurations of some submodules, this module now requires to use Terraform version 1.0.0 or higher.

# Upgrading to 0.14.x
## Upgrading to v0.14.x

Version `0.14.x` introduces an account level S3 public access policy that blocks public access to all S3 buckets in the landing zone core accounts. Please make sure you have no S3 buckets that require public access in any of the landing zone core accounts before upgrading.

# Upgrading to 0.13.x
## Upgrading to v0.13.x

Version `0.13.x` adds support for managed policies. This required changing the variable `aws_sso_permission_sets` where each permission set now requires an additional field called `managed_policy_arns` which must be a list of strings or can be an empty list.

# Upgrading to 0.12.x
## Upgrading to v0.12.x

Version `0.12.x` automatically sets the audit account as security hub administrator account for the organization and automatically enables Security Hub for new accounts in the organization. In case you already configured this manually please import these resources:

Expand All @@ -185,17 +215,17 @@ terraform import aws_securityhub_organization_admin_account.default <account id
terraform import aws_securityhub_organization_configuration.default <account id of the audit account>
```

# Upgrading to 0.11.x
## Upgrading to v0.11.x

Version `0.11.x` adds additional IAM activity monitors, these will be created automatically if you have the cis-aws-foundations-benchmark standard enabled. To disable the creation of these monitors set the variable `security_hub_create_cis_metric_filters` to false.

# Upgrading to 0.10.x
## Upgrading to v0.10.x

Version `0.10.x` adds the possibility of assigning the same SSO Permission Set to different groups of accounts and SSO Groups. For example, the permission set `Administrator` can be assigned to group A for account 123 and for group B for account 456.

This required changing the variable `aws_sso_permission_sets` where the `accounts` attribute was renamed to `assignments` and changed to a list.

# Upgrading to 0.9.x
## Upgrading to v0.9.x

Removal of the local AVM module. Modify the source to the new [MCAF Account Vending Machine (AVM) module](https://github.com/schubergphilis/terraform-aws-mcaf-avm).

Expand Down Expand Up @@ -233,19 +263,19 @@ terraform state mv -state-out=baseline-sandbox.tfstate 'module.sandbox.aws_iam_a
terraform state mv -state-out=baseline-sandbox.tfstate 'module.sandbox.aws_ebs_encryption_by_default.default' 'module.account_baseline.aws_ebs_encryption_by_default.default'
```

# Upgrading to 0.8.x
## Upgrading to v0.8.x

Version `0.8.x` introduces the possibility of managing AWS SSO resources using this module. To avoid a race condition between Okta pushing groups to AWS SSO and Terraform trying to read them using data sources, the `okta_app_saml` resource has been removed from the module.

With this change, all Okta configuration can be managed in the way that best suits the user. It also makes it possible to use this module with any other identity provider that is able to create groups on AWS SSO.

# Upgrading to 0.7.x
## Upgrading to v0.7.x

From version `0.7.0`, the monitoring of IAM entities has changed from Event Bridge Rules to CloudWatch Alarms. This means that passing a list of IAM identities to the variable `monitor_iam_access` is no longer supported.

The name of the SNS Topic used for notifications has also changed from `LandingZone-MonitorIAMAccess` to `LandingZone-IAMActivity`. Since this is a new Topic, all pre-existing SNS Subscriptions should be configured again using the variable `sns_monitor_iam_activity_subscription`.

# Upgrading to 0.5.x
## Upgrading to v0.5.x

Since the `create_workspace` variable was added to the AVM module, resources in the included [terraform-aws-mcaf-workspace](https://github.com/schubergphilis/terraform-aws-mcaf-workspace) module are now stored under `module.workspace[0]`, resulting in a plan wanting to destroy and recreate the existing Terraform Cloud workspace and IAM user used by the workspace which is undesirable.

Expand All @@ -255,20 +285,20 @@ To prevent this happening, simply move the resources in the state to their new l
terraform state mv 'module.sandbox.module.workspace' 'module.sandbox.module.workspace[0]'
```

# Upgrading from v0.1.x to v0.2.x
## Upgrading from v0.1.x to v0.2.x

This section describes changes to be aware of when upgrading from v0.1.x to v0.2.x.

## Enhancements
### Enhancements

### AWS Config Aggregator Accounts
#### AWS Config Aggregator Accounts

Since version `0.2.x` supports multiple account IDs when configuring AWS Config Aggregator accounts, the identifier given to the multiple `aws_config_aggregate_authorization` resources had to change from `region_name` to `account_id-region_name`. This causes the authorizations created by version `0.1.x` to be destroyed and recreated with the new identifiers.

### AWS GuardDuty
#### AWS GuardDuty

In order to enable GuardDuty for the entire organization, all existing accounts except for the `master` and `logging` accounts have to be add as members in the `audit` account like explained [here](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html#guardduty_add_orgs_accounts). If this step is not taken, only the core accounts will have GuardDuty enabled.

### TFE Workspaces
#### TFE Workspaces

TFE Workspaces use version [0.3.0 of the terraform-aws-mcaf-workspace](https://github.com/schubergphilis/terraform-aws-mcaf-workspace/tree/v0.3.0) module which by default creates a Terraform backend file in the repository associated with the workspace.
4 changes: 2 additions & 2 deletions locals.tf
Expand Up @@ -3,7 +3,7 @@ locals {
iam_activity = {
SSO = "{$.readOnly IS FALSE && $.userIdentity.sessionContext.sessionIssuer.userName = \"AWSReservedSSO_*\" && $.eventName != \"ConsoleLogin\"}"
}
cloudtrail_activity_cis_aws_foundations = (local.security_hub_has_cis_aws_foundations_enabled && var.security_hub_create_cis_metric_filters) ? {
cloudtrail_activity_cis_aws_foundations = (local.security_hub_has_cis_aws_foundations_enabled && var.aws_security_hub.create_cis_metric_filters) ? {
RootActivity = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\"}"
UnauthorizedApiCalls = "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}"
IamPolicyChanges = "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}"
Expand All @@ -18,7 +18,7 @@ locals {
RouteTableChange = "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}"
VpcChange = "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
} : {}
security_hub_standards_arns = var.security_hub_standards_arns != null ? var.security_hub_standards_arns : [
security_hub_standards_arns = var.aws_security_hub.override_standards_arns != null ? var.aws_security_hub.override_standards_arns : [
"arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",
"arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
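Review bot: `override_standards_arns` replaces the whole default list when it is non-null rather than being merged with it, and the defaults are built from `data.aws_region.current.name`, so a consumer supplying an override must pass the full set of region-matching ARNs; that deserves a sentence in the variable description and README.md. Also confirm that `local.security_hub_has_cis_aws_foundations_enabled`, used by the CIS metric-filter local in the hunk above, is derived from the resolved `local.security_hub_standards_arns`, so that an override without the CIS ARN also switches off the CIS metric filters.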
41 changes: 35 additions & 6 deletions security_hub.tf
@@ -1,10 +1,15 @@
// AWS Security Hub - Management account configuration and enrollment
resource "aws_securityhub_organization_admin_account" "default" {
admin_account_id = data.aws_caller_identity.audit.account_id
depends_on = [aws_securityhub_account.default]

depends_on = [aws_securityhub_account.default]
}

resource "aws_securityhub_account" "management" {
auto_enable_controls = var.aws_security_hub.auto_enable_controls
control_finding_generator = var.aws_security_hub.control_finding_generator
enable_default_standards = var.aws_security_hub.auto_enable_default_standards

depends_on = [aws_securityhub_organization_configuration.default]
}

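Review bot: `control_finding_generator` is set on the management account's `aws_securityhub_account.management` as well as on the audit account's `aws_securityhub_account.default`. The AWS documentation for this setting states that for accounts that are part of an organization it can only be updated in the administrator account, so once the management account is enrolled as a member (`aws_securityhub_member.management`) a later change to `var.aws_security_hub.control_finding_generator` may fail or leave permanent drift on the management resource; consider setting it only in the audit (delegated administrator) account, or document that it has to be changed before enrollment. Separately, `enable_default_standards` belongs to the enable call rather than to an update, so verify whether the provider forces replacement of `aws_securityhub_account` when it changes, given that its effective default flips to false in this commit.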
Expand All @@ -20,32 +25,48 @@ resource "aws_securityhub_member" "management" {
}
}

resource "aws_securityhub_standards_subscription" "management" {
for_each = toset(local.security_hub_standards_arns)

standards_arn = each.value

depends_on = [aws_securityhub_account.default]
}

// AWS Security Hub - Audit account configuration and enrollment
resource "aws_securityhub_account" "default" {
provider = aws.audit

auto_enable_controls = var.aws_security_hub.auto_enable_controls
control_finding_generator = var.aws_security_hub.control_finding_generator
enable_default_standards = var.aws_security_hub.auto_enable_default_standards
}

resource "aws_securityhub_organization_configuration" "default" {
provider = aws.audit

auto_enable = true
depends_on = [aws_securityhub_organization_admin_account.default]
auto_enable = true
auto_enable_standards = var.aws_security_hub.auto_enable_default_standards ? "DEFAULT" : "NONE"

depends_on = [aws_securityhub_organization_admin_account.default]
}

resource "aws_securityhub_product_subscription" "default" {
for_each = toset(var.aws_security_hub_product_arns)
for_each = toset(var.aws_security_hub.product_arns)
provider = aws.audit

product_arn = each.value
depends_on = [aws_securityhub_account.default]

depends_on = [aws_securityhub_account.default]
}

resource "aws_securityhub_standards_subscription" "default" {
for_each = toset(local.security_hub_standards_arns)
provider = aws.audit

standards_arn = each.value
depends_on = [aws_securityhub_account.default]

depends_on = [aws_securityhub_account.default]
}

resource "aws_cloudwatch_event_rule" "security_hub_findings" {
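Review bot: `aws_securityhub_standards_subscription.management` runs under the default (management account) provider, but its `depends_on` points at `aws_securityhub_account.default`, the audit account resource; nothing orders it after `aws_securityhub_account.management`, which itself waits for the organization configuration, so Terraform may try to subscribe standards in the management account before Security Hub is enabled there. Change it to `depends_on = [aws_securityhub_account.management]`. The `default` product and standards subscriptions are fine as written, since they use `aws.audit` and `aws_securityhub_account.default` is that account.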
Expand Down Expand Up @@ -108,3 +129,11 @@ resource "aws_securityhub_member" "logging" {

depends_on = [aws_securityhub_organization_configuration.default]
}

resource "aws_securityhub_standards_subscription" "logging" {
for_each = toset(local.security_hub_standards_arns)
provider = aws.logging

standards_arn = each.value
depends_on = [aws_securityhub_account.default]
}
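Review bot: same ordering question for `aws_securityhub_standards_subscription.logging`: it uses `aws.logging` but depends on `aws_securityhub_account.default` (audit). Security Hub in the logging account appears to be enabled through membership (`aws_securityhub_member.logging`, which depends on the organization configuration with `auto_enable = true`), so `depends_on = [aws_securityhub_member.logging]` expresses the real prerequisite; with the current dependency the subscription can race the enablement and fail on the first apply.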
