Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi…

README.md

@@ -134,7 +134,7 @@ The table below lists all the supported jobs with their links.
 |   21.  	| 688d093c-3b8d-11eb-adc1-0242ac120002 	|                     S3 bucket should allow only HTTPS requests                    	|             [aws-s3-bucket-policy-allow-https](remediation_worker/jobs/aws_s3_bucket_policy_allow_https)             	|
 |   22.  	| 09639b9d-98e8-493b-b8a4-916775a7dea9 	|            SQS queue policy should restricted access to required users            	|            [aws-sqs-queue-publicly-accessible](remediation_worker/jobs/aws_sqs_queue_publicly_accessible)            	|
 |   23.  	| 1ec4a1f2-3e08-11eb-b378-0242ac130002 	| Network ACL should restrict administration ports (3389 and 22) from public access 	| [aws-ec2-administration-ports-ingress-allowed](remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed) 	|
-|   24.  	| ce603728-d631-4bae-8657-c22da6e5944e | Kinesis data stream should be encrypted                                          	| [kinesis-encrypt-stream](remediation_worker/jobs/kinesis_encrypt_stream) 	|
+|   24.  	| ce603728-d631-4bae-8657-c22da6e5944e | Kinesis data stream should be encrypted  
 |   25.   	|       5c8c263d7a550e1fb6560c39        |            EC2 instance should restrict public access to FTP data port (20)           |                            [ec2-close-port-20](remediation_worker/jobs/ec2_close_port_20)                            	|
 |   26.   	| 4823ede0-7bed-4af0-a182-81c2ada80203  |            EC2 instance should restrict public access to Kibana (5601)            	|                            [ec2-close-port-5601](remediation_worker/jobs/ec2_close_port_5601)                            |
 |   27.   	|       5c8c26427a550e1fb6560c41     |               EC2 instance should restrict public access to MySQL server port (3306)     |                            [ec2-close-port-3306](remediation_worker/jobs/ec2_close_port_3306)                            |
@@ -146,6 +146,9 @@ The table below lists all the supported jobs with their links.
 |   33.   	|       5c8c26427a550e1fb6560c40     |               EC2 instance should restrict public access to MongoDB port (27017)         |                            [ec2-close-port-27017](remediation_worker/jobs/ec2_close_port_27017)                          |
 |   34.   	|       5c8c26407a550e1fb6560c3c     |               EC2 instance should restrict public access to TCP port (8080)            	|                            [ec2-close-port-8080](remediation_worker/jobs/ec2_close_port_8080)                            |
 |   35.   	|       5c8c26447a550e1fb6560c44     |               EC2 instance should restrict public access to Redshift port (5439)         |                            [ec2-close-port-5439](remediation_worker/jobs/ec2_close_port_5439)                            	|
+|   36.  	| 2cdb8877-7ac3-4483-9ed0-1e792171d125 	| EBS volume snapshot should be private                                                 | [ebs-private-snapshot](remediation_worker/jobs/ebs_private_snapshot) 	|
+|   37.  	| 5c8c26467a550e1fb6560c48              | RDS instance should restrict public access                                            | [rds-remove-public-endpoint](remediation_worker/jobs/rds_remove_public_endpoint) 	|
+|   38.  	| 5c8c264a7a550e1fb6560c4c              | RDS should have automatic minor version upgrades enabled                              | [rds-enable-version-update](remediation_worker/jobs/rds_enable_version_update) 	|
 
 ## Contributing
 The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).

remediation_worker/jobs/ebs_private_snapshot/README.md

@@ -0,0 +1,75 @@
+# Configure the EBS volume snapshot as private.
+
+This job makes an EBS snapshot private by removing the keyword 'all' from GroupNames. 
+
+## Getting Started
+
+##### Rule ID:
+2cdb8877-7ac3-4483-9ed0-1e792171d125
+
+##### Rule Name:
+EBS volume snapshot should be private
+
+### Prerequisites
+
+The provided AWS credential must have permissions that listed in the policy file [here](minimum_policy.json)
+
+### Running the script
+
+You may run this script using following commands:
+```shell script
+  pip install -r ../../requirements.txt
+  python3 ebs_private_snapshot.py "`cat finding.json`"
+```
+  where finding.json has volume id and region info:
+  ```json
+  {
+    "notificationInfo": {
+        "FindingInfo": {
+            "ObjectId": "snap-047ed496ef688a585",
+            "Region": "us-west-2"
+        }
+    }
+}
+```
+
+## Running the tests
+You may run test using following command under vss-remediation-worker-job-code-python directory:
+```shell script
+    python3 -m pytest test
+```
+
+## Deployment
+1. Provision a Virtual Machine
+Create an EC2 instance to use for the worker. The minimum required specifications are 128 MB memory and 1/2 Core CPU.
+2. Setup Docker
+Install Docker on the newly provisioned EC2 instance. You can refer to the [docs here](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html) for more information.
+3. Deploy the worker image
+SSH into the EC2 instance and run the command below to deploy the worker image:
+```shell script
+  docker run --rm -it --name worker \
+  -e VSS_CLIENT_ID={ENTER CLIENT ID}
+  -e VSS_CLIENT_SECRET={ENTER CLIENT SECRET} \
+  vmware/vss-remediation-worker:latest-python
+```
+
+
+## Contributing
+The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).
+All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.
+
+For more detailed information, refer to [CONTRIBUTING.md](../../../CONTRIBUTING.md).
+
+## Versioning
+
+We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/vmware-samples/secure-state-remediation-jobs/tags).
+
+## Authors
+
+* **VMware Secure State** - *Initial work*
+
+See also the list of [contributors](https://github.com/vmware-samples/secure-state-remediation-jobs/contributors) who participated in this project.
+
+## License
+
+This project is licensed under the Apache License - see the [LICENSE](https://github.com/vmware-samples/secure-state-remediation-jobs/blob/master/LICENSE.txt) file for details

remediation_worker/jobs/ebs_private_snapshot/constraints.txt

@@ -0,0 +1,43 @@
+docutils==0.15.2 \
+    --hash=sha256:6c4f696463b79f1fb8ba0c594b63840ebd41f059e92b31957c46b74a4599b6d0 \
+    --hash=sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827 \
+    --hash=sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99
+jmespath==0.10.0 \
+    --hash=sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9 \
+    --hash=sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f
+python-dateutil==2.8.1 \
+    --hash=sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c \
+    --hash=sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a
+s3transfer==0.3.3 \
+    --hash=sha256:2482b4259524933a022d59da830f51bd746db62f047d6eb213f2f8855dcb8a13 \
+    --hash=sha256:921a37e2aefc64145e7b73d50c71bb4f26f46e4c9f414dc648c6245ff92cf7db
+urllib3==1.25.9 \
+    --hash=sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527 \
+    --hash=sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115
+six==1.15.0 \
+    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
+    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+packaging==20.4 \
+    --hash=sha256:4357f74f47b9c12db93624a82154e9b120fa8293699949152b22065d556079f8 \
+    --hash=sha256:998416ba6962ae7fbd6596850b80e17859a5753ba17c32284f67bfff33784181
+attrs==19.3.0 \
+    --hash=sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c \
+    --hash=sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72
+more-itertools==8.4.0 \
+    --hash=sha256:68c70cc7167bdf5c7c9d8f6954a7837089c6a36bf565383919bb595efb8a17e5 \
+    --hash=sha256:b78134b2063dd214000685165d81c154522c3ee0a1c0d4d113c80361c234c5a2
+pluggy==0.13.1 \
+    --hash=sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0 \
+    --hash=sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d
+py==1.9.0 \
+    --hash=sha256:366389d1db726cd2fcfc79732e75410e5fe4d31db13692115529d34069a043c2 \
+    --hash=sha256:9ca6883ce56b4e8da7e79ac18787889fa5206c79dcc67fb065376cd2fe03f342
+toml==0.10.1 \
+    --hash=sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f \
+    --hash=sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88
+iniconfig==1.0.1 \
+    --hash=sha256:80cf40c597eb564e86346103f609d74efce0f6b4d4f30ec8ce9e2c26411ba437 \
+    --hash=sha256:e5f92f89355a67de0595932a6c6c02ab4afddc6fcdc0bfc5becd0d60884d3f69
+pyparsing==2.4.7 \
+    --hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 \
+    --hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b

remediation_worker/jobs/ebs_private_snapshot/ebs_private_snapshot.py

@@ -0,0 +1,132 @@
+# Copyright (c) 2021 VMware Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+import logging
+import sys
+
+import boto3
+from botocore.exceptions import ClientError
+
+logging.basicConfig(level=logging.INFO)
+
+
+class EBSPrivateSnapshot:
+    def parse(self, payload):
+        """Parse payload received from Remediation Service.
+        :param payload: JSON string containing parameters sent to the remediation job.
+        :type payload: str.
+        :returns: Dictionary of parsed parameters
+        :rtype: dict
+        :raises: Exception, JSONDecodeError
+        """
+        logging.debug(payload)
+        remediation_entry = json.loads(payload)
+        notification_info = remediation_entry.get("notificationInfo", None)
+        finding_info = notification_info.get("FindingInfo", None)
+
+        snapshot_id = finding_info.get("ObjectId", None)
+        region = finding_info.get("Region", None)
+
+        if snapshot_id is None:
+            logging.error("Missing parameters for 'SNAPSHOT_ID'.")
+            raise Exception("Missing parameters for 'SNAPSHOT_ID'.")
+
+        if region is None:
+            logging.error("Missing parameters for 'REGION'.")
+            raise Exception("Missing parameters for 'REGION'.")
+
+        logging.debug("parsed params")
+        logging.debug(f"  snapshot_id: {snapshot_id}")
+        logging.info(f"  region: {region}")
+
+        return {
+            "snapshot_id": snapshot_id,
+            "region": region
+        }
+
+    def remediate(self, client, snapshot_id, region):
+
+        """Set snapshots to private.
+        :param client: Instance of the AWS boto3 client.
+        :param snapshot_id: The id of the EBS snapshot.
+        :param region: The region of the EBS snapshot.
+        :type snapshot_id: str.
+        :returns: Bool signaling success or failure
+        :rtype: bool
+        """
+        logging.info("Removing Public access by executing client.describe_snapshot_attribute")
+        logging.info("Attribute = createVolumePermission")
+        logging.info(f"SnapshotId={snapshot_id}")
+
+        try:
+        # Get the permissions of the snapshot, no exeption expected
+           snapshot_permissions = client.describe_snapshot_attribute(
+            Attribute='createVolumePermission',
+            SnapshotId=snapshot_id
+           ).get('CreateVolumePermissions')
+
+           logging.info(f"permission={snapshot_permissions}")
+
+           # if createVolumePermission has "Group":"all", remove it
+           if snapshot_permissions:
+               for permission in snapshot_permissions:
+                   if 'all' in permission['Group']:
+                       logging.info(f"Found Public Snapshot: {snapshot_id}")
+
+                       # remove all from the groupname, no exception expected
+                       client.modify_snapshot_attribute(
+                           Attribute='createVolumePermission',
+                           GroupNames=[
+                            'all',
+                           ],
+                           OperationType='remove',
+                           SnapshotId=snapshot_id,
+                       )
+                       logging.info(f"Public access removed from {snapshot_id}")
+               return 0
+           else:
+               logging.info(f"Snapshot {snapshot_id} is not public, exiting")
+               return 1
+
+        except ClientError as state_err:
+                error = state_err.response["Error"]["Code"]
+                logging.error(f"Got Exception={error}")
+                return 1
+        except Exception as e:
+               error = "Receiving other exceptions {0}".format(str(e))
+               logging.error(error) 
+               return 1
+
+
+    def run(self, args):
+        """Run the remediation job.
+        :param args: List of arguments provided to the job.
+        :type args: list.
+        :returns: int
+        """
+        params = self.parse(args[1])
+        client = boto3.client("ec2", region_name=params['region'])
+
+        logging.debug(
+            "acquired ec2 client and parsed params - starting remediation."
+        )
+
+        return self.remediate(client=client, **params)
+
+
+if __name__ == "__main__":
+    logging.info("ebs_private_snapshot.py called - running now")
+    obj = EBSPrivateSnapshot()
+    obj.run(sys.argv)

remediation_worker/jobs/ebs_private_snapshot/minimum_policy.json

@@ -0,0 +1,14 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ModifyPrivateSnapShot",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeSnapshotAttribute",
+                "ec2:ModifySnapshotAttribute"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

remediation_worker/jobs/ebs_private_snapshot/requirements-dev.txt

@@ -0,0 +1,6 @@
+-r requirements.txt
+-c constraints.txt
+
+pytest==6.0.1 \
+    --hash=sha256:85228d75db9f45e06e57ef9bf4429267f81ac7c0d742cc9ed63d09886a9fe6f4 \
+    --hash=sha256:8b6007800c53fdacd5a5c192203f4e531eb2a1540ad9c752e052ec0f7143dbad

remediation_worker/jobs/ebs_private_snapshot/requirements.txt

@@ -0,0 +1,6 @@
+boto3==1.14.9 \
+  --hash=sha256:185f7b36c16f76e501d8dfc5cd209113426e078e4968dd13cc355c916bc99597 \
+  --hash=sha256:51243ba0e976343ca0b98bb4a15fc3d588526220f6ba45bfed7ea45472b1e033
+botocore==1.17.9 \
+  --hash=sha256:7dd59bc766d567ca83bc6113aa139d92ba447738ccdfcd40788848553d329a52 \
+  --hash=sha256:cd4bb2d96ff2ec6bf4fbcdb2f241d0fb6ba1e7955b4721cf1d81f13db02768b6

remediation_worker/jobs/rds_enable_version_update/README.md

@@ -0,0 +1,75 @@
+# Enable automatic minor version upgrade for RDS DBInstance
+
+This job enables automatic minor version upgrade RDS DBInstance.
+
+## Getting Started
+
+##### Rule ID:
+5c8c264a7a550e1fb6560c4c
+
+##### Rule Name:
+RDS should have automatic minor version upgrades enabled
+
+### Prerequisites
+
+The provided AWS credential must have permissions that listed in the policy file [here](minimum_policy.json)
+
+### Running the script
+
+You may run this script using following commands:
+```shell script
+  pip install -r ../../requirements.txt
+  python3 rds_enable_version_upgrade.py "`cat finding.json`"
+```
+  where finding.json has launch config name and region info:
+```json
+  {
+    "notificationInfo": {
+        "FindingInfo": {
+            "ObjectId": "rds-name",
+            "Region": "us-west-1"
+        }
+    }
+}
+```
+
+## Running the tests
+You may run test using following command under vss-remediation-worker-job-code-python directory:
+```shell script
+    python3 -m pytest test
+```
+
+## Deployment
+1. Provision a Virtual Machine
+Create an EC2 instance to use for the worker. The minimum required specifications are 128 MB memory and 1/2 Core CPU.
+2. Setup Docker
+Install Docker on the newly provisioned EC2 instance. You can refer to the [docs here](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html) for more information.
+3. Deploy the worker image
+SSH into the EC2 instance and run the command below to deploy the worker image:
+```shell script
+  docker run --rm -it --name worker \
+  -e VSS_CLIENT_ID={ENTER CLIENT ID}
+  -e VSS_CLIENT_SECRET={ENTER CLIENT SECRET} \
+  vmware/vss-remediation-worker:latest-python
+```
+
+
+## Contributing
+The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).
+All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.
+
+For more detailed information, refer to [CONTRIBUTING.md](../../../CONTRIBUTING.md).
+
+## Versioning
+
+We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/vmware-samples/secure-state-remediation-jobs/tags).
+
+## Authors
+
+* **VMware Secure State** - *Initial work*
+
+See also the list of [contributors](https://github.com/vmware-samples/secure-state-remediation-jobs/contributors) who participated in this project.
+
+## License
+
+This project is licensed under the Apache License - see the [LICENSE](https://github.com/vmware-samples/secure-state-remediation-jobs/blob/master/LICENSE.txt) file for details