Update to v1.5.1

.gitignore

@@ -0,0 +1,69 @@
+
+.DS_Store
+inputs.md/*
+source/example*
+**/__pycache__/*
+source/playbooks/**/_description.txt
+deployment/temp/*
+deployment/test/*
+
+**/build
+**/package
+**/global-s3-assets
+**/regional-s3-assets
+**/open-source
+**/.zip
+**/tmp
+**/out-tsc
+
+# dependencies
+**/node_modules
+
+# coverage
+**/coverage
+**/package
+**/.coverage
+
+# misc
+**/npm-debug.log
+**/testem.log
+**/.vscode/settings.json
+**/*.zip
+**/*local-runner*
+**/*create-stack.sh
+
+
+# System Files
+**/.DS_Store
+**/.vscode
+
+# CDK files
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Python modules
+*.dist-info
+source/solution_deploy/source/certifi
+source/solution_deploy/source/chardet
+source/solution_deploy/source/idna
+source/solution_deploy/source/requests
+source/solution_deploy/source/urllib3
+
+# Parcel build directories
+.cache
+.build
+
+*.idea
+
+# Build files
+source/playbooks/*/template
+deployment/setenv.sh
+source/solution_deploy/source/bin
+source/playbooks/*/source/lib/*
+deployment/temp

CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.1] - 2022-12-22
+
+### Changed
+
+- Changed SSM document name prefixes from SHARR to ASR to support stack update
+- Upgraded Lambda Python runtimes to 3.9
+
+### Fixed
+
+- Reverted SSM document custom resource provider to resolve intermittent deployment errors
+- Fixed bug in AFSBP AutoScaling.1 and PCI.AutoScaling.1 remediation regexes
+
 ## [1.5.0] - 2022-05-31
 
 ### Added

NOTICE.txt

@@ -1,7 +1,7 @@
-AWS Security Hub Automated Response and Remediation Solution
+Automated Security Response on AWS
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except
-in compliance with the License. A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0/
+in compliance with the License. A copy of the License is located at http://www.apache.org/licenses/
 or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the
 specific language governing permissions and limitations under the License.
@@ -11,15 +11,44 @@ THIRD PARTY COMPONENTS
 **********************
 This software includes third party software subject to the following copyrights:
 
-aws-cdk under the Apache License Version 2.0
-aws-sdk under the Apache License Version 2.0
-bandit under the Apache License Version 2.0
-pytest under the MIT License (MIT)
-request under the Apache License Version 2.0
-@types/jest under the Massachusetts Institute of Technology (MIT) license
-@types/node under the Massachusetts Institute of Technology (MIT) license
-@typescript-eslint/eslint-plugin under the Massachusetts Institute of Technology (MIT) license
-@typescript-eslint/parser under the BSD-2-Clause license
-jest under the Massachusetts Institute of Technology (MIT) license
-typescript under the Apache License Version 2.0
+aws-cdk under the Apache License 2.0
+cdk under the Apache License 2.0
+jest under the MIT License
+js-yaml under the MIT License
+source-map-support under the MIT License
+ts-jest under the MIT License
+ts-node under the MIT License
+typescript under the Apache License 2.0
 
+attrs under the MIT License
+bandit under the Apache License 2.0
+boto3 under the Apache License 2.0
+botocore under the Apache License 2.0
+certifi under the Mozilla Public License 2.0
+charset-normalizer under the MIT License
+coverage under the Apache License 2.0
+exceptiongroup under the MIT License
+gitdb under the BSD 3-Clause "New" or "Revised" License
+GitPython under the BSD 3-Clause "New" or "Revised" License
+idna under the BSD 3-Clause "New" or "Revised" License
+iniconfig under the MIT License
+jmespath under the MIT License
+packaging under the Apache License 2.0
+pbr under the Apache License 2.0
+pip under the MIT License
+pluggy under the MIT License
+pytest under the MIT License
+pytest-cov under the MIT License
+pytest-env under the MIT License
+pytest-mock under the MIT License
+python-dateutil under the Apache License 2.0 and the BSD 3-Clause "New" or "Revised" License
+PyYAML under the MIT License
+requests under the Apache License 2.0
+s3transfer under the Apache License 2.0
+setuptools under the MIT License
+six under the MIT License
+smmap under the BSD 3-Clause "New" or "Revised" License
+stevedore under the Apache License 2.0
+tomli under the MIT License
+urllib3 under the MIT License
+virtualenv under the MIT License

README.md

@@ -130,7 +130,7 @@ Unless noted, all of the following changes are within the folder you just create
 
 #### Configure the Playbook
 
-Edit **bin/\<standard\>.ts**. The following 3 lines are critical to definition of the Playbook. These values enable SHARR to map from the StandardsControlArn in a finding to your remediations.
+Edit **bin/\<standard\>.ts**. The following 3 lines are critical to definition of the Playbook. These values enable ASR to map from the StandardsControlArn in a finding to your remediations.
 
 ```typescript
 const standardShortName = 'NPB'
@@ -154,13 +154,13 @@ const remediations: IControl[] = [
 
 #### Create the Remediations
 
-Remediations are executed using SSM Automation Runbooks. Each control has a specific runbook. SHARR Runbooks must follow the naming convention in the **/ssmdocs** folder:
+Remediations are executed using SSM Automation Runbooks. Each control has a specific runbook. ASR Runbooks must follow the naming convention in the **/ssmdocs** folder:
 
 <standardShortName>-<control>.yaml
 
-Follow examples from other Playbooks. Your SHARR runbook must parse the finding data, extract the fields needed for remediation, and execute a remediation runbook, passing the role name.
+Follow examples from other Playbooks. Your ASR runbook must parse the finding data, extract the fields needed for remediation, and execute a remediation runbook, passing the role name.
 
-Remediation runbooks are defined in the /source/remediation_runbooks and /source/solution_deploy/remediation_runbooks-stack.ts. The remediation examples provided with the solution are fairly robust and self-documenting. Each definition creates an IAM role and an SSM runbook that is called by the SHARR runbook.
+Remediation runbooks are defined in the /source/remediation_runbooks and /source/solution_deploy/remediation_runbooks-stack.ts. The remediation examples provided with the solution are fairly robust and self-documenting. Each definition creates an IAM role and an SSM runbook that is called by the ASR runbook.
 
 ### Build and Deploy
 

deployment/build-s3-dist.sh

@@ -20,7 +20,7 @@
 # This controls the CDK and AWS Solutions Constructs version. Solutions
 # Constructs versions map 1:1 to CDK versions. When setting this value,
 # choose the latest AWS Solutions Constructs version.
-required_cdk_version=1.155.0
+required_cdk_version=1.183.0
 
 # Get reference for all important folders
 template_dir="$PWD"

deployment/requirements.txt

@@ -1 +1,7 @@
-requests>=2.25.0
+requests==2.28.1
+## urllib3 should match Lambda runtime
+urllib3==1.26.6
+## The following requirements were added by pip freeze:
+certifi==2022.12.7
+charset-normalizer==2.1.1
+idna==3.4

deployment/testing_requirements.txt

@@ -1,7 +1,32 @@
-pytest-mock>=3.1.0
-pytest>=4.2.1
-pytest-cov
-pytest-env
-bandit
-boto3==1.23.9
-requests==2.27.1
+bandit==1.7.4
+## boto3 and botocore should match Lambda runtime: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
+boto3==1.20.32
+botocore==1.23.32
+pytest==7.2.0
+pytest-cov==4.0.0
+pytest-env==0.8.1
+pytest-mock==3.10.0
+requests==2.28.1
+## urllib3 and six should match Lambda runtime
+urllib3==1.26.13
+six==1.16.0
+## The following requirements were added by pip freeze:
+attrs==22.1.0
+certifi==2022.12.7
+charset-normalizer==2.1.1
+coverage==6.5.0
+exceptiongroup==1.0.4
+gitdb==4.0.10
+GitPython==3.1.29
+idna==3.4
+iniconfig==1.1.1
+jmespath==0.10.0
+packaging==22.0
+pbr==5.11.0
+pluggy==1.0.0
+python-dateutil==2.8.2
+PyYAML==6.0
+s3transfer==0.5.2
+smmap==5.0.0
+stevedore==4.1.1
+tomli==2.0.1

source/Orchestrator/check_ssm_doc_state.py

@@ -47,8 +47,8 @@ def _get_ssm_client(account, role, region=''):
 def _add_doc_state_to_answer(doc, account, region, answer):
     # Connect to APIs
     ssm = _get_ssm_client(
-        account, 
-        ORCH_ROLE_NAME, 
+        account,
+        ORCH_ROLE_NAME,
         region
     )
     # Validate input
@@ -122,7 +122,7 @@ def lambda_handler(event, context):
         'standardsupported': finding.standard_version_supported,
         'accountid': finding.account_id,
         'resourceregion': finding.resource_region
-    })  
+    })
 
     if finding.standard_version_supported != 'True':
         answer.update({
@@ -133,10 +133,10 @@ def lambda_handler(event, context):
 
     # Is there alt workflow configuration?
     alt_workflow_doc = event.get('Workflow',{}).get('WorkflowDocument', None)
-    
-    automation_docid = f'SHARR-{finding.standard_shortname}_{finding.standard_version}_{finding.remediation_control}'
+
+    automation_docid = f'ASR-{finding.standard_shortname}_{finding.standard_version}_{finding.remediation_control}'
     remediation_role = f'SO0111-Remediate-{finding.standard_shortname}-{finding.standard_version}-{finding.remediation_control}'
-    
+
     answer.update({
         'automationdocid': automation_docid,
         'remediationrole': remediation_role
@@ -150,9 +150,9 @@ def lambda_handler(event, context):
         })
     else:
         _add_doc_state_to_answer(
-            automation_docid, 
-            finding.account_id, 
-            finding.resource_region, 
+            automation_docid,
+            finding.account_id,
+            finding.resource_region,
             answer
         )