Overview

A configuration package that enables compliance monitoring for a subset of the PCI DSS 3.2.1 controls using AWS Security Hub in a single AWS account and Region. The package also enables the service prerequisites and configures notifications for Security Hub findings. Note that enabling Security Hub also turns on the CIS AWS Foundations Benchmark standard by default, so findings from both standards will be generated. This package includes:

  • Enabling AWS Security Hub (AWS::SecurityHub::Hub) and subscribing the account to the PCI DSS v3.2.1 standard through a Lambda-backed custom resource, which also unsubscribes the standard when the stack is deleted
  • AWS Config, which is required for the Security Hub standards (CIS AWS Foundations and PCI DSS) to evaluate resources. This package does not enable Config itself; it presumes Config is already recording in the account (see Configuration Presets)
  • Findings notifications: a CloudWatch Events (EventBridge) rule that matches Security Hub findings and publishes them to an SNS topic with an email subscription (make sure to update the email address from email@example.com)

Configure & Deploy

Configuration Presets

  • Presumes that AWS Config is already enabled in the AWS account
  • Creates an SNS Topic as the destination for Security Hub notifications. Default email address is email@example.com; the subscription must be confirmed from that mailbox before any notification is delivered
  • Creates a CloudWatch Event Rule which forwards every imported Security Hub finding, including updates to existing findings, to the SNS topic; expect a high email volume until the event pattern is narrowed to the findings you care about
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Enables AWS Security Hub with the PCI DSS v3.2.1 standard and forwards Security Hub findings to an SNS topic.'
Resources:
  SecurityHub:
    Type: 'AWS::SecurityHub::Hub'
    Properties: {}
  SecurityHubStandards:
    Type: 'Custom::SecurityHubStandards'
    Properties:
      ServiceToken:
        'Fn::GetAtt':
          - SecurityHubStandardsResourceLambda
          - Arn
    DependsOn: SecurityHub
  SecurityHubStandardsResourceLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: securityhub-standards-access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'securityhub:GetEnabledStandards'
                  - 'securityhub:BatchDisableStandards'
                  - 'securityhub:BatchEnableStandards'
                Resource: '*'
  SecurityHubStandardsResourceLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Description: Custom resource that enables the PCI DSS v3.2.1 standard on Create/Update and disables it on Delete
      Code:
        ZipFile: |
          'use strict';
          // The nodejs18.x runtime bundles AWS SDK for JavaScript v3; the v2
          // 'aws-sdk' package used by older nodejs12.x templates is not available.
          const {
            SecurityHubClient,
            BatchEnableStandardsCommand,
            BatchDisableStandardsCommand,
          } = require('@aws-sdk/client-securityhub');
          // cfn-response is injected by CloudFormation for inline (ZipFile) code only.
          const response = require('./cfn-response');
          const securityhub = new SecurityHubClient({});

          // Callback-style handler: cfn-response finishes the invocation via
          // context.done() once the signed S3 callback has been delivered.
          exports.handler = (event, context) => {
            const region = process.env.AWS_REGION;
            const accountId = context.invokedFunctionArn.split(':')[4];
            // Keep the physical ID stable across updates so CloudFormation never
            // issues a Delete for a "replaced" resource.
            const physicalId = 'CustomResourcePhysicalID';
            console.log('Invoke:', JSON.stringify(event));

            const done = (err, data) => {
              if (err) {
                console.log('Error: ', err);
                response.send(event, context, response.FAILED, {}, physicalId);
              } else {
                console.log('Data: ', JSON.stringify(data));
                response.send(event, context, response.SUCCESS, {}, physicalId);
              }
            };

            let command;
            if (event.RequestType === 'Create' || event.RequestType === 'Update') {
              command = new BatchEnableStandardsCommand({
                StandardsSubscriptionRequests: [
                  { StandardsArn: `arn:aws:securityhub:${region}::standards/pci-dss/v/3.2.1` },
                ],
              });
            } else if (event.RequestType === 'Delete') {
              command = new BatchDisableStandardsCommand({
                StandardsSubscriptionArns: [
                  `arn:aws:securityhub:${region}:${accountId}:subscription/pci-dss/v/3.2.1`,
                ],
              });
            } else {
              // Always answer CloudFormation. An unanswered custom resource leaves
              // the stack waiting until the one-hour custom resource timeout.
              done(new Error(`unsupported RequestType: ${event.RequestType}`));
              return;
            }
            securityhub.send(command).then((data) => done(null, data), done);
          };
      Handler: index.handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - SecurityHubStandardsResourceLambdaRole
          - Arn
      Runtime: nodejs18.x
      Timeout: 120
  SnsTopic1:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: sns-topic
  CwEvent1:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-securityhub-finding
      Description: >-
        A CloudWatch Event Rule that triggers on AWS Security Hub findings. The
        Event Rule can be used to trigger notifications or remediative actions
        using AWS Lambda.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic1
          Id: target-id1
      EventPattern:
        detail-type:
          - Security Hub Findings - Imported
        source:
          - aws.securityhub
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic1
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic1
      Topics:
        - Ref: SnsTopic1
Parameters: {}
Metadata: {}
Conditions: {}
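The CwEvent1 rule above forwards every "Security Hub Findings - Imported" event, which means every new and every updated finding from every enabled standard lands in the mailbox. The rule below is an added example (it is not part of the configuration package) of a narrower EventBridge rule that only forwards PCI DSS control failures of HIGH or CRITICAL severity that are new and still active, and trims the email body to the fields a responder needs. It reuses the SnsTopic1 and SnsTopicPolicy resources from the template and assumes that PCI DSS control findings carry a GeneratorId beginning with pci-dss/v/3.2.1/; verify that prefix against a real finding in your account before relying on it.

```yaml
# Added example: drop-in replacement for CwEvent1 in the template above.
# SnsTopic1 and SnsTopicPolicy are unchanged.
PciDssFailedFindingsRule:
  Type: 'AWS::Events::Rule'
  Properties:
    Name: detect-pci-dss-failed-finding
    Description: >-
      Forwards new, active, HIGH/CRITICAL PCI DSS v3.2.1 control failures
      from Security Hub to SNS.
    State: ENABLED
    EventPattern:
      source:
        - aws.securityhub
      detail-type:
        - Security Hub Findings - Imported
      detail:
        findings:
          # Assumption: standards findings use GeneratorId values of the form
          # pci-dss/v/3.2.1/PCI.<Service>.<n>; the prefix match selects only PCI DSS.
          GeneratorId:
            - prefix: pci-dss/v/3.2.1/
          # ASFF compliance result of the control check.
          Compliance:
            Status:
              - FAILED
          Severity:
            Label:
              - HIGH
              - CRITICAL
          # Only findings nobody has triaged yet.
          Workflow:
            Status:
              - NEW
          # Skip ARCHIVED findings for deleted resources.
          RecordState:
            - ACTIVE
    Targets:
      - Arn:
          Ref: SnsTopic1
        Id: pci-dss-sns
        # Replace the full ASFF payload with a one-line summary.
        InputTransformer:
          InputPathsMap:
            title: $.detail.findings[0].Title
            account: $.detail.findings[0].AwsAccountId
            region: $.detail.findings[0].Region
            severity: $.detail.findings[0].Severity.Label
            resource: $.detail.findings[0].Resources[0].Id
          InputTemplate: '"PCI DSS control failed: <title> | severity <severity> | account <account> | region <region> | resource <resource>"'
```

Two caveats apply to this pattern. Security Hub can batch several findings into one event under detail.findings, and EventBridge evaluates each array condition independently, so an event is matched when some finding satisfies each condition, not necessarily the same finding; the InputTransformer also only reads the first finding in the batch. If you need per-finding precision, point the rule at a Lambda target that iterates over detail.findings and applies the same checks before publishing to SNS.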