Release/1.5.4 (#175) (#176)

* upgraded lambda runtime python to 3.9 * changed SSL permissions set * as principal all buckets * added version and manifest * removed action from lambda code bucket policy PutObjectAcl * added update request type Update event to password policy lambda * stack changes for AWSConfigRole to AWS_ConfigRole replacement
digitc1 · May 5, 2022 · e762a15 · e762a15
1 parent 6c6125b
commit e762a15
Show file tree

Hide file tree

Showing 9 changed files with 69 additions and 16 deletions.
diff --git a/AccountBaseline-CFN/AB-SECLZ-LambdaAndTrigger.yml b/AccountBaseline-CFN/AB-SECLZ-LambdaAndTrigger.yml
@@ -118,7 +118,7 @@ Resources:
         Fn::GetAtt:
         - rLambdaRole
         - Arn
-      Runtime: python3.7
+      Runtime: python3.9
       Tags: []
   EventRuleRole:
     Type: AWS::IAM::Role

diff --git a/CFN/EC-lz-Config-SecurityHub-all-regions.yml b/CFN/EC-lz-Config-SecurityHub-all-regions.yml
@@ -105,7 +105,7 @@ Resources:
               - sts:AssumeRole
       Path: /
       ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
+        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
       Policies:
         - PolicyName: root
           PolicyDocument:

diff --git a/CFN/EC-lz-config-cloudtrail-logging.yml b/CFN/EC-lz-config-cloudtrail-logging.yml
@@ -492,7 +492,7 @@ Resources:
             Action:
               - 'sts:AssumeRole'
       ManagedPolicyArns:
-        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+        - 'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole'
       Policies:
         - PolicyName: root
           PolicyDocument:

diff --git a/CFN/EC-lz-iam-setting_password_policy.yml b/CFN/EC-lz-iam-setting_password_policy.yml
@@ -139,11 +139,10 @@ Resources:
                 raise e
               finally:
                 cfnresponse.send(event, context, response_status, {"Response":response_data}, '')
-            elif 'RequestType' in event and event['RequestType'] == 'Create':
+            elif 'RequestType' in event and (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'):
               try:
                 response = boto3.client('iam').update_account_password_policy(
                         AllowUsersToChangePassword = bool(event['ResourceProperties']['AllowUsersToChangePassword']),
-                      #  HardExpiry=bool(event['ResourceProperties']['HardExpiry']),
                         MaxPasswordAge=int(event['ResourceProperties']['MaxPasswordAge']),
                         MinimumPasswordLength=int(event['ResourceProperties']['MinimumPasswordLength']),
                         RequireLowercaseCharacters=bool(event['ResourceProperties']['RequireLowercaseCharacters']),
@@ -161,7 +160,7 @@ Resources:
       Handler: 'index.lambda_handler'
       MemorySize: 128
       Role: !GetAtt LambdaExecutionRole.Arn
-      Runtime: python3.6
+      Runtime: python3.9
       Timeout: 60
 
   PasswordPolicy:

diff --git a/CFN/EC-lz-logshipper-lambdas.yml b/CFN/EC-lz-logshipper-lambdas.yml
@@ -149,7 +149,7 @@ Resources:
       Handler: 'CloudtrailLogShipper.lambda_handler'
       MemorySize: 128
       Role: !GetAtt LogShipperLambdaExecutionRole.Arn
-      Runtime: python3.8
+      Runtime: python3.9
       Timeout: 900
       Environment:
         Variables:
@@ -196,7 +196,7 @@ Resources:
       Code: ##configCodeURI##
       Handler: 'ConfigLogShipper.lambda_handler'
       Role: !GetAtt LogShipperLambdaExecutionRole.Arn
-      Runtime: python3.8
+      Runtime: python3.9
       Timeout: 900
       Environment:
         Variables:

diff --git a/CFN/EC-lz-s3-bucket-lambda-code.yml b/CFN/EC-lz-s3-bucket-lambda-code.yml
@@ -62,12 +62,30 @@ Resources:
                   - "s3:GetObjectAcl"
                   - "s3:GetObjectVersion"
                   - "s3:PutObject"
-                  - "s3:PutObjectAcl"
                   Resource:
                     Fn::Join:
                       - ""
                       -
                         - !GetAtt LambdaArtefactsBucket.Arn
                         - "/*"
+                -
+                  Sid: "LambdaBucketSSL"
+                  Action: s3:*
+                  Principal: "*"
+                  Effect: Deny
+                  Resource:
+                    - Fn::Join:
+                      - ""
+                      -
+                        - !GetAtt LambdaArtefactsBucket.Arn
+                    - Fn::Join:
+                      - ""
+                      -
+                        - !GetAtt LambdaArtefactsBucket.Arn
+                        - "/*"
+                  Condition:
+                    Bool:
+                      "aws:SecureTransport": "false"
+
 
 
diff --git a/CFN/EC-lz-s3-buckets.yml b/CFN/EC-lz-s3-buckets.yml
@@ -140,8 +140,7 @@ Resources:
                 -
                   Sid: "AWSCloudTrailgBucketSSL"
                   Action: s3:*
-                  Principal:
-                    Service: cloudtrail.amazonaws.com
+                  Principal: "*"
                   Effect: Deny
                   Resource:
                     - Fn::Join:
@@ -248,8 +247,7 @@ Resources:
                 -
                   Sid: "AWSConfigBucketSSL"
                   Action: "s3:*"
-                  Principal:
-                    Service: config.amazonaws.com
+                  Principal: "*"
                   Effect: Deny
                   Resource:
                     - Fn::Join:
@@ -306,8 +304,7 @@ Resources:
                   Sid: "AWSAccessLogsBucketSSL"
                   Action: "s3:*"
                   Effect: Deny
-                  Principal:
-                    Service: cloudwatch.amazonaws.com
+                  Principal: "*"
                   Resource:
                     - Fn::Join:
                       - ""

diff --git a/EC-SLZ-Version.txt b/EC-SLZ-Version.txt
@@ -1 +1 @@
-1.5.3
+1.5.4
diff --git a/Updates/1.5.4/manifest.json b/Updates/1.5.4/manifest.json
@@ -0,0 +1,39 @@
+{   "version" : "1.5.4",
+    "regions" : ["ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-south-1","ap-southeast-1","ap-southeast-2","ca-central-1","eu-central-1","eu-north-1","eu-west-1", "eu-west-2","eu-west-3","sa-east-1","us-east-1","us-east-2","us-west-1","us-west-2"],
+    "tags" : [
+        { "Key": "Organization","Value": "EC" },
+        { "Key": "Owner","Value": "DIGIT.C.1" },
+        { "Key": "Environment","Value": "prod" },
+        { "Key": "Criticity","Value": "high" },
+        { "Key": "Project","Value": "secLZ" },
+        { "Key": "Confidentiality","Value": "confidential" },
+        { "Key": "ApplicationRole","Value": "security" }
+    ],
+    "stacks" : {
+        "SECLZ-Iam-Password-Policy" : {
+            "update" : true
+        },
+        "SECLZ-LogShipper-Lambdas-Bucket" : {
+            "update" : true
+        },
+        "SECLZ-LogShipper-Lambdas" : {
+            "update" : true
+        },
+        "SECLZ-Central-Buckets" : {
+            "update" : true
+        },
+        "SECLZ-config-cloudtrail-SNS" : {
+            "update" : true
+        }
+    },
+    "stacksets" : {
+        "SECLZ-Enable-Config-SecurityHub-Globally" : {
+            "update" : true
+        }
+    },
+    "accounts" : {
+        "exclude" : [],
+        "include" : []
+    }
+
+}