
SNS.1 remediation does not correctly match against a key alias

Open julian-price opened this issue 7 months ago • 3 comments

Describe the bug

I enabled SNS.1 auto-remediation as a way to try and resolve all the ControlTower SNS topics (aws-controltower-SecurityNotifications) that are not currently encrypted at rest, however, when running the automation I encountered the following error:

Failure message
Step fails when it is validating and resolving the step inputs. com.amazonaws.amiaservice.InvalidAutomationExecutionParametersException: Parameter "KmsKeyArn" has value "arn:aws:kms:us-west-1:123456789012:alias/SO0111-SHARR-Remediation-Key" not matching "^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias\/[A-Za-z0-9/-_])|(?:key\/(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})))$".. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

The reason for this stems from the alias capture group - (?:alias\/[A-Za-z0-9/-_]) - which only captures a single character after the alias/ text. While an alias with only one character will create a match, the default SHARR key alias - SO0111-SHARR-Remediation-Key - will not match.

To Reproduce

  1. Enable the SNS.1 control in SecurityHub
  2. Find and select an SNS topic that is failing for the control
  3. Click the Action button, then Remediate with ASR
  4. Navigate to SSM in the account where the remediation was actioned in
  5. Select Automation from left menu
  6. Find and open the failed execution for runbook ASR-SC_2.0.0_SNS.1

Expected behavior

The parameter (the KMS key alias) is correctly matched.

Please complete the following information about the solution:

  • [x] Version: v1.0.2, but issue still present in latest release
  • [x] Region: all are impacted
  • [x] Was the solution modified from the version published on this repository? Yes - the solution is customised to use a shared per-region key, rather than creating a key per account
  • [x] If the answer to the previous question was yes, are the changes available on GitHub? No, but documented in #206
  • [ ] Have you checked your service quotas for the services this solution uses? N/A
  • [ ] Were there any errors in the CloudWatch Logs? No

Screenshots

None - see error message above.

Additional context

The fix I applied locally to test this out is quite simple - it just adds a + quantifier to match the token in square brackets between one and unlimited times - e.g. (?:alias\/[A-Za-z0-9-_/]+). I also modified the position of the slash to the end of the token as placing it before the dash led to a different error. I believe this is because the regex parser is treating the /- as a sequence. It may also be possible to correct this by escaping the slash - e.g. \/ though ideally that would not be required because it is within a token (possibly a difference in the flavour of regex used).

Failure message
Step fails when it is validating and resolving the step inputs. com.amazonaws.amiaservice.InvalidAutomationExecutionParametersException: Parameter "KmsKeyArn" has value "arn:aws:kms:us-west-1:123456789012:alias/SO0111-SHARR-Remediation-Key" not matching "^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias\/[A-Za-z0-9/-_]+)|(?:key\/(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})))$".. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

julian-price, Mar 31 '25 05:03
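To make the mismatch described in the report reproducible offline, here is an added Python check (not part of the issue, the runbook, or the solution's code) that runs the original and the fixed alias character class from the failure message against a few constructed KMS key ARNs; the account id and alias value are the ones quoted above, the key id is made up.

```python
import re

# KMS key ARN pattern from the SSM failure message, with the alias character
# class pulled out so the original and the fixed class can be compared.
PREFIX = r"^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:"
KEY_ID = r"(?:key\/(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}))"

# Original: exactly one character after "alias/" (no quantifier). Inside
# brackets "/-_" is a range from "/" (0x2F) to "_" (0x5F), not three literals.
ORIGINAL_ALIAS = r"(?:alias\/[A-Za-z0-9/-_])"
# Fix from the report: "+" quantifier, slash moved last so "-" is a literal.
FIXED_ALIAS = r"(?:alias\/[A-Za-z0-9-_/]+)"


def build_pattern(alias_class: str) -> re.Pattern:
    """Assemble the full KmsKeyArn validation regex around one alias class."""
    return re.compile(PREFIX + "(?:" + alias_class + "|" + KEY_ID + ")$")


ORIGINAL = build_pattern(ORIGINAL_ALIAS)
FIXED = build_pattern(FIXED_ALIAS)


def matches(pattern: re.Pattern, arn: str) -> bool:
    return pattern.fullmatch(arn) is not None


def compare(arn: str) -> tuple:
    """Return (original_matches, fixed_matches) for one ARN."""
    return matches(ORIGINAL, arn), matches(FIXED, arn)


# Constructed sample inputs (account id and alias taken from the issue text).
SHARR_ALIAS_ARN = "arn:aws:kms:us-west-1:123456789012:alias/SO0111-SHARR-Remediation-Key"
ONE_CHAR_ALIAS_ARN = "arn:aws:kms:us-west-1:123456789012:alias/a"
KEY_ARN = "arn:aws:kms:us-west-1:123456789012:key/12345678-1234-1234-1234-123456789abc"
EMPTY_ALIAS_ARN = "arn:aws:kms:us-west-1:123456789012:alias/"

if __name__ == "__main__":
    for arn in (SHARR_ALIAS_ARN, ONE_CHAR_ALIAS_ARN, KEY_ARN, EMPTY_ALIAS_ARN):
        original_ok, fixed_ok = compare(arn)
        print(f"{arn}\n  original={original_ok}  fixed={fixed_ok}")
```

Only the one-character alias passes the original class, which is why the default SHARR alias is rejected while key-id ARNs are unaffected.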