-
Notifications
You must be signed in to change notification settings - Fork 6
/
findings_manager.tf
220 lines (193 loc) · 8.72 KB
/
findings_manager.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
locals {
workflow_status_filter = var.jira_integration.autoclose_enabled ? ["NEW", "NOTIFIED", "RESOLVED"] : ["NEW", "NOTIFIED"]
}
data "aws_iam_policy_document" "findings_manager_lambda_iam_role" {
statement {
sid = "TrustEventsToStoreLogEvent"
actions = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
]
resources = [
"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
]
}
statement {
sid = "S3GetObjectAccess"
actions = ["s3:GetObject"]
resources = ["${module.findings_manager_bucket.arn}/*"]
}
statement {
sid = "EC2DescribeRegionsAccess"
actions = ["ec2:DescribeRegions"]
resources = ["*"]
}
statement {
sid = "SecurityHubAccess"
actions = [
"securityhub:BatchUpdateFindings",
"securityhub:GetFindings"
]
resources = [
"arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:hub/default"
]
}
statement {
sid = "LambdaKMSAccess"
actions = [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
]
effect = "Allow"
resources = [
var.kms_key_arn
]
}
}
# Push the Lambda code zip deployment package to s3
resource "aws_s3_object" "findings_manager_lambdas_deployment_package" {
bucket = module.findings_manager_bucket.id
key = "lambda_securityhub-findings-manager_${var.lambda_runtime}.zip"
kms_key_id = var.kms_key_arn
source = "${path.module}/files/pkg/lambda_securityhub-findings-manager_${var.lambda_runtime}.zip"
source_hash = filemd5("${path.module}/files/pkg/lambda_securityhub-findings-manager_${var.lambda_runtime}.zip")
tags = var.tags
}
################################################################################
# Events Lambda
################################################################################
# Lambda function to manage Security Hub findings in response to an EventBridge event
module "findings_manager_events_lambda" {
#checkov:skip=CKV_AWS_272:Code signing not used for now
source = "schubergphilis/mcaf-lambda/aws"
version = "~> 1.4.1"
name = var.findings_manager_events_lambda.name
create_policy = true
create_s3_dummy_object = false
description = "Lambda to manage Security Hub findings in response to an EventBridge event"
handler = "securityhub_events.lambda_handler"
kms_key_arn = var.kms_key_arn
layers = ["arn:aws:lambda:${data.aws_region.current.name}:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]
log_retention = 365
memory_size = var.findings_manager_events_lambda.memory_size
policy = data.aws_iam_policy_document.findings_manager_lambda_iam_role.json
runtime = var.lambda_runtime
s3_bucket = var.s3_bucket_name
s3_key = aws_s3_object.findings_manager_lambdas_deployment_package.key
s3_object_version = aws_s3_object.findings_manager_lambdas_deployment_package.version_id
security_group_egress_rules = var.findings_manager_events_lambda.security_group_egress_rules
source_code_hash = aws_s3_object.findings_manager_lambdas_deployment_package.checksum_sha256
subnet_ids = var.subnet_ids
tags = var.tags
timeout = var.findings_manager_events_lambda.timeout
environment = {
S3_BUCKET_NAME = var.s3_bucket_name
S3_OBJECT_NAME = var.rules_s3_object_name
LOG_LEVEL = var.findings_manager_events_lambda.log_level
POWERTOOLS_LOGGER_LOG_EVENT = "false"
POWERTOOLS_SERVICE_NAME = "securityhub-findings-manager-events"
}
}
# EventBridge Rule that detect Security Hub events
resource "aws_cloudwatch_event_rule" "securityhub_findings_events" {
name = "rule-${var.findings_manager_events_lambda.name}"
description = "EventBridge rule for detecting Security Hub findings events, triggering the findings manager events lambda."
tags = var.tags
event_pattern = <<EOF
{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"Workflow": {
"Status": ${jsonencode(local.workflow_status_filter)}
}
}
}
}
EOF
}
# Allow Eventbridge to invoke Security Hub Events Lambda function
resource "aws_lambda_permission" "eventbridge_invoke_findings_manager_events_lambda" {
count = var.jira_integration.enabled ? 0 : 1
action = "lambda:InvokeFunction"
function_name = var.findings_manager_events_lambda.name
principal = "events.amazonaws.com"
source_arn = aws_cloudwatch_event_rule.securityhub_findings_events.arn
}
# Add Security Hub Events Lambda function as a target to the EventBridge rule
resource "aws_cloudwatch_event_target" "findings_manager_events_lambda" {
count = var.jira_integration.enabled ? 0 : 1
arn = module.findings_manager_events_lambda.arn
rule = aws_cloudwatch_event_rule.securityhub_findings_events.name
}
################################################################################
# Trigger Lambda
################################################################################
# Lambda to manage Security Hub findings in response to S3 rules file uploads
module "findings_manager_trigger_lambda" {
#checkov:skip=CKV_AWS_272:Code signing not used for now
source = "schubergphilis/mcaf-lambda/aws"
version = "~> 1.4.1"
name = var.findings_manager_trigger_lambda.name
create_policy = true
create_s3_dummy_object = false
description = "Lambda to manage Security Hub findings in response to S3 rules file uploads"
handler = "securityhub_trigger.lambda_handler"
kms_key_arn = var.kms_key_arn
layers = ["arn:aws:lambda:${data.aws_region.current.name}:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]
log_retention = 365
memory_size = var.findings_manager_trigger_lambda.memory_size
policy = data.aws_iam_policy_document.findings_manager_lambda_iam_role.json
runtime = var.lambda_runtime
s3_bucket = var.s3_bucket_name
s3_key = aws_s3_object.findings_manager_lambdas_deployment_package.key
s3_object_version = aws_s3_object.findings_manager_lambdas_deployment_package.version_id
security_group_egress_rules = var.findings_manager_trigger_lambda.security_group_egress_rules
source_code_hash = aws_s3_object.findings_manager_lambdas_deployment_package.checksum_sha256
subnet_ids = var.subnet_ids
tags = var.tags
timeout = var.findings_manager_trigger_lambda.timeout
environment = {
S3_BUCKET_NAME = var.s3_bucket_name
S3_OBJECT_NAME = var.rules_s3_object_name
LOG_LEVEL = var.findings_manager_trigger_lambda.log_level
POWERTOOLS_LOGGER_LOG_EVENT = "false"
POWERTOOLS_SERVICE_NAME = "securityhub-findings-manager-trigger"
}
}
# Allow S3 to invoke S3 Trigger Lambda function
resource "aws_lambda_permission" "s3_invoke_findings_manager_trigger_lambda" {
action = "lambda:InvokeFunction"
function_name = var.findings_manager_trigger_lambda.name
principal = "s3.amazonaws.com"
source_account = data.aws_caller_identity.current.account_id
source_arn = module.findings_manager_bucket.arn
}
# Add Security Hub Trigger Lambda function as a target to rules S3 Object Creation Trigger Events
resource "aws_s3_bucket_notification" "findings_manager_trigger" {
bucket = module.findings_manager_bucket.name
lambda_function {
lambda_function_arn = module.findings_manager_trigger_lambda.arn
events = ["s3:ObjectCreated:*"]
filter_prefix = var.rules_s3_object_name
filter_suffix = var.rules_s3_object_name
}
depends_on = [aws_lambda_permission.s3_invoke_findings_manager_trigger_lambda]
}
# Upload rules list to S3
resource "aws_s3_object" "rules" {
count = var.rules_filepath == "" ? 0 : 1
bucket = module.findings_manager_bucket.name
key = var.rules_s3_object_name
content_type = "application/x-yaml"
content = file(var.rules_filepath)
source_hash = filemd5(var.rules_filepath)
tags = var.tags
# Even with this in place, the creation sometimes doesn't get picked up on a first deploy
depends_on = [aws_s3_bucket_notification.findings_manager_trigger]
}