Merge pull request #18 from RavenEsc/security-secrets

Security secrets
RavenEsc · Jan 10, 2025 · 8504cd9 · 8504cd9
2 parents 9ab8b6b + 01bcde2
commit 8504cd9
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,4 +4,6 @@ config/
 .vscode
 #tf
 .terraform
-.terraform.lock.hcl
+.terraform.lock.hcl
+#pip
+pip*
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,20 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+### [1.1.5]
+
+Fixed vulnerability - exposed value in Python script. Added default tagging to all resources. Updated Provider.
+
+### Added
+
+- [AWS-Secrets-Manager-Functionality](https://github.com/RavenEsc/AWS_Security_Automation_Tool/blob/main/code/discordlambda/discordnote.py)
+  Takes advantage of the boto3 library to access the secret value held in AWS Secrets Manager
+
+- [AWS-Secrets-Manager-Access](https://github.com/RavenEsc/AWS_Security_Automation_Tool/blob/main/tf/DiscordLambdaFunction.tf)
+  Gives the Discord Notification Lambda script permission to access the specific secret needed via policy.
+
+<center><img src="docs/v1.1.5.png" alt="v1.1.5" width="70%"/></center>
+
 ### [1.1.1] - 2024-7-26
 
 Fixed Issue - Updated AWS Provider from 5.18.0 > 5.60.0
@@ -10,7 +24,7 @@ Fixed Issue - Updated AWS Provider from 5.18.0 > 5.60.0
 
 Utilization of ECR to containerize a controlled environment
 
-<center><img src="docs/v1.1.0.png" alt="v1.0.0" width="70%"/></center>
+<center><img src="docs/v1.1.0.png" alt="v1.1.0" width="70%"/></center>
 
 ### Added
 - [Docker-YAML-GitActions](https://github.com/RavenEsc/AWS_Security_Automation_Tool/blob/e204e13e41e8c6f4a474d13a1fbfee50a7f0849c/.github/workflows/docker.yml)

diff --git a/README.md b/README.md
@@ -1,11 +1,11 @@
 # AWS_Security_Automation_Tool (Project SAT)
 
-This tool will automate the workflow of security checks for EC2 instances and IAM entity policies. It will accomplish this task by utilizing the serverless infrastructure of Lambda and perform periodic checks backed by python and driven with Amazon EventBridge.
+This tool will automate the workflow of security checks for EC2 instances and IAM entity policies. It will accomplish this task by utilizing the serverless infrastructure of Lambda and perform periodic checks backed by python and driven with Amazon EventBridge. Secrets Manager is also utilized for sensitive values in the Python scripts.
 
 After it has performed a check, if any test has failed it will log the event and notify the event to the admin account.
 
 It will also be able to handle an influx of issues by using the SNS and SQS Queue Fan-Out Method and send a notification via Discord and the log of the event to an Amazon S3 bucket.
 
 Updates to the code are logged in the [Change Log](https://github.com/RavenEsc/AWS_Security_Automation_Tool/blob/7a5221d1bafd2a4b6fc40a0dbf974fed54f4ba75/CHANGELOG.md) !
 
-<center><img src="security_automation_tool.png" alt="v1.0.0" width="100%"/></center>
+<center><img src="security_automation_tool.png" alt="Official Image" width="100%"/></center>
diff --git a/code/Dac/Diagrams.py b/code/Dac/Diagrams.py
@@ -6,6 +6,7 @@
 from diagrams.aws.integration import Eventbridge
 from diagrams.onprem.compute import Server
 from diagrams.aws.compute import ElasticContainerService
+from diagrams.aws.security import SecretsManager
 
 with Diagram("Security Automation Tool", show=False):
 
@@ -14,7 +15,9 @@
         SNS = SimpleNotificationServiceSnsTopic("SNS")
         SQSa = SimpleQueueServiceSqsQueue("SQS Queue: S3")
         SQSb = SimpleQueueServiceSqsQueue("SQS Queue: Dcord")
+        Secrets = SecretsManager('SecretsManager')
         SNS >> [SQSa, SQSb]
+
 
         with Cluster("Trigger-Lambda"):
             eveb = Eventbridge("EventBLambTrigger")
@@ -31,4 +34,6 @@
             ECR = ElasticContainerService('LambdaContainerImage')
             SQSa >> functionS3 >> s3_bucket
             SQSb >> functionD >> Discord
-            ECR >> Discord
+            ECR >> Discord
+
+        Secrets >> functionD
diff --git a/code/discordlambda/discordnote.py b/code/discordlambda/discordnote.py
@@ -32,8 +32,8 @@ def lambda_handler(event, context):
                     SecretId=secret_name
                 )
 
-                secret = get_secret_value_response['SecretString']
-                webhook = DiscordWebhook(url=secret)
+                secret = json.loads(get_secret_value_response['SecretString'])
+                webhook = DiscordWebhook(url=secret["DiscordWebhook"])
             # EC2 Public Instance
                 if alert == 'EC2_Public_Instance':
                     # EC2 values set as variables

diff --git a/docs/v1.1.5.png b/docs/v1.1.5.png
diff --git a/security_automation_tool.png b/security_automation_tool.png