aws-samples / aws-security-hub-summary-email

Solution and deployment for recurring Security Hub Summary email to provide recipients with a proactive communication summarizing the security posture and improvement within their AWS Accounts.
MIT No Attribution

CreateInsights fails due to invalid formatting #10

Open FritjofH opened 3 months ago

FritjofH commented 3 months ago
ERROR   CreateInsight call failed InvalidInputException: Invalid Filters in the input: data.CreatedAt[0].DateRange.Value should be number
    at de_InvalidInputExceptionRes (/var/runtime/node_modules/@aws-sdk/client-securityhub/dist-cjs/index.js:3063:21)
    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-securityhub/dist-cjs/index.js:2987:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/core/dist-cjs/index.js:165:18
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22
    at async exports.handler (/var/task/index.js:66:33) {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: 'ec1556fa-19c0-4918-a57b-22a95bc07f92',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Code: 'InvalidInputException',
  Type: 'InvalidInputException',
  RequestId: '395e25a6-ca25-43dc-b09d-52f7f1ec5b0c'
}

The `DateRange.Value` for the "new findings in the last 7 days" insight should be changed from the string `'7'` to the number `7`, I guess — the Security Hub API validates it as a number, as the `InvalidInputException` above says.

https://github.com/aws-samples/aws-security-hub-summary-email/blob/3522d09249d01885b98fb96223dfed24902b3b33/security-hub-email-summary-cf-template.json#L211

jcriswell commented 3 months ago

Thank you for opening an issue on this. Were you able to make that change after downloading the template, and did the stack then deploy successfully? Security Hub now has native CloudFormation support for custom insights, so my current plan is to refactor this design so that it no longer uses a CloudFormation custom resource (a Lambda function) to create the insights.

FritjofH commented 3 months ago

Yes, got things working after some tweaking. Besides this issue, I had problems with the AWS SDK for JavaScript v2 (`aws-sdk`) not being found in the Lambda runtime (the runtime only ships the v3 modules under `/var/runtime/node_modules/@aws-sdk`, as the stack trace shows), which was solved by moving the function to SDK v3 (`@aws-sdk/client-securityhub`). The Lambda I deployed looks like this:

var response = require('cfn-response');
const { SecurityHubClient, CreateInsightCommand } = require('@aws-sdk/client-securityhub');

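// Finding type used by the AWS Foundational Security Best Practices standard.
const AFSBP_TYPE = 'Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices';

// Filter fragments shared by several insights.
const NOT_SUPPRESSED = { Value: 'SUPPRESSED', Comparison: 'NOT_EQUALS' };
const NOT_RESOLVED = { Value: 'RESOLVED', Comparison: 'NOT_EQUALS' };
const ACTIVE_ONLY = [{ Value: 'ACTIVE', Comparison: 'EQUALS' }];

/**
 * The seven custom insights the summary email is built from, indexed by the
 * custom resource's `insightID` property (0-based).
 *
 * Every insight excludes SUPPRESSED and non-ACTIVE findings. The 7-day
 * `DateRange.Value` must be a number — the Security Hub API rejects the
 * string `'7'` with InvalidInputException.
 */
const INSIGHT_DEFINITIONS = Object.freeze([
  {
    Name: 'Summary Email - 01 - AWS Foundational Security Best practices findings by compliance status',
    GroupByAttribute: 'ComplianceStatus',
    Filters: {
      Type: [{ Value: AFSBP_TYPE, Comparison: 'EQUALS' }],
      WorkflowStatus: [NOT_SUPPRESSED],
      RecordState: ACTIVE_ONLY,
    },
  },
  {
    Name: 'Summary Email - 02 - Failed AWS Foundational Security Best practices findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      Type: [{ Value: AFSBP_TYPE, Comparison: 'EQUALS' }],
      WorkflowStatus: [NOT_SUPPRESSED],
      ComplianceStatus: [{ Value: 'FAILED', Comparison: 'EQUALS' }],
      RecordState: ACTIVE_ONLY,
    },
  },
  {
    Name: 'Summary Email - 03 - Count of Amazon GuardDuty findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      ProductName: [{ Value: 'GuardDuty', Comparison: 'EQUALS' }],
      WorkflowStatus: [NOT_SUPPRESSED],
      RecordState: ACTIVE_ONLY,
    },
  },
  {
    Name: 'Summary Email - 04 - Count of IAM Access Analyzer findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      ProductName: [{ Value: 'IAM Access Analyzer', Comparison: 'EQUALS' }],
      WorkflowStatus: [NOT_SUPPRESSED],
      RecordState: ACTIVE_ONLY,
    },
  },
  {
    Name: 'Summary Email - 05 - Count of all unresolved findings by severity',
    GroupByAttribute: 'SeverityLabel',
    Filters: {
      WorkflowStatus: [NOT_RESOLVED, NOT_SUPPRESSED],
      RecordState: ACTIVE_ONLY,
    },
  },
  {
    Name: 'Summary Email - 06 - new findings in the last 7 days',
    GroupByAttribute: 'ProductName',
    Filters: {
      WorkflowStatus: [NOT_RESOLVED, NOT_SUPPRESSED],
      CreatedAt: [{ DateRange: { Value: 7, Unit: 'DAYS' } }],
      RecordState: ACTIVE_ONLY,
    },
  },
  {
    Name: 'Summary Email - 07 - Top Resource Types with findings by count',
    GroupByAttribute: 'ResourceType',
    Filters: {
      WorkflowStatus: [NOT_SUPPRESSED],
      RecordState: ACTIVE_ONLY,
    },
  },
]);

/**
 * CloudFormation custom-resource handler that creates one Security Hub custom
 * insight per resource instance.
 *
 * The insight is selected by `event.ResourceProperties.insightID`, a 0-based
 * index into INSIGHT_DEFINITIONS (CloudFormation delivers it as a string). On
 * success the insight ARN is returned to CloudFormation as `Data.ARN`; on any
 * failure a FAILED response is sent so the stack operation does not hang until
 * the custom-resource timeout.
 *
 * NOTE(review): Delete is acknowledged but nothing is torn down, and Update
 * runs CreateInsight again — insights created earlier are presumably left
 * behind (cfn-response defaults the physical id to the log stream name, so
 * no ARN is tracked for them). Confirm whether that is acceptable.
 *
 * The handler is deliberately not `async`: cfn-response finishes the
 * invocation itself via `context.done()` once its HTTPS callback has been
 * delivered, which requires the runtime to keep waiting on the event loop.
 *
 * @param {object} event   CloudFormation custom-resource event.
 * @param {object} context Lambda context, handed to cfn-response.
 */
exports.handler = function (event, context) {
  if (event.RequestType === 'Delete') {
    response.send(event, context, response.SUCCESS);
    return;
  }

  const responseData = {};

  // Report a failure to CloudFormation exactly once.
  const fail = (message, err) => {
    responseData.Error = message;
    console.error(message, err);
    response.send(event, context, response.FAILED, responseData);
  };

  // Validate the selector before calling the API: an out-of-range or missing
  // insightID would otherwise send `undefined` as the CreateInsight input.
  const properties = event.ResourceProperties || {};
  const rawId = properties.insightID;
  const index = rawId === '' || rawId === undefined || rawId === null ? NaN : Number(rawId);
  if (!Number.isInteger(index) || index < 0 || index >= INSIGHT_DEFINITIONS.length) {
    fail(`Invalid insightID "${rawId}"; expected an integer in [0, ${INSIGHT_DEFINITIONS.length - 1}]`);
    return;
  }

  let pending;
  try {
    const securityhub = new SecurityHubClient();
    pending = securityhub.send(new CreateInsightCommand(INSIGHT_DEFINITIONS[index]));
  } catch (err) {
    // Synchronous failures only (e.g. client construction); API errors arrive
    // as a rejected promise and are handled below.
    fail('CreateInsight call failed', err);
    return;
  }

  // Two-argument then(): a rejection from the API call (such as the
  // InvalidInputException in this issue) must reach CloudFormation as FAILED,
  // and an error thrown while sending SUCCESS must not trigger a second send.
  pending.then(
    (result) => {
      responseData.ARN = result.InsightArn;
      response.send(event, context, response.SUCCESS, responseData);
    },
    (err) => fail('CreateInsight call failed', err),
  );
};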