awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

Doesn't notice failures due to not waiting for config to enable #54

Open max-allan-surevine opened 4 years ago

max-allan-surevine commented 4 years ago

After running the script I found a lot of Critical findings in status "Warning". Attempting to view the rule related to the finding in the console took me to an empty rule definition page and/or errors in Config. Further investigation shows the rules don't even exist in Config.

I suspect this is because the script does not wait for Config to be enabled before enabling Security Hub. So SH thinks it has created the rule for the finding but the rule does not exist. The only way to fix this is to disable/enable the standards, e.g.:

MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-cloud-trail-encryption-enabled-b61f8eaf",
    "securityhub-codebuild-project-source-repo-url-check-bc429527",
    "securityhub-dms-replication-not-public-fd0e6f54",
    "securityhub-efs-encrypted-check-e5244c06",
    "securityhub-vpc-default-security-group-closed-2a891050",
    "securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "READY"
        }
    ]
}

AWS foundation should have a lot more rules than that! So, let's disable and wait for it...

MaAl00350:~ max $ aws securityhub batch-disable-standards  --standards-subscription-arns  "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0"
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "DELETING"
        }
    ]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": []
}

Wait a few minutes and then another minute:

MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-vpc-default-security-group-closed-2a891050",
    "securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[]

Finally all the rules are gone. Re-enable the standard:

MaAl00350:~ max $ aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "PENDING"
        }
    ]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "READY"
        }
    ]
}
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-access-keys-rotated-4338bdd1",
    "securityhub-acm-certificate-expiration-check-a9c4abea",
    "securityhub-alb-http-to-https-redirection-check-48339d98",
    "securityhub-autoscaling-group-elb-healthcheck-required-a8d0729f",
    "securityhub-cloud-trail-encryption-enabled-348ac493",
    "securityhub-codebuild-project-envvar-awscred-check-bd1bccda",
    "securityhub-codebuild-project-source-repo-url-check-55df4d3f",
    "securityhub-dms-replication-not-public-9aba3179",
    "securityhub-ebs-snapshot-public-restorable-check-6169ceb8",
    "securityhub-ec2-instance-managed-by-ssm-599c6972",
    "securityhub-ec2-managedinstance-association-compliance-status-check-b69a86ef",
    "securityhub-ec2-managedinstance-patch-compliance-00bf694d",
    "securityhub-ec2-stopped-instance-38153549",
    "securityhub-efs-encrypted-check-82f1aaa9",
    "securityhub-elasticsearch-encrypted-at-rest-58658303",
    "securityhub-encrypted-volumes-fc3a8ba4",
    "securityhub-guardduty-enabled-centralized-b514c146",
    "securityhub-iam-password-policy-recommended-defaults-64365480",
    "securityhub-iam-policy-no-statements-with-admin-access-bce4701f",
    "securityhub-iam-root-access-key-check-a7c95be2",
    "securityhub-iam-user-no-policies-check-34076ae3",
    "securityhub-lambda-function-public-access-prohibited-ad1f8609",
    "securityhub-lambda-function-settings-check-a569e4c9",
    "securityhub-mfa-enabled-for-iam-console-access-e80a849c",
    "securityhub-multi-region-cloud-trail-enabled-049fa6e6",
    "securityhub-rds-instance-public-access-check-1c0f0f3e",
    "securityhub-rds-snapshots-public-prohibited-6c85734e",
    "securityhub-rds-storage-encrypted-ccdb6b6e",
    "securityhub-root-account-hardware-mfa-enabled-7751db16",
    "securityhub-s3-account-level-public-access-blocks-c9fe23a1",
    "securityhub-s3-bucket-public-read-prohibited-66251a8f",
    "securityhub-s3-bucket-public-write-prohibited-71d10c81",
    "securityhub-s3-bucket-server-side-encryption-enabled-93f8c50f",
    "securityhub-s3-bucket-ssl-requests-only-0feab26a",
    "securityhub-sagemaker-notebook-no-direct-internet-access-21638603",
    "securityhub-vpc-default-security-group-closed-10798b7d",
    "securityhub-vpc-flow-logs-enabled-ff14d6e9"
]

If you don't do this, some of your findings will be forever in the broken state and you will never get a pass/fail.

I think the script needs to handle enabling config better by waiting for it.

Perhaps at the end of check_config, a loop checking config.describe_configuration_recorder_status()['ConfigurationRecordersStatus'][0]['recording'] before exiting the function.
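One way to implement the wait the issue asks for, written here as an added example rather than code from aws-securityhub-multiaccount-scripts: poll `describe_configuration_recorder_status` until a recorder reports `recording: True`, fail loudly if there is no recorder, a recorder reports `lastStatus: Failure`, or a timeout passes, and afterwards count the `securityhub-*` Config rules (the same check as the `describe-config-rules` query above) to confirm the standard actually materialised. The function names, polling parameters and the `FakeConfig` stand-in are assumptions; only boto3 calls that exist are used, and the live boto3 path sits behind the `__main__` guard so the module runs offline.

```python
"""Wait for the AWS Config recorder before enabling a Security Hub standard.

Added illustration for this issue; it is not code from
aws-securityhub-multiaccount-scripts. The function names, the polling
parameters and the FakeConfig stand-in are assumptions.
"""
import time


class ConfigNotRecordingError(RuntimeError):
    """Config recorder absent, failed, or not recording before the timeout."""


def wait_for_config_recording(config, timeout=300, interval=10,
                              sleep=time.sleep, clock=time.monotonic):
    """Poll describe_configuration_recorder_status until recording is True.

    Returns the number of polls taken. Raises ConfigNotRecordingError when
    there is no recorder at all, a recorder reports lastStatus 'Failure',
    or `timeout` seconds pass. `sleep` and `clock` are injectable so the
    timeout path can be exercised without real waiting.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        resp = config.describe_configuration_recorder_status()
        statuses = resp.get("ConfigurationRecordersStatus", [])
        if not statuses:
            # No recorder was ever created in this account/region: waiting is pointless.
            raise ConfigNotRecordingError("no configuration recorder in this account/region")
        for s in statuses:
            if s.get("lastStatus") == "Failure":
                raise ConfigNotRecordingError(
                    f"recorder {s.get('name')} failed: "
                    f"{s.get('lastErrorCode')} {s.get('lastErrorMessage')}")
        if any(s.get("recording") for s in statuses):
            return polls
        if clock() >= deadline:
            raise ConfigNotRecordingError(f"recorder not recording after {timeout}s")
        sleep(interval)


def securityhub_rule_names(config):
    """Return the sorted names of the Config rules Security Hub owns (securityhub-*)."""
    names, kwargs = [], {}
    while True:
        page = config.describe_config_rules(**kwargs)
        names.extend(r["ConfigRuleName"] for r in page.get("ConfigRules", [])
                     if r["ConfigRuleName"].startswith("securityhub-"))
        if not page.get("NextToken"):
            return sorted(names)
        kwargs = {"NextToken": page["NextToken"]}


class FakeConfig:
    """Constructed stand-in for boto3's Config client (not real AWS data).

    The recorder reports recording=False for the first `pending_polls`
    calls, mimicking the window between starting the recorder and it
    reporting as recording, which the issue says the script races past.
    """

    def __init__(self, pending_polls=2, rules=(), recorder_exists=True):
        self.calls = 0
        self.pending_polls = pending_polls
        self.rules = list(rules)
        self.recorder_exists = recorder_exists

    def describe_configuration_recorder_status(self):
        self.calls += 1
        if not self.recorder_exists:
            return {"ConfigurationRecordersStatus": []}
        live = self.calls > self.pending_polls
        return {"ConfigurationRecordersStatus": [{
            "name": "default", "recording": live,
            "lastStatus": "Success" if live else "Pending"}]}

    def describe_config_rules(self, **kwargs):
        # Single page; a real client may also return NextToken.
        return {"ConfigRules": [{"ConfigRuleName": n} for n in self.rules]}


if __name__ == "__main__":
    import boto3  # live run: needs credentials and the region you are checking
    cfg = boto3.client("config")
    print("config recorder live after", wait_for_config_recording(cfg), "poll(s)")
    print(len(securityhub_rule_names(cfg)), "securityhub-* Config rules present")
```

Called at the end of the script's config step, `wait_for_config_recording` turns the silent race into either a normal return or an exception naming the account and region that never started recording, which is far easier to act on than a pile of findings stuck in "Warning". Treating `lastStatus: Failure` as fatal is a deliberate choice: a recorder that cannot deliver will not feed rules either, so waiting longer does not help.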