automated-security-response-on-aws
fix: Improve the SHARR notification messages to include more relevant info for administrators receiving the events #185
Issue #185
Description of changes:
Added additional properties to the Notification that is sent by SHARR on the SNS Topic when a Remediation is initiated and its state changes.
Re: Testing... This patch was pulled from a custom branch that I have been running in production for months now.
Added Properties:
- `account_alias` - the alias of the `account_id` as returned from the `organizations.list_accounts` API
- `link` - an http link in the form `https://console.aws.amazon.com/securityhub/home?region={finding.region}#/findings?search={finding.id}` that provides a quick link to the full finding details.
  - Clicking the link takes you to whatever AWS Account you are logged in with, but if you log in first to the right Account and then click the link it's still much faster than copy-pasting and searching the Finding ID/ARN
- `note` - the `Note` field from the Finding. This is found by looking up the Finding by its ARN in Security Hub (`securityhub.get_findings`) and then reading the `Note.Text` value from it.
- `resource` - either the `AffectedObject` from the Notification payload, or the Resource Id from the Finding. This is very helpful when a batch of remediations are run to identify quickly which resource the remediation was for.
Permissions Changes
- `securityhub:GetFindings`: required to look up the Findings in Security Hub to get the Note off of them.
  - There is a graceful fallback if the permission is not enabled which will log an INFO level message and leave the `note = ''` if there is any error in reading the finding.
  - The permission is added in the `SolutionDeployStack` specifically for the `SHARR_Orchestrator_Notifier` policy.
- `organizations:ListAccounts`: required to look up the Account Alias for the Account Id which is the target of the remediation.
  - There is a graceful fallback if the permission is not enabled which will log a WARN level message and set the `account_alias` to the `account_id` value so it is never empty.
  - The permission is added in the `SolutionDeployStack` specifically for the `SHARR_Orchestrator_Notifier` policy.
Example Notifications: Account Id changed to a dummy value for this comment
{
"severity": "INFO",
"message": "Remediation queued for SC control EC2.7 in account 123456789001",
"finding": {
"finding_id": "04f78bbd-e10f-4a3e-b473-63a561c7b002",
"finding_description": "This control checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default. The control fails if EBS default encryption is not enabled.",
"standard_name": "security-control",
"standard_version": "2.0.0",
"standard_control": "EC2.7",
"title": "EBS default encryption should be enabled",
"region": "us-east-1",
"account": "123456789001",
"finding_arn": "arn:aws:securityhub:us-east-1:123456789001:security-control/EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002",
"account_alias": "qcex-cloudformation-admin",
"link": "https://console.aws.amazon.com/securityhub/home?region=us-east-1#/findings?search=Id%3D%255Coperator%255C%253AEQUALS%255C%253Aarn%253Aaws%253Asecurityhub%253Aus-east-1%253A123456789001%253Asecurity-control%252FEC2.7%252Ffinding%252F04f78bbd-e10f-4a3e-b473-63a561c7b002",
"note": "",
"resource": "123456789001"
},
"state": "QUEUED",
"execution_id": "836c1d27-d8ca-44b2-8af0-11481cc2695c"
}
{
"severity": "INFO",
"message": "Remediation succeeded for SC control EC2.7 in account 123456789001: Remediation status: Success - please verify remediation (AwsAccount AWS::::Account:123456789001)",
"finding": {
"finding_id": "04f78bbd-e10f-4a3e-b473-63a561c7b002",
"finding_description": "This control checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default. The control fails if EBS default encryption is not enabled.",
"standard_name": "security-control",
"standard_version": "2.0.0",
"standard_control": "EC2.7",
"title": "EBS default encryption should be enabled",
"region": "us-east-1",
"account": "123456789001",
"finding_arn": "arn:aws:securityhub:us-east-1:123456789001:security-control/EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002",
"account_alias": "qcex-cloudformation-admin",
"link": "https://console.aws.amazon.com/securityhub/home?region=us-east-1#/findings?search=Id%3D%255Coperator%255C%253AEQUALS%255C%253Aarn%253Aaws%253Asecurityhub%253Aus-east-1%253A123456789001%253Asecurity-control%252FEC2.7%252Ffinding%252F04f78bbd-e10f-4a3e-b473-63a561c7b002",
"note": "",
"resource": "AWS::::Account:123456789001"
},
"state": "SUCCESS",
"execution_id": "836c1d27-d8ca-44b2-8af0-11481cc2695c"
}
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Closes #185
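The following is an added example, not code from this PR or from the SHARR project, written in Python (the language of the SHARR orchestrator Lambdas). It shows one way to produce the four fields the description lists: the console deep link, built with the same double-percent-encoded `Id=\operator\:EQUALS\:<ARN>` filter visible in the example notifications above; the account alias via `organizations:ListAccounts` with the WARN fallback to the account id; and the `Note.Text` and fallback resource id via `securityhub:GetFindings` with the INFO fallback to an empty note. Assumptions: the "alias" is taken from the `Name` field that `ListAccounts` returns (that API exposes no separate alias); the `FakeOrganizations` and `FakeSecurityHub` classes and the sample finding data are constructed stand-ins so the code runs offline, and in production the two clients would be `boto3.client("organizations")` and `boto3.client("securityhub")`. One caveat a deployer should keep in mind: `organizations:ListAccounts` only succeeds when called from the Organizations management account or a delegated administrator, so in an ordinary member account the WARN fallback path is the normal path even with the IAM permission granted.

```python
import logging
from urllib.parse import quote

logger = logging.getLogger("sharr_notifier_example")
CONSOLE_BASE = "https://console.aws.amazon.com/securityhub/home"


def finding_link(region: str, finding_arn: str) -> str:
    """Console deep link for one finding.

    The #/findings?search= fragment carries the filter Id=\\operator\\:EQUALS\\:<ARN>.
    The filter value is percent-encoded once and the whole "Id=..." string once
    more, which is why the links in the example notifications show %255C / %253A.
    """
    filter_value = f"\\operator\\:EQUALS\\:{finding_arn}"
    search = quote("Id=" + quote(filter_value, safe=""), safe="")
    return f"{CONSOLE_BASE}?region={region}#/findings?search={search}"


def account_alias(org_client, account_id: str) -> str:
    """Account Name via organizations:ListAccounts; on any error (AccessDenied,
    caller is not the management/delegated admin, id not found) log WARN and
    return the id so the field is never empty."""
    try:
        kwargs = {}
        while True:  # follow NextToken: ListAccounts paginates
            page = org_client.list_accounts(**kwargs)
            for acct in page.get("Accounts", []):
                if acct.get("Id") == account_id:
                    return acct.get("Name") or account_id
            if not page.get("NextToken"):
                break
            kwargs = {"NextToken": page["NextToken"]}
        logger.warning("account %s not in organization; using id", account_id)
    except Exception as exc:  # botocore ClientError in real use
        logger.warning("organizations:ListAccounts failed (%s); using id", exc)
    return account_id


def lookup_finding(sh_client, finding_arn: str) -> dict:
    """Full ASFF finding via securityhub:GetFindings, or {} after an INFO log."""
    try:
        resp = sh_client.get_findings(
            Filters={"Id": [{"Value": finding_arn, "Comparison": "EQUALS"}]},
            MaxResults=1)
        findings = resp.get("Findings", [])
        return findings[0] if findings else {}
    except Exception as exc:
        logger.info("securityhub:GetFindings failed (%s); note left empty", exc)
        return {}


def enrich(finding: dict, affected_object, org_client, sh_client) -> dict:
    """Add account_alias, link, note and resource to the notification's finding dict."""
    asff = lookup_finding(sh_client, finding["finding_arn"])
    resources = asff.get("Resources") or [{}]
    enriched = dict(finding)
    enriched["account_alias"] = account_alias(org_client, finding["account"])
    enriched["link"] = finding_link(finding["region"], finding["finding_arn"])
    enriched["note"] = asff.get("Note", {}).get("Text", "")  # '' if no Note or lookup failed
    enriched["resource"] = str(affected_object) if affected_object else resources[0].get("Id", "")
    return enriched


# Constructed offline stand-ins for the two boto3 clients (hypothetical, for this example).
class FakeOrganizations:
    def __init__(self, accounts, deny=False):
        self.accounts, self.deny = accounts, deny

    def list_accounts(self, NextToken=None):
        if self.deny:
            raise PermissionError("AccessDeniedException")
        if NextToken is None:  # first page holds one account and a token
            return {"Accounts": self.accounts[:1], "NextToken": "page-2"}
        return {"Accounts": self.accounts[1:]}


class FakeSecurityHub:
    def __init__(self, findings_by_arn, deny=False):
        self.findings_by_arn, self.deny = findings_by_arn, deny

    def get_findings(self, Filters, MaxResults=100):
        if self.deny:
            raise PermissionError("AccessDeniedException")
        arn = Filters["Id"][0]["Value"]
        return {"Findings": [self.findings_by_arn[arn]] if arn in self.findings_by_arn else []}


# Constructed sample data; account id and ARN copied from the example notification above.
FINDING_ARN = ("arn:aws:securityhub:us-east-1:123456789001:security-control/"
               "EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002")
SAMPLE_FINDING = {"account": "123456789001", "region": "us-east-1", "finding_arn": FINDING_ARN}
ORG = FakeOrganizations([{"Id": "111111111111", "Name": "log-archive"},
                         {"Id": "123456789001", "Name": "qcex-cloudformation-admin"}])
SH = FakeSecurityHub({FINDING_ARN: {"Id": FINDING_ARN,
                                    "Note": {"Text": "Approved by platform team"},
                                    "Resources": [{"Id": "AWS::::Account:123456789001"}]}})

if __name__ == "__main__":
    print(enrich(SAMPLE_FINDING, None, ORG, SH))
```

Passing `deny=True` to either fake exercises the two fallback paths the description specifies: the alias degrades to the raw account id and the note to an empty string, and the notification is still sent. The `resource` field also degrades to an empty string when the orchestrator supplies no `AffectedObject` and the finding cannot be read, which is the one field that may end up blank.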