git clone https://github.com/aws-samples/detect-public-security-groups.git| App developer, App owner | | Validate the Python version. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.html) | AWS administrator, App developer | ### Deploy the CloudFormation template | Task | Description | Skills required | | --- | --- | --- | | Deploy the CloudFormation template. | Deploy the CloudFormation template into your AWS environment. Do one of the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.html) | App developer, AWS administrator, General AWS | | Verify the deployment. | In the [CloudFormation console](https://console.aws.amazon.com/cloudformation/), verify that the stack or stack set has deployed successfully. | AWS administrator, App owner | ### Review the findings | Task | Description | Skills required | | --- | --- | --- | | View the AWS Config rule findings. | In Security Hub CSPM, do the following to view a list of individual findings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.html)In Security Hub CSPM, do the following to view a list of total findings grouped by AWS account:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/audit-security-groups-access-public-ip.html)In AWS Config, to view a list of findings, follow the instructions in [Viewing Compliance Information and Evaluation Results](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html) in the AWS Config documentation. | AWS administrator, AWS systems administrator, Cloud administrator | ## Troubleshooting | Issue | Solution | | --- | --- | | The CloudFormation stack set creation or deletion fails. | When AWS Control Tower is deployed, it enforces necessary guardrails and assumes control over AWS Config aggregators and rules. This includes preventing any direct alterations through CloudFormation. To properly deploy or remove this CloudFormation template, including all associated resources, you must use CfCT. | | CfCT fails to delete the CloudFormation template. | If the CloudFormation template persists even after making necessary changes in the manifest file and removing the template files, confirm that the manifest file contains the `enable_stack_set_deletion` parameter and that the value is set to `false`. For more information, see [Delete a stack set](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-delete-stack.html) in the CfCT documentation. | ## Related resources + [AWS Config Custom Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) (AWS Config documentation) # Automatically remediate unencrypted Amazon RDS DB instances and clusters *Ajay Rawat and Josh Joy, Amazon Web Services* ## Summary This pattern describes how to automatically remediate unencrypted Amazon Relational Database Service (Amazon RDS) DB instances and clusters on Amazon Web Services (AWS) by using AWS Config, AWS Systems Manager runbooks, and AWS Key Management Service (AWS KMS) keys. Encrypted RDS DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your applications deployed in the AWS Cloud, and to fulfill compliance requirements for encryption at rest. You can enable encryption for an RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted RDS DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance. This pattern uses AWS Config Rules to evaluate RDS DB instances and clusters. It applies remediation by using AWS Systems Manager runbooks, which define the actions to be performed on noncompliant Amazon RDS resources, and AWS KMS keys to encrypt the DB snapshots. It then enforces service control policies (SCPs) to prevent the creation of new DB instances and clusters without encryption. The code for this pattern is provided in [GitHub](https://github.com/aws-samples/aws-system-manager-automation-unencrypted-to-encrypted-resources). ## Prerequisites and limitations **Prerequisites** + An active AWS account + Files from the [GitHub source code repository](https://github.com/aws-samples/aws-system-manager-automation-unencrypted-to-encrypted-resources) for this pattern downloaded to your computer + An unencrypted RDS DB instance or cluster + An existing AWS KMS key for encrypting RDS DB instances and clusters + Access to update the KMS key resource policy + AWS Config enabled in your AWS account (see [Getting Started with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) in the AWS documentation) **Limitations** + You can enable encryption for an RDS DB instance only when you create it, not after it has been created. + You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance. + You can't restore an unencrypted backup or snapshot to an encrypted DB instance. + Amazon RDS encryption is available for most DB instance classes. For a list of exceptions, see [Encrypting Amazon RDS resources](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html) in the Amazon RDS documentation. + To copy an encrypted snapshot from one AWS Region to another, you must specify the KMS key in the destination AWS Region. This is because KMS keys are specific to the AWS Region that they are created in. + The source snapshot remains encrypted throughout the copy process. Amazon RDS uses envelope encryption to protect data during the copy process. For more information, see [Envelope encryption](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping) in the AWS KMS documentation. + You can't unencrypt an encrypted DB instance. However, you can export data from an encrypted DB instance and import the data into an unencrypted DB instance. + You should delete a KMS key only when you are sure that you don't need to use it any longer. If you aren't sure, consider [disabling the KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html) instead of deleting it. You can reenable a disabled KMS key if you need to use it again later, but you cannot recover a deleted KMS key. + If you don't choose to retain automated backups, your automated backups that are in the same AWS Region as the DB instance are deleted. They can't be recovered after you delete the DB instance. + Your automated backups are retained for the retention period that is set on the DB instance at the time you delete it. This set retention period occurs whether or not you choose to create a final DB snapshot. + If automatic remediation is enabled, this solution encrypts all databases that have the same KMS key. ## Architecture The following diagram illustrates the architecture for the CloudFormation implementation. Note that you can also implement this pattern by using the AWS Cloud Development Kit (AWS CDK). ![\[AWS CloudFormation implementation for remediating unencrypted Amazon RDS instances.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/7f7195e3-98c4-4b18-9192-c0400ac5b891/images/8c1466fa-15b3-44ef-aa7e-7958f80cb699.png) ## Tools **Tools** + [CloudFormation](https://aws.amazon.com/cloudformation/) helps you automatically set up your AWS resources. It enables you to use a template file to create and delete a collection of resources together as a single unit (a stack). + [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) is a software development framework for defining your cloud infrastructure in code and provisioning it by using familiar programming languages. **AWS services and features** + [AWS Config](https://aws.amazon.com/config/) keeps track of the configuration of your AWS resources and their relationships to your other resources. It can also evaluate those AWS resources for compliance. This service uses rules that can be configured to evaluate AWS resources against desired configurations. You can use a set of AWS Config managed rules for common compliance scenarios, or you can create your own rules for custom scenarios. When an AWS resource is found to be noncompliant, you can specify a remediation action through an AWS Systems Manager runbook and optionally send an alert through an Amazon Simple Notification Service (Amazon SNS) topic. In other words, you can associate remediation actions with AWS Config Rules and choose to run them automatically to address noncompliant resources without manual intervention. If a resource is still noncompliant after automatic remediation, you can set the rule to try automatic remediation again. + [Amazon Relational Database Service (Amazon RDS)](https://aws.amazon.com/rds/) makes it easier to set up, operate, and scale a relational database in the cloud. The basic building block of Amazon RDS is the DB instance, which is an isolated database environment in the AWS Cloud. Amazon RDS provides a [selection of instance types](https://aws.amazon.com/rds/instance-types/) that are optimized to fit different relational database use cases. Instance types comprise various combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your database. Each instance type includes several instance sizes, allowing you to scale your database to the requirements of your target workload. + [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms/) is a managed service that makes it easy for you to create and control AWS KMS keys, which encrypt your data. A KMS key is a logical representation of a root key. The KMS key includes metadata, such as the key ID, creation date, description, and key state. + [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them. + [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) offer central control over the maximum available permissions for all accounts in your organization. SCPs help you ensure that your accounts stay within your organization’s access control guidelines. SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization. We strongly recommend that you don't attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. Instead, create an organizational unit (OU) that you can move your accounts into one at a time, or at least in small numbers, to ensure that you don't inadvertently lock users out of key services. **Code** The source code and templates for this pattern are available in a [GitHub repository](https://github.com/aws-samples/aws-system-manager-automation-unencrypted-to-encrypted-resources/). The pattern provides two implementation options: You can deploy an CloudFormation template to create the remediation role that encrypts RDS DB instances and clusters, or use the AWS CDK. The repository has separate folders for these two options. The [Epics](#automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters-epics) section provides step-by-step instructions for deploying the CloudFormation template. If you want to use the AWS CDK, follow the instructions in the `README.md` file in the GitHub repository. ## Best practices + Enable data encryption both at rest and in transit. + Enable AWS Config in all accounts and AWS Regions. + Record configuration changes to all resource types. + Rotate your IAM credentials regularly. + Leverage tagging for AWS Config, which makes is easier to manage, search for, and filter resources. ## Epics ### Create the IAM remediation role and Systems Manager runbook | Task | Description | Skills required | | --- | --- | --- | | Download the CloudFormation template. | Download the `unencrypted-to-encrypted-rds.template.json` file from the [GitHub repository](https://github.com/aws-samples/aws-system-manager-automation-unencrypted-to-encrypted-resources/tree/main/rds/CloudFormation). | DevOps engineer | | Create the CloudFormation stack. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html)For more information about deploying templates, see the [CloudFormation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html). | DevOps engineer | | Review CloudFormation parameters and values. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html) | DevOps engineer | | Review the resources. | When the stack has been created, its status changes to **CREATE\$1COMPLETE**. Review the created resources (IAM role, Systems Manager runbook) in the CloudFormation console. | DevOps engineer | ### Update the AWS KMS key policy | Task | Description | Skills required | | --- | --- | --- | | Update your KMS key policy. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html)
{
"Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:: ":role/"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:ListGrants",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "rds.us-east-1.amazonaws.com",
"kms:CallerAccount": ""
}
}
} | DevOps engineer |
### Find and remediate noncompliant resources
| Task | Description | Skills required |
| --- | --- | --- |
| View noncompliant resources. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html)The noncompliant resources listed in the AWS Config console will be instances, not clusters. The remediation automation encrypts instances and clusters, and creates either a newly encrypted instance or a newly created cluster. However, be sure not to simultaneously remediate multiple instances that belong to the same cluster.Before you remediate any RDS DB instances or volumes, make sure that the RDS DB instance is not in use. Confirm that there are no write operations occurring while the snapshot is being created, to ensure that the snapshot contains the original data. Consider enforcing a maintenance window during which the remediation will run. | DevOps engineer |
| Remediate noncompliant resources. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html) | DevOps engineer |
| Verify that the RDS DB instance is available. | After the automation completes, the newly encrypted RDS DB instance will become available. The encrypted RDS DB instance will have the prefix `encrypted` followed by the original name. For example, if the unencrypted RDS DB instance name was `database-1`, the newly encrypted RDS DB instance would be `encrypted-database-1`. | DevOps engineer |
| Terminate the unencrypted instance. | After remediation is complete and the newly encrypted resource has been validated, you can terminate the unencrypted instance. Make sure to confirm that the newly encrypted resource matches the unencrypted resource before you terminate any resources. | DevOps engineer |
### Enforce SCPs
| Task | Description | Skills required |
| --- | --- | --- |
| Enforce SCPs. | Enforce SCPs to prevent DB instances and clusters from being created without encryption in the future. Use the `rds_encrypted.json` file that’s provided in the [GitHub repository](https://github.com/aws-samples/aws-system-manager-automation-unencrypted-to-encrypted-resources/tree/main/rds/SCP) for this purpose, and follow the instructions in the [AWS documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html). | Security engineer |
## Related resources
**References**
+ [Setting up AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html)
+ [AWS Config custom rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html)
+ [AWS KMS concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
+ [AWS Systems Manager documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html)
+ [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
**Tools**
+ [CloudFormation](https://aws.amazon.com/cloudformation/)
+ [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/)
**Guides and patterns**
+ [Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html)
## Additional information
**How does AWS Config work?**
When you use AWS Config, it first discovers the supported AWS resources that exist in your account and generates a [configuration item](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-items) for each resource. AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the AWS Region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.
**How are AWS Config and AWS Config Rules related to AWS Security Hub CSPM?**
AWS Security Hub CSPM is a security and compliance service that provides security and compliance posture management as a service. It uses AWS Config and AWS Config Rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config Rules can also be used to evaluate resource configuration directly. Other AWS services, such AWS Control Tower and AWS Firewall Manager, also use AWS Config Rules.
# Automatically validate and deploy IAM policies and roles by using CodePipeline, IAM Access Analyzer, and AWS CloudFormation macros
*Helton Ribeiro and Guilherme Simoes, Amazon Web Services*
## Summary
This pattern describes the steps and provides code to create a deployment pipeline that allows your development teams to create AWS Identity and Access Management (IAM) policies and roles in your Amazon Web Services (AWS) accounts. This approach helps your organization reduce overhead for your operational teams and speed up the deployment process. It also helps your developers to create IAM roles and policies that are compatible with your existing governance and security controls.
This pattern’s approach uses [AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html) to validate the IAM policies that you want to attach to IAM roles and uses AWS CloudFormation to deploy the IAM roles. However, instead of directly editing the AWS CloudFormation template file, your development team creates JSON-formatted IAM policies and roles. An AWS CloudFormation macro transforms these JSON-formatted policy files into AWS CloudFormation IAM resource types before beginning the deployment.
The deployment pipeline (`RolesPipeline`) has source, validation, and deployment stages. During the source stage, your development team pushes the JSON files that contain the definition of the IAM roles and policies to an AWS CodeCommit repository. AWS CodeBuild then runs a script to validate those files and copies them to an Amazon Simple Storage Service (Amazon S3) bucket. Because your development teams don’t have direct access to the AWS CloudFormation template file stored in a separate S3 bucket, they must follow the JSON file creation and validation process.
Finally, during the deployment phase, AWS CodeDeploy uses an AWS CloudFormation stack to update or delete the IAM policies and roles in an account.
**Important**
This pattern’s workflow is a proof of concept (POC) and we recommend that you only use it in a test environment. If you want to use this pattern’s approach in a production environment, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the IAM documentation and make the required changes to your IAM roles and AWS services.
## Prerequisites and limitations
**Prerequisites **
+ An active AWS account.
+ A new or existing S3 bucket for the `RolesPipeline` pipeline. Make sure that the access credentials you’re using have permissions to upload objects to this bucket.
+ AWS Command Line Interface (AWS CLI), installed and configured. For more information about this, see [Installing, updating, and uninstalling the AWS CLI ](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) in the AWS CLI documentation.
+ AWS Serverless Application Model (AWS SAM) CLI, installed and configured. For more information about this, see [Installing the AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) in the AWS SAM documentation.
+ Python 3, installed on your local machine. For more information about this, see the [Python documentation](https://www.python.org/).
+ A Git client, installed and configured.
+ The GitHub `IAM roles pipeline` repository, cloned to your local machine.
+ Existing JSON-formatted IAM policies and roles. For more information about this, see the [ReadMe](https://github.com/aws-samples/iam-roles-pipeline/blob/main/README.md) file in the Github `IAM roles pipeline` repository.
+ Your developer team must not have permissions to edit this solution’s AWS CodePipeline, CodeBuild, and CodeDeploy resources.
**Limitations **
+ This pattern’s workflow is a proof of concept (POC) and we recommend that you only use it in a test environment. If you want to use this pattern’s approach in a production environment, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the IAM documentation and make the required changes to your IAM roles and AWS services.
## Architecture
The following diagram shows you how to automatically validate and deploy IAM roles and policies to an account by using CodePipeline, IAM Access Analyzer, and AWS CloudFormation macros.
![\[Steps for validating and deploying IAM policies and roles in an AWS account.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/df1add4d-f211-43e3-8976-5314da75f627/images/832bebaf-27a0-4949-9c30-99fc4c9982b8.png)
The diagram shows the following workflow:
1. A developer writes JSON files that contain the definitions for the IAM policies and roles. The developer pushes the code to a CodeCommit repository and CodePipeline then initiates the `RolesPipeline` pipeline.
1. CodeBuild validates the JSON files by using IAM Access Analyzer. If there are any security or error-related findings, the deployment process is stopped.
1. If there are no security or error-related findings, the JSON files are sent to the `RolesBucket` S3 bucket.
1. An AWS CloudFormation macro implemented as an AWS Lambda function then reads the JSON files from the `RolesBucket` bucket and transforms them into AWS CloudFormation IAM resources types.
1. A predefined AWS CloudFormation stack installs, updates, or deletes the IAM policies and roles in the account.
**Automation and scale**
AWS CloudFormation templates that automatically deploy this pattern are provided in the GitHub [IAM roles pipeline](https://github.com/aws-samples/iam-roles-pipeline) repository.
## Tools
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
+ [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) helps you identify the resources in your organization and accounts, such as S3 buckets or IAM roles, that are shared with an external entity. This helps you to identify unintended access to your resources and data.
+ [AWS Serverless Application Model (AWS SAM)](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html) is an open-source framework that helps you build serverless applications in the AWS Cloud.
**Code **
The source code and templates for this pattern are available in the GitHub [IAM roles pipeline](https://github.com/aws-samples/iam-roles-pipeline) repository.
## Epics
### Clone the repository
| Task | Description | Skills required |
| --- | --- | --- |
| Clone the sample repository. | Clone the GitHub [IAM roles pipeline](https://github.com/aws-samples/iam-roles-pipeline) repository to your local machine. | App developer, General AWS |
### Deploy the RolesPipeline pipeline
| Task | Description | Skills required |
| --- | --- | --- |
| Deploy the pipeline. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-validate-and-deploy-iam-policies-and-roles-in-an-aws-account-by-using-codepipeline-iam-access-analyzer-and-aws-cloudformation-macros.html) | App developer, General AWS |
| Clone the pipeline’s repository. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-validate-and-deploy-iam-policies-and-roles-in-an-aws-account-by-using-codepipeline-iam-access-analyzer-and-aws-cloudformation-macros.html) | App developer, General AWS |
### Test the RolesPipeline pipeline
| Task | Description | Skills required |
| --- | --- | --- |
| Test the RolesPipeline pipeline with valid IAM policies and roles. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-validate-and-deploy-iam-policies-and-roles-in-an-aws-account-by-using-codepipeline-iam-access-analyzer-and-aws-cloudformation-macros.html) | App developer, General AWS |
| Test the RolesPipeline pipeline with invalid IAM policies and roles. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-validate-and-deploy-iam-policies-and-roles-in-an-aws-account-by-using-codepipeline-iam-access-analyzer-and-aws-cloudformation-macros.html) | App developer, General AWS |
### Clean up your resources
| Task | Description | Skills required |
| --- | --- | --- |
| Prepare for cleanup. | Empty the S3 buckets and then run the `destroy` command. | App developer, General AWS |
| Delete the RolesStack stack. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-validate-and-deploy-iam-policies-and-roles-in-an-aws-account-by-using-codepipeline-iam-access-analyzer-and-aws-cloudformation-macros.html) | App developer, General AWS |
| Delete the RolesPipeline stack. | To delete the `RolesPipeline` AWS CloudFormation stack, follow the instructions from the [ReadMe](https://github.com/aws-samples/iam-roles-pipeline/blob/main/README.md) file in the Github `IAM roles pipeline` repository. | App developer, General AWS |
## Related resources
+ [IAM Access Analyzer - Policy validation](https://aws.amazon.com/blogs/aws/iam-access-analyzer-update-policy-validation/) (AWS News Blog)
+ [Using AWS CloudFormation macros to perform custom processing on templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) (AWS CloudFormation documentation)
+ [Building Lambda functions with Python](https://docs.aws.amazon.com/lambda/latest/dg/lambda-python.html) (AWS Lambda documentation)
# Bidirectionally integrate AWS Security Hub CSPM with Jira software
*Joaquin Rinaudo, Amazon Web Services*
## Summary
This solution supports a bidirectional integration between AWS Security Hub CSPM and Jira. Using this solution, you can automatically and manually create and update Jira tickets from Security Hub CSPM findings. Security teams can use this integration to notify developer teams of severe security findings that require action.
The solution allows you to:
+ Select which Security Hub CSPM controls automatically create or update tickets in Jira.
+ In the Security Hub CSPM console, use Security Hub CSPM custom actions to manually escalate tickets in Jira.
+ Automatically assign tickets in Jira based on the AWS account tags defined in AWS Organizations. If this tag is not defined, a default assignee is used.
+ Automatically suppress Security Hub CSPM findings that are marked as false positive or accepted risk in Jira.
+ Automatically close a Jira ticket when its related finding is archived in Security Hub CSPM.
+ Reopen Jira tickets when Security Hub CSPM findings reoccur.
**Jira workflow**
The solution uses a custom Jira workflow that allows developers to manage and document risks. As the issue moves through the workflow, bidirectional integration ensures that the status of the Jira ticket and Security Hub CSPM finding is synchronized across the workflows in both services. This workflow is a derivative of *SecDevOps Risk Workflow* by Dinis Cruz, licensed licensed under [Apache License version 2.0](https://www.apache.org/licenses/LICENSE-2.0). We recommend adding a Jira workflow condition so that only members of your security team can change the ticket status.
![\[A workflow diagram of a Jira issue. You can fix the issue, accept the risk, or mark it as a false positive.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/206b9907-c2a3-4142-90bf-d4eabee534c0/images/10b08232-437e-4b0a-b6a5-b5ef4d415ac5.png)
For an example of a Jira ticket automatically generated by this solution, see the [Additional information](#bidirectionally-integrate-aws-security-hub-with-jira-software-additional) section of this pattern.
## Prerequisites and limitations
**Prerequisites**
+ If you want to deploy this solution across a multi-account AWS environment:
+ Your multi-account environment is active and managed by AWS Organizations.
+ Security Hub CSPM is enabled on your AWS accounts.
+ In AWS Organizations, you have designated a Security Hub CSPM administrator account.
+ You have a cross-account AWS Identity and Access Management (IAM) role that has `AWSOrganizationsReadOnlyAccess` permissions to the AWS Organizations management account.
+ (Optional) You have tagged your AWS accounts with `SecurityContactID`. This tag is used to assign Jira tickets to the defined security contacts.
+ If you want to deploy this solution within a single AWS account:
+ You have an active AWS account.
+ Security Hub CSPM is enabled on your AWS account.
+ A Jira Data Center instance
**Important**
This solution supports use of Jira Cloud. However, Jira Cloud does not support importing XML workflows, so you need to manually re-create the workflow in Jira. You can find of the transitions and status in the GitHub repository.
+ Administrator permissions in Jira
+ One of the following Jira tokens:
+ For Jira Enterprise, a personal access token (PAT). For more information, see [Using Personal Access Tokens](https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html) (Atlassian support).
+ For Jira Cloud, a Jira API token. For more information, see [Manage API tokens](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) (Atlassian support).
## Architecture
This section illustrates the architecture of the solution in various scenarios, such as when the developer and security engineer decide to accept the risk or decide to fix the issue.
*Scenario 1: Developer addresses the issue*
1. Security Hub CSPM generates a finding against a specified security control, such as those in the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html).
1. An Amazon CloudWatch event associated with the finding and the `CreateJIRA` action initiates an AWS Lambda function.
1. The Lambda function uses its configuration file and the finding's `GeneratorId` field to evaluate whether it should escalate the finding.
1. The Lambda function determines the finding should be escalated, it obtains the `SecurityContactID` account tag from AWS Organizations in the AWS management account. This ID is associated with the developer and is used as the assignee ID for the Jira ticket.
1. The Lambda function uses the credentials stored in AWS Secrets Manager to create a ticket in Jira. Jira notifies the developer.
1. The developer addresses the underlying security finding and, in Jira, changes the status of the ticket to `TEST FIX`.
1. Security Hub CSPM updates the finding as `ARCHIVED`, and a new event is generated. This event causes the Lambda function to automatically close the Jira ticket.
![\[An architecture diagram showing Jira and Security Hub integration when a developer fixes an issue.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/206b9907-c2a3-4142-90bf-d4eabee534c0/images/18d9a6ce-dd38-4d36-a95d-270fce776c30.png)
*Scenario 2: Developer decides to accept the risk*
1. Security Hub CSPM generates a finding against a specified security control, such as those in the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html).
1. A CloudWatch event associated with the finding and the `CreateJIRA` action initiates a Lambda function.
1. The Lambda function uses its configuration file and the finding's `GeneratorId` field to evaluate whether it should escalate the finding.
1. The Lambda function determines the finding should be escalated, it obtains the `SecurityContactID` account tag from AWS Organizations in the AWS management account. This ID is associated with the developer and is used as the assignee ID for the Jira ticket.
1. The Lambda function uses the credentials stored in Secrets Manager to create a ticket in Jira. Jira notifies the developer.
1. The developer decides to accept the risk and, in Jira, changes the status of the ticket to `AWAITING RISK ACCEPTANCE`.
1. The security engineer reviews the request and finds the business justification appropriate. The security engineer changes the status of the Jira ticket to `ACCEPTED RISK`. This closes the Jira ticket.
1. A CloudWatch daily event initiates the refresh Lambda function, which identifies closed Jira tickets and updates their related Security Hub CSPM findings as `SUPPRESSED`.
![\[An architecture diagram showing Jira and Security Hub integration when a developer accepts the risk of a finding.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/206b9907-c2a3-4142-90bf-d4eabee534c0/images/d5a2f946-9c79-4661-96c1-74c813cbf406.png)
## Tools
**AWS services**
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.
+ [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html) helps you monitor system events for your AWS resources by using rules to match events and route them to functions or streams.
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.
+ [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) helps you replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.
**Code repository**
The code for this pattern is available on GitHub, in the [aws-securityhub-jira-software-integration](https://github.com/aws-samples/aws-securityhub-jira-software-integration/) repository. It includes the sample code and Jira workflow for this solution.
## Epics
### Configure Jira
| Task | Description | Skills required |
| --- | --- | --- |
| Import the workflow. | As an administrator in Jira, import the `issue-workflow.xml` file to your Jira Data Center instance. If you use Jira Cloud, you need to create the workflow according to the `assets/jira-cloud-transitions.png` and `assets/jira-cloud-status.png` files. Files can be found in the [aws-securityhub-jira-software-integration](https://github.com/aws-samples/aws-securityhub-jira-software-integration/) repository in GitHub. For instructions, see [Using XML to create a workflow](https://confluence.atlassian.com/adminjiraserver/using-xml-to-create-a-workflow-938847525.html) (Jira documentation). | Jira administrator |
| Activate and assign the workflow. | Workflows are inactive until you assign them to a workflow scheme. You then assign the workflow scheme to a project.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/bidirectionally-integrate-aws-security-hub-with-jira-software.html) | Jira administrator |
### Set up the solution parameters
| Task | Description | Skills required |
| --- | --- | --- |
| Configure the solution parameters. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/bidirectionally-integrate-aws-security-hub-with-jira-software.html) | AWS systems administrator |
| Identify the findings you want to automate. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/bidirectionally-integrate-aws-security-hub-with-jira-software.html) | |
| Add the findings to the configuration file. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/bidirectionally-integrate-aws-security-hub-with-jira-software.html)The following code example shows automating the `aws-foundational-security-best-practices/v/1.0.0/SNS.1` and `aws-foundational-security-best-practices/v/1.0.0/S3.1` findings.{
"Controls" : {
"eu-west-1": [
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.22"
],
"default": [
aws-foundational-security-best-practices/v/1.0.0/SNS.1,
aws-foundational-security-best-practices/v/1.0.0/S3.1
]
}
}You can choose to automate different findings for each AWS Region. A good practice to help prevent duplicated findings is to select a single Region to automate creation of controls related to IAM. | AWS systems administrator |
### Deploy the integration
| Task | Description | Skills required |
| --- | --- | --- |
| Deploy the integration. | In a command line terminal, enter the following command:./deploy.sh prod| AWS systems administrator | | Upload Jira credentials to Secrets Manager. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/bidirectionally-integrate-aws-security-hub-with-jira-software.html) | AWS systems administrator | | Create the Security Hub CSPM custom action. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/bidirectionally-integrate-aws-security-hub-with-jira-software.html) | AWS systems administrator | ## Related resources + [AWS Service Management Connector for Jira Service Management](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-jiraservicedesk.html) + [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) ## Additional information **Example of a Jira ticket** When a specified Security Hub CSPM finding occurs, this solution automatically creates a Jira ticket. The ticket includes the following information: + **Title** – The title identifies the security issue in the following format: ``` AWS Security Issue ::
account_id = "Here’s a description of each variable:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/build-a-pipeline-for-hardened-container-images-using-ec2-image-builder-and-terraform.html) | AWS DevOps | | Initialize Terraform. | After you update your variable values, you can initialize the Terraform configuration directory. Initializing a configuration directory downloads and installs the AWS provider, which is defined in the configuration."
aws_region = "us-east-1"
vpc_name = "example-hardening-pipeline-vpc"
kms_key_alias = "image-builder-container-key"
ec2_iam_role_name = "example-hardening-instance-role"
hardening_pipeline_role_name = "example-hardening-pipeline-role"
aws_s3_ami_resources_bucket = "example-hardening-ami-resources-bucket-0123"
image_name = "example-hardening-al2-container-image"
ecr_name = "example-hardening-container-repo"
recipe_version = "1.0.0"
ebs_root_vol_size = 10
terraform initYou should see a message that says Terraform has been successfully initialized and identifies the version of the provider that was installed. | AWS DevOps | | Deploy the infrastructure and create a container image. | Use the following command to initialize, validate, and apply the Terraform modules to the environment by using the variables defined in your `.tfvars` file:
terraform init && terraform validate && terraform apply -var-file *.tfvars -auto-approve| AWS DevOps | | Customize the container. | You can create a new version of a container recipe after EC2 Image Builder deploys the pipeline and initial recipe.You can add any of the 31\$1 components available within EC2 Image Builder to customize the container build. For more information, see the *Components* section of [Create a new version of a container recipe](https://docs.aws.amazon.com/imagebuilder/latest/userguide/create-container-recipes.html) in the EC2 Image Builder documentation. | AWS administrator | ### Validate resources | Task | Description | Skills required | | --- | --- | --- | | Validate AWS infrastructure provisioning. | After you have successfully completed your first Terraform `apply` command, if you’re provisioning locally, you should see this snippet in your local machine’s terminal:
Apply complete! Resources: 43 added, 0 changed, 0 destroyed.| AWS DevOps | | Validate individual AWS infrastructure resources. | To validate the individual resources that were deployed, if you’re provisioning locally, you can run the following command:
terraform state listThis command returns a list of 43 resources. | AWS DevOps | ### Remove resources | Task | Description | Skills required | | --- | --- | --- | | Remove the infrastructure and container image. | When you’ve finished working with your Terraform configuration, you can run the following command to remove resources:
terraform init && terraform validate && terraform destroy -var-file *.tfvars -auto-approve| AWS DevOps | ## Troubleshooting | Issue | Solution | | --- | --- | | Error validating provider credentials | When you run the Terraform `apply` or `destroy` command from your local machine, you might encounter an error similar to the following:
Error: configuring Terraform AWS Provider: error validating providerThis error is caused by the expiration of the security token for the credentials used in your local machine’s configuration.To resolve the error, see [Set and view configuration settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-methods) in the AWS CLI documentation. | ## Related resources + [Terraform EC2 Image Builder Container Hardening Pipeline](https://github.com/aws-samples/terraform-ec2-image-builder-container-hardening-pipeline) (GitHub repository) + [EC2 Image Builder documentation](https://docs.aws.amazon.com/imagebuilder/latest/userguide/what-is-image-builder.html) + [AWS Control Tower Account Factory for Terraform](https://aws.amazon.com/blogs/aws/new-aws-control-tower-account-factory-for-terraform/) (AWS blog post) + [Backend state S3 bucket](https://developer.hashicorp.com/terraform/language/settings/backends/s3) (Terraform documentation) + [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) (AWS CLI documentation) + [Download Terraform](https://developer.hashicorp.com/terraform/downloads) # Centralize IAM access key management in AWS Organizations by using Terraform *Aarti Rajput, Chintamani Aphale, T.V.R.L.Phani Kumar Dadi, Pratap Kumar Nanda, Pradip kumar Pandey, and Mayuri Shinde, Amazon Web Services* ## Summary Enforcing security rules for keys and passwords is an** **essential task for every organization. One important rule is to rotate AWS Identity and Access Management (IAM) keys at regular intervals to enforce security. AWS access keys are generally created and configured locally whenever teams want to access AWS from the AWS Command Line Interface** **(AWS CLI) or from applications outside AWS. To maintain strong security across the organization, old security keys must be changed or deleted after the requirement has been met or at regular intervals. The process of managing key rotations across multiple accounts in an organization is time-consuming and tedious. This pattern helps you automate the rotation process by using Account Factory for Terraform (AFT) and AWS services. The pattern provides these benefits: + Manages your access key IDs and secret access keys across all the accounts in your organization from a central location. + Automatically rotates the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables. + Enforces renewal if user credentials are compromised. The pattern uses Terraform to deploy AWS Lambda functions, Amazon EventBridge rules, and IAM roles. An EventBridge rule runs at regular intervals and calls a Lambda function that lists all user access keys based on when they were created. Additional Lambda functions create a new access key ID and secret access key, if the previous key is older than the rotation period you define (for example, 45 days), and notify a security administrator by using Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Email Service (Amazon SES). Secrets are created in AWS Secrets Manager for that user, the old secret access key is stored in Secrets Manager, and permissions for accessing the old key are configured. To ensure that the old access key is no longer used, it is disabled after an inactive period (for example, 60 days, which would be 15 days after the keys were rotated in our example). After an inactive buffer period (for example, 90 days, or 45 days after the keys were rotated in our example), the old access keys are deleted from AWS Secrets Manager. For a detailed architecture and workflow, see the [Architecture](#centralize-iam-access-key-management-in-aws-organizations-by-using-terraform-architecture) section. ## Prerequisites and limitations + A landing zone for your organization that’s built by using [AWS Control Tower ](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html)(version 3.1 or later) + [Account Factory for Terraform (AFT)](https://catalog.workshops.aws/control-tower/en-US/customization/aft) configured with three accounts: + [Organization management account](https://catalog.workshops.aws/control-tower/en-US/customization/aft/repositories/global-customizations) manages the entire organization from a central location. + [AFT management account](https://catalog.workshops.aws/control-tower/en-US/customization/aft/repositories/account-customizations) hosts the Terraform pipeline and deploys the infrastructure into the deployment account. + [Deployment account](https://catalog.workshops.aws/control-tower/en-US/customization/aft/repositories/provisioning-customizations) deploys this complete solution and manages IAM keys from a central location. + Terraform version 0.15.0 or later for provisioning the infrastructure in the deployment account. + An email address that’s configured in [Amazon Simple Email Service (Amazon SES)](https://aws.amazon.com/ses/). + (Recommended) To enhance security, deploy this solution inside a [private subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) (deployment account) within a [virtual private cloud (VPC)](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest). You can provide the details of the VPC and subnet when you customize the variables (see *Customize parameters for the code pipeline* in the [Epics](#centralize-iam-access-key-management-in-aws-organizations-by-using-terraform-epics) section). ## Architecture **AFT repositories** This pattern uses Account Factory for Terraform (AFT) to create all required AWS resources and the code pipeline to deploy the resources in a deployment account. The code pipeline runs in two repositories: + **Global customization** contains Terraform code that will run across all accounts registered with AFT. + **Account customizations** contains Terraform code that will run in the deployment account. **Resource details** AWS CodePipeline jobs create the following resources in the deployment account: + AWS EventBridge rule and configured rule + `account-inventory` Lambda function + `IAM-access-key-rotation` Lambda function + `Notification` Lambda function + Amazon Simple Storage Service (Amazon S3) bucket that contains an email template + Required IAM policy **Architecture** ![\[Architecture for centralizing IAM access key management in AWS Organizations\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/0217275c-cb4c-4bdf-b105-ad9abfd4fded/images/844512f0-67b3-4d41-aaaa-fbd9e341c438.png) The diagram illustrates the following: 1. An EventBridge rule calls the `account-inventory` Lambda function every 24 hours. 1. The `account-inventory` Lambda function queries AWS Organizations for a list of all AWS account IDs, account names, and account emails. 1. The `account-inventory` Lambda function initiates an `IAM-access-key-auto-rotation` Lambda function for each AWS account and passes the metadata to it for additional processing. 1. The `IAM-access-key-auto-rotation` Lambda function uses an assumed IAM role to access the AWS account. The Lambda script runs an audit against all users and their IAM access keys in the account. 1. The IAM key rotation threshold (rotation period) is configured as an environment variable when the `IAM-access-key-auto-rotation` Lambda function is deployed. If the rotation period is modified, the `IAM-access-key-auto-rotation` Lambda function is redeployed with an updated environment variable. You can configure parameters to set the rotation period, the inactive period for old keys, and the inactive buffer after which old keys will be deleted (see *Customize parameters for the code pipeline* in the [Epics](#centralize-iam-access-key-management-in-aws-organizations-by-using-terraform-epics) section). 1. The `IAM-access-key-auto-rotation` Lambda function validates the age of the access key based on its configuration. If the IAM access key's age hasn’t exceeded the rotation period you defined, the Lambda function takes no further action. 1. If the IAM access key's age has exceeded the rotation period you defined, the `IAM-access-key-auto-rotation` Lambda function creates a new key and rotates the existing key. 1. The Lambda function saves the old key in Secrets Manager and limits permissions to the user whose access keys deviated from security standards. The Lambda function also creates a resource-based policy that allows only the specified IAM principal to access and retrieve the secret. 1. The `IAM-access-key-rotation` Lambda function calls the `Notification` Lambda function. 1. The `Notification` Lambda function queries the S3 bucket for an email template and dynamically generates email messages with the relevant activity metadata. 1. The `Notification` Lambda function calls Amazon SES for further action. 1. Amazon SES sends email to the account owner's email address with the relevant information. ## Tools **AWS services** + [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them. This patern requires IAM roles and permissions. + [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use. + [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) helps you replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. + [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/ses/latest/dg/Welcome.html) helps you send and receive emails by using your own email addresses and domains. **Other tools** + [Terraform](https://www.terraform.io/) is an infrastructure as code (IaC) tool from HashiCorp that helps you create and manage cloud and on-premises resources. **Code repository** The instructions and code for this pattern are available in the GitHub [IAM access key rotation](https://github.com/aws-samples/centralized-iam-key-management-aws-organizations-terraform.git) repository. You can deploy the code in the AWS Control Tower central deployment account to manage key rotation from a central location. ## Best practices + For IAM, see [security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the IAM documentation. + For key rotation, see [guidelines for updating access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials) in the IAM documentation. ## Epics ### Set up source files | Task | Description | Skills required | | --- | --- | --- | | Clone the repository. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralize-iam-access-key-management-in-aws-organizations-by-using-terraform.html) | DevOps engineer | ### Configure accounts | Task | Description | Skills required | | --- | --- | --- | | Configure the bootstrapping account. | As part of the [AFT bootstrapping](https://catalog.workshops.aws/control-tower/en-US/customization/aft/deploy) process, you should have a folder called `aft-bootstrap` on your local machine.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralize-iam-access-key-management-in-aws-organizations-by-using-terraform.html) | DevOps engineer | | Configure global customizations. | As part of the [AFT folder](https://catalog.workshops.aws/control-tower/en-US/customization/aft/repositories/global-customizations) setup, you should have a folder called `aft-global-customizations` on your local machine.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralize-iam-access-key-management-in-aws-organizations-by-using-terraform.html) | DevOps engineer | | Configure account customizations. | As part of the [AFT folder setup](https://catalog.workshops.aws/control-tower/en-US/customization/aft/repositories/account-customizations), you have be a folder called `aft-account-customizations` on your local machine.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralize-iam-access-key-management-in-aws-organizations-by-using-terraform.html) | DevOps engineer | ### Customize parameters for the code pipeline | Task | Description | Skills required | | --- | --- | --- | | Customize non-Terraform code pipeline parameters for all accounts. | Create a file called `input.auto.tfvars` in the `aft-global-customizations/terraform/` folder and provide the required input data. See [the file in the GitHub repository](https://github.com/aws-samples/centralized-iam-key-management-aws-organizations-terraform/blob/main/global-account-customization/input.auto.tfvars) for default values. | DevOps engineer | | Customize code pipeline parameters for the deployment account. | Create a file called `input.auto.tfvars` in the `aft-account-customizations/
credentials: error calling sts:GetCallerIdentity: operation error STS:
GetCallerIdentity, https response error StatusCode: 403, RequestID:
123456a9-fbc1-40ed-b8d8-513d0133ba7f, api error InvalidClientTokenId:
The security token included in the request is invalid.
git clone https://github.com/aws-samples/aws-control-tower-controls-cdk.git| DevOps engineer, General AWS | | Edit the AWS CDK configuration file. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation.html) | DevOps engineer, General AWS | ### Enable controls in the management account | Task | Description | Skills required | | --- | --- | --- | | Assume the IAM role in the deployment account. | In the deployment account, assume the IAM role that has permissions to deploy the AWS CDK stacks in the management account. For more information about assuming an IAM role in the AWS CLI, see [Use an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html). | DevOps engineer, General AWS | | Activate the environment. | If you are using Linux or MacOS:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation.html)If you are using Windows:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation.html) | DevOps engineer, General AWS | | Install the dependencies. | After the virtual environment is activated, enter the following command to run the **install\$1deps.sh** script. This script installs the required dependencies.
$ ./scripts/install_deps.sh| DevOps engineer, General AWS, Python | | Deploy the stack. | Enter the following commands to synthesize and deploy the CloudFormation stack.
$ npx cdk synth| DevOps engineer, General AWS, Python | ## Related resources **AWS documentation** + [About controls](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) (AWS Control Tower documentation) + [Controls library](https://docs.aws.amazon.com/controltower/latest/controlreference/controls-reference.html) (AWS Control Tower documentation) + [AWS CDK Toolkit commands](https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-commands) (AWS CDK documentation) + [Deploy and manage AWS Control Tower controls by using Terraform](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html) (AWS Prescriptive Guidance) **Other resources** + [Python](https://www.python.org/) ## Additional information **Example constants.py file** The following is an example of an updated **constants.py** file. This sample enables the **AWS-GR\$1DISALLOW\$1CROSS\$1REGION\$1NETWORKING** control (global ID: `dvuaav61i5cnfazfelmvn9m6k`) and the **AWS-GR\$1SUBNET\$1AUTO\$1ASSIGN\$1PUBLIC\$1IP\$1DISABLED** control (global ID: `50z1ot237wl8u1lv5ufau6qqo`). For a list of global IDs, see [All global identifiers](https://docs.aws.amazon.com/controltower/latest/controlreference/all-global-identifiers.html) in the AWS Control Tower documentation. ``` ACCOUNT_ID = 111122223333 AWS_CONTROL_TOWER_REGION = us-east-2 ROLE_ARN = "arn:aws:iam::111122223333:role/CT-Controls-Role" GUARDRAILS_CONFIGURATION = [ { "Enable-Control": { "dvuaav61i5cnfazfelmvn9m6k": { # AWS-GR_DISALLOW_CROSS_REGION_NETWORKING "Parameters": { "ExemptedPrincipalArns": ["arn:aws:iam::111122223333:role/RoleName"] }, "Tags": [{"key": "Environment", "value": "Production"}] }, ... }, "OrganizationalUnitIds": ["ou-1111-11111111", "ou-2222-22222222"...], }, { "Enable-Control": { "50z1ot237wl8u1lv5ufau6qqo", # AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED ... }, "OrganizationalUnitIds": ["ou-2222-22222222"...], }, ] ``` **IAM policy** The following sample policy allows the minimum actions required to enable or disable AWS Control Tower controls when deploying AWS CDK stacks from a deployment account to the management account. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "controltower:EnableControl", "controltower:DisableControl", "controltower:GetControlOperation", "controltower:ListEnabledControls", "organizations:AttachPolicy", "organizations:CreatePolicy", "organizations:DeletePolicy", "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DetachPolicy", "organizations:ListAccounts", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListChildren", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListPoliciesForTarget", "organizations:ListRoots", "organizations:UpdatePolicy", "ssm:GetParameters" ], "Resource": "*" } ] } ``` **Trust policy** The following custom trust policy allows a specific IAM role in the deployment account to assume the IAM role in the management account. Replace the following: + `
$ npx cdk deploy
git clone https://github.com/aws-samples/aws-control-tower-controls-terraform.git| DevOps engineer | | Edit the Terraform backend configuration file. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html) | DevOps engineer, Terraform | | Edit the Terraform provider configuration file. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html) | DevOps engineer, Terraform | | Edit the configuration file. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html) | DevOps engineer, General AWS, Terraform | | Assume the IAM role in the management account. | In the management account, assume the IAM role that has permissions to deploy the Terraform configuration file. For more information about the permissions required and a sample policy, see *Least privilege permissions for the IAM role* in the [Additional information](#deploy-and-manage-aws-control-tower-controls-by-using-terraform-additional) section. For more information about assuming an IAM role in the AWS CLI, see [Use an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html). | DevOps engineer, General AWS | | Deploy the configuration file. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html) | DevOps engineer, General AWS, Terraform | ### (Optional) Disable controls in the AWS Control Tower management account | Task | Description | Skills required | | --- | --- | --- | | Run the `destroy` command. | Enter the following command to remove the resources deployed by this pattern.
$ terraform destroy -var-file="variables.tfvars"| DevOps engineer, General AWS, Terraform | ## Troubleshooting | Issue | Solution | | --- | --- | | `Error: creating ControlTower Control ValidationException: Guardrail
git clone https://github.com/aws-samples/aws-waf-automation-terraform-samples.git| DevOps engineer | | Update the variables. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-the-security-automations-for-aws-waf-solution-by-using-terraform.html) | DevOps engineer | ### Provision the target architecture using Terraform | Task | Description | Skills required | | --- | --- | --- | | Initialize the Terraform configuration. | Enter the following command to initialize your working directory that contains the Terraform configuration files:
terraform init| DevOps engineer | | Preview the Terraform plan. | Enter the following command. Terraform evaluates the configuration files to determine the target state for the declared resources. It then compares the target state against the current state and creates a plan:
terraform plan -var-file="testing.tfvars"| DevOps engineer | | Verify the plan. | Review the plan and confirm that it configures the required architecture in your target AWS account. | DevOps engineer | | Deploy the solution. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-the-security-automations-for-aws-waf-solution-by-using-terraform.html) | DevOps engineer | ### Validate and clean up | Task | Description | Skills required | | --- | --- | --- | | Verify the changes. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-the-security-automations-for-aws-waf-solution-by-using-terraform.html) | DevOps engineer | | (Optional) Clean up the infrastructure. | If you want to remove all resources and configuration changes made by this solution, do the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-the-security-automations-for-aws-waf-solution-by-using-terraform.html) | DevOps engineer | ## Troubleshooting | Issue | Solution | | --- | --- | | `WAFV2 IPSet: WAFOptimisticLockException` error | If you** **receive this error when you run the `terraform destroy` command, you must manually delete the IP sets. For instructions, see [Deleting an IP set](https://docs.aws.amazon.com/waf/latest/developerguide/waf-ip-set-deleting.html) (AWS WAF documentation). | ## Related resources **AWS references** + [Security Automations for AWS WAF Implementation Guide](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/welcome.html) + [Security Automations for AWS WAF](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf/) (AWS Solutions Library) + [Security Automations for AWS WAF FAQ](https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf/resources/#FAQ) **Terraform references** + [Terraform backend configuration](https://developer.hashicorp.com/terraform/language/backend) + [Terraform AWS Provider - Documentation and Usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) + [Terraform AWS Provider](https://github.com/hashicorp/terraform-provider-aws) (GitHub repository) # Deploy a pipeline that simultaneously detects security issues in multiple code deliverables *Benjamin Morris, Tim Hahn, Sapeksh Madan, Dina Odum, and Isaiah Schisler, Amazon Web Services* ## Summary The [Simple Code Scanning Pipeline (SCSP)](https://github.com/awslabs/simple-code-scanning-pipeline) provides two-click creation of a code analysis pipeline that runs industry-standard open-source security tools in parallel. This enables developers to check the quality and security of their code without having to install tools or even understand how to run them. This helps you reduce vulnerabilities and misconfigurations in code deliverables. It also reduces the amount of time your organization spends installing, researching, and configuring security tools. Before SCSP, scanning code using this particular suite of tools required developers to locate, manually install, and configure the software analysis tools. Even locally installed, all-in-one tools, such as Automated Security Helper (ASH), require configuring a Docker container in order to run. However, with SCSP, a suite of industry-standard code analysis tools runs automatically in the AWS Cloud. With this solution, you use Git to push your code deliverables, and then you receive a visual output with at-a-glance insights into which security checks failed. ## Prerequisites and limitations + An active AWS account + One or more code deliverables that you want to scan for security issues + AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) + Python version 3.0 or later and pip version 9.0.3 or later, [installed](https://www.python.org/downloads/windows/) + Git, [installed](https://github.com/git-guides/install-git) + Install [git-remote-codecommit](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html#setting-up-git-remote-codecommit-install) on your local workstation ## Architecture **Target technology stack** + AWS CodeCommit repository + AWS CodeBuild project + AWS CodePipeline pipeline + Amazon Simple Storage Service (Amazon S3) bucket + AWS CloudFormation template **Target architecture** The SCSP for static code analysis is a DevOps project designed to give security feedback on deliverable code. ![\[The SCSP performing code analysis in an AWS Region.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/61fe4f99-7dfc-48a8-90e4-a25253cc140d/images/fbc13150-0970-48d6-87bc-84dfaed90d4b.png) 1. In the AWS Management Console, log into the target AWS account. Confirm that you are in the AWS Region where you want to deploy the pipeline. 1. Use the CloudFormation template in the code repository to deploy the SCSP stack. This creates a new CodeCommit repository and CodeBuild project. **Note** As an alternative deployment option, you can use an existing CodeCommit repo by providing the Amazon Resource Name (ARN) of the repository as a parameter during stack deployment. 1. Clone the repository to your local workstation, and then add any files to their respective folders in the cloned repository. 1. Use Git to add, commit, and push the files to the CodeCommit repository. 1. Pushing to the CodeCommit repository initiates a CodeBuild job. The CodeBuild project uses the security tools to scan the code deliverables. 1. Review the output of the pipeline. Security tools that found error-level issues will result in failed actions in the pipeline. Fix these errors or suppress them as false positives. Review details of the tool output in the **Action details** in CodePipeline or in the pipeline’s S3 bucket. ## Tools **AWS services** + [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions. + [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/welcome.html) is a fully managed build service that helps you compile source code, run unit tests, and produce artifacts that are ready to deploy. + [AWS CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html) is a version control service that helps you privately store and manage Git repositories, without needing to manage your own source control system. **Other tools** For a complete list of tools that SCSP uses to scan code deliverables, see the [SCSP readme](https://github.com/awslabs/simple-code-scanning-pipeline/blob/main/README.md) in GitHub. **Code repository** The code for this pattern is available in the [Simple Code Scanning Pipeline (SCSP)](https://github.com/awslabs/simple-code-scanning-pipeline) repository in GitHub. ## Epics ### Deploy the SCSP | Task | Description | Skills required | | --- | --- | --- | | Create the CloudFormation stack. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-pipeline-that-simultaneously-detects-security-issues-in-multiple-code-deliverables.html)This creates a CodeCommit repository, a CodePipeline pipeline, several CodeBuild job definitions, and an S3 bucket. Build runs and scanning results are copied into this bucket. After the CloudFormation stack has been completely deployed, SCSP is ready to use. | AWS DevOps, AWS administrator | ### Use the pipeline | Task | Description | Skills required | | --- | --- | --- | | Examine the results of the scan. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-pipeline-that-simultaneously-detects-security-issues-in-multiple-code-deliverables.html) | App developer, AWS DevOps | ## Troubleshooting | Issue | Solution | | --- | --- | | HashiCorp Terraform or AWS CloudFormation files aren’t being scanned. | Make sure that Terraform (.tf) and CloudFormation (.yml, .yaml, or .json) files are placed in the appropriate folders in the cloned CodeCommit repository. | | The `git clone` command is failing. | Make sure that you have installed `git-remote-codecommit` and that your CLI has access to AWS credentials that have permissions to read the CodeCommit repository. | | A concurrency error, such as `Project-level concurrent build limit cannot exceed the account-level concurrent build limit of 1`. | Rerun the pipeline by choosing the **Release Change** button in the [CodePipeline console](https://console.aws.amazon.com/codesuite/codepipeline/home). This is a known issue that seems to be most common during the first few times that the pipeline runs. | ## Related resources [Provide feedback](https://github.com/awslabs/simple-code-scanning-pipeline/issues) on the SCSP project. ## Additional information **FAQ** *Is the SCSP project the same as Automated Security Helper (ASH)?* No. Use ASH when you want a CLI tool that runs code-scanning tools by using containers. [Automated Security Helper (ASH)](https://github.com/awslabs/automated-security-helper) is a tool that is designed to reduce the probability of a security violation in new code, infrastructure, or IAM resource configuration. ASH is a command-line utility that can be run locally. Local use requires a container environment be installed and operational on the system. Use SCSP when you want an easier setup pipeline than ASH. SCSP requires no local installations. SCSP is designed to run checks individually in a pipeline and display results by tool. SCSP also avoids a lot of the overhead with setting up Docker, and it is operating system (OS) agnostic. *Is SCSP just for security teams?* No, anyone can deploy the pipeline to determine which parts of their code are failing security checks. For example, non-security users can use SCSP to check their code before reviewing with their security teams. *Can I use SCSP if I’m working with another type of repository, such as GitLab, GitHub, or Bitbucket?* You can configure a local git repository to point to two different remote repositories. For example, you could clone an existing GitLab repository, create a SCSP instance (specifying CloudFormation, Terraform, and AWS Config Rules Development Kit (AWS RDK) folders, if needed), and then use `git remote add upstream
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
} | AWS administrator |
| Create and attach the SCP. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-preventative-attribute-based-access-controls-for-public-subnets.html) | AWS administrator |
### Test the SCP
| Task | Description | Skills required |
| --- | --- | --- |
| Create a VPC or subnet. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-preventative-attribute-based-access-controls-for-public-subnets.html) | AWS administrator |
| Manage tags. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-preventative-attribute-based-access-controls-for-public-subnets.html) | AWS administrator |
| Deploy resources in the target subnets. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-preventative-attribute-based-access-controls-for-public-subnets.html) | AWS administrator |
| Manage the AutomationAdminRole role. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-preventative-attribute-based-access-controls-for-public-subnets.html) | AWS administrator |
### Clean up
| Task | Description | Skills required |
| --- | --- | --- |
| Clean up deployed resources. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-preventative-attribute-based-access-controls-for-public-subnets.html) | AWS administrator |
## Related resources
**AWS documentation**
+ [Attaching and detaching SCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html)
+ [Creating, updating, and deleting SCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html)
+ [Deploy detective attribute-based access controls for public subnets by using AWS Config](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-detective-attribute-based-access-controls-for-public-subnets-by-using-aws-config.html)
+ [Detective controls](https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/detective-controls.html)
+ [Service authorization reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html)
+ [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
+ [What is ABAC for AWS?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html)
**Additional AWS references**
+ [Securing resource tags used for authorization using a Service Control Policy in AWS Organizations](https://aws.amazon.com/es/blogs/security/securing-resource-tags-used-for-authorization-using-service-control-policy-in-aws-organizations/) (AWS blog post)
## Additional information
The following service control policy is an example that you can use to test this approach in your organization.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyVPCActions",
"Effect": "Deny",
"Action": [
"ec2:CreateVPC",
"ec2:CreateRoute",
"ec2:CreateSubnet",
"ec2:CreateInternetGateway",
"ec2:DeleteVPC",
"ec2:DeleteRoute",
"ec2:DeleteSubnet",
"ec2:DeleteInternetGateway"
],
"Resource": [
"arn:aws:ec2:*:*:*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalARN": ["arn:aws:iam::*:role/AutomationAdminRole"]
}
}
},
{
"Sid": "AllowNATGWOnIFASubnet",
"Effect": "Deny",
"NotAction": [
"ec2:CreateNatGateway",
"ec2:DeleteNatGateway"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition": {
"ForAnyValue:StringEqualsIfExists": {
"aws:ResourceTag/SubnetType": "IFA"
},
"StringNotLike": {
"aws:PrincipalARN": ["arn:aws:iam::*:role/AutomationAdminRole"]
}
}
},
{
"Sid": "DenyChangesToAdminRole",
"Effect": "Deny",
"NotAction": [
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoleTags"
],
"Resource": [
"arn:aws:iam::*:role/AutomationAdminRole"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalARN": ["arn:aws:iam::*:role/AutomationAdminRole"]
}
}
}
]
}
```
# Detect Amazon RDS and Aurora database instances that have expiring CA certificates
*Stephen DiCato and Eugene Shifer, Amazon Web Services*
## Summary
As a security best practice, it is recommended that you encrypt data in transit between application servers and relational databases. You can use SSL or TLS to encrypt a connection to a database (DB) instance or cluster. These protocols help provide confidentiality, integrity, and authenticity between an application and database. The database uses a server certificate, which is issued by a [certificate authority (CA)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities) and is used to perform server identity verification. SSL or TLS verifies the authenticity of the certificate by validating its digital signature and ensuring it is not expired.
In the AWS Management Console, [Amazon Relational Database Service (Amazon RDS)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html) and [Amazon Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html) provide notifications about DB instances that require certificate updates. However, to check for these notifications, you must log into each AWS account and navigate to the service console in each AWS Region. This task becomes more complex if you need to assess certificate validity across many AWS accounts that are managed as an organization in [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).
By provisioning the infrastructure as code (IaC) provided in this pattern, you can detect expiring CA certificates for all Amazon RDS and Aurora DB instances in your AWS account or AWS organization. The [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) template provisions an AWS Config rule, an AWS Lambda function, and the necessary permissions. You can deploy it into a single account as a [stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html), or you can deploy it across the entire AWS organization as a [stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html).
## Prerequisites and limitations
**Prerequisites**
+ An active AWS account
+ If you're deploying into a single AWS account:
+ Ensure that you have [permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) to create CloudFormation stacks.
+ [Enable](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) AWS Config in the target account.
+ (Optional) [Enable](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-manual-setup-overview) AWS Security Hub CSPM in the target account.
+ If you're deploying into an AWS organization:
+ Ensure that you have [permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) to create CloudFormation stack sets.
+ [Enable](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html#securityhub-orgs-setup-overview) Security Hub CSPM with AWS Organizations integration.
+ [Enable](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) AWS Config in the accounts where you are deploying this solution.
+ Designate an AWS account to be the delegated administrator for AWS Config and Security Hub CSPM.
**Limitations**
+ If you're deploying to an individual account that doesn't have Security Hub CSPM enabled, you can use AWS Config to evaluate the findings.
+ If you're deploying to an organization that doesn't have a delegated administrator for AWS Config and Security Hub CSPM, you must log into the individual member accounts to view the findings.
+ If you use AWS Control Tower to manage and govern the accounts in your organization, deploy the IaC in this pattern by using [Customizations for AWS Control Tower (CfCT)](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html). Using the CloudFormation console will create configuration drift from AWS Control Tower guardrails and require that you re-enroll the organizational units (OUs) or managed accounts.
+ Some AWS services aren’t available in all AWS Regions. For Region availability, see the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html) page, and choose the link for the service.
## Architecture
**Deploying into an individual AWS account**
The following architecture diagram shows the deployment of the AWS resources within a single AWS account. It's implemented by using a CloudFormation template directly through the CloudFormation console. If Security Hub CSPM is enabled, you can view the results in either AWS Config or Security Hub CSPM. If Security Hub CSPM is not enabled, you can view the results only in the AWS Config console.
![\[Deployment of the provided CloudFormation template in a single account.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/d34fe1f1-6764-4485-b7a7-04e5861f1e9b/images/0b07133a-d4f8-4d87-8d00-2b5e2c453ece.png)
The diagram shows the following steps:
1. You create a CloudFormation stack. This deploys a Lambda function and an AWS Config rule. Both the rule and function are set up with the AWS Identity and Access Management (IAM) permissions required to publish resource evaluations in AWS Config and logs.
1. The AWS Config rule operates in [detective evaluation mode](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html#aws-config-rules-evaluation-modes) and runs every 24 hours.
1. Security Hub CSPM receives all AWS Config findings.
1. You can view the findings in Security Hub CSPM or in AWS Config, depending on the account's configuration.
**Deploying into an AWS organization**
The following diagram shows the assessment of certificate expiration across multiple accounts that are managed through AWS Organizations and AWS Control Tower. You deploy the CloudFormation template through CfCT. The assessment outcomes are centralized in Security Hub CSPM in the delegated administrator account. The AWS CodePipeline workflow depicted in the diagram shows the background steps that occur during CfCT deployment.
![\[Deployment of the provided CloudFormation template to multiple accounts in an AWS Organization.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/d34fe1f1-6764-4485-b7a7-04e5861f1e9b/images/8d870cbb-54cf-43ec-96f2-00730e0134af.png)
The diagram shows the following steps:
1. Depending on the configuration for CfCT, in the management account, you push the IaC to an AWS CodeCommit repository or you upload a compressed (ZIP) file of the IaC to an Amazon Simple Storage Service (Amazon S3) bucket.
1. The CfCT pipeline unzips the file, runs [cfn-nag](https://github.com/stelligent/cfn_nag) (GitHub) checks, and deploys it as a CloudFormation stack set.
1. Depending on the configuration specified in the CfCT manifest file, CloudFormation StackSets deploys stacks into individual accounts or specified OUs. This deploys a Lambda function and an AWS Config rule in the target accounts. Both the rule and function are set up with the IAM permissions required to publish resource evaluations in AWS Config and logs.
1. The AWS Config rule operates in [detective evaluation mode](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html#aws-config-rules-evaluation-modes) and runs every 24 hours.
1. AWS Config forwards all findings to Security Hub CSPM.
1. Security Hub CSPM findings are aggregated in the delegated administrator account.
1. You can view the findings in Security Hub CSPM in the delegated administrator account.
## Tools
**AWS services**
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.
+ [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) provides a detailed view of the resources in your AWS account and how they’re configured. It helps you identify how resources are related to one another and how their configurations have changed over time. An AWS Config [rule](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) defines your ideal configuration settings for a resource, and AWS Config can evaluate whether your AWS resources comply with the conditions in your rules.
+ [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) helps you set up and govern an AWS multi-account environment, following prescriptive best practices. [Customizations for AWS Control Tower (CfCT)](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html) helps you customize your AWS Control Tower landing zone and stay aligned with AWS best practices. Customizations are implemented with CloudFormation templates and service control policies (SCPs).
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.
**Other tools**
+ [Python](https://www.python.org/) is a general-purpose computer programming language.
**Code repository**
The code for this pattern is available in the GitHub [Detect Amazon RDS instances with expiring CA certificates](https://github.com/aws-samples/config-rds-ca-expiry) repository.
## Best practices
We recommend that you adhere to the best practices in the following resources:
+ [Best Practices for Organizational Units with AWS Organizations](https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/) (AWS Cloud Operations & Migrations Blog)
+ [Guidance for Establishing an Initial Foundation using AWS Control Tower on AWS](https://aws.amazon.com/solutions/guidance/establishing-an-initial-foundation-using-control-tower-on-aws/) (AWS Solutions Library)
+ [Guidance for creating and modifying AWS Control Tower resources](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-guidance.html) (AWS Control Tower documentation)
+ [CfCT deployment considerations ](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-considerations.html)(AWS Control Tower documentation)
## Epics
### Review the solution and code
| Task | Description | Skills required |
| --- | --- | --- |
| Determine your deployment strategy. | Review the solution and code to determine how you will deploy it into your AWS environment. Determine if you will be deploying into a single account or an AWS organization. | App owner, General AWS |
| Clone the repository. | Enter the following command to clone the [Detect Amazon RDS instances with expiring CA certificates](https://github.com/aws-samples/config-rds-ca-expiry) repository.git clone https://github.com/aws-samples/config-rds-ca-expiry.git| App developer, App owner | | Validate the Python version. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/detect-rds-instances-expiring-certificates.html) | App developer, App owner | ### Deploy the solution | Task | Description | Skills required | | --- | --- | --- | | Deploy the CloudFormation template. | Deploy the CloudFormation template to your AWS environment. Do one of the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/detect-rds-instances-expiring-certificates.html) | App developer, AWS administrator, General AWS | | Verify the deployment. | In the [CloudFormation console](https://console.aws.amazon.com/cloudformation/), verify that the stack or stack set has deployed successfully. | AWS administrator, App owner | ### Review the findings | Task | Description | Skills required | | --- | --- | --- | | View the AWS Config rule findings. | In Security Hub CSPM, do the following to view a list of individual findings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/detect-rds-instances-expiring-certificates.html)In Security Hub CSPM, do the following to view a list of total findings grouped by AWS account:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/detect-rds-instances-expiring-certificates.html)In AWS Config, to view a list of findings, follow the instructions in [Viewing Compliance Information and Evaluation Results](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html#evaluate-config_view-compliance-console) in the AWS Config documentation. | AWS administrator, AWS systems administrator, Cloud administrator | ## Troubleshooting | Issue | Solution | | --- | --- | | CloudFormation stack set creation or deletion fails | When AWS Control Tower is deployed, it enforces necessary guardrails and assumes control over AWS Config aggregators and rules. This includes preventing any direct alterations through CloudFormation. To properly deploy or remove this CloudFormation template, including all associated resources, you must use CfCT. | | CfCT fails to delete the CloudFormation template | If the CloudFormation template persists even after making necessary changes in the manifest file and removing the template files, confirm that the manifest file contains the `enable_stack_set_deletion` parameter and that the value is set to `false`. For more information, see [Delete a stack set](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-delete-stack.html) in the CfCT documentation. | ## Related resources + [Using SSL/TLS to encrypt a connection to a DB instance or cluster](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) (Amazon RDS documentation) + [AWS Config Custom Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html) (AWS Config documentation) # Dynamically generate an IAM policy with IAM Access Analyzer by using Step Functions *Thomas Scott, Koen van Blijderveen, Adil El Kanabi, and Rafal Pawlaszek, Amazon Web Services* ## Summary *Least-privilege* is the security best practice of granting the minimum permissions required to perform a task. Implementing least-privilege access in an already active Amazon Web Services (AWS) account can be challenging because you don’t want to unintentionally block users from performing their job duties by changing their permissions. Before you can implement AWS Identity and Access Management (IAM) policy changes, you need to understand the actions and resources the account users are performing. This pattern is designed to help you apply the principle of least-privilege access, without blocking or slowing down team productivity. It describes how to use IAM Access Analyzer and AWS Step Functions to dynamically generate an up-to-date IAM policy for your role, based on the actions that are currently being performed in the account. The new policy is designed to permit the current activity but remove any unnecessary, elevated privileges. You can customize the generated policy by defining allow and deny rules, and the solution integrates your custom rules. This pattern includes options for implementing the solution with AWS Cloud Development Kit (AWS CDK) or HashiCorp CDK for Terraform (CDKTF). You can then associate the new policy to the role by using a continuous integration and continuous delivery (CI/CD) pipeline. If you have a multi-account architecture, you can deploy this solution in any account where you want to generate updated IAM policies for the roles, increasing the security of your entire AWS Cloud environment. ## Prerequisites and limitations **Prerequisites** + An active AWS account with a AWS CloudTrail trail enabled. + IAM permissions for the following: + Create and deploy Step Functions workflows. For more information, see [Actions, resources, and condition keys for AWS Step Functions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html) (Step Functions documentation). + Create AWS Lambda functions. For more information, see [Execution role and user permissions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions) (Lambda documentation). + Create IAM roles. For more information, see [Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) (IAM documentation). + npm installed. For more information, see [Downloading and installing Node.js and npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) (npm documentation). + If you are deploying this solution with AWS CDK (Option 1): + AWS CDK Toolkit, installed and configured. For more information, see [Install the AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html#getting_started_install) (AWS CDK documentation). + If you are deploying this solution with CDKTF (Option 2): + CDKTF, installed and configured. For more information, see [Install CDK for Terraform](https://learn.hashicorp.com/tutorials/terraform/cdktf-install?in=terraform/cdktf) (CDKTF documentation). + Terraform, installed and configured. For more information, see [Get Started](https://learn.hashicorp.com/collections/terraform/aws-get-started?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) (Terraform documentation). + AWS Command Line Interface (AWS CLI) locally installed and configured for your AWS account. For more information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) (AWS CLI documentation). **Limitations** + This pattern does not apply the new IAM policy to the role. At the end of this solution, the new IAM policy is stored in an AWS CodeCommit repository. You can use a CI/CD pipeline to apply policies to the roles in your account. ## Architecture **Target architecture ** ![\[The Step Functions workflow generating a new policy and storing it in CodeCommit.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/cb9ee0c9-3fe0-43d9-9dd2-1aedb705c78f/images/eb13a5db-f803-40b1-9a8c-4ef13d584cd4.png) 1. A regularly scheduled Amazon EventBridge event rule starts a Step Functions workflow. You define this regeneration schedule as part of setting up this solution. 1. In the Step Functions workflow, a Lambda function generates the date ranges to use when analyzing account activity in the CloudTrail logs. 1. The next workflow step calls the IAM Access Analyzer API to start generating the policy. 1. Using the Amazon Resource Name (ARN) of the role you specify during set up, IAM Access Analyzer analyzes the CloudTrail logs for activity within the specified date rate. Based on the activity, IAM Access Analyzer generates an IAM policy that permits only the actions and services used by the role during the specified date range. When this step is complete, this step generates a job ID. 1. The next workflow step checks for the job ID every 30 seconds. When the job ID is detected, this step uses the job ID to call the IAM Access Analyzer API and retrieve the new IAM policy. IAM Access Analyzer returns the policy as a JSON file. 1. The next workflow step puts the **
git clone https://github.com/aws-samples/automated-iam-access-analyzer.git| App developer | | Install Lerna. | The following command installs Lerna.
npm i -g lerna| App developer | | Set up the dependencies. | The following command installs the dependencies for the repository.
cd automated-iam-access-analyzer/| App developer | | Build the code. | The following command tests, builds, and prepares the zip packages of the Lambda functions.
npm install && npm run bootstrap
npm run test:code| App developer | | Build the constructs. | The following command builds the infrastructure synthesizing applications, for both AWS CDK and CDKTF.
npm run build:code
npm run pack:code
npm run build:infra| | | Configure any custom permissions. | In the **repo** folder of the cloned repository, edit the **allow.json** and **deny.json** files to define any custom permissions for the role. If the **allow.json** and **deny.json** files contain the same permission, the deny permission is applied. | AWS administrator, App developer | ### Option 1 – Deploy the solution using AWS CDK | Task | Description | Skills required | | --- | --- | --- | | Deploy the AWS CDK stack. | The following command deploys the infrastructure through AWS CloudFormation. Define the following parameters:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/dynamically-generate-an-iam-policy-with-iam-access-analyzer-by-using-step-functions.html)
cd infra/cdkThe square brackets denote optional parameters. | App developer | | (Optional) Wait for the new policy. | If the trail does not contain a reasonable amount of historical activity for the role, wait until you are confident that there is enough logged activity for IAM Access Analyzer to generate an accurate policy. If the role has been active in the account for a sufficient period of time, this waiting period might not be necessary. | AWS administrator | | Manually review the generated policy. | In your CodeCommit repository, review the generated **
cdk deploy —-parameters roleArn=\
—-parameters trailArn=\
--parameters schedule=\
[ --parameters trailLookBack=]
lerna exec cdktf synth --scope @aiaa/tfm| App developer | | Deploy the Terraform template. | The following command navigates to the directory that contains the CDKTF-defined infrastructure.
cd infra/cdktfThe following command deploys the infrastructure in the target AWS account. Define the following parameters:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/dynamically-generate-an-iam-policy-with-iam-access-analyzer-by-using-step-functions.html)
TF_VAR_accountId=The square brackets denote optional parameters. | App developer | | (Optional) Wait for the new policy. | If the trail does not contain a reasonable amount of historical activity for the role, wait until you are confident that there is enough logged activity for IAM Access Analyzer to generate an accurate policy. If the role has been active in the account for a sufficient period of time, this waiting period might not be necessary. | AWS administrator | | Manually review the generated policy. | In your CodeCommit repository, review the generated **\
TF_VAR_region=\
TF_VAR_roleArns=\
TF_VAR_trailArn=\
TF_VAR_schedule=\
[ TF_VAR_trailLookBack=] \ cdktf deploy
USE [master]| Developer, DBA | ### Create the database encryption key | Task | Description | Skills required | | --- | --- | --- | | Connect to the Amazon RDS for SQL Server DB instance using SSMS. | For instructions, see [Using SSMS](https://docs.microsoft.com/en-us/sql/ssms/sql-server-management-studio-ssms) in the Microsoft documentation. | Developer, DBA | | Create the database encryption key by using the default certificate. | Create a database encryption key by using the default certificate name you got earlier. Use the following T-SQL query to create a database encryption key. You can specify the AES\$1256 algorithm instead of AES\$1128.
GO
SELECT name FROM sys.certificates WHERE name LIKE 'RDSTDECertificate%'
GO
USE [Databasename]| Developer, DBA | | Enable the encryption on the database. | Use the following T-SQL query to enable database encryption.
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE [certificatename]
GO
ALTER DATABASE [Database Name]| Developer, DBA | | Check the status of encryption. | Use the following T-SQL query to check the status of encryption.
SET ENCRYPTION ON
GO
SELECT DB_NAME(database_id) AS DatabaseName, encryption_state, percent_complete FROM sys.dm_database_encryption_keys| Developer, DBA | ## Related resources + [Support for Transparent Data Encryption in SQL Server](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.SQLServer.Options.TDE.html) (Amazon RDS documentation) + [Working with Option Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithOptionGroups.html) (Amazon RDS documentation) + [Modifying an Amazon RDS DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) (Amazon RDS documentation) + [Transparent Data Encryption for SQL Server](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption) (Microsoft documentation) + [Using SSMS](https://docs.microsoft.com/en-us/sql/ssms/sql-server-management-studio-ssms) (Microsoft documentation) # Monitor and remediate scheduled deletion of AWS KMS keys *Mikesh Khanal and Ramya Pulipaka, Amazon Web Services* ## Summary On the Amazon Web Services (AWS) Cloud, deleting an AWS Key Management Services (AWS KMS) key can result in data loss. Deletion removes the key material and all metadata associated with the AWS KMS key, and it is irreversible. After an AWS KMS key is deleted, you can no longer decrypt the data that were encrypted under that AWS KMS key, so that data cannot be recovered. This pattern sets up monitoring, with notifications when an application or a user schedules an AWS KMS key for deletion. If you receive a notification, you might want to cancel deletion of the AWS KMS key and reconsider your decision to delete it. The pattern uses the AWS Systems Manager automation runbook [AWSConfigRemediation-CancelKeyDeletion](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-cancel-key-deletion.html) to facilitate canceling the deletion of an AWS KMS key. **Note** The pattern's CloudFormation template must be deployed in all AWS Regions where you want to monitor deletion of AWS KMS keys. ## Prerequisites and limitations **Prerequisites ** + An active AWS account + Understanding of the following AWS services: + Amazon EventBridge + AWS KMS + Amazon Simple Notification Service (Amazon SNS) + AWS Systems Manager **Limitations ** + Any customization of the solution requires knowledge of AWS CloudFormation templates and the AWS services used in this pattern. + Currently, this solution uses the default event bus, and it can be customized according to the requirements. For more information about the custom event bus, see the [AWS documentation](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-bus.html). ## Architecture **Target technology stack ** + Amazon EventBridge + AWS KMS + Amazon SNS + AWS Systems Manager + Automation using the following: + AWS Command Line Interface (AWS CLI) or AWS SDK + AWS CloudFormation stack **Target architecture ** ![\[Diagram of the five steps of the monitoring, alerting, and remediation process.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/56927ebc-bbf7-49cc-9ad2-b2e0dff1201c/images/32537a66-037a-45a1-af19-3bc7bc26eaa6.png) 1. Deletion of an AWS KMS key is scheduled. 1. The scheduled-deletion event is evaluated by an EventBridge rule. 1. The EventBridge rule engages the Amazon SNS topic. 1. The EventBridge rule initiates the Systems Manager automation and runbooks. 1. The runbooks cancel the deletion. **Automation and scale** The CloudFormation stack deploys all the necessary resources and services for this solution to work. The pattern can be run independently in a single account or run using AWS CloudFormation StackSets for multiple independent accounts or an organization. ``` aws cloudformation create-stack --stack-name
aws cloudformation create-stack --stack-nameIn the next step, enter values for the template parameters. | Developer, Security engineer | | Complete the template parameters. | Enter the required values for the parameters.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-and-remediate-scheduled-deletion-of-aws-kms-keys.html) | Developer, Security engineer | ### Confirm the subscription | Task | Description | Skills required | | --- | --- | --- | | Confirm the subscription. | Check your email inbox and choose **Confirm subscription** in the email message that you receive from Amazon SNS. A web browser window will open and display a subscription confirmation and your subscription ID. | Developer, Security engineer | ## Related resources **References** + [Creating a rule for an AWS service](https://docs.aws.amazon.com/eventbridge/latest/userguide/create-eventbridge-rule.html) + [Creating an Amazon CloudWatch alarm to detect usage of an AWS KMS key that is pending deletion](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html) **Tutorials and videos ** + [How to get started with Amazon EventBridge](https://www.youtube.com/watch?v=ea9SCYDJIm4) + [Deep dive on Amazon EventBridge](https://www.youtube.com/watch?v=28B4L1fnnGM) (AWS Online Tech Talks) **AWS workshop ** + [Working with EventBridge rules](https://event-driven-architecture.workshop.aws/2-event-bridge/2-rules/rules.html) ## Additional information The following code provides examples for extending the solution to monitor and notify you of any changes in any AWS service. The examples include predefined patterns and custom patterns. For more information, see [Events and event patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html). ``` EventPattern: source: - aws.kms detail-type: - AWS API Call via CloudTrail detail: eventSource: - kms.amazonaws.com eventName: - ScheduleKeyDeletion ``` ## Attachments To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/56927ebc-bbf7-49cc-9ad2-b2e0dff1201c/attachments/attachment.zip) # Identify public Amazon S3 buckets in AWS Organizations by using Security Hub CSPM *Mourad Cherfaoui, Arun Chandapillai, and Parag Nagwekar, Amazon Web Services* ## Summary This pattern shows you how to build a mechanism for identifying public Amazon Simple Storage Service (Amazon S3) buckets in your AWS Organizations accounts. The mechanism works by using controls from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) in AWS Security Hub CSPM to monitor Amazon S3 buckets. You can use Amazon EventBridge to process Security Hub CSPM [findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html), and then post these findings to an Amazon Simple Notification Service (Amazon SNS) topic. Stakeholders in your organization can subscribe to the topic and get immediate email notifications about the findings. New Amazon S3 buckets and their objects don't allow public access by default. You can use this pattern in scenarios where you must modify default Amazon S3 configurations based on your organization's requirements. For example, this could be a scenario where you have an Amazon S3 bucket that hosts a public-facing website or files that everyone on the internet must be able to read from your Amazon S3 bucket. Security Hub CSPM is often deployed as a central service to consolidate all security findings, including those related to security standards and compliance requirements. There are other AWS services that you can use to detect public Amazon S3 buckets, but this pattern uses an existing Security Hub CSPM deployment with minimal configuration. ## Prerequisites and limitations **Prerequisites** + An AWS multi-account setup with a dedicated [Security Hub CSPM administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) + Security Hub CSPM and AWS Config, enabled in the AWS Region that you want to monitor **Note** You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html) in Security Hub CSPM if you want to monitor multiple Regions from a single aggregation Region. + User permissions for accessing and updating the Security Hub CSPM administrator account, read access to all the Amazon S3 buckets in the organization, and permissions for turning off public access (if required) ## Architecture The following diagram shows an architecture for using Security Hub CSPM to identify public Amazon S3 buckets. ![\[Diagram showing cross-account replication workflow\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/7e365290-e3e9-460a-b69f-669ba459cf4c/images/381d66ac-ec03-4458-9793-9d125cebdba6.png) The diagram show the following workflow: 1. Security Hub CSPM monitors the configuration of Amazon S3 buckets in all AWS Organizations accounts (including the administrator account) by using the S3.2 and S3.3 controls from the FSBP security standard, and detects a finding if a bucket is configured as public. 1. The Security Hub CSPM administrator account accesses the findings (including those for S3.2 and S3.3) from all member accounts. 1. Security Hub CSPM automatically sends all new findings and all updates to existing findings to EventBridge as **Security Hub CSPM Findings - Imported** events. This includes events for findings from both the administrator and member accounts. 1. An EventBridge rule filters on findings from S3.2 and S3.3 that have a `ComplianceStatus` of `FAILED`, a workflow status of `NEW`, and a `RecordState` of `ACTIVE`. 1. Rules use the event patterns to identify events and send them to an Amazon SNS topic once matched. 1. An Amazon SNS topic sends the events to its subscribers (through email, for example). 1. Security analysts designated to receive the email notifications review the Amazon S3 bucket in question. 1. If the bucket is approved for public access, the security analyst sets the workflow status of the corresponding finding in Security Hub CSPM to `SUPPRESSED`. Otherwise, the analyst sets the status to `NOTIFIED`. This eliminates future notifications for the Amazon S3 bucket and reduces notification noise. 1. If the workflow status is set to `NOTIFIED`, the security analyst reviews the finding with the bucket owner to determine if public access is justified and complies with privacy and data protection requirements. The investigation results in either removing public access to the bucket or approving public access. In the latter case, the security analyst sets the workflow status to `SUPPRESSED`. **Note** The architecture diagram applies to both single Region and cross-Region aggregation deployments. In accounts A, B, and C in the diagram, Security Hub CSPM can belong to the same Region as the administrator account or belong to different Regions if cross-Region aggregation is enabled. ## Tools + [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, software as a service (SaaS) applications, and AWS services. EventBridge routes that data to targets such as Amazon SNS topics and AWS Lambda functions if the data matches user-defined rules. + [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages. + [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data. + [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. Security Hub CSPM also helps you check your AWS environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS accounts, services, and supported third-party partner products, and then helps to analyze security trends and identify the highest priority security issues. ## Epics ### Configure Security Hub CSPM accounts | Task | Description | Skills required | | --- | --- | --- | | Enable Security Hub CSPM in AWS Organizations accounts. | To enable Security Hub CSPM in the organization accounts where you want to monitor Amazon S3 buckets, see the guidelines from [Designating a Security Hub CSPM administrator account (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#:~:text=AWSSecurityHubOrganizationsAccess-,Designating%20a%20Security%20Hub%20administrator%20account%20(console),-The%20organization%20management) and [Managing member accounts that belong to an organization](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html) in the Security Hub CSPM documentation. | AWS administrator | | (Optional) Enable cross-Region aggregation. | If you want to monitor Amazon S3 buckets in multiple Regions from a single Region, set up [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html). | AWS administrator | | Enable the S3.2 and S3.3 controls for the FSBP security standard. | You must enable S3.2 and S3.3 controls for the FSBP security standard.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.html) | AWS administrator | ### Set up the environment | Task | Description | Skills required | | --- | --- | --- | | Configure the Amazon SNS topic and email subscription. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.html) | AWS administrator | | Configure the EventBridge rule. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.html) | AWS administrator | ## Troubleshooting | Issue | Solution | | --- | --- | | I have an Amazon S3 bucket with public access enabled, but I'm not getting email notifications for it. | This could be because the bucket was created in another Region and cross-Region aggregation is not enabled in the Security Hub CSPM administrator account. To resolve this issue, enable cross-Region aggregation or implement this pattern's solution in the Region where your Amazon S3 bucket currently resides. | ## Related resources + [What is AWS Security Hub CSPM?](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) (Security Hub CSPM documentation) + [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) (Security Hub CSPM documentation) + [AWS Security Hub CSPM multi-account enable scripts](https://github.com/awslabs/aws-securityhub-multiaccount-scripts/tree/master/multiaccount-enable) (AWS Labs) + [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html) (Amazon S3 documentation) ## Additional information *Workflow for monitoring public Amazon S3 buckets* The following workflow illustrates how you can monitor the public Amazon S3 buckets in your organization. The workflow assumes that you completed the steps in the *Configure the Amazon SNS topic and email subscription *story of this pattern*.* 1. You receive an email notification when an Amazon S3 bucket is configured with public access. + If the bucket is approved for public access, set the workflow status of the corresponding finding to `SUPPRESSED` in the Security Hub CSPM administrator account. This prevents Security Hub CSPM from issuing further notifications for this bucket and can eliminate duplicate alerts. + If the bucket isn't approved for public access, set the workflow status of the corresponding finding in the Security Hub CSPM administrator account to `NOTIFIED`. This prevents Security Hub CSPM from issuing further notifications for this bucket from Security Hub CSPM and can eliminate noise. 1. If the bucket might contain sensitive data, turn off public access immediately until the review is completed. If you turn off public access, then Security Hub CSPM changes the workflow status to `RESOLVED`. Then, email notifications for the bucket stop. 1. Find the user who configured the bucket as public (for example, by using AWS CloudTrail) and start a review. The review results in either removing public access to the bucket or approving public access. If public access is approved, then set the workflow status of the corresponding finding to `SUPPRESSED`. # Ingest and analyze AWS security logs in Microsoft Sentinel *Ivan Girardi and Sebastian Wenzel, Amazon Web Services* ## Summary This pattern describes how to automate the ingestion of AWS security logs, such as AWS CloudTrail logs, Amazon CloudWatch Logs data, Amazon VPC Flow Logs data, and Amazon GuardDuty findings, into Microsoft Sentinel. If your organization uses Microsoft Sentinel as a security information and event management (SIEM) system, this helps you centrally monitor and analyze logs in order to detect security-related events. As soon as the logs are available, they are automatically delivered to an Amazon Simple Storage Service (Amazon S3) bucket in less than 5 minutes. This can help you quickly detect security events in your AWS environment. Microsoft Sentinel ingests CloudTrail logs in a tabular format that includes the original timestamp for when the event was recorded. The structure of the ingested logs enables query capabilities by using [Kusto Query Language](https://learn.microsoft.com/en-us/azure/sentinel/kusto-overview) in Microsoft Sentinel. The pattern deploys a monitoring and alerting solution that detects ingestion failures in less than 1 minute. It also includes a notification system that the external SIEM can monitor. You use AWS CloudFormation to deploy the required resources in the logging account. **Target audience** This pattern is recommended for users who have experience with AWS Control Tower, AWS Organizations, CloudFormation, AWS Identity and Access Management (IAM), and AWS Key Management Service (AWS KMS). ## Prerequisites and limitations **Prerequisites** The following are the prerequisites for deploying this solution: + Active AWS accounts that are managed as an organization in AWS Organizations and are part of an AWS Control Tower landing zone. The organization should include a dedicated account for logging. For instructions, see [Creating and configuring an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html) in the AWS Organizations documentation. + A CloudTrail trail that logs events for the entire organization and stores logs in an Amazon S3 bucket in the logging account. For instructions, see [Creating a trail for an organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html). + In the logging account, permissions to assume an existing IAM role that has the following permissions: + Deploy the resources defined in the provided CloudFormation template. + Deploy the provided CloudFormation template. + Modify the AWS KMS key policy if the logs are encrypted with a customer managed key. + AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). + A Microsoft Azure account with a subscription to use Microsoft Sentinel. + Enable and set up Microsoft Sentinel. For instructions, see [Enable Microsoft Sentinel and initial features and content](https://learn.microsoft.com/en-us/azure/sentinel/enable-sentinel-features-content) in the Microsoft Sentinel documentation. + Meet the prerequisites for setting up the Microsoft Sentinel S3 connector. **Limitations** + This solution forwards the security logs from an Amazon S3 bucket in the logging account to Microsoft Sentinel. Instructions for how to send the logs to Amazon S3 are not explicitly provided. + This pattern provides instructions for deployment in an AWS Control Tower landing zone. However, use of AWS Control Tower is not required. + This solution is compatible with an environment where the Amazon S3 logging bucket is restricted with [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html), such as [Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-policy-changes-s3-buckets-created). + This pattern provides instructions for forwarding CloudTrail logs, but you can adapt this solution to send other logs that Microsoft Sentinel supports, such as logs from CloudWatch Logs, Amazon VPC Flow Logs, and GuardDuty. + The instructions use the AWS CLI to deploy the CloudFormation template, but you could also use the AWS Management Console. For instructions, see [Using the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console.html). If you use the console to deploy the stack, deploy the stack in the same AWS Region as the logging bucket. + This solution deploys an Amazon Simple Queue Service (Amazon SQS) queue to deliver Amazon S3 notifications. The queue contains messages with the paths of objects uploaded in the Amazon S3 bucket, not actual data. The queue uses SSE-SQS encryption to help protect the content of the messages. If you want to encrypt the SQS queue with SSE-KMS, you can use a customer managed KMS key. For more information, see [Encryption at rest in Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html). ## Architecture This section provides a high-level overview of the architecture that the sample code establishes. The following diagram shows the resources deployed in the logging account in order to ingest logs from an existing Amazon S3 bucket into Microsoft Sentinel. ![\[Microsoft Sentinel using an Amazon SNS queue to ingest logs from an S3 bucket\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/e8438b44-6bce-4863-8657-1d0a843ffb6f/images/38108d9d-88ad-4306-8ad2-01b66a6bf00f.png) The architecture diagram shows the following resource interactions: 1. In the logging account, Microsoft Sentinel assumes an IAM role through OpenID Connect (OIDC) to access logs in a specific Amazon S3 bucket and Amazon SQS queue. 1. Amazon Simple Notification Service (Amazon SNS) and Amazon S3 use AWS KMS for encryption. 1. Amazon S3 sends notification messages to the Amazon SQS queue whenever it receives new logs. 1. Microsoft Sentinel checks Amazon SQS for new messages. The Amazon SQS queue uses SSE-SQS encryption. The message retention period is set to 14 days. 1. Microsoft Sentinel pulls messages from the Amazon SQS queue. The messages contain the path of the uploaded Amazon S3 objects. Microsoft Sentinel ingests those objects from the Amazon S3 bucket into the Microsoft Azure account. 1. A CloudWatch alarm monitors the Amazon SQS queue. If messages are not received and deleted from the Amazon SQS queue within 5 minutes, then it initiates an Amazon SNS notification that sends an email. AWS Control Tower helps you set up the foundational organization unit (OU) structure and centralizes CloudTrail logs in the logging account. It also implements mandatory SCPs to protect the logging bucket. We have provided the target architecture in an AWS Control Tower landing zone, but this is not strictly required. In this diagram, the resources in the management account reflect an AWS Control Tower deployment and a CloudTrail trail that logs events for the entire organization. This pattern focuses on the deployment of resources in the logging account. If the logs stored in Amazon S3 in your AWS Control Tower landing zone are encrypted with a customer managed KMS key, then you must update the key policy to allow Microsoft Sentinel to decrypt the logs. In an AWS Control Tower landing zone, you manage the key policy from the management account, which is where the key was created. ## Tools **AWS services** + [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions. + [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time. + [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) helps you set up and govern an AWS multi-account environment, following best practices. + [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) helps you create and control cryptographic keys to help protect your data. + [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage. + [Amazon Simple Queue Service (Amazon SQS)](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html) provides a secure, durable, and available hosted queue that helps you integrate and decouple distributed software systems and components. + [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data. **Other tools** + [Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/overview) is a cloud-native SIEM system that provides security orchestration, automation, and response (SOAR). **Code repository** The code for this pattern is available in the GitHub [Ingest and analyze AWS security logs in Microsoft Sentinel](https://github.com/aws-samples/ingest-and-analyze-aws-security-logs-in-microsoft-sentinel) repository. ## Best practices + Follow the [principle of least-privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) (IAM documentation). + Follow the [Best practices for AWS Control Tower administrators](https://docs.aws.amazon.com/controltower/latest/userguide/best-practices.html) (AWS Control Tower documentation). + Follow the [AWS CloudFormation best practices](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html) (CloudFormation documentation). + Use code analysis tools, such as [cfn\$1nag](https://github.com/stelligent/cfn_nag), to scan the generated CloudFormation templates. The cfn\$1nag tool identifies potential security issues in CloudFormation templates by searching for patterns. ## Epics ### Connect Microsoft Sentinel to Amazon S3 | Task | Description | Skills required | | --- | --- | --- | | Prepare the Microsoft Sentinel S3 connector. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/ingest-analyze-aws-security-logs-sentinel.html) | DevOps engineer, General AWS | ### Deploy the CloudFormation stack | Task | Description | Skills required | | --- | --- | --- | | Clone the repository. | In a bash shell, enter the following command. This clones the [Ingest and analyze AWS Security Logs in Microsoft Sentinel](https://github.com/aws-samples/ingest-and-analyze-aws-security-logs-in-microsoft-sentinel) repository.`git clone https://github.com/aws-samples/ingest-and-analyze-aws-security-logs-in-microsoft-sentinel.git` | DevOps engineer, General AWS | | Assume the IAM role in the logging account. | In the logging account, assume the IAM role that has permissions to deploy the CloudFormation stack. For more information about assuming an IAM role in the AWS CLI, see [Use an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html). | DevOps engineer, General AWS | | Deploy the stack. | To deploy the CloudFormation stack enter the following command, where:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/ingest-analyze-aws-security-logs-sentinel.html)\
--capabilities\
--template-body file://\
--parameters ParameterKey=DestinationEmailAddress,ParameterValue=\
ParameterKey=SNSTopicName,ParameterValue=\
ParameterKey=EnableRemediation ,ParameterValue=\
ParameterKey=AutomationAssumeRole,ParameterValue=
aws cloudformation deploy --stack-name cloudtrail-sentinel-integration \| DevOps engineer, General AWS | | Copy outputs. | From the output of the CloudFormation stack, copy the values for `SentinelRoleArn` and `SentinelSQS`. You use these values later to complete the configuration in Microsoft Sentinel. | DevOps engineer, General AWS | | Modify the key policy. | If you aren't using a customer managed KMS key to encrypt the logs in the Amazon S3 bucket, you can skip this step.If the logs are encrypted with a customer managed KMS key, modify the key policy to grant Microsoft Sentinel permission to decrypt the logs. The following is an example key policy. This example policy allows cross-account access if the KMS key is in another AWS account.
--no-fail-on-empty-changeset \
--template-file template.yml \
--capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
--parameter-overrides \
ControlTowerS3BucketName="" \
AzureWorkspaceID="" \
EmailAddress="" \
KMSKeyArn="" \
Suffix="" \
OIDCProviderArn=""
{
"Version": "2012-10-17",
"Id": "key-policy",
"Statement": [
...
{
"Sid": "Grant access to decrypt",
"Effect": "Allow",
"Principal": {
"AWS": ""
},
"Action": "kms:Decrypt",
"Resource": ""
}
]
} | DevOps engineer, General AWS |
### Configure the connector in Microsoft Sentinel
| Task | Description | Skills required |
| --- | --- | --- |
| Complete the configuration in Microsoft Sentinel. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/ingest-analyze-aws-security-logs-sentinel.html) | DevOps engineer |
| Send Amazon S3 event notifications to Amazon SQS. | Follow the instructions in [Enabling and configuring event notifications using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html) to configure the Amazon S3 logging bucket to send event notifications to the Amazon SQS queue. If CloudTrail has been configured for the whole organization, logs in the this bucket have the prefix `git clone https://github.com/aws-samples/aws-iam-identity-center-pipeline.git| DevOps engineer | | Define the permission sets. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-iam-identity-center-permission-sets-as-code-by-using-aws-codepipeline.html) | DevOps engineer | | Define the assignments. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-iam-identity-center-permission-sets-as-code-by-using-aws-codepipeline.html) | DevOps engineer | ### Deploy the permission sets and assignments | Task | Description | Skills required | | --- | --- | --- | | Deploy resources in the IAM Identity Center delegated administrator account. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-iam-identity-center-permission-sets-as-code-by-using-aws-codepipeline.html) | DevOps engineer | | Deploy resources in the AWS Organizations management account. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-iam-identity-center-permission-sets-as-code-by-using-aws-codepipeline.html) | DevOps engineer | | Finish the remote repository setup. | Change the status of the AWS CodeConnections connection from `PENDING` to `AVAILABLE`. This connection was created when you deployed the CloudFormation stack. For instructions, see [Update a pending connection](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-update.html) in the CodeConnections documentation. | DevOps engineer | | Upload files to the remote repository. | Upload all of files you have downloaded from the `aws-samples` repository and edited in previous steps to the remote repository. Changes to the `main` branch start the pipeline, which creates or updates the permission sets and assignments. | DevOps engineer | ### Updating the permission sets and assignments | Task | Description | Skills required | | --- | --- | --- | | Update the permission sets and assignments. | When the `MoveAccount` Amazon EventBridge rule detects modifications to the accounts in the organization, the CI/CD pipeline automatically starts and updates the permission sets. For example, if you add an account to an OU specified in the assignments JSON file, then the CI/CD pipeline will apply the permission set to the new account.If you want to modify the deployed permission sets and assignments, update the JSON files and then commit them to the remote repository. Note the following when using the CI/CD pipeline to manage previously deployed permission sets and associations:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-iam-identity-center-permission-sets-as-code-by-using-aws-codepipeline.html) | DevOps engineer | ## Troubleshooting | Issue | Solution | | --- | --- | | Access denied errors | Confirm that you have the permissions required to deploy the CloudFormation templates and the resources defined within them. For more information, see [Controlling access](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) in the CloudFormation documentation. | | Pipeline errors in the validation phase | This error appears if there are any errors in the permission set or assignment templates.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-aws-iam-identity-center-permission-sets-as-code-by-using-aws-codepipeline.html) | ## Related resources + [Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) (IAM Identity Center documentation) # Manage credentials using AWS Secrets Manager *Durga Prasad Cheepuri, Amazon Web Services* ## Summary This pattern walks you through using AWS Secrets Manager to dynamically fetch database credentials for a Java Spring application. In the past, when you created a custom application that retrieves information from a database, you typically had to embed the credentials (the secret) for accessing the database directly in the application. When it was time to rotate the credentials, you had to invest time to update the application to use the new credentials, and then distribute the updated application. If you had multiple applications that shared credentials and you missed updating one of them, the application would fail. Because of this risk, many users chose not to regularly rotate their credentials, which effectively substituted one risk for another. Secrets Manager enables you to replace hard-coded credentials in your code (including passwords) with an API call to retrieve the secret programmatically. This helps ensure that the secret can't be compromised by someone who is examining your code, because the secret simply isn't there. You can also configure Secrets Manager to automatically rotate the secret according to a schedule that you specify. This enables you to replace long-term secrets with short-term ones, which helps significantly reduce the risk of compromise. For more information, see the [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). ## Prerequisites and limitations **Prerequisites** + An AWS account with access to Secrets Manager + A Java Spring application ## Architecture **Source technology stack** + A Java Spring application with code that accesses a database, with DB credentials managed from the application.properties file. **Target technology stack ** + A Java Spring application with code that accesses a database, with DB credentials managed in Secrets Manager. The application.properties file holds the secrets to Secrets Manager. **Secrets Manager integration with an application** ![\[Diagram showing AWS Secrets Manager interaction with an admin, custom app, and personnel database.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/44d359f5-47d9-4228-ac14-a64b5dfa7972/images/fc4b44fd-d1bd-4564-9bc1-c42c896e305b.png) ## Tools + **Secrets Manager** – [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) is an AWS service that makes it easier for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text. You can store and control access to these secrets centrally by using the Secrets Manager console, the Secrets Manager command-line interface (CLI), or the Secrets Manager API and SDKs. ## Epics ### Store secret in Secrets Manager | Task | Description | Skills required | | --- | --- | --- | | Store the DB credentials as a secret in Secrets Manager. | Store Amazon Relational Database Service (Amazon RDS) or other DB credentials as a secret in Secrets Manager by following the steps in [Creating a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) in the Secrets Manager documentation. | Sys Admin | | Set permissions for the Spring application to access Secrets Manager. | Set the appropriate permissions based on how the Java Spring application uses Secrets Manager. To control access to the secret, create a policy based on the information provided in the Secrets Manager documentation, in the sections [Using identity-based policies (IAM Policies) and ABAC for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html) and [Using resource-based policies for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html). Follow the steps in the section [Retrieving the secret value](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_retrieve-secret.html) in the Secrets Manager documentation. | Sys Admin | ### Update the Spring application | Task | Description | Skills required | | --- | --- | --- | | Add JAR dependencies to use Secrets Manager. | See the *Additional information* section for details. | Java developer | | Add the details of the secret to the Spring application. | Update the application.properties file with the secret name, endpoints, and AWS Region. For an example, see the *Additional information* section. | Java developer | | Update the DB credentials retrieval code in Java. | In the application, update the Java code that fetches the DB credentials to fetch those details from Secrets Manager. For example code, see the *Additional information* section. | Java developer | ## Related resources + [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) + [Using identity-based policies (IAM Policies) and ABAC for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html) + [Using resource-based policies for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html) + [Sample code](https://github.com/durgachamz/Spring-secrets-manager) ## Additional information **Adding JAR dependencies for using Secrets Manager** *Maven:* ```
.\SSO-Report.ps1Alternatively, you can run the script from another shell by entering the following command.
pwsh .\SSO-Report.ps1The script generates a CSV file in the same directory as the script file. | Cloud administrator | | Analyze report data. | The output CSV file has the headers **AccountName**, **PermissionSet**, **Principal**, and **Type**. Open this file in your preferred spreadsheet application. You can create a data table to filter and sort the output. | Cloud administrator | ## Troubleshooting | Issue | Solution | | --- | --- | | `The term ‘Get-
Install-Module AWS.Tools.Installer| | `No credentials specified or obtained from persisted/shell defaults` error | In *Prepare the script* in the [Epics](#export-a-report-of-aws-iam-identity-center-identities-and-their-assignments-by-using-powershell-epics) section, confirm that you have correctly entered the `ProfileName` and `Region` variables. Make sure that the settings and credentials in the named profile have sufficient permissions to administer IAM Identity Center. | | `Authenticode Issuer …` error when installing the AWS.Tools modules | Add the `-SkipPublisherCheck` parameter to the end of the `Install-AWSToolsModule` command. | | `Get-ORGAccountList : Assembly AWSSDK.SSO could not be found or loaded.` error | This error can occur when named AWS CLI profiles are specified, AWS CLI is configured to authenticate users with IAM Identity Center, and AWS CLI is configured to automatically retrieve refreshed authentication tokens. To resolve this error, do the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/export-a-report-of-aws-iam-identity-center-identities-and-their-assignments-by-using-powershell.html) | ## Related resources + [Where are configuration settings stored?](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where) (AWS CLI documentation) + [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) (AWS CLI documentation) + [Using named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) (AWS CLI documentation) ## Additional information In the following script, determine whether you need to update the values for the following parameters: + If you’re using a named profile in AWS CLI to access the account in which IAM Identity Center is configured, update the `$ProfileName` value. + If IAM Identity Center is deployed in a different AWS Region than the default Region for your AWS CLI or AWS SDK configuration, update the `$Region` value to use the Region where IAM Identity Center is deployed. + If neither of these situations apply, then no script update is required. ``` param ( # The name of the output CSV file [String] $OutputFile = "SSO-Assignments.csv", # The AWS CLI named profile [String] $ProfileName = "", # The AWS Region in which IAM Identity Center is configured [String] $Region = "" ) $Start = Get-Date; $OrgParams = @{} If ($Region){ $OrgParams.Region = $Region} if ($ProfileName){$OrgParams.ProfileName = $ProfileName} $SSOParams = $OrgParams.Clone(); $IdsParams = $OrgParams.Clone() $AccountList = Get-ORGAccountList @OrgParams | Select-Object Id, Name $SSOinstance = Get-SSOADMNInstanceList @OrgParams $SSOParams['InstanceArn'] = $SSOinstance.InstanceArn $IdsParams['IdentityStoreId'] = $SSOinstance.IdentityStoreId $PSsets = @{}; $Principals = @{} $Assignments = @(); $AccountCount = 1; Write-Host "" foreach ($Account in $AccountList) { $Duration = New-Timespan -Start $Start -End (Get-Date) | ForEach-Object {[Timespan]::New($_.Days, $_.Hours, $_.Minutes, $_.Seconds)} Write-Host "`r$Duration - Account $AccountCount of $($AccountList.Count) (Assignments:$($Assignments.Count)) " -NoNewline $AccountCount++ foreach ($PS in Get-SSOADMNPermissionSetsProvisionedToAccountList -AccountId $Account.Id @SSOParams) { if (-not $PSsets[$PS]) {$PSsets[$PS] = (Get-SSOADMNPermissionSet @SSOParams -PermissionSetArn $PS).Name;$APICalls++} $AssignmentsResponse = Get-SSOADMNAccountAssignmentList @SSOParams -PermissionSetArn $PS -AccountId $Account.Id if ($AssignmentsResponse.NextToken) {$AccountAssignments = $AssignmentsResponse.AccountAssignments} else {$AccountAssignments = $AssignmentsResponse} While ($AssignmentsResponse.NextToken) { $AssignmentsResponse = Get-SSOADMNAccountAssignmentList @SSOParams -PermissionSetArn $PS -AccountId $Account.Id -NextToken $AssignmentsResponse.NextToken $AccountAssignments += $AssignmentsResponse.AccountAssignments} foreach ($Assignment in $AccountAssignments) { if (-not $Principals[$Assignment.PrincipalId]) { $AssignmentType = $Assignment.PrincipalType.Value $Expression = "Get-IDS"+$AssignmentType+" @IdsParams -"+$AssignmentType+"Id "+$Assignment.PrincipalId $Principal = Invoke-Expression $Expression if ($Assignment.PrincipalType.Value -eq "GROUP") { $Principals[$Assignment.PrincipalId] = $Principal.DisplayName } else { $Principals[$Assignment.PrincipalId] = $Principal.UserName } } $Assignments += [PSCustomObject]@{ AccountName = $Account.Name PermissionSet = $PSsets[$PS] Principal = $Principals[$Assignment.PrincipalId] Type = $Assignment.PrincipalType.Value} } } } $Duration = New-Timespan -Start $Start -End (Get-Date) | ForEach-Object {[Timespan]::New($_.Days, $_.Hours, $_.Minutes, $_.Seconds)} Write-Host "`r$($AccountList.Count) accounts done in $Duration. Outputting result to $OutputFile" $Assignments | Sort-Object Account | Export-CSV -Path $OutputFile -Force ``` # Restrict access based on IP address or geolocation by using AWS WAF *Louis Hourcade, Amazon Web Services* ## Summary [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) is a web application firewall that helps protect web applications and APIs against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in AWS WAF give you control over how traffic reaches your applications. In a web ACL, you add rules or rule groups that are designed to permit legitimate traffic, control bot traffic, and block common attack patterns. For more information, see [How AWS WAF works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html). You can associate the following types of rules to your AWS WAF web ACLs: + [Managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html) – AWS Managed Rules teams and AWS Marketplace sellers offer preconfigured sets of rules. Some managed rule groups are designed to help protect specific types of web applications. Others offer broad protection against known threats or common vulnerabilities. + [Custom rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html) and [custom rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-user-created-rule-groups.html) – You can also create rules and rule groups that customize access to your web applications and APIs. For example, you can restrict traffic based on a specific list of IP addresses or on a list of countries. By using this pattern and the associated code repository, you can use the [AWS Cloud Development Kit (AWS CDK)](https://docs.aws.amazon.com/cdk/v2/guide/home.html) to deploy AWS WAF web ACLs with custom rules. These rules restrict access to web application resources based on the end user's IP address or geolocation. You can also optionally attach several managed rule groups. ## Prerequisites and limitations **Prerequisites** + An active AWS account + [Permissions](https://docs.aws.amazon.com/waf/latest/developerguide/security-iam.html) to deploy AWS WAF resources + AWS CDK, [installed and configured](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html) in your account + Git, [installed](https://github.com/git-guides/install-git) **Limitations** + You can use this pattern only in AWS Regions where AWS WAF is available. For Region availability, see [AWS services by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). ## Tools **AWS services** + [AWS Cloud Development Kit (AWS CDK)](https://docs.aws.amazon.com/cdk/v2/guide/home.html) is a software development framework that helps you define and provision AWS Cloud infrastructure in code. + [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html) is a web application firewall that helps you monitor HTTP and HTTPS requests that are forwarded to your protected web application resources. **Code repository** The code for this pattern is available in the GitHub [IP and geolocation restriction with AWS WAF](https://github.com/aws-samples/ip-and-geolocation-restriction-with-waf-cdk) repository. The code deploys two AWS WAF web ACLs. The first is a regional web ACL that is intended for [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) resources. The second is global web ACL for [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html) resources. Both web ACLs contain the following custom rules: + `IPMatch` blocks requests from non-allowed IP addresses. + `GeoMatch` blocks requests from non-allowed countries. During deployment, you can optionally attach all of the following managed rule groups to your web ACLs: + [Core rule set (CRS)](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs) – This rule group contains rules that are generally applicable to web applications. It helps protect against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications, such as [OWASP Top 10](https://owasp.org/www-project-top-ten/). + [Admin protection](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-admin) – This rule group contains rules that help you block external access to exposed administrative pages. + [Known bad inputs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs) – This rule group helps block request patterns that are known to be invalid and are associated with the exploitation or discovery of vulnerabilities. + [Amazon IP reputation list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html#aws-managed-rule-groups-ip-rep-amazon) – This rule group contains rules that are based on Amazon internal threat intelligence. It helps you block IP addresses that are typically associated with bots or other threats. + [Linux operating system managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-linux-os) – This rule group helps block request patterns that are associated with the exploitation of Linux vulnerabilities, including Linux-specific Local File Inclusion (LFI) attacks. + [SQL database managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-sql-db) – This rule group helps block request patterns that are associated with the exploitation of SQL databases, such as SQL injection attacks. ## Epics ### Configure the AWS WAF web ACLs | Task | Description | Skills required | | --- | --- | --- | | Clone the repository. | Enter the following command to clone the [IP and geolocation restriction with AWS WAF](https://github.com/aws-samples/ip-and-geolocation-restriction-with-waf-cdk) repository to your local workstation:
Install-AWSToolsModule -Name Organizations, SSOAdmin, IdentityStore
git clone https://github.com/aws-samples/ip-and-geolocation-restriction-with-waf-cdk.git| Git | | Configure the rules. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/aws-waf-restrict-access-geolocation.html) | General AWS, Python | ### Bootstrap and deploy the code | Task | Description | Skills required | | --- | --- | --- | | Bootstrap your AWS environment. | If not already done, you need to [bootstrap](https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-env.html) your AWS environment before you can deploy the AWS CDK application.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/aws-waf-restrict-access-geolocation.html) | General AWS | | Deploy the AWS CDK application. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/aws-waf-restrict-access-geolocation.html) | General AWS | ### Validate the deployment | Task | Description | Skills required | | --- | --- | --- | | Confirm that the web ACLs successfully deployed. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/aws-waf-restrict-access-geolocation.html) | General AWS | | (Optional) Associate the web ACLs to your resources. | Associate the AWS WAF web ACLs with your AWS resources, such as an Application Load Balancer, API Gateway, or CloudFront distribution. For instructions, see [Associating or disassociating a web ACL with an ](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html)AWS[ resource](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html). For an example, see [class CfnWebACLAssociation (construct)](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_wafv2.CfnWebACLAssociation.html) in the AWS CDK documentation. | General AWS | ### Clean up resources | Task | Description | Skills required | | --- | --- | --- | | Delete the stacks. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/aws-waf-restrict-access-geolocation.html) | General AWS | ## Related resources + [API Reference](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-construct-library.html) (AWS CDK documentation) + [aws-cdk-lib.aws\$1wafv2 module](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_wafv2-readme.html) (AWS CDK documentation) + [Working with web ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-working-with.html) (AWS WAF documentation) + [Managing your own rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-user-created-rule-groups.html) (AWS WAF documentation) + [Rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html) (AWS WAF documentation) # Scan Git repositories for sensitive information and security issues by using git-secrets *Saurabh Singh, Amazon Web Services* ## Summary This pattern describes how to use the open-source [git-secrets](https://github.com/awslabs/git-secrets) tool from AWS Labs to scan Git source repositories and find code that might potentially include sensitive information, such as user passwords or AWS access keys, or that has any other security issues. `git-secrets` scans commits, commit messages, and merges to prevent sensitive information such as secrets from being added to your Git repositories. For example, if a commit, commit message, or any commit in a merge history matches one of your configured, prohibited regular expression patterns, the commit is rejected. ## Prerequisites and limitations **Prerequisites ** + An active AWS account + A Git repository that requires a security scan + A Git client (version 2.37.1 and later) installed ## Architecture **Target architecture ** + Git + `git-secrets` ![\[Using the git-secrets tool to scan Git source repositories for sensitive information.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/4a18e0c8-0935-4ee2-86bf-c1dfcfbc1bcb/images/e4813a76-83c2-4254-b5f4-aafe2b8f2127.png) ## Tools + [git-secrets](https://github.com/awslabs/git-secrets) is a tool that prevents you from committing sensitive information into Git repositories. + [Git](https://git-scm.com/) is an open-source distributed version control system. ## Best practices + Always scan a Git repository by including all revisions: ``` git secrets --scan-history ``` ## Epics ### Connect to an EC2 instance | Task | Description | Skills required | | --- | --- | --- | | Connect to an EC2 instance by using SSH. | Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance by using SSH and a key pair file. You can skip this step if you are scanning a repository on your local machine. | General AWS | ### Install Git | Task | Description | Skills required | | --- | --- | --- | | Install Git. | Install Git by using the command:
yum install git -yIf you are using your local machine, you can install a Git client for a specific OS version. For more information, see the [Git website](https://git-scm.com/downloads/guis). | General AWS | ### Clone the source repository and install git-secrets | Task | Description | Skills required | | --- | --- | --- | | Clone the Git source repository. | To clone the Git repository that you want to scan, choose the **Git clone** command from your home directory. | General AWS | | Clone git-secrets. | Clone the `git-secrets` Git repository.
git clone https://github.com/awslabs/git-secrets.gitPlace `git-secrets` somewhere in your `PATH `so that Git picks it up when you run `git-secrets`. | General AWS | | Install git-secrets. | **For Unix and variants (Linux/macOS):**You can use the `install` target of the `Makefile` (provided in the `git-secrets` repository) to install the tool. You can customize the installation path by using the `PREFIX` and `MANPREFIX` variables.
make install**For Windows:**Run the PowerShell `install.ps1` script provided in the `git-secrets` repository. This script copies the installation files to an installation directory (`%USERPROFILE%/.git-secrets` by default) and adds the directory to the current user `PATH`.
PS > ./install.ps1**For Homebrew (macOS users):**Run:
brew install git-secrets| General AWS | ### Scan git code repository | Task | Description | Skills required | | --- | --- | --- | | Go to the source repository. | Switch to the directory for the Git repository that you want to scan:
cd my-git-repository| General AWS | | Register the AWS rule set (Git hooks). | To configure `git-secrets` to scan your Git repository on each commit, run the command:
git secrets --register-aws| General AWS | | Scan the repository. | Run the following command to start scanning your repository:
git secrets -–scan| General AWS | | Review the output file. | The tool generates an output file if it finds a vulnerability in your Git repository. For example:
example.sh:4:AWS_SECRET_ACCESS_KEY = *********| General AWS | ## Related resources + [git-secrets tool](https://github.com/awslabs/git-secrets) # Secure file transfers by using Transfer Family, Amazon Cognito, and GuardDuty *Manoj Kumar, Amazon Web Services* ## Summary This solution helps you securely transfer files through an SFTP server by using AWS Transfer Family. It includes automated malware scanning capabilities through [Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html), a feature of Amazon GuardDuty. It is designed for organizations that need to securely exchange files with external parties and validate that all incoming files are scanned for malware before being processed. The infrastructure as code (IaC) templates provided with this pattern help you deploy the following: + A secure SFTP server with Amazon Cognito authentication through AWS Lambda + Amazon Simple Storage Service (Amazon S3) buckets for uploads and incoming files that have been scanned for malware + A virtual private cloud (VPC)-based architecture with public and private subnets across multiple Availability Zones + IP-based access control for both ingress and egress traffic, with configurable allow and deny lists + Automated malware scanning through GuardDuty + Intelligent file routing based on scan results through Amazon EventBridge and Lambda + Real-time notifications for security incidents through Amazon Simple Notification Service (Amazon SNS) + Encryption for Amazon S3 buckets and Lambda environment variables through AWS Key Management Service (AWS KMS) + Amazon Virtual Private Cloud (Amazon VPC) endpoints for access without internet exposure + Comprehensive logging through Amazon CloudWatch integration ## Prerequisites and limitations **Prerequisites ** + An active AWS account + Permissions in AWS Identity and Access Management (IAM) to perform the actions described in this pattern, including deploying AWS CloudFormation templates that provision IAM roles + GuardDuty, [enabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html) in the target account + Malware Protection for S3, [enabled](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-get-started-independent.html) in the target account + Service quotas allow you to create the following in the target account: + One VPC + One private subnet + One public subnet + Three elastic IP addresses + Sufficient Lambda concurrency limits + A valid email address for security-related notifications + (Optional) A list of IP addresses or CIDR ranges that you want to allow or deny + (Optional) AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) **Limitations ** + Malware Protection for S3 is subject to quotas, such as maximum file sizes. For more information, see [Quotas in Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-s3-quotas-guardduty.html) and [Supportability of Amazon S3 features](https://docs.aws.amazon.com/guardduty/latest/ug/supported-s3-features-malware-protection-s3.html) in the GuardDuty documentation. + This solution uses Amazon Cognito username and password authentication only. Certificate-based or other authentication methods are not supported in this template. By default, this solution does not configure multi-factor authentication (MFA). + The solution implements IP-based access control through security groups only. ## Architecture The following architecture diagram shows the resources that are deployed in this pattern. This solution uses Amazon Cognito for user authentication and authorization. An AWS Transfer Family SFTP server is used for file uploads. Files are stored in Amazon S3 buckets, and Amazon GuardDuty scans the files for malware. Amazon SNS sends an email notification if malware is detected. ![\[Using GuardDuty and Cognito to securely transfer files to Amazon S3 buckets.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/39d98ebe-2844-4ccd-a497-9b796b7da5e8/images/05567010-e189-40e7-acab-74e77c4f8525.png) The diagram shows the following workflow: 1. A user connects to the SFTP server endpoint in AWS Transfer Family. This initiates the authentication process with the Amazon Cognito user pool. 1. A Lambda function initiates the authentication and authorization process and validates the user’s credentials with Amazon Cognito. 1. The Lambda function returns the `UploadBucket` Amazon S3 bucket as the home directory. The user assumes the IAM role for the Transfer Family server, and the Lambda function notifies the user that they have been successfully authenticated. 1. The user uploads a file to the Transfer Family SFTP server. The file is stored in the `UploadBucket` Amazon S3 bucket. 1. GuardDuty scans the file for malware. The potential scan results are `NO_THREATS_FOUND`, `THREATS_FOUND`, `UNSUPPORTED`, `ACCESS_DENIED`, and `FAILED`. For sample results, see [S3 object scan result](https://docs.aws.amazon.com/guardduty/latest/ug/monitor-with-eventbridge-s3-malware-protection.html#s3-object-scan-status-malware-protection-s3-ev) in the GuardDuty documentation. 1. An EventBridge rule detects the scan result event. 1. EventBridge initiates the file-routing Lambda function. 1. The Lambda function processes the event and filters the files based on the scan results as follows: + Files that have a `NO_THREATS_FOUND` scan result are sent to the `CleanBucket` Amazon S3 bucket. + Files that have a `THREATS_FOUND` scan result are sent to the `MalwareBucket` Amazon S3 bucket. + Files that have an `UNSUPPORTED` scan result are sent to the `ErrorBucket` Amazon S3 bucket. + Files that have an `ACCESS_DENIED` scan result are sent to the `ErrorBucket` Amazon S3 bucket. + Files that have a `FAILED` scan result are sent to the `ErrorBucket` Amazon S3 bucket. All files are encrypted with an AWS KMS key. 1. If a file was sent to the `MalwareBucket` Amazon S3 bucket, the Lambda function initiates an Amazon SNS topic. The Amazon SNS topic sends an email notification to an email address that you configure. ## Tools **AWS services** + [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time. + [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) provides authentication, authorization, and user management for web and mobile apps. + [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. For example, AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts. + [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) is a continuous security monitoring service that analyzes and processes logs to identify unexpected and potentially unauthorized activity in your AWS environment. + [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) helps you create and control cryptographic keys to help protect your data. + [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use. + [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses. + [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data. + [AWS Transfer Family](https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html) helps you transfer files into and out of AWS storage services over the SFTP, FTPS, or FTP protocols. + [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS. **Code repository** The code for this pattern is available in the GitHub [AWS Transfer Family and GuardDuty Malware Scanning Solution](https://github.com/aws-samples/sample-secure-transfer-family-code) repository. ## Best practices The CloudFormation template provided is designed to incorporate many AWS best practices, such as least-privilege permissions for IAM roles and policies, encryption at rest and in transit, and automatic key rotation. For production environments, consider implementing the following additional recommendations: + Enable [MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) for Amazon Cognito users + Implement [AWS Shield](https://docs.aws.amazon.com/waf/latest/developerguide/shield-chapter.html) for distributed denial of service (DDoS) protection + Configure [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) for continuous compliance monitoring + Implement [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) for comprehensive API logging + Set up [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) for threat detection beyond malware scanning + Implement [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub-v2.html) for centralized security management + Use [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) for credential management + Implement network traffic monitoring with [Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html) + Configure [Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) for sensitive data discovery and protection in Amazon S3 + Implement regular security assessments and penetration testing + Establish a formal incident response plan + Implement automated patching for all components + Conduct regular security training for administrators + Set up [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) for multi-account security management ## Epics ### Deploy the resources | Task | Description | Skills required | | --- | --- | --- | | Clone the repository. | Enter the following command to clone the [AWS Transfer Family and GuardDuty malware scanning solution](https://github.com/aws-samples/sample-secure-transfer-family-code) repository to your local workstation:
[ERROR] Matched one or more prohibited patterns
Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
git clone https://github.com/aws-samples/sample-secure-transfer-family-code.git| App developer, DevOps engineer | | Create the CloudFormation stack. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html) | Cloud administrator, DevOps engineer | ### Configure the resources | Task | Description | Skills required | | --- | --- | --- | | Turn on malware protection. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html) | Cloud administrator, AWS administrator | | Add users to the user pool. | Add one or more users to the Amazon Cognito user pool. For instructions, see [Managing users in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users.html) in the Amazon Cognito documentation. | Cloud administrator, AWS administrator | ### Test the SFTP server | Task | Description | Skills required | | --- | --- | --- | | Connect to the SFTP server endpoint. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html) | App developer, Cloud administrator, Cloud architect, DevOps engineer | ## Troubleshooting | Issue | Solution | | --- | --- | | User authentication fails | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html)For a list of AWS CLI commands that can help you perform these troubleshooting steps, see *Useful commands for troubleshooting* in the [Additional information](#secure-file-transfers-additional) section. | | SFTP authentication fails | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html)For a list of AWS CLI commands that can help you perform these troubleshooting steps, see *Useful commands for troubleshooting* in the [Additional information](#secure-file-transfers-additional) section. | | File upload access denied | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html)For a list of AWS CLI commands that can help you perform these troubleshooting steps, see *Useful commands for troubleshooting* in the [Additional information](#secure-file-transfers-additional) section. | | No malware scanning | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html)For a list of AWS CLI commands that can help you perform these troubleshooting steps, see *Useful commands for troubleshooting* in the [Additional information](#secure-file-transfers-additional) section. | | Lambda function errors | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-file-transfers.html)For a list of AWS CLI commands that can help you perform these troubleshooting steps, see *Useful commands for troubleshooting* in the [Additional information](#secure-file-transfers-additional) section. | ## Related resources + [Transfer Family web apps](https://docs.aws.amazon.com/transfer/latest/userguide/web-app.html) (Transfer Family documentation) ## Additional information **Useful commands for troubleshooting** Check the status of a CloudFormation stack: ``` aws cloudformation describe-stacks \ --stack-name
git clone https://github.com/aws-samples/sample-macie-for-securing-cloudwatch-logs| App developer | | (Optional) Edit the CloudFormation template. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | App developer | | Option 1 – Deploy using script with command-line parameters. | Enter the following command to deploy the solution by using command line parameters, where the value for `enable-macie` is `true` only if Amazon Macie is not already enabled:
./scripts/test-macie-solution.sh --deploy-stack \| General AWS | | Option 2 – Deploy using script with environment variables. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | General AWS | | Option 3 – Deploy using the AWS CLI. | Enter the following command to deploy the solution by using the AWS CLI, where the value for `EnableMacie` is `true` only if Amazon Macie is not already enabled:
--stack-name\ \
--enable-macie\
--region\
--resource-name\
--bucket-name
aws cloudformation create-stack \| | | Option 4 – Deploy through the AWS Management Console. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | General AWS | | Monitor the deployment status and confirm deployment. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | General AWS | | Confirm the Amazon SNS subscription. | Follow the instructions in [Confirm your Amazon SNS subscription](https://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.confirm.html) in the Amazon SNS documentation to confirm your Amazon SNS subscription. | App developer | ### Test the solution | Task | Description | Skills required | | --- | --- | --- | | Option 1 – Test with automated reporting. | If you used the default stack name, enter the following command to test the solution:
--region us-east-1 \
--stack-name macie-for-securing-cloudwatch-logs \
--template-body file://app/main.yml \
--capabilities CAPABILITY_IAM \
--parameters \
ParameterKey=ResourceName,ParameterValue=\
ParameterKey=BucketName,ParameterValue=\
ParameterKey=LogGroupName,ParameterValue=\
ParameterKey=SNSTopicEndpointEmail,ParameterValue=\
ParameterKey=EnableMacie,ParameterValue=
./scripts/test-macie-solution.sh \If you used a custom stack name, enter the following command to test the solution:
--full-test
./scripts/test-macie-solution.sh \If you used a custom stack name and custom parameters, enter the following command to test the solution:
--full-test \
--stack-name
./scripts/test-macie-solution.sh --full-test \| General AWS | | Option 2 – Test with targeted validation. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | General AWS | ### Clean up | Task | Description | Skills required | | --- | --- | --- | | Option 1 – Perform automated cleanup. | If you used the default stack name, enter the following command to delete the stack:
--stack-name\
--region\
--log-group
./scripts/cleanup-macie-solution.sh \If you used a custom stack name, enter the following command to delete the stack:
--full-cleanup
./scripts/cleanup-macie-solution.sh \If you used a custom stack name and custom parameters, enter the following command to delete the stack:
--full-cleanup \
--stack-name
./scripts/cleanup-macie-solution.sh \| General AWS | | Option 2 – Perform step-by-step cleanup. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | General AWS | | Verify clean up. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/secure-cloudwatch-logs-using-macie.html) | General AWS | ## Troubleshooting | Issue | Solution | | --- | --- | | CloudFormation stack status shows **CREATE\$1FAILED**. | The CloudFormation template is configured to publish logs to CloudWatch Logs. You can view the logs in the AWS Management Console so that you don't have to connect to your Amazon EC2 instance. For more information, see [View CloudFormation logs in the console](https://aws.amazon.com/blogs/devops/view-cloudformation-logs-in-the-console/) (AWS blog post). | | CloudFormation `delete-stack` command fails. | Some resources must be empty before they can be deleted. For example, you must delete all objects in an Amazon S3 bucket or remove all instances in an Amazon EC2 security group before you can delete the bucket or security group. For more information, see [Delete stack fails](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html#troubleshooting-errors-delete-stack-fails) in the Amazon S3 documentation. | | Error when parsing a parameter. | When you use the AWS CLI or the CloudFormation console to pass in a value, add the quotation marks. | ## Related resources + [Architecture best practices for storage](https://aws.amazon.com/architecture/storage/?docs3_bp1&cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc&awsf.content-type=*all&awsf.methodology=*all) (AWS website) + [Filter pattern syntax for metric filters, subscription filters, filter log events, and Live Tail](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) (CloudWatch Logs documentation) + [Designing and implementing logging and monitoring with Amazon CloudWatch](https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/welcome.html) (AWS Prescriptive Guidance) + [Troubleshooting CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html) (CloudFormation documentation) # Send alerts from AWS Network Firewall to a Slack channel *Venki Srivatsav and Aromal Raj Jayarajan, Amazon Web Services* ## Summary This pattern describes how to deploy a firewall by using Amazon Web Services (AWS) Network Firewall with the distributed deployment model and how to propagate the alerts generated by AWS Network Firewall to a configurable Slack channel. Compliance standards such as Payment Card Industry Data Security Standard (PCI DSS) require that you install and maintain a firewall to protect customer data. In the AWS Cloud, a virtual private cloud (VPC) is considered the same as a physical network in the context of these compliance requirements. You can use Network Firewall to monitor network traffic between VPCs and to protect your workloads that run in VPCs governed by a compliance standard. Network Firewall blocks access or generates alerts when it detects unauthorized access from other VPCs in the same account. However, Network Firewall supports a limited number of destinations for delivering the alerts. These destinations include Amazon Simple Storage Service (Amazon S3) buckets, Amazon CloudWatch log groups, and Amazon Data Firehose delivery streams. Any further action on these notifications requires offline analysis by using either Amazon Athena or Amazon Kinesis. This pattern provides a method for propagating alerts that are generated by Network Firewall to a configurable Slack channel for further action in near real time. You can also extend the functionality to other alerting mechanisms such as PagerDuty, Jira, and email. (Those customizations are outside the scope of this pattern.) ## Prerequisites and limitations **Prerequisites ** + Slack channel (see [Getting started](https://slack.com/help/articles/206845317-Create-a-Slack-workspace) in the Slack help center) + Required privileges to send a message to the channel + The Slack endpoint URL with an API token ([select your app](https://api.slack.com/apps) and choose an incoming webhook to see its URL; for more information, see [Creating an Incoming Webhook](https://api.slack.com/messaging/webhooks#create_a_webhook) in the Slack API documentation) + An Amazon Elastic Compute Cloud (Amazon EC2) test instance in the workload subnets + Test rules in Network Firewall + Actual or simulated traffic to trigger the test rules + An S3 bucket to hold the source files to be deployed **Limitations ** + Currently this solution supports only a single Classless Inter-Domain Routing (CIDR) range as a filter for source and destination IPs. ## Architecture **Target technology stack** + One VPC + Four subnets (two for the firewall and two for workloads) + Internet gateway + Four route tables with rules + S3 bucket used as an alert destination, configured with a bucket policy and event settings to run a Lambda function + Lambda function with an execution role, to send Slack notifications + AWS Secrets Manager secret for storing the Slack URL + Network firewall with alert configuration + Slack channel All components except for the Slack channel are provisioned by the CloudFormation templates and the Lambda function that are provided with this pattern (see the [Code ](#send-alerts-from-aws-network-firewall-to-a-slack-channel-tools)section). **Target architecture ** This pattern sets up a decentralized network firewall with Slack integration. This architecture consists of a VPC with two Availability Zones. The VPC includes two protected subnets and two firewall subnets with network firewall endpoints. All traffic going into and out of the protected subnets can be monitored by [creating firewall policies](https://docs.aws.amazon.com/waf/latest/developerguide/network-firewall-policies.html) and rules. The network firewall is configured to place all alerts in an S3 bucket. This S3 bucket is configured to call a Lambda function when it receives a `put` event. The Lambda function fetches the configured Slack URL from Secrets Manager and sends the notification message to the Slack workspace. ![\[Target architecture for a decentralized network firewall with Slack integration.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/7207fd56-094e-4af4-9ecd-75b122b82275/images/b1320776-c010-49b9-96bf-15e97ebe09ba.png) For more information about this architecture, see the AWS blog post [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/). ## Tools **AWS services** + [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) is a stateful, managed, network firewall and intrusion detection and prevention service for VPCs in the AWS Cloud. You can use Network Firewall to filter traffic at the perimeter of your VPC and protect your workloads on AWS. + [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) is a service for credential storage and retrieval. Using Secrets Manager, you can replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This pattern uses Secrets Manager to store the Slack URL. + [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is an object storage service. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web. This pattern uses Amazon S3 to store the CloudFormation templates and Python script for the Lambda function. It also uses an S3 bucket as the network firewall alert destination. + [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. This pattern uses AWS CloudFormation to automatically deploy a distributed architecture for Firewall Manager. **Code ** The code for this pattern is available on GitHub, in the [Network Firewall Slack Integration](https://github.com/aws-samples/aws-network-firewall-automation-examples/tree/main/NfwSlackIntegration/src) repository. In the `src `folder of the repository, you’ll find: + A set of CloudFormation files in YAML format. You use these templates to provision the components for this pattern. + A Python source file (`slack-lambda.py`) to create the Lambda function. + A .zip archive deployment package (`slack-lambda.py.zip`) to upload your Lambda function code. To use these files, follow the instructions in the next section. ## Epics ### Set up the S3 bucket | Task | Description | Skills required | | --- | --- | --- | | Create an S3 bucket. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html)For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the Amazon S3 documentation. | App developer, App owner, Cloud administrator | | Upload the CloudFormation templates and Lambda code. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html) | App developer, App owner, Cloud administrator | ### Deploy the CloudFormation template | Task | Description | Skills required | | --- | --- | --- | | Launch the CloudFormation template. | Open the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/) in the same AWS Region as your S3 bucket and deploy the template `base.yml`. This template creates the required AWS resources and Lambda functions for the alerts to be transmitted to the Slack channel.For more information about deploying CloudFormation templates, see [Creating a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the CloudFormation documentation. | App developer, App owner, Cloud administrator | | Complete the parameters in the template. | Specify the stack name and configure the parameter values. For a list of parameters, their descriptions, and default values, see *CloudFormation parameters* in the [Additional information](#send-alerts-from-aws-network-firewall-to-a-slack-channel-additional) section. | App developer, App owner, Cloud administrator | | Create the stack. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html) | App developer, App owner, Cloud administrator | ### Verify the solution | Task | Description | Skills required | | --- | --- | --- | | Test the deployment. | Use the AWS CloudFormation console or the AWS Command Line Interface (AWS CLI) to verify that the resources listed in the [Target technology stack](#send-alerts-from-aws-network-firewall-to-a-slack-channel-architecture) section have been created. If the CloudFormation template fails to deploy successfully, check the values you provided for the `pAvailabilityZone1 `and `pAvailabilityZone2 `parameters. These should be appropriate for the AWS Region you’re deploying the solution in. For a list of Availability Zones for each Region, see [Regions and Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones) in the Amazon EC2 documentation. | App developer, App owner, Cloud administrator | | Test functionality. | 1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).2. Create an EC2 instance in one of the protected subnets. Choose an Amazon Linux 2 AMI (HVM) to use as an HTTPS server. For instructions, see [Launch an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance) in the Amazon EC2 documentation.Amazon Linux 2 is nearing end of support. For more information, see the [Amazon Linux 2 FAQs](http://aws.amazon.com/amazon-linux-2/faqs/).3. Use the following user data to install a web server on the EC2 instance:
--full-cleanup \
--stack-name\
--region\
--disable-macie
#!/bin/bash4. Create the following network firewall rules:*Stateless rule:*
yum install httpd -y
systemctl start httpd
systemctl stop firewalld
cd /var/www/html
echo "Hello!! this is a NFW alert test page, 200 OK" > index.html
Source: 0.0.0.0/0*Stateful rule:*
Destination 10.0.3.65/32 (private IP of the EC2 instance)
Action: Forward
Protocol: HTTP5. Get the public IP of the web server you created in step 3.6. Access the public IP in a browser. You should see the following message in the browser:
Source ip/port: Any / Any
Destination ip/port: Any /Any
Hello!! this is a NFW alert test page, 200 OKYou will also get a notification in the Slack channel. The notification might be delayed, depending on the size of the message. For testing purposes, consider providing a CIDR filter that is not too narrow (for example, a CIDR value with /32 would be considered too narrow, and /8 would be too broad). For more information, see the *Filter behavior* section in [Additional information](#send-alerts-from-aws-network-firewall-to-a-slack-channel-additional). | App developer, App owner, Cloud administrator | ## Related resources + [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/) (AWS blog post) + [AWS Network Firewall policies](https://docs.aws.amazon.com/waf/latest/developerguide/network-firewall-policies.html) (AWS documentation) + [Network Firewall Slack Integration](https://github.com/aws-samples/aws-network-firewall-automation-examples/tree/main/NfwSlackIntegration/src) (GitHub repository) + [Create a Slack workspace](https://slack.com/help/articles/206845317-Create-a-Slack-workspace) (Slack help center) ## Additional information **CloudFormation parameters** | | | Parameter | Description | Default or sample value | | --- |--- |--- | | `pVpcName` | The name of the VPC to create. | Inspection | | `pVpcCidr` | The CIDR range for the VPC to create. | 10.0.0.0/16 | | `pVpcInstanceTenancy` | How EC2 instances are distributed across physical hardware. Options are `default `(shared tenancy) or `dedicated `(single tenancy). | default | | `pAvailabilityZone1` | The first Availability Zone for the infrastructure. | us-east-2a | | `pAvailabilityZone2` | The second Availability Zone for the infrastructure. | us-east-2b | | `pNetworkFirewallSubnet1Cidr` | The CIDR range for the first firewall subnet (minimum /28). | 10.0.1.0/24 | | `pNetworkFirewallSubnet2Cidr` | The CIDR range for the second firewall subnet (minimum /28). | 10.0.2.0/24 | | `pProtectedSubnet1Cidr` | The CIDR range for the first protected (workload) subnet. | 10.0.3.0/24 | | `pProtectedSubnet2Cidr` | The CIDR range for the second protected (workload) subnet. | 10.0.4.0/24 | | `pS3BucketName` | The name of the existing S3 bucket where you uploaded the Lambda source code. | us-w2-yourname-lambda-functions | | `pS3KeyPrefix` | The prefix of the S3 bucket where you uploaded the Lambda source code. | aod-test | | `pAWSSecretName4Slack` | The name of the secret that holds the Slack URL. | SlackEnpoint-Cfn | | `pSlackChannelName` | The name of the Slack channel you created. | somename-notifications | | `pSlackUserName` | Slack user name. | Slack User | | `pSecretKey` | This can be any key. We recommend that you use the default. | webhookUrl | | `pWebHookUrl` | The value of the Slack URL. | https://hooks.slack.com/services/T???9T??/A031885JRM7/9D4Y?????? | | `pAlertS3Bucket` | The name of the S3 bucket to be used as the network firewall alert destination. This bucket will be created for you. | us-w2-yourname-security-aod-alerts | | `pSecretTagName` | The tag name for the secret. | AppName | | `pSecretTagValue` | The tag value for the specified tag name. | LambdaSlackIntegration | | `pdestCidr` | The filter for the destination CIDR range. For more information, see the next section, *Filter behavior*. | 10.0.0.0/16 | | `pdestCondition` | A flag to indicate whether to exclude or include the destination match. For more information, see the next section. Valid values are `include `and `exclude`. | include | | `psrcCidr` | The filter for the source CIDR range to alert. For more information, see the next section. | 118.2.0.0/16 | | `psrcCondition` | The flag to exclude or include the source match. For more information, see the next section. | include | **Filter behavior** If you haven’t configured any filters in AWS Lambda, all generated alerts are sent to your Slack channel. The source and destination IPs of the generated alerts are matched against the CIDR ranges you configured when you deployed the CloudFormation template. If a match is found, the condition is applied. If either the source or the destination falls within the configured CIDR range and at least one of them is configured with the condition `include`, an alert is generated. The following tables provide examples of CIDR values, conditions, and results. | | | | Configured CIDR | Alert IP | Configured | Alert | | --- |--- |--- |--- |--- | | **Source** | 10.0.0.0/16 | 10.0.0.25 | include | Yes | | **Destination** | 100.0.0.0/16 | 202.0.0.13 | include | | | | | Configured CIDR | Alert IP | Configured | Alert | | --- |--- |--- |--- |--- | | **Source** | 10.0.0.0/16 | 10.0.0.25 | exclude | No | | **Destination** | 100.0.0.0/16 | 202.0.0.13 | include | | | | | Configured CIDR | Alert IP | Configured | Alert | | --- |--- |--- |--- |--- | | **Source** | 10.0.0.0/16 | 10.0.0.25 | include | Yes | | **Destination** | 100.0.0.0/16 | 100.0.0.13 | include | | | | | Configured CIDR | Alert IP | Configured | Alert | | --- |--- |--- |--- |--- | | **Source** | 10.0.0.0/16 | 90.0.0.25 | include | Yes | | **Destination** | Null | 202.0.0.13 | include | | | | | Configured CIDR | Alert IP | Configured | Alert | | --- |--- |--- |--- |--- | | **Source** | 10.0.0.0/16 | 90.0.0.25 | include | No | | **Destination** | 100.0.0.0/16 | 202.0.0.13 | include | # Send custom attributes to Amazon Cognito and inject them into tokens *Carlos Alessandro Ribeiro and Mauricio Mendoza, Amazon Web Services* ## Summary Sending custom attributes to an Amazon Cognito authentication process can provide additional context to an application, enable more granular access controls, and make it easier to manage user profiles and authentication requirements. These features are useful in a wide range of applications and scenarios, and they can help you improve the overall security and functionality of an application. This pattern shows how to send custom attributes to an Amazon Cognito authentication process when an application needs to provide additional context to the [access token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html) or [identity (ID) token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html). You use the Node.js as the backend application. The application authenticates a user from an Amazon Cognito [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html) and passes custom attributes that are needed for token generation. You can use [AWS Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html) for Amazon Cognito to customize your authentication process without major code customization or significant effort. **Important** The code and samples in this pattern are not recommended for production workloads because they are intended for demonstration purposes only. For production workloads, additional configuration is required on the client side. Use this pattern as a reference for pilot or proof-of-concept purposes only. ## Prerequisites and limitations **Prerequisites** + An active AWS account + Permissions to create and manage Amazon Cognito user pools and AWS Lambda functions + AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) + An integrated development environment (IDE) that supports Node.js + Node.js version 18 or later, [installed](https://nodejs.org/en/download/) + npm version 8 or later, [installed](https://docs.npmjs.com/getting-started) + TypeScript, [installed](https://www.typescriptlang.org/download/) **Limitations** + This pattern is not applicable for application integration through the Client Credentials authentication flow. + The pre-token generation trigger can add or change only some attributes of the access token and identity token. For more information, see [Pre token generation Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) in the Amazon Cognito documentation. ## Architecture **Target architecture** The following diagram shows the target architecture for this pattern. It also shows how the Node.js application might work with a backend to update databases. However, the backend database updates are outside the scope of this pattern. ![\[A Node.js application issuing an access token with custom attributes to an Amazon Cognito user pool.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/9f0855e6-77f9-48c2-846e-f9c317127e1f/images/8c52c88b-8954-4b4c-aed3-fd8c22f84c1d.png) The diagram shows the following workflow: 1. The Node.js application issues an access token with custom attributes to the Amazon Cognito user pool. 1. The Amazon Cognito user pool initiates the pre-token generation Lambda function, which customizes the access and ID tokens. 1. The Node.js application makes an API call through Amazon API Gateway. **Note** The other architectural components shown in this architecture are for example only and are out of scope for this pattern. **Automation and scale** You can automate the provisioning of Amazon Cognito user pools, AWS Lambda functions, database instances, and other resources by using [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html), the [AWS Cloud Development Kit (AWS CDK)](https://docs.aws.amazon.com/cdk/v2/guide/home.html), [HashiCorp Terraform](https://www.terraform.io/docs), or any supported infrastructure as code (IaC) tool. If you want to scale your deployments, use continuous integration and continuous delivery (CI/CD) pipelines, which help prevent errors associated with manual deployments. ## Tools **AWS services** + [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) helps you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs at any scale. + [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) provides authentication, authorization, and user management for web and mobile apps. + [Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fast and scalable container management service that helps you run, stop, and manage containers on a cluster. + [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use. + [AWS SDK for JavaScript](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html) provides a JavaScript API for AWS services. You can use it to build libraries or applications for Node.js or the browser. **Other tools** + [Node.js](https://nodejs.org/en/docs/) is an event-driven JavaScript runtime environment that is designed for building scalable network applications. + [npm](https://docs.npmjs.com/about-npm) is a software registry that runs in a Node.js environment and is used to share or borrow packages and manage deployment of private packages. ## Best practices We recommend that you implement the following best practices: + **Secrets and sensitive data** – Do not store secrets or sensitive data within the application. Use an external system that the application can pull the data from, such as [AWS AppConfig](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html), [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), or [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html). + **Standardized deployment** – Use CI/CD pipelines to deploy your applications. You can use services such as [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/welcome.html) and [AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html). + **Token expiration** – Set a short expiration date for the access token. + **Use a secure connection** – All communication between the client application and the backend should be encrypted by using SSL/TLS. Use [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) to generate and manage SSL/TLS certificates, and use [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html) or [Elastic Load Balancing ](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html)to handle SSL/TLS termination. + **Validate user input** – Make sure that all user input is validated to prevent injection attacks and other security vulnerabilities. Use input validation libraries and services such as Amazon API Gateway and [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html#waf-intro) to prevent common attack vectors. + **Use IAM roles** – Use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) roles to control access to AWS resources and make sure that only authorized users have access. Follow the principle of least privilege and make sure that each user has only the necessary permissions to perform their role. + **Use a password policy** – Configure a password policy that meets your security requirements, such as minimum length, complexity, and expiration. Use Secrets Manager or AWS Systems Manager Parameter Store to store and manage passwords securely. + **Enable multi-factor authentication (MFA)** – Enable MFA for all users to provide an additional layer of security and reduce the risk of unauthorized access. Use [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) or Amazon Cognito to enable MFA and other authentication methods. + **Store sensitive information securely** – Store sensitive information, such as passwords and access tokens, securely by using [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) or other encryption services. + **Use strong authentication methods** – To increase the security of the authentication process, use strong authentication methods, such as biometric authentication or multi-factor authentication. + **Monitor for suspicious activity** – Use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and other monitoring tools to monitor for suspicious activity and potential security threats. Set up automated alerts for unusual activity, and use [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) or [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) to detect potential threats. + **Regularly review and update security policies** – Regularly review and update your security policies and procedures to make sure that they meet your changing security requirements and best practices. Use AWS Config to track and audit changes to your security policies and procedures. + **Automated sign-up** – Do not enable automated sign-up to an Amazon Cognito user pool. For more information, see [Reduce risks of user sign-up fraud and SMS pumping with Amazon Cognito user pools](https://aws.amazon.com/blogs/security/reduce-risks-of-user-sign-up-fraud-and-sms-pumping-with-amazon-cognito-user-pools/) (AWS blog post). For additional best practices, see [Security best practices for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-security-best-practices.html) in the Amazon Cognito documentation. ## Epics ### Set up the AWS resources | Task | Description | Skills required | | --- | --- | --- | | Create a user pool. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-custom-attributes-cognito.html)For more information and instructions for how to set up a user pool in the AWS Management Console, see [Getting started with user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html) and [Add more features and security options to your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-next-steps.html).To reduce costs, use the Essentials plan or Lite plan to test this pattern. For more information, see [Amazon Cognito pricing](https://aws.amazon.com/cognito/pricing/). | App developer, AWS DevOps | | Add a user to the user pool. | Enter the following command to create one user in the Amazon Cognito user pool: