# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|aws|compliancecow||Filter the AWS Security Hub finding details and produce compliance data based on the provided control configuration file.|

```
RecomendedEvidenceName: Evidence name is provided in the control configuration file.
```

# Step 2: Define the System Specific Data (a.k.a. Extended Data Schema)

Control configuration sample:

```json
{
    "ControlName": "EC2.13",
    "EvidenceName": "RestrictedSSH",
    "COMPLIANT": {
        "ComplianceStatusReason": "Record compliant as incoming ssh traffic disabled",
        "ValidationStatusCode": "IPv4_INCOMING_SSH_DISABLED",
        "ValidationStatusNotes": "Incoming ssh traffic disabled"
    },
    "NON_COMPLIANT": {
        "ComplianceStatusReason": "Record is non-compliant because incoming SSH traffic is enabled.",
        "ValidationStatusCode": "IPv4_INCOMING_SSH_ENABLED",
        "ValidationStatusNotes": "Incoming ssh traffic enabled"
    },
    "NOT_DETERMINED": {
        "ComplianceStatusReason": "Incoming ssh traffic status could not be determined",
        "ValidationStatusCode": "ComplianceStatusReasons.[0].ReasonCode",
        "ValidationStatusNotes": "ComplianceStatusReasons.[0].Description"
    }
}
```

In the `NOT_DETERMINED` section, `ValidationStatusCode` and `ValidationStatusNotes` are not literal text: their values are fetched from the AWS Security Hub response at `ComplianceStatusReasons.[0]`.



AWS Security Hub finding sample:

```json
{
  "Action": null,
  "AwsAccountId": "0667123456",
  "CompanyName": "AWS",
  "Compliance": {
    "AssociatedStandards": [
      {
        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
      }
    ],
    "RelatedRequirements": [
      "CIS AWS Foundations 3.2"
    ],
    "SecurityControlId": "CloudWatch.3",
    "Status": "PASSED",
    "StatusReasons": null
  },
  "Confidence": null,
  "CreatedAt": "2023-11-28T14:05:13.102Z",
  "Criticality": null,
  "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
  "FindingProviderFields": {
    "Confidence": null,
    "Criticality": null,
    "RelatedFindings": null,
    "Severity": {
      "Label": "INFORMATIONAL",
      "Original": "INFORMATIONAL"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
    ]
  },
  "FirstObservedAt": "2023-11-28T14:05:13.102Z",
  "GeneratorDetails": null,
  "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2",
  "Id": "arn:aws:securityhub:us-east-1:0667123456:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/74eee69a-5961-44df-9663-beeb6def0c30",
  "LastObservedAt": "2024-07-31T03:55:32.688Z",
  "Malware": null,
  "Network": null,
  "NetworkPath": null,
  "Note": null,
  "PatchSummary": null,
  "Process": null,
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
  "ProductFields": {
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudWatch.3/remediation",
    "Resources:0/Id": "arn:aws:iam::0667123456:root",
    "RuleId": "3.2",
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:0667123456:control/cis-aws-foundations-benchmark/v/1.2.0/3.2",
    "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:0667123456:subscription/cis-aws-foundations-benchmark/v/1.2.0",
    "aws/securityhub/CompanyName": "AWS",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:0667123456:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/74eee69a-5961-44df-9663-beeb6def0c30",
    "aws/securityhub/ProductName": "Security Hub"
  },
  "ProductName": "Security Hub",
  "RecordState": "ACTIVE",
  "Region": "us-east-1",
  "RelatedFindings": null,
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudWatch.3/remediation"
    }
  },
  "Resources": [
    {
      "DataClassification": null,
      "Details": null,
      "Id": "AWS::::Account:0667123456",
      "Partition": "aws",
      "Region": "us-east-1",
      "ResourceRole": null,
      "Tags": null,
      "Type": "AwsAccount"
    }
  ],
  "Sample": null,
  "SchemaVersion": "2018-10-08",
  "Severity": {
    "Label": "INFORMATIONAL",
    "Normalized": 0,
    "Original": "INFORMATIONAL",
    "Product": 0
  },
  "SourceUrl": null,
  "ThreatIntelIndicators": null,
  "Threats": null,
  "Title": "3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
  ],
  "UpdatedAt": "2024-07-31T03:55:17.626Z",
  "UserDefinedFields": null,
  "VerificationState": null,
  "Vulnerabilities": null,
  "Workflow": {
    "Status": "RESOLVED"
  },
  "WorkflowState": "NEW"
}
```

# Step 3: Define the Standard Schema

```json
{
    "System": "aws",
    "Source": "aws_security_hub",
    "ResourceID": "arn:aws:ec2:us-east-1:0667123456:security-group/sg-0f5b752a450298hgb",
    "ResourceName": "sg-0f5b752a450298hgb",
    "ResourceType": "AwsEc2SecurityGroup",
    "ResourceLocation": "us-east-1",
    "ResourceTags": null,
    "ValidationStatusCode": "IPv4_INCOMING_SSH_ENABLED",
    "ValidationStatusNotes": "Incoming ssh traffic enabled",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "Record is non-compliant because incoming SSH traffic is enabled.",
    "EvaluatedTime": "2024-07-31T01:27:45.546Z",
    "UserAction": "",
    "ActionStatus": "",
    "ActionResponseURL": "",
    "ResourceUrl": "https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#SecurityGroup:groupId=sg-0f5b752a450298hgb"
}
```

| System | Source | ResourceID | ResourceName | ResourceType | ResourceLocation | ResourceTags | ValidationStatusCode | ValidationStatusNotes | ComplianceStatus | ComplianceStatusReason | EvaluatedTime | UserAction | ActionStatus | ActionResponseURL | ResourceUrl |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| aws | aws_security_hub | arn:aws:ec2:us-east-1:0667123456:security-group/sg-0f5b752a450298hgb | sg-0f5b752a450298hgb | AwsEc2SecurityGroup | us-east-1 | None | IPv4_INCOMING_SSH_ENABLED | Incoming ssh traffic enabled | NON_COMPLIANT | Record is non-compliant because incoming SSH traffic is enabled. | 2024-07-31T01:27:45.546Z | | | | https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#SecurityGroup:groupId=sg-0f5b752a450298hgb |
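The mapping described across Steps 2 and 3, as an added example rather than ComplianceCow's own code: findings are filtered by `Compliance.SecurityControlId`, `Compliance.Status` PASSED/FAILED selects the `COMPLIANT`/`NON_COMPLIANT` section of the control configuration, anything else falls back to `NOT_DETERMINED`, and the `ComplianceStatusReasons.[0].*` paths are resolved against the finding's `Compliance.StatusReasons` list. The status mapping, the path-resolution rule, deriving `ResourceName` from the last segment of the resource Id, and the sample findings are all assumptions constructed for this example; `ResourceUrl` is left empty because the page does not say how the console URL is built.

```python
# Security Hub Compliance.Status -> control-config section (assumption: any other
# status, e.g. WARNING or NOT_AVAILABLE, or a missing one, is NOT_DETERMINED).
STATUS_MAP = {"PASSED": "COMPLIANT", "FAILED": "NON_COMPLIANT"}

CONTROL_CONFIG = {  # copy of the Step 2 sample
    "ControlName": "EC2.13",
    "EvidenceName": "RestrictedSSH",
    "COMPLIANT": {
        "ComplianceStatusReason": "Record compliant as incoming ssh traffic disabled",
        "ValidationStatusCode": "IPv4_INCOMING_SSH_DISABLED",
        "ValidationStatusNotes": "Incoming ssh traffic disabled"},
    "NON_COMPLIANT": {
        "ComplianceStatusReason": "Record is non-compliant because incoming SSH traffic is enabled.",
        "ValidationStatusCode": "IPv4_INCOMING_SSH_ENABLED",
        "ValidationStatusNotes": "Incoming ssh traffic enabled"},
    "NOT_DETERMINED": {
        "ComplianceStatusReason": "Incoming ssh traffic status could not be determined",
        "ValidationStatusCode": "ComplianceStatusReasons.[0].ReasonCode",
        "ValidationStatusNotes": "ComplianceStatusReasons.[0].Description"},
}

# Constructed findings, trimmed to the fields the mapping reads: one FAILED, one
# WARNING carrying a status reason, and one for another control the filter must drop.
SAMPLE_FINDINGS = [
    {"Compliance": {"SecurityControlId": "EC2.13", "Status": "FAILED", "StatusReasons": None},
     "UpdatedAt": "2024-07-31T01:27:45.546Z",
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:0667123456:security-group/sg-0f5b752a450298hgb",
                    "Type": "AwsEc2SecurityGroup", "Region": "us-east-1", "Tags": None}]},
    {"Compliance": {"SecurityControlId": "EC2.13", "Status": "WARNING",
                    "StatusReasons": [{"ReasonCode": "SAMPLE_REASON_CODE",
                                       "Description": "constructed status reason"}]},
     "UpdatedAt": "2024-07-31T01:27:45.546Z",
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:0667123456:security-group/sg-0000000000000000",
                    "Type": "AwsEc2SecurityGroup", "Region": "us-east-1", "Tags": None}]},
    {"Compliance": {"SecurityControlId": "CloudWatch.3", "Status": "PASSED", "StatusReasons": None},
     "UpdatedAt": "2024-07-31T03:55:17.626Z",
     "Resources": [{"Id": "AWS::::Account:0667123456", "Type": "AwsAccount",
                    "Region": "us-east-1", "Tags": None}]},
]


def resolve_path(obj, path):
    """Resolve a 'ComplianceStatusReasons.[0].ReasonCode'-style path: dotted dict
    keys, with '[n]' selecting a list index. Returns None if any step is missing."""
    cur = obj
    for seg in path.split("."):
        if seg.startswith("[") and seg.endswith("]") and isinstance(cur, list):
            try:
                cur = cur[int(seg[1:-1])]
            except (IndexError, ValueError):
                return None
        elif isinstance(cur, dict):
            cur = cur.get(seg)
        else:
            return None
        if cur is None:
            return None
    return cur


def select_findings(findings, control_name):
    """Keep only the findings whose Compliance.SecurityControlId matches the control."""
    return [f for f in findings
            if (f.get("Compliance") or {}).get("SecurityControlId") == control_name]


def build_record(finding, config):
    """Map one Security Hub finding to a standard-schema record."""
    compliance = finding.get("Compliance") or {}
    status = STATUS_MAP.get(compliance.get("Status"), "NOT_DETERMINED")
    section = config[status]
    # Assumption: ComplianceStatusReasons in a config path means Compliance.StatusReasons.
    view = {"ComplianceStatusReasons": compliance.get("StatusReasons") or []}

    def value(field):
        text = section[field]
        if ".[" in text:  # a path into the finding, not literal text
            resolved = resolve_path(view, text)
            return "" if resolved is None else str(resolved)
        return text

    resource = (finding.get("Resources") or [{}])[0]
    resource_id = resource.get("Id", "")
    return {
        "System": "aws", "Source": "aws_security_hub",
        "ResourceID": resource_id,
        "ResourceName": resource_id.rsplit("/", 1)[-1],  # assumption: last Id segment
        "ResourceType": resource.get("Type"),
        "ResourceLocation": resource.get("Region"),
        "ResourceTags": resource.get("Tags"),
        "ValidationStatusCode": value("ValidationStatusCode"),
        "ValidationStatusNotes": value("ValidationStatusNotes"),
        "ComplianceStatus": status,
        "ComplianceStatusReason": value("ComplianceStatusReason"),
        "EvaluatedTime": finding.get("UpdatedAt"),
        "UserAction": "", "ActionStatus": "", "ActionResponseURL": "",
        "ResourceUrl": "",  # console URL derivation is not described on the page
    }


if __name__ == "__main__":
    for f in select_findings(SAMPLE_FINDINGS, CONTROL_CONFIG["ControlName"]):
        rec = build_record(f, CONTROL_CONFIG)
        print(rec["ResourceName"], rec["ComplianceStatus"], rec["ValidationStatusCode"])
```

The point of the `".["` check in `value()` is that a literal reason such as "Record is non-compliant because incoming SSH traffic is enabled." must never be mistaken for a path, while a path that does not resolve (a `NOT_DETERMINED` finding with no `StatusReasons`) yields an empty string instead of leaking the raw path into the evidence.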


# Step 4: Describe the Compliance Taxonomy

ValidationStatusCode, ValidationStatusNotes, ComplianceStatus, and ComplianceStatusReason are populated from the matching section of the rule configuration file, as in the example below.



| **ValidationStatusCode**      | **ValidationStatusNotes**       | **ComplianceStatus** | **ComplianceStatusReason**                                      |
|-------------------------------|---------------------------------|----------------------|------------------------------------------------------------------|
| IPv4_INCOMING_SSH_ENABLED    | Incoming ssh traffic enabled    | NON_COMPLIANT        | Record is non-compliant because incoming SSH traffic is enabled.           |
| IPv4_INCOMING_SSH_DISABLED    | Incoming ssh traffic disabled    | COMPLIANT        | Record is compliant as incoming ssh traffic disabled           |

# Step 5: Calculation for Compliance Percentage and Status

Calculation of Compliance Percentage:

```text
TotalRecordCount  = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
FailedRecordCount = Count of 'NON_COMPLIANT' records

CompliancePCT = int(100 - ((FailedRecordCount * 100) / TotalRecordCount))
```

Compliance Status:

```text
COMPLIANT     - 100%
NON_COMPLIANT - 0% to less than 100%
```
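The Step 5 rules carried through on a list of standard-schema records, as an added example that is not ComplianceCow's code. `NOT_DETERMINED` records are left out of both counts as the formula requires; what to report when no record is `COMPLIANT` or `NON_COMPLIANT` is not stated on the page, so the empty case returning `(None, "NOT_DETERMINED")` is an assumption. The sample records are constructed.

```python
def compliance_summary(records):
    """Return (CompliancePCT, ComplianceStatus) for standard-schema records.

    Only COMPLIANT and NON_COMPLIANT records enter the denominator, so
    NOT_DETERMINED records neither help nor hurt the percentage.
    """
    statuses = [r.get("ComplianceStatus") for r in records]
    total_record_count = sum(s in ("COMPLIANT", "NON_COMPLIANT") for s in statuses)
    failed_record_count = statuses.count("NON_COMPLIANT")
    if total_record_count == 0:
        # Assumption: nothing evaluable means the control itself is undetermined.
        return None, "NOT_DETERMINED"
    # The page's formula; int() truncates, so a single failure among many
    # records gives 99, never rounds up to 100.
    compliance_pct = int(100 - ((failed_record_count * 100) / total_record_count))
    status = "COMPLIANT" if compliance_pct == 100 else "NON_COMPLIANT"
    return compliance_pct, status


# Constructed sample: two passing, one failing, one undetermined security group.
SAMPLE_RECORDS = [{"ComplianceStatus": s} for s in
                  ("COMPLIANT", "COMPLIANT", "NON_COMPLIANT", "NOT_DETERMINED")]

if __name__ == "__main__":
    print(compliance_summary(SAMPLE_RECORDS))
```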

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | ProcessFindingsFromSecurityHub                  |
| **PreRequisiteRuleNames**  | FetchSecurityHubFindings           |
| **ApplicationClassName**   | AWSAppConnector               |