aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0

The status of the checkSSMDocState response is NOTENABLED for all controls. #190

Closed freakssy closed 4 months ago

freakssy commented 4 months ago

I installed the solution following the documentation to test between two accounts in the same region. When I initiate a remediation on a supported control and for a finding located in the same region, I receive the following response:

{ "status": "NOTENABLED", "message": "Security Standard is not enabled\": \"security-control version 2.0.0\" ; "remediation_status": "", "logdata": [], "securitystandard": "error", "securitystandardversion": "2.0.0", "controlid": "EC2.2", "standardsupported": "False", "accountid": "xxxxxxxxxxxxx", "resourceregion": "eu-west-1" }

Upon reviewing the code, I observe that it relies on the value of standard_name to fetch a parameter in the SSM parameter store, and it sets standard_version_supported to true or false. This is how it determines the status.

Below you will find the event; I have removed the names of the resources and the account:

{
    "EventType": "Security Hub Findings - Custom Action",
    "Finding": {
        "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
        "Types": [
            "Software and Configuration Checks/Industry and Regulatory Standards"
        ],
        "Description": "This AWS control checks that the default security group of a VPC does not allow inbound or outbound traffic.",
        "Compliance": {
            "Status": "FAILED",
            "SecurityControlId": "EC2.2",
            "RelatedRequirements": [
                "CIS AWS Foundations Benchmark v1.2.0/4.3"
            ],
            "AssociatedStandards": [
                {
                    "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
                },
                {
                    "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
                }
            ]
        },
        "ProductName": "Security Hub",
        "FirstObservedAt": "2023-10-05T01:08:45.178Z",
        "CreatedAt": "2023-10-05T01:08:45.178Z",
        "LastObservedAt": "2024-03-11T07:08:51.217Z",
        "CompanyName": "AWS",
        "FindingProviderFields": {
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards"
            ],
            "Severity": {
                "Normalized": 70,
                "Label": "HIGH",
                "Original": "HIGH"
            }
        },
        "ProductFields": {
            "RelatedAWSResources:0/name": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
            "aws/securityhub/ProductName": "Security Hub",
            "aws/securityhub/CompanyName": "AWS",
            "Resources:0/Id": "arn:aws:ec2:eu-west-1:xxxxxxxxxxxx:security-group/sg-xxxxxxxxxxxxxxxxx",
            "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:xxxxxxxxxxxxxxxxx:security-control/EC2.2/finding/ea4e86b8-de19-4f3e-88e7-092ee7dcf3b9"
        },
        "Remediation": {
            "Recommendation": {
                "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation"
            }
        },
        "SchemaVersion": "2018-10-08",
        "GeneratorId": "security-control/EC2.2",
        "RecordState": "ACTIVE",
        "Title": "VPC default security groups should not allow inbound or outbound traffic",
        "Workflow": {
            "Status": "NEW"
        },
        "Severity": {
            "Normalized": 70,
            "Label": "HIGH",
            "Original": "HIGH"
        },
        "UpdatedAt": "2024-03-11T07:08:41.069Z",
        "WorkflowState": "NEW",
        "AwsAccountName": "xxxxxxxxxxxxxxxxxxx",
        "AwsAccountId": "xxxxxxxxxxxxxxxx",
        "Region": "eu-west-1",
        "Id": "arn:aws:securityhub:eu-west-1:xxxxxxxxxxxxxxxxxxxxx:security-control/EC2.2/finding/ea4e86b8-de19-4f3e-88e7-092ee7dcf3b9",
        "Resources": [
            {
                "Partition": "aws",
                "Type": "AwsEc2SecurityGroup",
                "Details": {
                    "AwsEc2SecurityGroup": {
                        "GroupName": "default",
                        "OwnerId": "xxxxxxxxxxxxxxxxxx",
                        "VpcId": "vpc-xxxxxxxxxxxxxxxxxx",
                        "IpPermissions": [
                            {
                                "IpProtocol": "-1",
                                "UserIdGroupPairs": [
                                    {
                                        "UserId": "xxxxxxxxxxxxxxxxxxxxx",
                                        "GroupId": "sg-xxxxxxxxxxxxxxxxxxxxxx"
                                    }
                                ]
                            }
                        ],
                        "IpPermissionsEgress": [
                            {
                                "IpProtocol": "-1",
                                "IpRanges": [
                                    {
                                        "CidrIp": "0.0.0.0/0"
                                    }
                                ]
                            }
                        ],
                        "GroupId": "sg-xxxxxxxxxxxxxxxxxxxxx"
                    }
                },
                "Region": "eu-west-1",
                "Id": "arn:aws:ec2:eu-west-1:xxxxxxxxxxxxxxxxxxx:security-group/sg-xxxxxxxxxxxxxxxxxxxxxx"
            }
        ],
        "ProcessedAt": "2024-03-11T07:08:55.644Z"
    },
    "Workflow": {
        "WorkflowConfig": {
            "impact": "nondestructive",
            "approvalrequired": "false"
        },
        "WorkflowDocument": "",
        "WorkflowRole": "",
        "WorkflowAccount": ""
    }
}
freakssy commented 4 months ago

I understood where the problem was coming from. The solution deploys runbooks based on the standard name. At my place, I have activated two standards, FSBP and CIS, so I have deployed only the corresponding runbooks without the 'security control,' yet it is needed.

AaronSchuetter commented 4 months ago

When the "standard_name" is set to "security-control", this should indicate that consolidated findings are enabled within Security Hub.

When this is the case, for this solution you should have enabled the "Security Control" playbook during deployment. Implementation Guide

You should have selected yes for the parameter "LoadSCMemberStack"
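The routing decision described in the two posts above (the finding's GeneratorId is parsed into a standard name, version and control id, and the status depends on whether the matching playbook's parameter exists), as an added example that is not the project's own code. An in-memory dict stands in for the SSM Parameter Store; the parameter paths, the shortname mapping and the ENABLED label are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed stand-in for the SSM Parameter Store: only the FSBP and CIS
# playbook parameters exist, matching the reporter's deployment (no SC entry).
# Parameter paths are an assumption made for this example.
DEPLOYED_PLAYBOOK_PARAMS = {
    "/Solutions/SO0111/AFSBP/1.0.0/status": "enabled",
    "/Solutions/SO0111/CIS/1.2.0/status": "enabled",
}
# Standard portion of GeneratorId -> playbook shortname (assumed mapping).
STANDARD_SHORTNAME = {
    "aws-foundational-security-best-practices": "AFSBP",
    "cis-aws-foundations-benchmark": "CIS",
    "security-control": "SC",  # consolidated control findings
}

@dataclass
class ParsedFinding:
    standard_name: str
    version: str
    control_id: str

def parse_generator_id(generator_id: str) -> ParsedFinding:
    """Accept "security-control/EC2.2" (consolidated) or
    "aws-foundational-security-best-practices/v/1.0.0/EC2.2" (per standard)."""
    parts = generator_id.split("/")
    if len(parts) == 2 and parts[0] == "security-control":
        # Consolidated ids carry no version; the thread shows ASR reporting 2.0.0.
        return ParsedFinding("security-control", "2.0.0", parts[1])
    if len(parts) == 4 and parts[1] == "v":
        return ParsedFinding(parts[0], parts[2], parts[3])
    raise ValueError(f"unrecognised GeneratorId: {generator_id!r}")

def check_ssm_doc_state(generator_id: str, params=DEPLOYED_PLAYBOOK_PARAMS) -> dict:
    """Return a response shaped like the one quoted in the issue."""
    f = parse_generator_id(generator_id)
    short = STANDARD_SHORTNAME.get(f.standard_name)
    key = f"/Solutions/SO0111/{short}/{f.version}/status" if short else None
    supported = key is not None and params.get(key) == "enabled"
    msg = "" if supported else f"Security Standard is not enabled: {f.standard_name} version {f.version}"
    return {
        "status": "ENABLED" if supported else "NOTENABLED",  # ENABLED label is this example's own
        "message": msg,
        "securitystandard": short if supported else "error",
        "securitystandardversion": f.version,
        "controlid": f.control_id,
        "standardsupported": str(supported),
    }
```

Adding the SC parameter to the dict (what deploying the Security Control playbook with LoadSCMemberStack set to yes would do) turns the consolidated finding's status from NOTENABLED to ENABLED.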