/
aws-servicecatalog-prescriptivecompliance.yml
803 lines (752 loc) · 29 KB
/
aws-servicecatalog-prescriptivecompliance.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
# -------------------------------------------------------------------------------------------------
#
# REINFORCE Service Catalog remediations -
# Provisions all pre-reqs for AWS Systems Manager Remediations
# Provisions Misconfigured Resources to trigger attack for Reinforce scenario
# Provisions On Demand Evaluations for AWS Config
# Provisions Custom AWS Systems Manager Automation Documents to provide Automated Remediations for AWS Config
# Provisions a AWS Service Catalog Portfolio with an AWS Config Remediations Product.
# - The AWS Config Remediations Product provides automated detection with AWS Config and Remediations with AWS Systems Manager
# - The AWS Config Remediations Product is to be launched by the Team Member from the Service Catalog Console during the workshop
#
# @kmmahaj
# ---------------------------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: REINFORCE Service Catalog remediations(qs-1t0eilb5g)
Parameters:
S3StagingBucketURL:
Type: String
Description: S3 Staging Bucket Prefix that contains the Config Remediations Compliance template
Default: 'https://s3-configremediations-<accountid>-<region>.s3.amazonaws.com/'
Outputs:
SCAutomationAssumeRoleArn:
Description: Arn for SC AutomationAssumeRole
Value:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
Export: # added to export
Name: SCAutomationAssumeRoleArn
SCCloudTrailLogGroupArn:
Description: Arn for SC CloudTrail CloudWatch Logs
Value:
Fn::Join:
- ''
- - 'arn:aws:logs:'
- Ref: AWS::Region
- ':'
- Ref: AWS::AccountId
- !Sub ':log-group:${SCCloudTrailLogGroup}:*'
Export: # added to export
Name: SCCloudTrailLogGroupArn
SCS3CloudTrailBucket:
Description: SC S3 CloudTrail Bucket
Value: !Ref SCS3CloudTrailBucket
Export: # added to export
Name: SCS3CloudTrailBucket
SCCloudTrailLogGroup:
Description: SC CloudTrail CloudWatch Log Group
Value: !Ref SCCloudTrailLogGroup
Export: # added to export
Name: SCCloudTrailLogGroup
SCCloudTrail:
Description: SC CloudTrail
Value: 'remediation-sc-trail'
Export: # added to export
Name: SCCloudTrail
SCCloudWatchRoleArn:
Description: Arn for CloudTrail CloudWatch IAM Role
Value:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCCloudWatchRole
Export: # added to export
Name: SCCloudWatchRoleArn
MisconfiguredTrail:
Description: CloudTrail with Log File Validation and CW Logs Disabled
Value: !Ref MisconfiguredTrail
Export: # added to export
Name: MisconfiguredTrail
MisconfiguredKmsKey:
Description: KMS Key with
Value: !Ref MisconfiguredKmsKey
Export: # added to export
Name: MisconfiguredKmsKey
MisconfiguredEIP:
Description: CIS CloudTrail CloudWatch Log Group
Value: !Ref MisconfiguredEIP
Export: # added to export
Name: MisconfiguredEIP
Resources:
# ------------------------------------------------------------------------------------------
# Pre-requisites
# Provisions all pre-req AWS Services for AWS Config Remediations via Systems Manager Automations
#
# ---------------------------------------------------------------------------------------------
# Bucket Policy for CloudTrail S3 Bucket. Restrict to allow access to only SSL transport.
SCBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref SCS3CloudTrailBucket
PolicyDocument:
Statement:
-
Action:
- "s3:*"
Effect: "Allow"
Resource:
- !Sub arn:aws:s3:::${SCS3CloudTrailBucket}
- !Sub arn:aws:s3:::${SCS3CloudTrailBucket}/*
Principal:
AWS:
- !Ref AWS::AccountId
-
Action:
- "s3:*"
Effect: "Allow"
Resource:
- !Sub arn:aws:s3:::${SCS3CloudTrailBucket}
- !Sub arn:aws:s3:::${SCS3CloudTrailBucket}/*
Principal:
Service:
- cloudtrail.amazonaws.com
-
Effect: Deny
Principal: "*"
Action: "*"
Resource:
- !Sub arn:aws:s3:::${SCS3CloudTrailBucket}
- !Sub arn:aws:s3:::${SCS3CloudTrailBucket}/*
Condition:
Bool:
aws:SecureTransport: 'false'
# S3 Bucket to store CloudTrail logs
SCS3CloudTrailBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "s3-sc-${AWS::AccountId}-${AWS::Region}"
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
AccessControl: BucketOwnerFullControl
LifecycleConfiguration:
Rules:
-
AbortIncompleteMultipartUpload:
DaysAfterInitiation: 3
NoncurrentVersionExpirationInDays: 3
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Tags:
-
Key: Description
Value: S3 Bucket for CloudTrail Logs
VersioningConfiguration:
Status: Enabled
# SSM Automation Role
SCAutomationAssumeRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub servicecatalog-automationassumerole-${AWS::Region}
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ssm.amazonaws.com
- events.amazonaws.com
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
#CloudTrail CW Log Group
SCCloudTrailLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub ServiceCatalogLogGroup-${AWS::Region}
RetentionInDays: 1827
# Cloud Watch Role
SCCloudWatchRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub ServiceCatalog_CloudWatchLogs_Role-${AWS::Region}
Policies:
- PolicyName: SCCloudWatchLogsRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource: '*'
- Effect: Allow
Action:
- ssm:StartAutomationExecution
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- iam:PassRole
- ec2:*
Resource: '*'
- Effect: Allow
Action:
- cloudtrail:UpdateTrail
- securityhub:UpdateFindings
Resource: '*'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- cloudtrail.amazonaws.com
Action:
- sts:AssumeRole
#------------------------------------------------------------------------------------------
# Misconfigured Resources:
# -- KMS Key with Key Rotation Disabled
# -- CloudTrail with Log File Validation Disabled and CloudWatch Logs Disabled
# -- Unused Elastic IP
#-------------------------------------------------------------------------------------------
# Misconfigured KMS CMK
MisconfiguredKmsKey:
Type: 'AWS::KMS::Key'
Properties:
EnableKeyRotation: false
Description: 'Test Key Rotation'
Enabled: true
KeyUsage: ENCRYPT_DECRYPT
KeyPolicy:
Version: '2012-10-17'
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
'Fn::Join':
- ''
- - 'arn:aws:iam::'
- Ref: 'AWS::AccountId'
- ':root'
Action: 'kms:*'
Resource: '*'
# S3 Bucket for Misconfigured CloudTrail
SCS3MisconfiguredCloudTrailBucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "s3-misconfigbucket-${AWS::AccountId}-${AWS::Region}"
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
MisconfiguredBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: SCS3MisconfiguredCloudTrailBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:GetBucketAcl"
Resource:
!Sub |-
arn:aws:s3:::${SCS3MisconfiguredCloudTrailBucket}
-
Sid: "AWSHTTPSAccess"
Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
!Sub |-
arn:aws:s3:::${SCS3MisconfiguredCloudTrailBucket}
Condition:
Bool:
'aws:SecureTransport': false
-
Sid: "AWSCloudTrailWrite"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:PutObject"
Resource:
!Sub |-
arn:aws:s3:::${SCS3MisconfiguredCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
MisconfiguredTrail:
DependsOn:
- MisconfiguredBucketPolicy
Type: AWS::CloudTrail::Trail
Properties:
TrailName: 'ReinforceTrail'
EnableLogFileValidation: false
S3BucketName:
Ref: SCS3MisconfiguredCloudTrailBucket
IsLogging: true
IsMultiRegionTrail: false
MisconfiguredEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
#------------------------------------------------------------------------------------------
# On Demand Config Evaluation Lambda for AWS Config Rules:
# -- Provides a live game experience to the user
# -- Triggers Detection at 2 min intervals of misconfigured resources via AWS Config
#-------------------------------------------------------------------------------------------
OnDemandConfigEvalEventRule:
Type: AWS::Events::Rule
Properties:
Name: OnDemandConfigEvalEventRule
Description: "Trigger On Demand Evaluation of Config Rules for Game Day"
State: "ENABLED"
ScheduleExpression: "rate(2 minutes)"
Targets:
-
Arn:
Fn::GetAtt:
- "OnDemandConfigEvalLambda"
- "Arn"
Id: "OnDemandConfigEval"
PermissionForEventsToInvokeConfigLambda:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt "OnDemandConfigEvalLambda.Arn"
Principal: events.amazonaws.com
SourceArn: !GetAtt "OnDemandConfigEvalEventRule.Arn"
OnDemandConfigEvalLambda:
Type: AWS::Lambda::Function
Properties:
Code:
ZipFile: |
import json
import os
import boto3
import logging
LOGGER = logging.getLogger()
LOGGER.setLevel(logging.INFO)
def lambda_handler(event, context):
try:
ruleName1 = os.environ['ruleName1']
ruleName2 = os.environ['ruleName2']
ruleName3 = os.environ['ruleName3']
ruleName4 = os.environ['ruleName4']
ruleName5 = os.environ['ruleName5']
ruleName6 = os.environ['ruleName6']
client = boto3.client('config')
response = client.start_config_rules_evaluation(
ConfigRuleNames=[
ruleName1,
ruleName2,
ruleName3,
ruleName4,
ruleName5,
ruleName6
]
)
except Exception as e:
print(e)
print("AWS Config Evaluation execution error")
raise
Handler: index.lambda_handler
MemorySize: 128
Role: !GetAtt "OnDemandConfigEvalLambdaRole.Arn"
Runtime: python3.7
Timeout: 60
Environment:
Variables:
ruleName1: 'cloud_trail_cloud_watch_logs_enabled'
ruleName2: 'cloud-trail-log-file-validation-enabled'
ruleName3: 'ReleaseElasticIP'
ruleName4: 'cis-iam-password-policy'
ruleName5: 'cmk-backing-key-rotation-enabled'
ruleName6: 'RestrictDefaultSecurityGroup'
# On Demand Config Eval Role
OnDemandConfigEvalLambdaRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub reinforce-OnDemandConfigEvalLambdaRole-${AWS::Region}
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
#------------------------------------------------------------------------------------------
# Service Catalog Portfolio that contains the ConfigRemediations Conformance Pack Product
#
#-------------------------------------------------------------------------------------------
ConfigRemediationsPortfolio:
Type: 'AWS::ServiceCatalog::Portfolio'
Properties:
AcceptLanguage: en
Description: AWS ConfigRemediations Compliance Portfolio
DisplayName: AWS ConfigRemediations Compliance Portfolio
ProviderName: AWS
ConfigRemediationsCompliance:
Type: 'AWS::ServiceCatalog::CloudFormationProduct'
Properties:
AcceptLanguage: en
Description: This product deploys AWS Config Remediations as a Service Catalog Product
Distributor: AWS
Name: AWS ConfigRemediations Compliance Product
Owner: AWS
SupportEmail: email@mycompany.com
SupportUrl: 'https://www.mycompany.com'
SupportDescription: >-
AWS ConfigRemediations Compliance Product
ProvisioningArtifactParameters:
- Description: This is version 1.0 of the AWS ConfigRemediations Compliance Product
Name: Version - 1.0
Info:
LoadTemplateFromURL: !Sub "${S3StagingBucketURL}compliance/aws-servicecatalog-configremediations-v1.yml"
ConfigRemediationsConfPackPortfolioAssociation:
Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
Properties:
PortfolioId: !Ref ConfigRemediationsPortfolio
ProductId: !Ref ConfigRemediationsCompliance
TeamMemberEnduserRole:
Type: AWS::IAM::Role
Properties:
RoleName: TeamMemberEnduserRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess
Path: /
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action:
- 'sts:AssumeRole'
TeamMemberEnduserRolePortfolioAssociation:
Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
Properties:
PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/TeamRole'
PortfolioId: !Ref ConfigRemediationsPortfolio
PrincipalType: IAM
#------------------------------------------------------------------------------------------
# Custom Systems Manager Automation Documents for AWS Config Remediation:
# -- Small sampling of PCI and CIS violations
#-------------------------------------------------------------------------------------------
# -------------------------------------------------------------------------------------------------------------------------------------------------------
# [PCI.KMS.1] Customer master key (CMK) rotation should be enabled
# -------------------------------------------------------------------------------------------------------------------------------------------------------
SCCustomCMKBackingKeyRotationCF:
Type: AWS::SSM::Document
Properties:
DocumentType: Automation
Name: Custom-SCCMKBackingKeyRotationCF
Content:
schemaVersion: '0.3'
assumeRole:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
parameters:
KMSKeyArn:
type: String
AutomationAssumeRole:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
mainSteps:
- name: rotatebackingkey
action: 'aws:executeScript'
inputs:
Runtime: python3.6
Handler: rotatebackingkey_handler
Script: "def rotatebackingkey_handler(events, context):\r\n import boto3\r\n client = boto3.client('kms')\r\n\r\n KMSKeyArn = events['KMSKeyArn']\r\n\r\n response = client.enable_key_rotation(\r\n KeyId=KMSKeyArn\r\n )"
InputPayload:
AutomationAssumeRole: '{{AutomationAssumeRole}}'
KMSKeyArn: '{{KMSKeyArn}}'
# -------------------------------------------------------------------------------------------------------------------------------------------------------
# [PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs
# -------------------------------------------------------------------------------------------------------------------------------------------------------
SCCustomCloudTrailUpdateCF:
Type: AWS::SSM::Document
Properties:
DocumentType: Automation
Name: Custom-SCCloudTrailUpdateCF
Content:
description: CIS 2.4 – Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
schemaVersion: '0.3'
assumeRole:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
parameters:
AutomationAssumeRole:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
SCCloudTrailLogGroupArn:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:logs:'
- Ref: AWS::Region
- ':'
- Ref: AWS::AccountId
- !Sub ':log-group:${SCCloudTrailLogGroup}:*'
SCCloudWatchRoleArn:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCCloudWatchRole
TrailName:
type: String
mainSteps:
- name: UpdateCloudTrail
action: 'aws:executeScript'
inputs:
Runtime: python3.6
Handler: updatetrail_handler
Script: "def updatetrail_handler(events, context):\r\n import boto3\r\n cloudtrail = boto3.client('cloudtrail')\r\n\r\n CloudTrailLogGroupArn = events['SCCloudTrailLogGroupArn']\r\n CloudWatchRoleArn = events['SCCloudWatchRoleArn']\r\n TrailName = events['TrailName']\r\n\r\n response = cloudtrail.update_trail(\r\n Name=TrailName,\r\n IncludeGlobalServiceEvents=True,\r\n IsMultiRegionTrail=True,\r\n EnableLogFileValidation=True,\r\n CloudWatchLogsLogGroupArn=CloudTrailLogGroupArn,\r\n CloudWatchLogsRoleArn=CloudWatchRoleArn\r\n )\r\n"
InputPayload:
AutomationAssumeRole: '{{AutomationAssumeRole}}'
SCCloudTrailLogGroupArn: '{{SCCloudTrailLogGroupArn}}'
SCCloudWatchRoleArn: '{{SCCloudWatchRoleArn}}'
TrailName: '{{TrailName}}'
# -------------------------------------------------------------------------------------------------------------------------------------------------------
# PCI IAM 4– Updates IAM Account Settings Password Policy
# -------------------------------------------------------------------------------------------------------------------------------------------------------
SCCustomIAMPasswordUpdateCF:
Type: AWS::SSM::Document
Properties:
DocumentType: Automation
Name: Custom-SCIAMPasswordUpdateCF
Content:
schemaVersion: '0.3'
assumeRole:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
parameters:
AutomationAssumeRole:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
mainSteps:
- name: updatepasswordpolicy
action: 'aws:executeScript'
inputs:
Runtime: python3.6
Handler: updateiampolicy_handler
Script: |
def updateiampolicy_handler(events, context):
import boto3
iam = boto3.client('iam')
response = iam.update_account_password_policy(
AllowUsersToChangePassword=True,
HardExpiry=True,
MaxPasswordAge=90 ,
MinimumPasswordLength=14,
PasswordReusePrevention=24,
RequireLowercaseCharacters=True,
RequireNumbers=True,
RequireSymbols=True,
RequireUppercaseCharacters=True)
InputPayload:
AutomationAssumeRole: '{{AutomationAssumeRole}}'
# -------------------------------------------------------------------------------------------------------------------------------------------------------
# [PCI.CloudTrail.3] CloudTrail log file validation should be enabled
# -------------------------------------------------------------------------------------------------------------------------------------------------------
SCCustomLogFileValidationCF:
Type: AWS::SSM::Document
Properties:
DocumentType: Automation
Name: Custom-SCLogFileValidationCF
Content:
schemaVersion: '0.3'
assumeRole:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
parameters:
AutomationAssumeRole:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
SCCloudTrailLogGroupArn:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:logs:'
- Ref: AWS::Region
- ':'
- Ref: AWS::AccountId
- !Sub ':log-group:${SCCloudTrailLogGroup}:*'
SCCloudWatchRoleArn:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCCloudWatchRole
TrailName:
type: String
mainSteps:
- name: EnableLogFileValidation
action: 'aws:executeScript'
inputs:
Runtime: python3.6
Handler: updatetrail_handler
Script: "def updatetrail_handler(events, context):\r\n import boto3\r\n cloudtrail = boto3.client('cloudtrail')\r\n\r\n CloudTrailLogGroupArn = events['SCCloudTrailLogGroupArn']\r\n CloudWatchRoleArn = events['SCCloudWatchRoleArn']\r\n TrailName = events['TrailName']\r\n\r\n response = cloudtrail.update_trail(\r\n Name=TrailName,\r\n IncludeGlobalServiceEvents=True,\r\n IsMultiRegionTrail=True,\r\n EnableLogFileValidation=True,\r\n CloudWatchLogsLogGroupArn=CloudTrailLogGroupArn,\r\n CloudWatchLogsRoleArn=CloudWatchRoleArn\r\n ) "
InputPayload:
AutomationAssumeRole: '{{AutomationAssumeRole}}'
SCCloudTrailLogGroupArn: '{{SCCloudTrailLogGroupArn}}'
SCCloudWatchRoleArn: '{{SCCloudWatchRoleArn}}'
TrailName: '{{TrailName}}'
# -------------------------------------------------------------------------------------------------------------------------------------------------------
# [PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic
# -------------------------------------------------------------------------------------------------------------------------------------------------------
SCRestrictSecurityGroupPublicAccess:
Type: AWS::SSM::Document
Properties:
DocumentType: Automation
Name: Custom-SCRestrictSecurityGroup
Content:
schemaVersion: '0.3'
assumeRole:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
parameters:
groupId:
type: String
IpAddressToBlock:
type: String
default: '0.0.0.0/0'
AutomationAssumeRole:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
mainSteps:
- name: RestrictSecurityGroup
action: 'aws:executeScript'
inputs:
Runtime: python3.6
Handler: restrict_sg
Script: "def restrict_sg(events, context):\r\n import boto3\r\n import json\r\n import os\r\n ec2 = boto3.resource('ec2')\r\n defaultSecGroupId = events['groupId']\r\n try:\r\n defaultSG = ec2.SecurityGroup(defaultSecGroupId)\r\n defaultIngress = defaultSG.ip_permissions\r\n defaultEgress = defaultSG.ip_permissions_egress\r\n revokeIngress = defaultSG.revoke_ingress(IpPermissions=defaultIngress)\r\n revokeEgress = defaultSG.revoke_egress(IpPermissions=defaultEgress)\r\n except Exception as e:\r\n print(e)"
InputPayload:
AutomationAssumeRole: '{{AutomationAssumeRole}}'
groupId: '{{groupId}}'
IpAddressToBlock: '{{IpAddressToBlock}}'
# -------------------------------------------------------------------------------------------------------------------------------------------------------
# [PCI.EC2.4] Unused EC2 EIPs should be removed
# -------------------------------------------------------------------------------------------------------------------------------------------------------
SCReleaseEIP:
Type: AWS::SSM::Document
Properties:
DocumentType: Automation
Name: Custom-SCReleaseEIP
Content:
schemaVersion: '0.3'
assumeRole:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
parameters:
AutomationAssumeRole:
type: String
default:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':role/'
- !Ref SCAutomationAssumeRole
allocationId:
type: String
mainSteps:
- name: ReleaseEIP
action: 'aws:executeScript'
inputs:
Runtime: python3.6
Handler: script_handler
Script: "def script_handler(events, context):\r\n import boto3\r\n client = boto3.client('ec2')\r\n\r\n allocationId = events['allocationId']\r\n\r\n response = client.release_address(\r\n AllocationId= allocationId\r\n )"
InputPayload:
AutomationAssumeRole: '{{AutomationAssumeRole}}'
allocationId: '{{allocationId}}'