search

aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0
382 stars 108 forks source link

Deploy single (per-region) CMK KMS keys and share to all accounts in the AWS Organization #204

Open julian-price opened 3 days ago

julian-price commented 3 days ago

Following on from my comment in https://github.com/aws-solutions/automated-security-response-on-aws/issues/178#issuecomment-2363130018, this enhancement request centres on provisioning a single CMK KMS key per region, shared to an AWS Organization to remediate findings with. For obvious reasons, this type of deployment would only be applicable where the sharr solution was deployed in an AWS Organization, but it would greatly reduce the costs of running the solution (in my case about 90% of the costs would be saved by deploying in this manner).

I have implemented a version of the solution locally that creates shared keys.

Changes Made

  1. A DEPLOY_TO_AWS_ORG environment variable was added to the SolutionDeployStack which, if set via the -o switch in the build-s3-dist.sh script will generate a version of the sharr solution that uses KMS kets shared to the Organization.
  2. The MemberStack was changed to take an optional sharedKeyAccount parameter along with a boolean property (deployToOrg) denoting whether the solution is to be deployed to an Org. If true, then the MemberRemediationKey construct just looks up the key from its alias ARN; if false, the key is created by the MemberRemediationKey construct. The key ARN, whether shared or not still gets stored in an SSM parameter in each member account.
  3. A new OrganizationSharedKeyStack was created that takes an OrganizationIdParam parameter and creates a key (using the same key creation method as the MemberRemediationKey construct).
  4. The SolutionDeployStack was modified to create the OrganizationSharedKeyStack and add tagging (https://github.com/aws-solutions/automated-security-response-on-aws/issues/202)
julian-price commented 3 days ago

I have attached an archive of the code changes - archive.zip.

The code has purposefully been written as additive; that is to say, it will generate the Org shared keys only if an environment variable is set at build time, but by default the solution will not be changed from the original.