# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 --- description: | ### Document Name - ASR-CIS_1.2.0_3.x ## What does this document do? Remediates the following CIS findings: 3.1 - Creates a log metric filter and alarm for unauthorized API calls 3.2 - Creates a log metric filter and alarm for AWS Management Console sign-in without MFA 3.3 - Creates a log metric filter and alarm for usage of "root" account 3.4 - Creates a log metric filter and alarm for for IAM policy changes 3.5 - Creates a log metric filter and alarm for CloudTrail configuration changes 3.6 - Creates a log metric filter and alarm for AWS Management Console authentication failures 3.7 - Creates a log metric filter and alarm for disabling or scheduled deletion of customer created CMKs 3.8 - Creates a log metric filter and alarm for S3 bucket policy changes 3.9 - Creates a log metric filter and alarm for AWS Config configuration changes 3.10 - Creates a log metric filter and alarm for security group changes 3.11 - Creates a log metric filter and alarm for changes to Network Access Control Lists (NACL) 3.12 - Creates a log metric filter and alarm for changes to network gateways 3.13 - Creates a log metric filter and alarm for route table changes 3.14 - Creates a log metric filter and alarm for VPC changes ## Input Parameters * Finding: (Required) Security Hub finding details JSON * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. ## Output Parameters * Remediation.Output - Output of remediation runbook. ## Documentation Links [CIS v1.2.0 3.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.1) [CIS v1.2.0 3.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.2) [CIS v1.2.0 3.3](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.3) [CIS v1.2.0 3.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.4) [CIS v1.2.0 3.5](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.5) [CIS v1.2.0 3.6](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.6) [CIS v1.2.0 3.7](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.7) [CIS v1.2.0 3.8](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.8) [CIS v1.2.0 3.9](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.9) [CIS v1.2.0 3.10](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.10) [CIS v1.2.0 3.11](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.11) [CIS v1.2.0 3.12](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.12) [CIS v1.2.0 3.13](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.13) [CIS v1.2.0 3.14](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.14) schemaVersion: '0.3' assumeRole: '{{ AutomationAssumeRole }}' outputs: - ParseInput.AffectedObject - Remediation.Output parameters: Finding: type: StringMap description: The input from the Orchestrator Step function for the 3.1 finding AutomationAssumeRole: type: String description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$' LogGroupName: type: String default: >- {{ssm:/Solutions/SO0111/Metrics_LogGroupName}} description: The name of the Log group to be used to create filters and metric alarms allowedPattern: '.*' MetricNamespace: type: String default: 'LogMetrics' description: The name of the metric namespace where the metrics will be logged allowedPattern: '.*' KMSKeyArn: type: String default: >- {{ssm:/Solutions/SO0111/CMK_REMEDIATION_ARN}} description: The ARN of the KMS key created by ASR for remediations allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias/[A-Za-z0-9/-_])|(?:key/(?i:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})))$' mainSteps: - name: ParseInput action: 'aws:executeScript' outputs: - Name: GroupId Selector: $.Payload.resource_id Type: String - Name: FindingId Selector: $.Payload.finding_id Type: String - Name: ProductArn Selector: $.Payload.product_arn Type: String - Name: AffectedObject Selector: $.Payload.object Type: StringMap - Name: ControlId Selector: $.Payload.control_id Type: String inputs: InputPayload: parse_id_pattern: '' Finding: '{{Finding}}' expected_control_id: [ '3.1', '3.2', '3.3', '3.4', '3.5', '3.6', '3.7', '3.8', '3.9', '3.10', '3.11', '3.12', '3.13','3.14'] Runtime: python3.8 Handler: parse_event Script: |- %%SCRIPT=common/parse_input.py%% isEnd: false - name: GetMetricFilterAndAlarmInputValue action: 'aws:executeScript' outputs: - Name: FilterName Selector: $.Payload.filter_name Type: String - Name: FilterPattern Selector: $.Payload.filter_pattern Type: String - Name: MetricName Selector: $.Payload.metric_name Type: String - Name: MetricValue Selector: $.Payload.metric_value Type: Integer - Name: AlarmName Selector: $.Payload.alarm_name Type: String - Name: AlarmDesc Selector: $.Payload.alarm_desc Type: String - Name: AlarmThreshold Selector: $.Payload.alarm_threshold Type: Integer inputs: InputPayload: ControlId: '{{ParseInput.ControlId}}' StandardLongName: 'cis-aws-foundations-benchmark' StandardVersion: '1.2.0' Runtime: python3.8 Handler: verify Script: |- %%SCRIPT=common/cloudwatch_get_input_values.py%% - name: Remediation action: 'aws:executeAutomation' isEnd: false inputs: DocumentName: ASR-CreateLogMetricFilterAndAlarm RuntimeParameters: AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/SO0111-CreateLogMetricFilterAndAlarm' FilterName: '{{ GetMetricFilterAndAlarmInputValue.FilterName }}' FilterPattern: '{{ GetMetricFilterAndAlarmInputValue.FilterPattern }}' MetricName: '{{ GetMetricFilterAndAlarmInputValue.MetricName }}' MetricValue: '{{ GetMetricFilterAndAlarmInputValue.MetricValue }}' MetricNamespace: '{{ MetricNamespace }}' AlarmName: '{{ GetMetricFilterAndAlarmInputValue.AlarmName }}' AlarmDesc: '{{ GetMetricFilterAndAlarmInputValue.AlarmDesc }}' AlarmThreshold: '{{ GetMetricFilterAndAlarmInputValue.AlarmThreshold }}' LogGroupName: '{{ LogGroupName }}' SNSTopicName: 'SO0111-SHARR-LocalAlarmNotification' KMSKeyArn: '{{KMSKeyArn}}' - name: UpdateFinding action: 'aws:executeAwsApi' inputs: Service: securityhub Api: BatchUpdateFindings FindingIdentifiers: - Id: '{{ParseInput.FindingId}}' ProductArn: '{{ParseInput.ProductArn}}' Note: Text: 'Added metric filter to the log group and notifications to SNS topic SO0111-SHARR-LocalAlarmNotification.' UpdatedBy: 'ASR-CIS_1.2.0_3.1' Workflow: Status: RESOLVED description: Update finding isEnd: true