aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0

RDS.4 remediation failing to remediate #152

Closed jacobtb23 closed 3 months ago

jacobtb23 commented 1 year ago

Issue #, if available:

BUG: The control RDS.4 for the AFSBP standard contains an SSM document that uses a line of regex to find matching ARNs for RDS backups to encrypt; however, the existing regex does not properly match ARNs that follow the format arn:aws:rds:::snapshot:awsbackup:job- (see screenshot below).

ORIGINAL REGEX:

(screenshot: original regex, 2023-03-27)

However, the following regex does match. I would imagine that these snapshot ARNs, despite their format, would be supported by this remediation; however, even after making these regex changes it seems that the remediation still fails to execute correctly. This is the only control that I have been having trouble getting to work. When the snapshots follow the ARN naming convention above, they fail 100% of the time.

MODIFIED REGEX: (With added ':')

(screenshot: modified regex with added ':', 2023-03-27)

ERROR:

message:Step fails when it is Poll action status for completion. Traceback (most recent call last):
  File "/tmp/98790b39-8f69-43d0-8897-18816cb22546-2023-03-27-18-38-59/customer_script.py", line 178, in parse_event
    finding_event = FindingEvent(event['Finding'], event['parse_id_pattern'], event['expected_control_id'], event.get('resource_index', 1))
  File "/tmp/98790b39-8f69-43d0-8897-18816cb22546-2023-03-27-18-38-59/customer_script.py", line 126, in __init__
    self._get_resource_id(parse_id_pattern, resource_index)     # self.resource_id, self.resource_id_matches
  File "/tmp/98790b39-8f69-43d0-8897-18816cb22546-2023-03-27-18-38-59/customer_script.py", line 85, in _get_resource_id
    exit(f'ERROR: Invalid resource Id {identifier_raw}')
  File "/var/lang/lib/python3.8/_sitebuiltins.py", line 26, in __call__
    raise SystemExit(code)
SystemExit: ERROR: Invalid resource Id arn:aws:rds:us-west-2:11111111111111:snapshot:awsbackup:job-656bc5ad-b20e-9b9e-43c8-bcd5643f7d0a

SystemExit - ERROR: Invalid resource Id ...

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
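Added example (not code from the issue or from the automated-security-response-on-aws project): the two patterns below are hypothetical reconstructions that illustrate the failure mode in the traceback above, where a snapshot identifier containing a second ':' (awsbackup:job-<uuid>) is rejected by a character class that allows none. The sample ARNs and the 12-digit account id are constructed; the solution's real regex is only visible as a screenshot and is not reproduced here. parse_snapshot_id raises ValueError with the same message text the SSM script prints before exit(), so the rejection can be observed rather than terminating the process.

```python
import re
from typing import Dict, Optional

# Constructed sample ARNs (not taken from the project's test data). The third
# one has the awsbackup:job- form reported in the issue; the account id is a
# 12-digit placeholder.
SAMPLE_ARNS = {
    "manual": "arn:aws:rds:us-west-2:111111111111:snapshot:mydb-manual-2023-03-27",
    "automated": "arn:aws:rds:us-west-2:111111111111:snapshot:rds:mydb-2023-03-27-05-20",
    "awsbackup": (
        "arn:aws:rds:us-west-2:111111111111:snapshot:"
        "awsbackup:job-656bc5ad-b20e-9b9e-43c8-bcd5643f7d0a"
    ),
}

# Hypothetical narrow pattern: tolerates the optional "rds:" prefix of
# automated snapshots but allows no other ':' inside the identifier, so
# "awsbackup:job-<uuid>" never matches. Illustration only, not the
# solution's actual regex.
NARROW_PATTERN = (
    r"^arn:(?:aws|aws-cn|aws-us-gov):rds:[a-z0-9-]+:\d{12}"
    r":snapshot:((?:rds:)?[A-Za-z][A-Za-z0-9-]*)$"
)

# Broadened pattern: ':' is permitted in the identifier character class, so
# "rds:<name>" and "awsbackup:job-<uuid>" are both captured whole as the
# DBSnapshotIdentifier.
BROAD_PATTERN = (
    r"^arn:(?:aws|aws-cn|aws-us-gov):rds:[a-z0-9-]+:\d{12}"
    r":snapshot:([A-Za-z][A-Za-z0-9:-]*)$"
)


def parse_snapshot_id(arn: str, pattern: str) -> str:
    """Return the snapshot identifier captured by `pattern`.

    Raises ValueError with the same wording the SSM script uses before it
    calls exit(); raising keeps the failure observable to the caller.
    """
    match = re.match(pattern, arn)
    if not match:
        raise ValueError(f"ERROR: Invalid resource Id {arn}")
    return match.group(1)


def check_patterns(arns: Dict[str, str], pattern: str) -> Dict[str, Optional[str]]:
    """Map each sample name to its captured identifier, or None when the
    pattern rejects the ARN (the case that surfaces as the traceback above)."""
    results: Dict[str, Optional[str]] = {}
    for name, arn in arns.items():
        try:
            results[name] = parse_snapshot_id(arn, pattern)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    for label, pattern in (("narrow", NARROW_PATTERN), ("broad", BROAD_PATTERN)):
        print(label, check_patterns(SAMPLE_ARNS, pattern))
```

Run stand-alone, the narrow pattern returns None for the awsbackup sample and the broad one captures "awsbackup:job-656bc5ad-b20e-9b9e-43c8-bcd5643f7d0a". One detail worth checking against the traceback above: the pattern reaches FindingEvent as event['parse_id_pattern'], i.e. as an input to the script, so a regex fix has to land in whatever supplies that input, not only in a local copy of the Python.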

AaronSchuetter commented 6 months ago

We will fix this in the next release.

AaronSchuetter commented 3 months ago

Fixed in v2.1.0