Switch to NIST 800-53 r5 standard in SecurityHub (#6203, PR #6322)
dsotirho-ucsc committed Aug 21, 2024
2 parents d769f27 + 734769a commit 5c4b4eb
Showing 2 changed files with 61 additions and 33 deletions.
6 changes: 3 additions & 3 deletions scripts/rename_resources.py
Expand Up @@ -18,10 +18,10 @@

log = logging.getLogger(__name__)

resource = 'aws_securityhub_standards_control'
renamed: dict[str, Optional[str]] = {
# FIXME: Remove the following entry
# https://github.com/DataBiosphere/azul/pull/6285
'opensearch_cluster_settings.index': None
f'{resource}.best_practices_macie_{num}': f'{resource}.nist_control_macie_{num}'
for num in [1, 2]
}


88 changes: 58 additions & 30 deletions terraform/shared/shared.tf.json.template.py
Expand Up @@ -39,25 +39,29 @@ def conformance_pack(name: str) -> str:
return body


cis_alarms = [
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.1
trail_alarms = [
# [CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-2
CloudTrailAlarm(name='api_unauthorized',
statistic='Sum',
filter_pattern='{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}',
threshold=12,
period=24 * 60 * 60),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.2
# [CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3
CloudTrailAlarm(name='console_no_mfa',
statistic='Sum',
filter_pattern='{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && '
'($.userIdentity.type = "IAMUser") && '
'($.responseElements.ConsoleLogin = "Success") }'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.3
# [CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-1
CloudTrailAlarm(name='root_usage',
statistic='Sum',
filter_pattern='{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType '
'!="AwsServiceEvent"}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.4
# [CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4
CloudTrailAlarm(name='iam_policy_change',
statistic='Sum',
filter_pattern='{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || '
Expand All @@ -68,34 +72,39 @@ def conformance_pack(name: str) -> str:
'($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || '
'($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || '
'($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.5
# [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5
CloudTrailAlarm(name='cloudtrail_config_change',
statistic='Sum',
filter_pattern='{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || '
'($.eventName=DeleteTrail) || ($.eventName=StartLogging) || '
'($.eventName=StopLogging)}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.8
# [CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8
CloudTrailAlarm(name='s3_policy_change',
statistic='Sum',
filter_pattern='{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || '
'($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || '
'($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || '
'($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || '
'($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.12
# [CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-12
CloudTrailAlarm(name='network_gateway_change',
statistic='Sum',
filter_pattern='{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || '
'($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || '
'($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.13
# [CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13
CloudTrailAlarm(name='route_table_change',
statistic='Sum',
filter_pattern='{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || '
'($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || '
'($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || '
'($.eventName=DisassociateRouteTable)}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.14
# [CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes
# https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-14
CloudTrailAlarm(name='vpc_change',
statistic='Sum',
filter_pattern='{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || '
Expand All @@ -105,11 +114,6 @@ def conformance_pack(name: str) -> str:
'($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || '
'($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || '
'($.eventName=EnableVpcClassicLink)}'),
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.1
CloudTrailAlarm(name='root_user',
statistic='Sum',
filter_pattern='{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && '
'$.eventType !="AwsServiceEvent"}')
]

# The deployment and/or backup of the GitLab instance requires a reboot, which
Expand Down Expand Up @@ -482,7 +486,7 @@ def conformance_pack(name: str) -> str:
'value': 1
}
}
for a in cis_alarms
for a in trail_alarms
},
'trail_logs': {
'name': config.qualified_resource_name('trail_logs', suffix='.filter'),
Expand Down Expand Up @@ -543,7 +547,7 @@ def conformance_pack(name: str) -> str:
'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
'ok_actions': ['${aws_sns_topic.monitoring.arn}']
}
for a in cis_alarms
for a in trail_alarms
},
'clam_fail': {
'alarm_name': config.qualified_resource_name('clam_fail', suffix='.alarm'),
Expand Down Expand Up @@ -891,16 +895,9 @@ def conformance_pack(name: str) -> str:
}
},
'aws_securityhub_standards_subscription': {
'best_practices': {
'nist_800_53': {
'standards_arn': 'arn:aws:securityhub:us-east-1::standards'
'/aws-foundational-security-best-practices/v/1.0.0',
'depends_on': [
'aws_securityhub_account.shared'
]
},
'cis': {
'standards_arn': 'arn:aws:securityhub:::ruleset'
'/cis-aws-foundations-benchmark/v/1.2.0',
'/nist-800-53/v/5.0.0',
'depends_on': [
'aws_securityhub_account.shared'
]
Expand All @@ -910,16 +907,47 @@ def conformance_pack(name: str) -> str:
# https://github.com/DataBiosphere/azul/issues/5890
'aws_securityhub_standards_control': {
**{
f'best_practices_macie_{num}': {
'nist_control_' + control.lower().replace('.', '_'): {
'standards_control_arn': f'arn:aws:securityhub:{aws.region_name}:{aws.account}:control'
f'/aws-foundational-security-best-practices/v/1.0.0/Macie.{num}',
f'/nist-800-53/v/5.0.0/{control}',
'control_status': 'DISABLED',
'disabled_reason': 'Generates alarm noise; tracked independently as follow-up work',
'depends_on': [
'aws_securityhub_standards_subscription.best_practices'
'aws_securityhub_standards_subscription.nist_800_53'
]
}
for num in [1, 2]
for control in ['Macie.1', 'Macie.2']
},
**{
'nist_control_' + control.lower().replace('.', '_'): {
'standards_control_arn': f'arn:aws:securityhub:{aws.region_name}:{aws.account}:control'
f'/nist-800-53/v/5.0.0/{control}',
'control_status': 'DISABLED',
'disabled_reason': 'Not a moderate level control',
'depends_on': [
'aws_securityhub_standards_subscription.nist_800_53'
]
}
for control in [
'ACM.1',
'CloudFront.1',
'S3.15',
#
# We don't disable EFS.6 since despite it being listed as a
# control applicable to NIST SP 800-53 Rev. 5 …
#
# https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html
#
# … but it is not. Other AWS documentation backs up this
# claim:
#
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html
#
# We don't disable ElasticCache.4 to .7 since these controls
# are not available in our AWS Region:
#
# https://docs.aws.amazon.com/securityhub/latest/userguide/regions-controls.html
]
}
},
'aws_iam_account_password_policy': {
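Review bot: The new `nist_800_53` subscription keeps the `standards_arn` prefix hard-coded to `us-east-1` (the line carried over from the old `best_practices` entry), while the `aws_securityhub_standards_control` ARNs a few lines below are built from `aws.region_name`; if the shared deployment is ever applied outside us-east-1 the subscription and the controls that `depends_on` it would reference different regions. Consider `'standards_arn': f'arn:aws:securityhub:{aws.region_name}::standards/nist-800-53/v/5.0.0'`, or a comment stating that the shared account is deliberately pinned to us-east-1. The second disabled-control group gives only `'Not a moderate level control'` as its reason; unlike the EFS.6 and ElastiCache notes, nothing cites the source that classifies ACM.1, CloudFront.1 and S3.15 that way, so a one-line comment with the documentation link above the list would let the next reviewer verify the exemption. Dropping the CIS 1.2.0 subscription also stops evaluating any CIS-only checks; presumably the NIST 800-53 r5 standard covers them, but the hunk does not say so. The enclosing resource dictionary starts and ends outside the hunk.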
