awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Some SecurityHub Controls failed after LZA update #309

Open bakharzy opened 1 year ago

bakharzy commented 1 year ago

Is your feature request related to a problem? Please describe.
I updated the LZA from version 1.3.2 to 1.5.1. After the update, there are some failed controls in SecurityHub related to LZA.

  1. [S3 permissions granted to other AWS accounts in bucket policies should be restricted] Control ID: S3.6. Failed on S3 buckets related to LZA. In my case, there are 3 buckets with this naming: accel-assets-111111111111-regionName

  2. [CloudWatch Alarms should have an action configured for the alarm state] Control ID: CloudWatch.15. Failed CloudWatch Alarm: AWSAcceleratorFailedAlarm. This item was also failing in v1.3.2 of LZA. I manually added an action and it passed. However, after the update, the action is removed and the control is failing again.

Describe the feature you'd like
The changes to the LZA should be aligned with SecurityHub Controls and best practices. At the least, the above failed controls should be addressed.

Additional context
Unfortunately, it is not possible to disable controls on ControlTower via LZA. There is an existing bug in LZA which was not fixed in the latest update. Here is the report of the bug: https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/147

erwaxler commented 1 year ago

Hi @bakharzy, thanks for bringing this to our attention. Can you please share the standards configuration used in your environment so we can attempt to reproduce the issue? I only need this section:

    standards:
      - name: PCI DSS v3.2.1
        deploymentTargets:
          organizationalUnits:
            - Root
        enable: true
        controlsToDisable:
          - Control1
          - Control2

bakharzy commented 1 year ago

Sure:

    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable:
          - IAM.1
          - EC2.10
          - Lambda.4
          - IAM.6
          - ECR.1
      - name: CIS AWS Foundations Benchmark v1.4.0
        enable: true
        controlsToDisable:
          - CIS.1.17
          - CIS.1.16
          - IAM.6
          - IAM.9
      - name: NIST Special Publication 800-53 Revision 5
        enable: true
        controlsToDisable:
          - IAM.6
          - IAM.9
          - ECR.1

erwaxler commented 1 year ago

Thanks for adding that. I can confirm not all controls listed were disabled in my environment. I've created a ticket in the team's backlog to investigate this behavior further, and I'll update this ticket accordingly.

bakharzy commented 1 year ago

@erwaxler Thanks for investigating the issue. Please note that the issue I reported is twofold.

One: The LZA should support disabling some controls by adding the control IDs to controlsToDisable:. You replicated this issue and already added it to the backlog. This bug was also discussed here: https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/147

Two: The changes in the LZA update triggered some controls in SecurityHub. The controls are listed in my first comment. The controls are complaining about some deviation from best practices. This should be considered for resolution in the LZA development.

bo1984 commented 11 months ago

Hi Mohammad, with your config I was able to replicate the issue that you were having, primarily with the CIS v1.4.0 security standard controls. For the CIS controls, we need to map the controls you specified to the correct control definition. So for your use case, I had to do the following:

This is the correct configuration:

    - name: CIS AWS Foundations Benchmark v1.4.0
      enable: true
      controlsToDisable:
        - CIS.1.17
        - CIS.1.16
        - CIS.1.14
        - CIS.1.13

However, when the Security stack ran, it looks like the controls are still enabled by the describe-security-standards output:

    {
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.17",
        "ControlStatus": "ENABLED",
        "ControlStatusUpdatedAt": "2023-10-04T20:39:19.975000+00:00",
        "ControlId": "1.17",
        "Title": "Ensure a support role has been created to manage incidents with AWS Support",
        "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.18/remediation",
        "SeverityRating": "LOW",
        "RelatedRequirements": [
            "CIS AWS Foundations Benchmark v1.4.0/1.17"
        ]
    },
    {
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.14",
        "ControlStatus": "ENABLED",
        "ControlStatusUpdatedAt": "2023-10-04T20:39:19.970000+00:00",
        "ControlId": "1.14",
        "Title": "Ensure access keys are rotated every 90 days or less",
        "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.3/remediation",
        "SeverityRating": "MEDIUM",
        "RelatedRequirements": [
            "CIS AWS Foundations Benchmark v1.4.0/1.14"
        ]
    },

Looking at the ControlId property, I see that the "CIS" prefix was not included, so I updated my config to the following:

    - name: CIS AWS Foundations Benchmark v1.4.0
      enable: true
      controlsToDisable:
        - "1.17"
        - "1.16"
        - "1.14"
        - "1.13"

If you look at the same output as earlier, it now shows that the controls are disabled:

    {
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.14",
        "ControlStatus": "DISABLED",
        "DisabledReason": "Control disabled by Accelerator",
        "ControlStatusUpdatedAt": "2023-11-13T19:59:38.607000+00:00",
        "ControlId": "1.14",
        "Title": "Ensure access keys are rotated every 90 days or less",
        "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.3/remediation",
        "SeverityRating": "MEDIUM",
        "RelatedRequirements": [
            "CIS AWS Foundations Benchmark v1.4.0/1.14"
        ]
    },
    {
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.16",
        "ControlStatus": "DISABLED",
        "DisabledReason": "Control disabled by Accelerator",
        "ControlStatusUpdatedAt": "2023-11-13T19:59:39.066000+00:00",
        "ControlId": "1.16",
        "Title": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached",
        "Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation",
        "SeverityRating": "HIGH",
        "RelatedRequirements": [
            "CIS AWS Foundations Benchmark v1.4.0/1.16"
        ]
    },
    {
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:[REDACTED]:control/cis-aws-foundations-benchmark/v/1.4.0/1.17",
        "ControlStatus": "DISABLED",
        "DisabledReason": "Control disabled by Accelerator",
        "ControlStatusUpdatedAt": "2023-11-13T19:59:41.013000+00:00",
        "ControlId": "1.17",
        "Title": "Ensure a support role has been created to manage incidents with AWS Support",
        "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
        "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.18/remediation",
        "SeverityRating": "LOW",
        "RelatedRequirements": [
            "CIS AWS Foundations Benchmark v1.4.0/1.17"
        ]
    },

For the CIS 1.4.0 controls, can you try removing the "CIS" prefix? Please encapsulate the value in quotes, as the accelerator will otherwise assume you're trying to pass in a number instead of a string.

bakharzy commented 11 months ago

Thanks @bo1984 for investigating this issue. Before modifying the configurations, I have some questions:

[Screenshot 2023-11-14 at 15 42 33] [Screenshot 2023-11-14 at 15 42 40]

bo1984 commented 11 months ago

Hi Mohammad, thanks for the correction, but yes, in this case for IAM.6 and IAM.9, these controls would map to 1.6 and 1.5 in v1.4.0 of the CIS AWS Foundations Benchmark, respectively.

For your 2nd inquiry, say that you decide to disable IAM.6 in the Foundational Best Practices and CIS AWS Foundations Benchmark v1.4.0, but don't disable the controls in the NIST 800-53 framework; you shouldn't see this control disabled for the latter. Please keep in mind that it takes roughly 24 hours for the control to show disabled in the Security Hub console. You'd be able to check if the control is enabled through the CLI via:

    aws securityhub describe-standards-controls --standards-subscription-arn arn:aws:securityhub:us-east-1:[ACCOUNT ID HERE]:subscription/nist-800-53/v/5.0.0

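The two pitfalls the thread settles on (a "CIS." prefix that Security Hub's CIS 1.4.0 ControlId does not carry, and an unquoted YAML value that arrives as a number) plus the describe-standards-controls check above can be folded into one offline cross-check. This is an added example, not LZA project code; the config entry and the CLI output are constructed samples with the same field names the thread shows.

```python
import json

# Constructed sample (not LZA project code): one entry of the LZA `standards`
# section as a YAML parser hands it to the accelerator. "CIS.1.17" carries the
# prefix the thread shows does not match, and 1.14 was left unquoted, so it
# arrives as a number rather than the string "1.14".
CIS_STANDARD = {
    "name": "CIS AWS Foundations Benchmark v1.4.0",
    "enable": True,
    "controlsToDisable": ["CIS.1.17", "1.16", 1.14, "1.13"],
}

# Constructed sample of `aws securityhub describe-standards-controls` output
# for the CIS 1.4.0 subscription, trimmed to the fields the check reads.
DESCRIBE_OUTPUT = json.dumps({"Controls": [
    {"ControlId": "1.17", "ControlStatus": "ENABLED"},
    {"ControlId": "1.16", "ControlStatus": "DISABLED",
     "DisabledReason": "Control disabled by Accelerator"},
    {"ControlId": "1.14", "ControlStatus": "ENABLED"},
    {"ControlId": "1.13", "ControlStatus": "DISABLED",
     "DisabledReason": "Control disabled by Accelerator"},
]})


def normalize_control_id(raw):
    """Map a controlsToDisable entry to the ControlId Security Hub reports."""
    warnings = []
    if not isinstance(raw, str):
        # Unquoted YAML numbers lose their type (and 1.10 even collapses to 1.1).
        warnings.append(f"{raw!r} is a YAML number; quote it as a string")
        raw = str(raw)
    if raw.startswith("CIS."):
        # CIS 1.4.0 controls are reported as bare "1.17", not "CIS.1.17".
        warnings.append(f"{raw}: drop the CIS. prefix, Security Hub uses {raw[4:]}")
        raw = raw[4:]
    return raw, warnings


def audit_standard(standard, describe_json):
    """Return configured controls still ENABLED in Security Hub, plus warnings."""
    status = {c["ControlId"]: c["ControlStatus"]
              for c in json.loads(describe_json)["Controls"]}
    still_enabled, warnings = [], []
    for raw in standard.get("controlsToDisable", []):
        cid, found = normalize_control_id(raw)
        warnings.extend(found)
        if status.get(cid) != "DISABLED":  # unknown IDs are flagged too
            still_enabled.append(cid)
    return {"still_enabled": still_enabled, "warnings": warnings}
```

Run it against the real CLI output (`--output json`) for each subscription ARN, one standard at a time, since ControlId values differ per standard.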
bakharzy commented 10 months ago

Hi @bo1984 I made the changes as follows: [Screenshot 2023-12-22 at 11 08 41]

Results: Using the command aws securityhub describe-standards-controls --standards-subscription-arn shows that all those 4 controls are disabled. I ran the command for all three standards and in two different accounts (the security account and another account). So far so good.

Observation in securityHub UI:

Additional observation: I ran another command in both accounts: aws securityhub batch-get-security-controls --region [REGION] --security-control-ids '["IAM.9", "IAM.6", "IAM.1", "IAM.18"]'. The output shows that IAM.1 is enabled and the other 3 are disabled.

Expected:

snemir2 commented 2 months ago

I have a very similar issue. As I am upgrading from LZA 1.7.1 to 1.9.1, I am getting the following in CloudTrail.

My config is:

    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable:
          - IAM.1
          - EC2.10
          - Lambda.4
      - name: PCI DSS v3.2.1
        enable: false
        controlsToDisable:
          - PCI.IAM.3
          - PCI.S3.3
          - PCI.EC2.3
          - PCI.Lambda.2
      - name: CIS AWS Foundations Benchmark v1.2.0
        enable: false
        controlsToDisable:
          - CIS.1.20
          - CIS.1.22
          - CIS.2.6

CloudTrail error:

{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAUEV2XZ72YUEJ4NYY7:AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-WLpGYiZCDYyg",
        "arn": "arn:aws:sts::XXX:assumed-role/AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY/AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-WLpGYiZCDYyg",
        "accountId": "XXX",
        "accessKeyId": "ASIAUEV2XZ7276GMIQFV",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAUEV2XZ72YUEJ4NYY7",
                "arn": "arn:aws:iam::XXXX:role/AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY",
                "accountId": "XXXX",
                "userName": "AWSAccelerator-SecurityAu-CustomSecurityHubCreateM-12RO2J1JYR7PY"
            },
            "attributes": {
                "creationDate": "2024-08-15T21:27:36Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-08-15T21:27:43Z",
    "eventSource": "securityhub.amazonaws.com",
    "eventName": "UpdateOrganizationConfiguration",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "3.137.167.98",
    "userAgent": "aws-sdk-nodejs/2.1379.0 linux/v18.20.4 exec-env/AWS_Lambda_nodejs18.x AwsSolution/SO0199/1.7.1 promise",
    "errorCode": "InvalidInputException",
    "requestParameters": {
        "AutoEnable": true
    },
    "responseElements": {
        "Type": "InvalidInputException",
        "RequestId": "9e288a01-f33c-4335-9cb9-ae9e6e01ab7e",
        "Message": "Auto Enable and AutoEnableStandards can not be enabled for Central Configuration",
        "Code": "InvalidInputException"
    },
    "requestID": "1fdb33e9-0164-4bf3-9c19-92bc3f618a14",
    "eventID": "4a267697-c696-43d3-b81d-ca8e3d89c8cd",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXX",
    "eventCategory": "Management"
}

richardkeit commented 2 months ago

FYI @snemir2, given that central config is NOT yet supported, you may find the fix would have to wait for it:

https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/505#issuecomment-2203180978

Hopefully the feature is expedited