Automated Security and Compliance Remediation at HDI

This is the repository accompanying the AWS Blog post "Automated Security and Compliance Remediation at HDI".

Disclaimer

This repository acts as a blueprint. HDI will maintain the solution.

Architectural Diagrams

This is the architecture that is deployed by the classes residing in the securityhub/auto_ops.py file.

Overview

This is the architecture of the deployed CI/CD pipeline. Stages can be added as needed. A general description of the CDK pipelines construct can be found in the AWS documentation (Continuous delivery for AWS CDK applications). The programmatic implementation can be found in securityhub/pipeline.py.

Continuous delivery for AWS CDK applications

The CDK app deploys all remediations as well as the Prowler integration as CloudFormation nested stacks. This has the advantage of keeping all parts of the CDK app in one consistent state. It also makes it easy to work with CloudFormation imports and exports to use resources across CloudFormation stacks.

Programmatic Approach of this CDK App

To really make use of the programmatic capabilities of the CDK, we use functions from securityhub/helper.py to avoid repetitive declaration of AWS resources. The create_remediation_lambdas function from this file is used within securityhub/auto_ops.py by the RemediationStack class to process arrays of Lambda configuration objects defined in class AutoSecOps.

# Snippet (from securityhub/auto_ops.py, class AutoSecOps)
from aws_cdk import core, aws_iam as _iam

# One configuration object per remediation Lambda: the IAM policy is scoped
# to the single API call the remediation needs, and filter_id selects the
# Security Hub findings that trigger it.
prowler_740_lambda = {
    "name": "Prowler 7.40",
    "id": "prowler740",
    "description": "Remediates Prowler 7.40 by deleting unencrypted Snapshots",
    "policies": [
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW,
            actions=["ec2:DeleteSnapshot"],
            resources=["*"],
        )
    ],
    "path": "delete_unencrypted_snapshots",
    "environment_variables": [
        {"key": "ACCOUNT_ID", "value": core.Aws.ACCOUNT_ID}
    ],
    "filter_id": ["prowler-extra740"],
}

# prowler_729_lambda is declared the same way and omitted here
prowler_list = [
    prowler_729_lambda,
    prowler_740_lambda,
]

# ...

print("Lambdas in Prowler Stack", len(prowler_list))
prowler_1 = RemediationStack(
    self, id="prowler-remediation", remediation_list=prowler_list,
)
prowler_1.add_dependency(cis_1)  # the CIS remediation stack is deployed first
core.Tags.of(prowler_1).add("Name", "Security Hub App")
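As an added example (not code from the HDI repository), the following plain-Python module checks configuration objects of the shape shown above before they reach create_remediation_lambdas, and derives the EventBridge event pattern that would route matching Security Hub findings to each remediation Lambda. The CDK is not imported; a policy statement is modelled as a dict with the same fields as iam.PolicyStatement, the handler path layout is hypothetical, and it is assumed that the filter_id values are Security Hub GeneratorId values.

```python
"""Added example, not part of the HDI repository: validate remediation
configuration objects and derive their EventBridge routing patterns."""
from __future__ import annotations

import re
from typing import Any

REQUIRED_KEYS = {"name", "id", "description", "policies", "path",
                 "environment_variables", "filter_id"}

# Constructed sample mirroring the README's prowler_740_lambda object
# (policy statement as a dict instead of iam.PolicyStatement).
PROWLER_740: dict[str, Any] = {
    "name": "Prowler 7.40",
    "id": "prowler740",
    "description": "Remediates Prowler 7.40 by deleting unencrypted Snapshots",
    "policies": [
        {"effect": "Allow", "actions": ["ec2:DeleteSnapshot"], "resources": ["*"]}
    ],
    "path": "delete_unencrypted_snapshots",
    "environment_variables": [{"key": "ACCOUNT_ID", "value": "123456789012"}],
    "filter_id": ["prowler-extra740"],
}

# Constructed over-broad variant: wildcard action and no finding filter.
OVERBROAD: dict[str, Any] = {
    **PROWLER_740,
    "id": "prowler-all",
    "policies": [{"effect": "Allow", "actions": ["ec2:*"], "resources": ["*"]}],
    "filter_id": [],
}


def validate_remediation(cfg: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means the object is clean."""
    problems: list[tuple[str, str]] = []
    missing = REQUIRED_KEYS - cfg.keys()
    if missing:
        problems.append(("error", f"missing keys: {sorted(missing)}"))
        return problems
    if not re.fullmatch(r"[a-z0-9-]+", cfg["id"]):
        problems.append(("error", f"id {cfg['id']!r} is not a safe construct id"))
    if not cfg["filter_id"]:
        problems.append(("error", "filter_id is empty: the Lambda would fire on every finding"))
    for stmt in cfg["policies"]:
        wildcard = [a for a in stmt["actions"] if a == "*" or a.endswith(":*")]
        if wildcard:
            problems.append(("error", f"wildcard actions {wildcard} in remediation role"))
        if stmt["resources"] == ["*"]:
            problems.append(("warning", f"{stmt['actions']} allowed on all resources; "
                                        "scope the ARN where the API supports it"))
    return problems


def event_pattern(cfg: dict[str, Any]) -> dict[str, Any]:
    """EventBridge pattern: only ACTIVE, NEW findings from the configured generators."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {
            "findings": {
                "GeneratorId": list(cfg["filter_id"]),  # assumed mapping of filter_id
                "RecordState": ["ACTIVE"],
                "Workflow": {"Status": ["NEW"]},
            }
        },
    }


def plan_stack(remediation_list: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Mirror, without the CDK, what a RemediationStack would create per object."""
    plan: dict[str, dict[str, Any]] = {}
    for cfg in remediation_list:
        if cfg["id"] in plan:
            raise ValueError(f"duplicate remediation id {cfg['id']!r}")
        plan[cfg["id"]] = {
            "handler": f"src/lambda/{cfg['path']}/index.py",  # hypothetical layout
            "pattern": event_pattern(cfg),
            "problems": validate_remediation(cfg),
        }
    return plan


if __name__ == "__main__":
    for rid, entry in plan_stack([PROWLER_740, OVERBROAD]).items():
        print(rid, entry["problems"])
```

Running the module prints one warning for the sample object (DeleteSnapshot on all resources) and two errors plus a warning for the over-broad variant; wiring validate_remediation into a unit test keeps an overly permissive remediation role from ever reaching the pipeline.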

How to deploy this CDK App?

  • Insert your AWS account ID into app.py:
# app.py
# TODO: Insert your AWS account id
cicd = Pipeline(
    app,
    id="cicd-4-securityhub",
    env=core.Environment(account="12345678910", region="eu-central-1"),
)
  • Run cdk deploy cicd-4-securityhub to create the CI/CD pipeline.
  • Change the origin of this Git repository to CodeCommit and push your files to CodeCommit.

Prowler Deployment

  • To deploy the Prowler Docker image, use the following commands with your repository.
# ./src/docker/
aws ecr get-login-password --region eu-central-1 | \
    docker login --username AWS --password-stdin \
    ACCOUNT_ID.dkr.ecr.eu-central-1.amazonaws.com # Your account ID
docker build -t ECR_REPO_NAME:latest .
docker tag ECR_REPO_NAME:latest \
    ACCOUNT_ID.dkr.ecr.eu-central-1.amazonaws.com/ECR_REPO_NAME:latest
docker push \
    ACCOUNT_ID.dkr.ecr.eu-central-1.amazonaws.com/ECR_REPO_NAME:latest

SonarQube Results