# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description: |
  ### Document Name - ASR-CIS_1.2.0_2.6

  ## What does this document do?
  Configures access logging for a CloudTrail S3 bucket.

  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Output Parameters
  * Remediation.Output - Remediation results

  ## Documentation Links
  * [CIS v1.2.0 2.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.6)

schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
outputs:
  - ParseInput.AffectedObject
  - Remediation.Output
parameters:
  Finding:
    type: StringMap
    description: The input from the Orchestrator Step function for the 2.6 finding
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'

mainSteps:
  - name: ParseInput
    action: 'aws:executeScript'
    outputs:
      - Name: CloudTrailBucket
        Selector: $.Payload.resource_id
        Type: String
      - Name: FindingId
        Selector: $.Payload.finding_id
        Type: String
      - Name: ProductArn
        Selector: $.Payload.product_arn
        Type: String
      - Name: AffectedObject
        Selector: $.Payload.object
        Type: StringMap
    inputs:
      InputPayload:
        Finding: '{{Finding}}'
        parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):s3:::([a-z0-9.-]{3,63})$'
        expected_control_id:
        - '2.6'
      Runtime: python3.8
      Handler: parse_event
      Script: |-
        %%SCRIPT=common/parse_input.py%%
    isEnd: false

  - name: CreateAccessLoggingBucket
    action: 'aws:executeAutomation'
    isEnd: false
    inputs:
      DocumentName: ASR-CreateAccessLoggingBucket
      RuntimeParameters:
        BucketName: 'so0111-cloudtrailaccesslogs-{{global:ACCOUNT_ID}}-{{global:REGION}}'
        AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/SO0111-CreateAccessLoggingBucket'

  - name: Remediation
    action: 'aws:executeAutomation'
    isEnd: false
    inputs:
      DocumentName: AWS-ConfigureS3BucketLogging
      RuntimeParameters:
        BucketName: '{{ParseInput.CloudTrailBucket}}'
        GrantedPermission: ['READ']
        GranteeType: ['Group']
        GranteeUri: ['http://acs.amazonaws.com/groups/s3/LogDelivery']
        TargetPrefix: ['{{ParseInput.CloudTrailBucket}}/']
        TargetBucket: ['so0111-cloudtrailaccesslogs-{{global:ACCOUNT_ID}}-{{global:REGION}}']
        AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/SO0111-ConfigureS3BucketLogging'

  - name: UpdateFinding
    action: 'aws:executeAwsApi'
    inputs:
      Service: securityhub
      Api: BatchUpdateFindings
      FindingIdentifiers:
      - Id: '{{ParseInput.FindingId}}'
        ProductArn: '{{ParseInput.ProductArn}}'
      Note:
        Text: 'Created S3 bucket so0111-cloudtrailaccesslogs-{{global:ACCOUNT_ID}}-{{global:REGION}}
          for logging access to {{ParseInput.CloudTrailBucket}}'
        UpdatedBy: 'ASR-CIS_1.2.0_2.6'
      Workflow:
        Status: RESOLVED
    description: Update finding
    isEnd: true