https://github.com/conijnio/aws-security-posture
Keep a historic overview of your compliance scores per workload
https://github.com/conijnio/aws-security-posture
compliance security
Last synced: 4 months ago
JSON representation
Keep a historic overview of your compliance scores per workload
- Host: GitHub
- URL: https://github.com/conijnio/aws-security-posture
- Owner: conijnio
- License: apache-2.0
- Created: 2023-10-02T12:58:33.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-12-18T10:33:42.000Z (over 1 year ago)
- Last Synced: 2024-12-18T11:36:53.628Z (over 1 year ago)
- Topics: compliance, security
- Language: Go
- Homepage: https://conijn.io
- Size: 1.31 MB
- Stars: 4
- Watchers: 0
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# AWS Security Posture - Solution
[AWS Security Posture](http://github.com/conijnio/aws-security-posture) collects security hub findings on a configurable interval, and extracts meaningful metrics. These metrics are stored in CloudWatch Metrics and can be visualized using CloudWatch DashBoards.

This solution was designed to be hosted in the account where you have your Security Hub aggregation configured. This way
you do not need to deploy it in every account individually. It also ensures that all accounts do get a security score.
When there are findings a score is being calculated.
You will be able to create dashboards like you see here. The sample above has been created using [`compliance-dashboard.yaml`](./compliance-dashboard.yaml).
It assumes that you will have 5 AWS accounts per workload: `build`, `development`, `test`, `acceptance` and `production`.
You can easily change this to your own setup.
## Implementation

1. Use the given filter to retrieve all findings, we are fetching 100 findings per invocation.
2. When there is a `NextToken` we need to collect the rest of the findings.
3. Check if the fetched findings need to be aggregated. (repeat this until we have all findings)
4. Split the findings per AWS Account ID.
5. In parallel, we will now:
1. Fetch the account name and extract the workload name and environment.
2. Calculate the score based on the findings.
6. Publish the results to CloudWatch metrics.
## Filters
The state machine accepts a filter, the format of this filter is the [SecurityHub filter](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFindingFilters.html)
itself. So to get all `CIS AWS Foundations benchmark` findings you can use the following filter:
```yaml
Bucket: !Ref FindingsBucket
Report: cis-aws-foundations-benchmark-v1.2.0
SubscriptionArn: !Sub arn:aws:securityhub:${AWS::Region}:${AWS::AccountId}:subscription/cis-aws-foundations-benchmark/v/1.2.0
Filter:
GeneratorId:
- Comparison: PREFIX
Value: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
RecordState:
- Comparison: EQUALS
Value: ACTIVE
WorkflowStatus:
- Comparison: EQUALS
Value: NEW
- Comparison: EQUALS
Value: NOTIFIED
```
By default, the following generators are used to generate the compliance scores:
- `arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0`
- `aws-foundational-security-best-practices/v/1.0.0`
### Using conformance packs
You can also generate compliance scores based on a conformance pack. You need to supply the conformance pack name.
And you need to use a common prefix in all of your config rules.
```yaml
Bucket: !Ref FindingsBucket
Report: lz-standard
ConformancePack: !Ref ConformancePack
Filter:
Title:
- Comparison: PREFIX
Value: lz-
RecordState:
- Comparison: EQUALS
Value: ACTIVE
WorkflowStatus:
- Comparison: EQUALS
Value: NEW
- Comparison: EQUALS
Value: NOTIFIED
```
The name of the conformance pack is used to query all rules in the pack. SecurityHub will only display failed config rules.
We need to total number of controls to calculate the actual compliance score.
### Using custom rules
You can also generate compliance scores based on a custom rules. You need to supply the list of rules that are part of your report.
And you need to use a common prefix in all of your config rules.
```yaml
Bucket: !Ref FindingsBucket
Report: lz-standard
CustomRules:
- lz-my-rule-1
- lz-my-rule-2
- lz-my-rule-3
- lz-my-rule-4
Filter:
Title:
- Comparison: PREFIX
Value: lz-
RecordState:
- Comparison: EQUALS
Value: ACTIVE
WorkflowStatus:
- Comparison: EQUALS
Value: NEW
- Comparison: EQUALS
Value: NOTIFIED
```
The name of the conformance pack is used to query all rules in the pack. SecurityHub will only display failed config rules.
We need to total number of controls to calculate the actual compliance score.
## Getting started
This solution uses [SAM (AWS Serverless Application Model)](https://aws.amazon.com/serverless/sam/) to deploy the resources.
One of the reasons to choice SAM is that it comes with an easy way to build and package AWS Lambda functions.
You can use the supplied `buildspec.yml` to build the solution via [AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html) & [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/welcome.html). Afterward, you can deploy the solution using the generated `packaged-template.yaml` and `configuration.json` using [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the same pipeline.
Building and deploying the solution:
```shell
# Builds the solution
make build
# Deploys the solution
make deploy
```
## Running golang environment locally
You can run this project in a local container with the following command:
```shell
docker run --rm -it -v $(pwd):/go/aws-security-posture public.ecr.aws/docker/library/golang:latest
cd /go/aws-security-posture
```