# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 --- schemaVersion: '0.3' description: | ### Document Name - ASR-AFSBP_1.0.0_RDS.4 ## What does this document do? This document encrypts an unencrypted RDS snapshot by calling another SSM document ## Input Parameters * Finding: (Required) Security Hub finding details JSON * AutomationAssumeRole: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf. * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf. * KMSKeyId: (Optional) ID, ARN or Alias for the AWS KMS Customer-Managed Key (CMK) to use to encrypt the snapshot. ## Documentation Links * [AFSBP RDS.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-4) assumeRole: '{{AutomationAssumeRole}}' outputs: - 'Remediation.Output' - 'ParseInput.AffectedObject' parameters: Finding: type: 'StringMap' description: 'The input from the Orchestrator Step function for the RDS.4 finding' AutomationAssumeRole: type: 'String' description: '(Required) The ARN of the role that allows Automation to perform the actions on your behalf.' allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$' RemediationRoleName: type: 'String' default: 'SO0111-EncryptRDSSnapshot' allowedPattern: '^[\w+=,.@-]+$' KMSKeyId: type: 'String' default: 'alias/aws/rds' description: '(Optional) ID, ARN or Alias for the AWS KMS Customer-Managed Key (CMK) to use to encrypt the snapshot.' allowedPattern: '^(?:arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:)?(?:(?:alias/[A-Za-z0-9/_-]+)|(?:key/(?i:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})))$' mainSteps: - name: 'ParseInput' action: 'aws:executeScript' outputs: - Name: 'SourceDBSnapshotIdentifier' Selector: '$.Payload.matches[1]' Type: 'String' - Name: 'SourceDBSnapshotIdentifierNoPrefix' Selector: '$.Payload.matches[2]' Type: 'String' - Name: 'DBSnapshotType' Selector: '$.Payload.matches[0]' Type: 'String' - Name: 'AffectedObject' Selector: '$.Payload.object' Type: 'StringMap' - Name: 'FindingId' Selector: '$.Payload.finding.Id' Type: 'String' - Name: 'ProductArn' Selector: '$.Payload.finding.ProductArn' Type: 'String' - Name: 'RemediationRegion' Selector: '$.Payload.resource_region' Type: 'String' - Name: 'RemediationAccount' Selector: '$.Payload.account_id' Type: 'String' inputs: InputPayload: Finding: '{{Finding}}' parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):rds:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:((?:cluster-)?snapshot|dbclustersnapshot):((?:rds:)?((?!.*--.*)(?!.*-$)[a-zA-Z][a-zA-Z0-9-]{0,254}))$' resource_index: 2 expected_control_id: - 'RDS.4' Runtime: 'python3.8' Handler: 'parse_event' Script: |- %%SCRIPT=common/parse_input.py%% - name: 'Remediation' action: 'aws:executeAutomation' inputs: DocumentName: 'ASR-EncryptRDSSnapshot' TargetLocations: - Accounts: - '{{ParseInput.RemediationAccount}}' Regions: - '{{ParseInput.RemediationRegion}}' ExecutionRoleName: '{{RemediationRoleName}}' RuntimeParameters: SourceDBSnapshotIdentifier: '{{ParseInput.SourceDBSnapshotIdentifier}}' TargetDBSnapshotIdentifier: '{{ParseInput.SourceDBSnapshotIdentifierNoPrefix}}-encrypted' DBSnapshotType: '{{ParseInput.DBSnapshotType}}' AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/{{RemediationRoleName}}' KmsKeyId: '{{KMSKeyId}}' - name: 'UpdateFinding' action: 'aws:executeAwsApi' inputs: Service: 'securityhub' Api: 'BatchUpdateFindings' FindingIdentifiers: - Id: '{{ParseInput.FindingId}}' ProductArn: '{{ParseInput.ProductArn}}' Note: Text: 'Encrypted RDS snapshot' UpdatedBy: 'ASR-AFSBP_1.0.0_RDS.4' Workflow: Status: 'RESOLVED' description: 'Update finding' isEnd: true