Merge branch 'v4-updates' into 'main'
Updated Prowler to v4, updated Glue table schema, added permissions for...

See merge request wwps-security-developer/aws-security-assessment-solution!12
js37 committed Jun 11, 2024
2 parents aaa02be + 99b6932 commit 18c4fc6
Showing 7 changed files with 699 additions and 85 deletions.
174 changes: 97 additions & 77 deletions 2-sat2-codebuild-prowler.yaml
@@ -377,7 +377,7 @@ Resources:
python: 3.11
commands:
- echo "Installing Prowler and dependencies..."
- pip3 install 'prowler<4.0'
- pip3 install prowler
- prowler -v
build:
commands:
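Review bot: `pip3 install prowler` with no version constraint means every build pulls whatever the newest release on PyPI is, while the Glue schema changed in this same commit is tied to the v4 CSV column layout; the next major release that renames or reorders columns will silently break the Athena table. Suggest constraining the install to the major version the schema was written against, e.g. `- pip3 install 'prowler>=4,<5'`, and keeping the README sentence about installing the "latest version" in step with whatever constraint is chosen.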
@@ -528,82 +528,88 @@ Resources:
}
StorageDescriptor:
Columns:
- Name: assessment_start_time
Type: string
- Name: finding_unique_id
Type: string
- Name: provider
Type: string
- Name: check_id
Type: string
- Name: check_title
Type: string
- Name: check_type
Type: string
- Name: status
Type: string
- Name: status_extended
Type: string
- Name: service_name
Type: string
- Name: subservice_name
Type: string
- Name: severity
Type: string
- Name: resource_type
Type: string
- Name: resource_details
Type: string
- Name: resource_tags
Type: string
- Name: description
Type: string
- Name: risk
Type: string
- Name: related_url
Type: string
- Name: remediation_recommendation_text
Type: string
- Name: remediation_recommendation_url
Type: string
- Name: remediation_recommendation_code_nativeiac
Type: string
- Name: remediation_recommendation_code_terraform
Type: string
- Name: remediation_recommendation_code_cli
Type: string
- Name: remediation_recommendation_code_other
Type: string
- Name: compliance
Type: string
- Name: categories
Type: string
- Name: depends_on
Type: string
- Name: related_to
Type: string
- Name: notes
Type: string
- Name: profile
Type: string
- Name: account_id
Type: string
- Name: account_name
Type: string
- Name: account_email
Type: string
- Name: account_arn
Type: string
- Name: account_org
Type: string
- Name: account_tags
Type: string
- Name: region
Type: string
- Name: resource_id
Type: string
- Name: resource_arn
Type: string
- Name: auth_method
Type: string
- Name: timestamp
Type: string
- Name: account_uid
Type: string
- Name: account_namse
Type: string
- Name: account_email
Type: string
- Name: account_organization_uid
Type: string
- Name: account_organization_name
Type: string
- Name: account_tags
Type: string
- Name: finding_uid
Type: string
- Name: provider
Type: string
- Name: check_id
Type: string
- Name: check_title
Type: string
- Name: check_type
Type: string
- Name: status
Type: string
- Name: status_extended
Type: string
- Name: muted
Type: boolean
- Name: service_name
Type: string
- Name: subservice_name
Type: string
- Name: severity
Type: string
- Name: resource_type
Type: string
- Name: resource_uid
Type: string
- Name: resource_name
Type: string
- Name: resource_details
Type: string
- Name: resource_tags
Type: string
- Name: partition
Type: string
- Name: region
Type: string
- Name: description
Type: string
- Name: risk
Type: string
- Name: related_url
Type: string
- Name: remediation_recommendation_text
Type: string
- Name: remediation_recommendation_url
Type: string
- Name: remediation_code_nativeiac
Type: string
- Name: remediation_code_terraform
Type: string
- Name: remediation_code_cli
Type: string
- Name: remediation_code_other
Type: string
- Name: compliance
Type: string
- Name: categories
Type: string
- Name: depends_on
Type: string
- Name: related_to
Type: string
- Name: notes
Type: string
- Name: prowler_version
Type: string
Location: !Sub s3://${ProwlerFindingsBucket}/csv
InputFormat: org.apache.hadoop.mapred.TextInputFormat
OutputFormat: org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat
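Review bot: `account_namse` in the new column list is a typo for `account_name`; CSV columns are mapped to Glue columns by position, so the table will still load, but any query that references `account_name` will fail with a column-not-found error. Several other columns were renamed rather than kept (`finding_unique_id` to `finding_uid`, `account_id` to `account_uid`, `resource_id` to `resource_uid`, `assessment_start_time` to `timestamp`, `remediation_recommendation_code_*` to `remediation_code_*`), so every Athena query in the reporting path needs to be checked against the new names. Also worth verifying that this column order matches the v4 CSV header exactly, since a positional SerDe will not flag a mismatch, and that `muted` declared as `boolean` is actually parsed by the SerDe configured below rather than ending up null.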
@@ -618,6 +624,19 @@ Resources:
}
Retention: 0

LakeFormationPermissionsLambda:
Condition: EnableReporting
Type: AWS::LakeFormation::Permissions
Properties:
DataLakePrincipal:
DataLakePrincipalIdentifier: !Sub ${AthenaStartQueryLambdaRole.Arn}
Permissions:
- SELECT
Resource:
TableResource:
DatabaseName: !Ref GlueDatabaseSATv2Findings
Name: !Ref GlueTableProwlerResults

SATv2Reporting:
Condition: EnableReporting
Type: AWS::Athena::WorkGroup
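Review bot: The new `LakeFormationPermissionsLambda` resource has no comment or README text saying when it is needed; since the IAM hunk further down still grants `glue:GetTable`/`glue:GetDatabase` directly, a reader cannot tell whether this is for accounts whose Data Catalog is governed by Lake Formation (where IAM alone is not enough) or an extra grant for safety. Suggest a one-line comment above the resource, and confirm that `SELECT` on the table alone is sufficient for the Athena Lambda, i.e. that no `DESCRIBE` on `GlueDatabaseSATv2Findings` is also required. `!Sub ${AthenaStartQueryLambdaRole.Arn}` works, but `!GetAtt AthenaStartQueryLambdaRole.Arn` expresses the same thing more directly.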
@@ -691,6 +710,7 @@ Resources:
- Effect: Allow
Action:
- 'glue:GetTable'
- 'glue:GetDatabase'
Resource:
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${GlueDatabaseSATv2Findings}
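Review bot: `glue:GetDatabase` is added to the same statement as `glue:GetTable`, so both actions are evaluated against the shared `Resource` list; the catalog and database ARNs are visible here, but the table ARN that `glue:GetTable` needs is not in the hunk, so confirm it is still present in the lines below. A short comment noting that both the IAM grant and the `AWS::LakeFormation::Permissions` resource above are needed for Lake Formation-governed catalogs would save the next reader the same question.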
73 changes: 65 additions & 8 deletions README.md
@@ -1,11 +1,39 @@
## Self-Service Security Assessment Solutions (v2.0)
## Self-Service Security Assessment Solutions (v2.0)<!-- omit from toc -->

Cybersecurity remains a very important topic and point of concern for many CIOs, CISOs, and their customers. To meet these important concerns, AWS has developed a primary set of services customers should use to aid in protecting their accounts. [Amazon GuardDuty](https://aws.amazon.com/guardduty/), [AWS Security Hub](https://aws.amazon.com/security-hub/), [AWS Config](https://aws.amazon.com/config/), and [AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc&wa-guidance-whitepapers.sort-by=item.additionalFields.sortDate&wa-guidance-whitepapers.sort-order=desc) reviews help customers maintain a strong security posture over their AWS accounts. As more organizations deploy to the cloud, especially if they are doing so quickly, and they have not yet implemented the recommended AWS Services, there may be a need to conduct a rapid security assessment of the cloud environment.

We have developed an inexpensive, easy to deploy, secure, and fast solution to provide our customers with a security assessment report. These reports are generated using the open source project [Prowler](https://github.com/toniblyx/prowler). Prowler performs point in time security assessment based on AWS best practices and can help quickly identify any potential risk areas in a customer’s deployed environment. If you are interested in conducting these assessments on a continuous basis, AWS recommends enabling Security Hub’s [Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html). If you are interested in integrating your Prowler assessment results with Security Hub, you can follow the instructions in the [Prowler Documentation](https://docs.prowler.cloud/en/latest/tutorials/aws/securityhub/).

>Note: Prowler is not an AWS owned solution. Customers should independently review Prowler before running this solution. Any dependencies associated with Prowler should be kept up to date. This solution installs the latest version available from pip package installer.
## Table of Contents<!-- omit from toc -->
- [Overview](#overview)
- [Deployment](#deployment)
- [Single account scan](#single-account-scan)
- [AWS CloudShell](#aws-cloudshell)
- [Deploy the solution](#deploy-the-solution)
- [AWS Console](#aws-console)
- [Deploy the solution](#deploy-the-solution-1)
- [Multi-account scan](#multi-account-scan)
- [AWS CloudShell](#aws-cloudshell-1)
- [Step 1: Deploy prerequisite role](#step-1-deploy-prerequisite-role)
- [Step 2: Deploy the SATv2 solution](#step-2-deploy-the-satv2-solution)
- [AWS Console](#aws-console-1)
- [Step 1: Deploy prerequisite role](#step-1-deploy-prerequisite-role-1)
- [Step 2: Enable delegated administrator for AWS Organizations](#step-2-enable-delegated-administrator-for-aws-organizations)
- [Step 3: Deploy the SATv2 solution](#step-3-deploy-the-satv2-solution)
- [Review the results](#review-the-results)
- [Scan types](#scan-types)
- [Basic Scan](#basic-scan)
- [Intermediate scan](#intermediate-scan)
- [Full scan](#full-scan)
- [Notifications](#notifications)
- [Reporting Summary](#reporting-summary)
- [Frequently Asked Questions (FAQ)](#frequently-asked-questions-faq)
- [Clean Up](#clean-up)
- [Security](#security)
- [License](#license)

## Overview
The solution is deployed with [AWS CloudFormation](https://aws.amazon.com/cloudformation/). When deployed, an [AWS CodeBuild](https://aws.amazon.com/codebuild/) project and an [Amazon S3](https://aws.amazon.com/s3/) bucket to store the Prowler generated reports are created. An [AWS Lambda](https://aws.amazon.com/lambda/) function is then used to start the AWS CodeBuild project.

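Review bot: The new `## Table of Contents<!-- omit from toc -->` heading follows the `>Note:` blockquote with no blank line between them; add one so Markdown renderers reliably close the blockquote before the heading. The links `#deploy-the-solution-1`, `#aws-cloudshell-1`, `#aws-console-1` and `#step-1-deploy-prerequisite-role-1` rely on the renderer's duplicate-heading suffix convention, which GitHub and GitLab apply but other Markdown tools may not. Separately, the unchanged note "This solution installs the latest version available from pip package installer" is now the only place the unpinned install is documented; since the Glue schema in this commit assumes Prowler v4, that sentence should say so.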
@@ -27,7 +55,7 @@ You can use this project to run Prowler across multiple accounts in an AWS Organ
## Single account scan
To run the Self-Service Security Assessment solution (SATv2) against a single account, follow the instructions below. You can choose to use the AWS CLI or the AWS Console.

#### AWS CloudShell
### AWS CloudShell

<details>
<summary>Show steps</summary>
@@ -52,7 +80,7 @@ To run the Self-Service Security Assessment solution (SATv2) against a single ac
</details>


#### AWS Console
### AWS Console

<details>
<summary>Show steps</summary>
@@ -81,7 +109,7 @@ These instructions assume you already have the prerequisites for stack set opera

>Note: StackSets don't apply to the management account. To assess the management account, deploy the 1-sat2-member-role as a CloudFormation Stack.
#### AWS CloudShell
### AWS CloudShell
<details>
<summary>Show steps</summary>
@@ -194,7 +222,7 @@ These instructions assume you already have the prerequisites for stack set opera
</details>
#### AWS Console
### AWS Console
<details>
<summary>Show steps</summary>
@@ -240,7 +268,31 @@ These instructions assume you already have the prerequisites for stack set opera
16. On the **Review** page, select the box **I acknowledge that AWS CloudFormation might create IAM resources.** and choose **Submit**.
#### Step 2: Deploy the SATv2 solution
#### Step 2: Enable delegated administrator for AWS Organizations
Determine if you have delegated administrator or a resource policy that already exists for the account you wish to deploy Prowler in. It is recommended that you run Prowler from your security tooling (Audit) account. To update or verify that the audit account has permissions to ListAccounts, follow these steps.
1. Navigate to the [AWS Organization console](https://console.aws.amazon.com/organizations).
2. In the navigation pane, choose **Settings**.
3. For Delegated administrator for AWS Organizations, include the following statement.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:root"
},
"Action": "organizations:ListAccounts",
"Resource": "*"
}
]
}
```
#### Step 3: Deploy the SATv2 solution
1. Navigate to the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation) in the account you will run the tool from (ProwlerAccountID).
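Review bot: The delegated-administrator policy in the new Step 2 uses `arn:aws:iam::<aws-account-id>:root` as the principal, which grants `organizations:ListAccounts` to every IAM principal in the Prowler account rather than only to the role the CodeBuild scan runs under; suggest scoping the principal to that role's ARN (documented as a placeholder the same way `<aws-account-id>` is) and noting that the `arn:aws:` partition must be adjusted in non-standard partitions. `"Sid": "Statement"` is uninformative; a name such as `AllowProwlerListAccounts` makes the policy self-describing. The step text also says "include the following statement" without saying what to do when a delegation policy already exists (merge the statement into it rather than replace it).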
@@ -306,7 +358,10 @@ aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
--parameter-overrides ProwlerScanType=Intermediate
```

Checks are frequently added, to see the latest checks, run `prowler aws --list-checks` command. An example has been provided below for each check level.

### Basic Scan
To see a list of checks, review [basic checks](./checks/basic_checks.txt).

- Manual check - Maintain current contact details.
- Find obsolete Lambda runtimes.
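Review bot: "Checks are frequently added, to see the latest checks, run ..." is a comma splice; split it after "added". More importantly, the new `checks/*.txt` files are presented as the check list for each level but the command that produced them is not recorded; since `prowler aws --list-checks` on its own prints every check, note the exact invocation (check filter or severity flag) used for each file so the lists can be regenerated when Prowler is updated.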
@@ -323,12 +378,14 @@ aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
- Ensure there are no S3 buckets open to Everyone or Any AWS user.

### Intermediate scan
To see a list of checks, review [intermediate checks](./checks/intermediate_checks.txt).

This scan will add `--severity critical high` to the Prowler scan options. With this selected Prowler will run all security checks that result in critical or high severity.

### Full scan
To see a list of checks, review [full checks](./checks/full_checks.txt).

This option doesn't add any additional parameters to the Prowler scan. It will result in Prowler running the full 283 checks.
This option doesn't add any additional parameters to the Prowler scan. It will result in Prowler running 359+ checks.
You can also use the full scan to customize the scan however you would like.
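Review bot: "359+ checks" is a hard-coded count that will drift as soon as the unpinned install picks up a new release, exactly as "283" did; suggest dropping the number in favour of pointing at `checks/full_checks.txt` and `prowler aws --list-checks`, or regenerating the three check files as part of the build. If the intent is "every check available in the installed version", say that instead of a number.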
@@ -354,7 +411,7 @@ aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
```
With or without the optional EmailAddress parameter set, you can view the progress in the CodeBuild console.
1. Navigate to the [CodeSuite console](https://console.aws.amazon.com/codesuite/).
1. Navigate to the [CodeBuild console](https://console.aws.amazon.com/codesuite/).
2. In the navigation pane, under **Build**, choose **Build projects**.
25 changes: 25 additions & 0 deletions checks/basic_checks.txt
@@ -0,0 +1,25 @@
_
_ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|v4.2.4
|_| the handy multi-cloud security tool

Date: 2024-06-11 10:54:00

[account_maintain_current_contact_details] Maintain current contact details. - account [medium]
[awslambda_function_using_supported_runtimes] Find obsolete Lambda runtimes. - lambda [medium]
[cloudtrail_multi_region_enabled] Ensure CloudTrail is enabled in all regions - cloudtrail [high]
[config_recorder_all_regions_enabled] Ensure AWS Config is enabled in all regions. - config [medium]
[ec2_securitygroup_allow_ingress_from_internet_to_any_port] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port. - ec2 [high]
[guardduty_is_enabled] Check if GuardDuty is enabled - guardduty [medium]
[iam_password_policy_lowercase] Ensure IAM password policy require at least one lowercase letter - iam [medium]
[iam_password_policy_number] Ensure IAM password policy require at least one number - iam [medium]
[iam_password_policy_symbol] Ensure IAM password policy require at least one symbol - iam [medium]
[iam_password_policy_uppercase] Ensure IAM password policy requires at least one uppercase letter - iam [medium]
[iam_root_mfa_enabled] Ensure MFA is enabled for the root account - iam [critical]
[iam_rotate_access_key_90_days] Ensure access keys are rotated every 90 days or less - iam [medium]
[s3_bucket_public_access] Ensure there are no S3 buckets open to Everyone or Any AWS user. - s3 [critical]

There are 13 available checks.

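Review bot: `basic_checks.txt` is raw `--list-checks` output committed verbatim, including the ASCII banner and a `Date:` line; both make every regeneration a noisy diff, and the version tag (`v4.2.4`) will be stale after the next unpinned install. Generating the file with Prowler's `--no-banner` option (verify it is still accepted by the installed version) and trimming the date line leaves just the check lines, which is all the README links to. The 13 checks here do match the basic-scan bullets in the README hunk above, which is the property worth keeping in sync.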

0 comments on commit 18c4fc6
