From f06ecefd1124263370a363337848dd334f0a9820 Mon Sep 17 00:00:00 2001 From: Heinz Haas Date: Thu, 19 Dec 2024 14:02:25 +0100 Subject: [PATCH 1/2] Enable possibility to configure inspector ec2 scan mode --- CHANGELOG.md | 10 +++++- .../manifest.yaml | 2 ++ .../easy_setup/templates/sra-easy-setup.yaml | 9 ++++++ .../inspector/inspector_org/README.md | 2 +- .../manifest.yaml | 2 ++ .../sra-inspector-org-main-ssm.json | 4 +++ .../inspector/inspector_org/lambda/src/app.py | 7 ++++ .../inspector_org/lambda/src/inspector.py | 32 +++++++++++++++++++ .../sra-inspector-org-configuration.yaml | 12 ++++++- .../templates/sra-inspector-org-main-ssm.yaml | 9 ++++++ 10 files changed, 86 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93e73d574..8edb6c5d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Table of Contents - [Introduction](#introduction) +- [2024-12-18](#2024-12-18) - [2024-09-18](#2024-09-18) - [2024-08-22](#2024-08-22) - [2024-07-17](#2024-07-17) @@ -57,6 +58,13 @@ All notable changes to this project will be documented in this file. --- + +## 2024-12-18 + +### Added + +- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to configure ec2 scan mode + ## 2024-09-18 ### Added 
@@ -169,7 +177,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference ### Changed - Added GuardDuty EKS, Malware, RDS, and Lambda protections [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) -- Added fix to support deploying to more than 50 accounts. https://github.com/aws-samples/aws-security-reference-architecture-examples/issues/139. UpdateMemberDetectors and CreateMembers parameters accountIds and accountDetails support a max number +- Added fix to support deploying to more than 50 accounts. . UpdateMemberDetectors and CreateMembers parameters accountIds and accountDetails support a max number of 50 items ## 2023-05-12 diff --git a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml index 9318afddc..dfa96c992 100644 --- a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml @@ -207,6 +207,8 @@ resources: parameter_value: "EC2, ECR, LAMBDA, LAMBDA_CODE" - parameter_key: pEcrRescanDuration parameter_value: "LIFETIME" + - parameter_key: pEcrRescanDuration + parameter_value: "EC2_SSM_AGENT_BASED" # Macie Solution - parameter_key: pDisableMacie diff --git a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml index 103be4851..b728c2a69 100644 --- a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml +++ b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml @@ -257,6 +257,7 @@ Metadata: Parameters: - pScanComponents - pEcrRescanDuration + - pEc2ScanMode - Label: default: Patch Manager Solution 
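Review bot: The two lines added in the easy_setup customizations manifest.yaml hunk use the wrong parameter key: they add a second `- parameter_key: pEcrRescanDuration` with `parameter_value: "EC2_SSM_AGENT_BASED"` instead of the `pEc2ScanMode` key that the inspector_org manifest and sra-easy-setup.yaml introduce in the same PR. As written the stack would receive a duplicate pEcrRescanDuration entry whose value is outside that parameter's AllowedValues, and pEc2ScanMode would silently keep its template default, so the new setting is never configurable from this manifest. Change the key to `- parameter_key: pEc2ScanMode` and leave the value as is.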
@@ -332,6 +333,8 @@ Metadata: default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE) pEcrRescanDuration: default: ECR Rescan Duration + pEc2ScanMode: + default: EC2 Scan Mode pDeployInspectorSolution: default: Deploy the Inspector Solution @@ -798,6 +801,11 @@ Parameters: Default: LIFETIME Description: ECR Rescan Duration Type: String + pEc2ScanMode: + AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID] + Default: EC2_SSM_AGENT_BASED + Description: EC2 Scan Mode + Type: String pDeployInspectorSolution: AllowedValues: ["Yes", "No"] Default: "No" @@ -2941,6 +2949,7 @@ Resources: - "," - !Ref pScanComponents pEcrRescanDuration: !Ref pEcrRescanDuration + pEc2ScanMode: !Ref pEc2ScanMode pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel diff --git a/aws_sra_examples/solutions/inspector/inspector_org/README.md b/aws_sra_examples/solutions/inspector/inspector_org/README.md index 53cc571b1..2f7c00ed3 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/README.md +++ b/aws_sra_examples/solutions/inspector/inspector_org/README.md 
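Review bot: The new `pEc2ScanMode` parameter in the `@@ -798` hunk carries only `Description: EC2 Scan Mode`, which gives an operator nothing to decide between the two AllowedValues; the same one-line description is repeated in sra-inspector-org-configuration.yaml and sra-inspector-org-main-ssm.yaml below. Per the Inspector documentation, EC2_SSM_AGENT_BASED scans only SSM-managed instances, whereas EC2_HYBRID additionally uses agentless, snapshot-based scanning for instances without a working SSM agent, which widens coverage but changes the permission and cost profile — confirm the wording against the current docs before copying it. Something like `Description: EC2 scan mode - EC2_SSM_AGENT_BASED (agent-based scanning only) or EC2_HYBRID (agent-based plus agentless scanning of instances without the SSM agent)` would make the choice self-explanatory in all three templates.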
@@ -91,7 +91,7 @@ The Inspector Organization solution will automate enabling Amazon Inspector by d - The python boto3 SDK lambda layer to enable capability for lambda to enable all elements of the inspector service. - This is downloaded during the deployment process and packaged into a layer that is used by the lambda function in this solution. -- The inspector API available in the current lambda environment (as of 01/19/2023) is boto3-1.20.32, however, enhanced functionality of the inspector API used in this solution requires at least 1.26.18 (see references below). +- The inspector API available in the current lambda environment (as of 01/19/2023) is boto3-1.20.32, however, enhanced functionality of the inspector API used in this solution requires at least 1.35.83 (see references below). - Note: Future revisions to this solution will remove this layer when boto3 is updated within the lambda environment. --- diff --git a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml index dee25919c..1ccaaf79a 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml @@ -33,6 +33,8 @@ resources: parameter_value: EC2, ECR, LAMBDA, LAMBDA_CODE - parameter_key: pEcrRescanDuration parameter_value: 'LIFETIME' + - parameter_key: pEc2ScanMode + parameter_value: 'EC2_SSM_AGENT_BASED' deploy_method: stack_set deployment_targets: accounts: diff --git a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json index 120034dde..37433065f 100644 
--- a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json +++ b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json @@ -42,6 +42,10 @@ { "ParameterKey": "pEcrRescanDuration", "ParameterValue": "LIFETIME" + }, + { + "ParameterKey": "pEc2ScanMode", + "ParameterValue": "EC2_SSM_AGENT_BASED" } ] \ No newline at end of file diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py index d12107af6..9035cfa19 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py +++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py @@ -184,6 +184,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict: ) ) params.update(parameter_pattern_validator("ECR_SCAN_DURATION", os.environ.get("ECR_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_30|DAYS_180){1}$")) + params.update(parameter_pattern_validator("EC2_SCAN_MODE", os.environ.get("EC2_SCAN_MODE"), pattern=r"^(EC2_SSM_AGENT_BASED|EC2_HYBRID){1}$")) # Optional Parameters params.update( @@ -375,6 +376,7 @@ def setup_inspector_in_region( configuration_role_name: str, scan_components: list, ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"], + ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"], ) -> None: """Regional setup process of the inspector feature. @@ -386,6 +388,7 @@ def setup_inspector_in_region( configuration_role_name: name of the configuration role scan_components: list of components to scan ecr_scan_duration: ecr scan duration + ec2_scan_mode: ec2 scan mode """ scan_component_dict: AutoEnableTypeDef = {"ec2": False, "ecr": False, "lambda": False, "lambdaCode": False} for scan_component in scan_components: 
@@ -414,6 +417,9 @@ def setup_inspector_in_region( LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}") inspector.set_ecr_scan_duration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration) + LOGGER.info(f"setup_inspector_in_region: EC2_SCAN_MODE - {ec2_scan_mode}") + inspector.set_ec2_scan_mode(region, configuration_role_name, delegated_admin_account, ec2_scan_mode) + inspector.associate_inspector_member_accounts(configuration_role_name, delegated_admin_account, accounts, region) inspector.enable_inspector2_in_member_accounts(region, configuration_role_name, delegated_admin_account, scan_components, accounts) @@ -540,6 +546,7 @@ def process_event_sns(event: dict) -> None: params["CONFIGURATION_ROLE_NAME"], scan_components, params["ECR_SCAN_DURATION"], + params["EC2_SCAN_MODE"], ) diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py index 3bd16520c..781b176a8 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py +++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py 
@@ -452,6 +452,38 @@ def set_ecr_scan_duration( return +def set_ec2_scan_mode( + region: str, configuration_role_name: str, delegated_admin_account_id: str, ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"] +) -> None: + """Set the EC2 scan mode in the delegated administrator account. + + Args: + configuration_role_name: configuration role name + delegated_admin_account_id: delegated admin account id + ec2_scan_mode: ec2 scan mode + region: AWS region + + Returns: + dict: API response + """ + delegated_admin_session = common.assume_role(configuration_role_name, "sra-enable-inspector", delegated_admin_account_id) + LOGGER.info( + f"creating delegated admin session with ({configuration_role_name}) in account ({delegated_admin_account_id}) to set ec2 scan mode" + ) + inspector_delegated_admin_region_client: Inspector2Client = delegated_admin_session.client("inspector2", region) + LOGGER.info(f"Setting EC2 scan mode in delegated admin account to {ec2_scan_mode} in {region}") + LOGGER.info(f"delegated admin client region: {inspector_delegated_admin_region_client.meta.region_name}") + LOGGER.info(f"Region: {delegated_admin_session.region_name}") + sts_client = delegated_admin_session.client("sts", region_name=region) + LOGGER.info(f"caller identity: {sts_client.get_caller_identity()}") + configuration_response: dict = inspector_delegated_admin_region_client.update_configuration( + ec2Configuration={"scanMode": ec2_scan_mode} + ) + api_call_details = {"API_Call": "inspector:UpdateConfiguration", "API_Response": configuration_response} + LOGGER.info(api_call_details) + return + + def disable_inspector2_in_mgmt_and_delegated_admin( regions: list, configuration_role_name: str, mgmt_account_id: str, delegated_admin_account_id: str, scan_components: list ) -> None: 
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml index e6bd65335..00718f35a 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml +++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml @@ -36,6 +36,7 @@ Metadata: - pEnabledRegions - pScanComponents - pEcrRescanDuration + - pEc2ScanMode - Label: default: General Lambda Function Properties @@ -91,6 +92,8 @@ Metadata: default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE) pEcrRescanDuration: default: ECR Rescan Duration + pEc2ScanMode: + default: EC2 Scan Mode Parameters: pComplianceFrequency: @@ -204,6 +207,11 @@ Parameters: Default: LIFETIME Description: ECR Rescan Duration Type: String + pEc2ScanMode: + AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID] + Default: EC2_SSM_AGENT_BASED + Description: EC2 Scan Mode + Type: String Conditions: cComplianceFrequencySingleDay: !Equals [!Ref pComplianceFrequency, 1] @@ -472,6 +480,7 @@ Resources: - ',' - !Ref pScanComponents ECR_SCAN_DURATION: !Ref pEcrRescanDuration + EC2_SCAN_MODE: !Ref pEc2ScanMode Tags: - Key: sra-solution Value: !Ref pSRASolutionName @@ -482,7 +491,7 @@ Resources: Content: S3Bucket: !Ref pSRAStagingS3BucketName S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip - Description: Boto3 version 1.26.24 layer to enable newer API of inspector2 + Description: Boto3 version 1.35.83 layer to enable newer API of inspector2 LayerName: !Sub ${pInspectorOrgLambdaFunctionName}-updated-boto3-layer rInspectorOrgLambdaCustomResource: @@ -498,6 +507,7 @@ Resources: - ',' - !Ref pScanComponents ECR_SCAN_DURATION: !Ref pEcrRescanDuration + EC2_SCAN_MODE: !Ref pEc2ScanMode rInspectorOrgTopic: Type: AWS::SNS::Topic 
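Review bot: The `@@ -482` hunk changes only the layer's `Description: Boto3 version 1.35.83 layer to enable newer API of inspector2`, but nothing in this diff touches whatever builds `${pSRASolutionName}-layer.zip`, so it is not visible here that the packaged boto3 actually moves to 1.35.83 (the README hunk raises the stated minimum to that version). If the staged layer is still the older build, the `update_configuration(ec2Configuration=...)` call added in inspector.py would be rejected client-side by botocore parameter validation before any request is made — confirm the layer build pins the new version in the same change. The remaining hunks look consistent: `EC2_SCAN_MODE: !Ref pEc2ScanMode` is wired into both the function environment and the custom resource properties.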
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml index edcb67625..bd89d8407 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml @@ -38,6 +38,7 @@ Metadata: - pEnabledRegions - pScanComponents - pEcrRescanDuration + - pEc2ScanMode - Label: default: General Lambda Function Properties @@ -92,6 +93,8 @@ Metadata: default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE) pEcrRescanDuration: default: ECR Rescan Duration + pEc2ScanMode: + default: EC2 Scan Mode Parameters: pStackSetAdminRole: @@ -211,6 +214,11 @@ Parameters: Default: LIFETIME Description: ECR Rescan Duration Type: String + pEc2ScanMode: + AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID] + Default: EC2_SSM_AGENT_BASED + Description: EC2 Scan Mode + Type: String Conditions: cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]] @@ -282,6 +290,7 @@ Resources: - ',' - !Ref pScanComponents pEcrRescanDuration: !Ref pEcrRescanDuration + pEc2ScanMode: !Ref pEc2ScanMode Tags: - Key: sra-solution Value: !Ref pSRASolutionName From 8be0b1ce43c1bb8ed23303325dfedbdb682b2c88 Mon Sep 17 00:00:00 2001 From: Heinz Haas Date: Thu, 19 Dec 2024 15:27:56 +0100 Subject: [PATCH 2/2] Combine both settings in one configuration function --- .../inspector/inspector_org/lambda/src/app.py | 4 +- .../inspector_org/lambda/src/inspector.py | 45 +++++-------------- 2 files changed, 11 insertions(+), 38 deletions(-) diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py index 9035cfa19..b79262063 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py 
+++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py @@ -415,10 +415,8 @@ def setup_inspector_in_region( inspector.set_auto_enable_inspector_in_org(region, configuration_role_name, delegated_admin_account, scan_component_dict) LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}") - inspector.set_ecr_scan_duration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration) - LOGGER.info(f"setup_inspector_in_region: EC2_SCAN_MODE - {ec2_scan_mode}") - inspector.set_ec2_scan_mode(region, configuration_role_name, delegated_admin_account, ec2_scan_mode) + inspector.set_inspector2_configuration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration, ec2_scan_mode) inspector.associate_inspector_member_accounts(configuration_role_name, delegated_admin_account, accounts, region) diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py index 781b176a8..912737574 100644 --- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py +++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py 
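Review bot: After the two calls are merged into `inspector.set_inspector2_configuration(...)`, the surviving line `LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}")` reports only the ECR value, while the EC2_SCAN_MODE log line from patch 1 is dropped together with its call, so the configured scan mode is no longer visible at this level. Suggest `LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}, EC2_SCAN_MODE - {ec2_scan_mode}")` in its place. setup_inspector_in_region begins and ends outside the hunk.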
@@ -420,15 +420,20 @@ def enable_inspector2_in_member_accounts( enable_inspector2(inspector_delegated_admin_region_client, account["AccountId"], region, scan_components) -def set_ecr_scan_duration( - region: str, configuration_role_name: str, delegated_admin_account_id: str, ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"] +def set_inspector2_configuration( + region: str, + configuration_role_name: str, + delegated_admin_account_id: str, + ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"], + ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"] ) -> None: - """Set the ECR scan duration in the delegated administrator account. + """Set the ECR scan duration and EC2 scan mode in the delegated administrator account. Args: configuration_role_name: configuration role name delegated_admin_account_id: delegated admin account id ecr_scan_duration: ecr scan duration + ec2_scan_mode: ec2 scan mode region: AWS region Returns: 
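Review bot: The renamed `set_inspector2_configuration` is annotated `-> None` but its docstring still ends in a `Returns:` section; the section's text lies just past the hunk, and the deleted `set_ec2_scan_mode` it was modelled on reads `dict: API response`, so presumably the mismatch survives — either drop the section or reword it to say the function returns nothing and logs the API response. Also, the last parameter line `ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"]` is missing the trailing comma used in the exploded-signature style, so the next parameter addition will show up as a two-line diff. The function body continues outside the hunk.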
@@ -440,44 +445,14 @@ def set_ecr_scan_duration( ) inspector_delegated_admin_region_client: Inspector2Client = delegated_admin_session.client("inspector2", region) LOGGER.info(f"Setting ECR scan duration in delegated admin account to {ecr_scan_duration} in {region}") - LOGGER.info(f"delegated admin client region: {inspector_delegated_admin_region_client.meta.region_name}") - LOGGER.info(f"Region: {delegated_admin_session.region_name}") - sts_client = delegated_admin_session.client("sts", region_name=region) - LOGGER.info(f"caller identity: {sts_client.get_caller_identity()}") - configuration_response: dict = inspector_delegated_admin_region_client.update_configuration( - ecrConfiguration={"rescanDuration": ecr_scan_duration} - ) - api_call_details = {"API_Call": "inspector:UpdateConfiguration", "API_Response": configuration_response} - LOGGER.info(api_call_details) - return - - -def set_ec2_scan_mode( - region: str, configuration_role_name: str, delegated_admin_account_id: str, ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"] -) -> None: - """Set the EC2 scan mode in the delegated administrator account. 
- - Args: - configuration_role_name: configuration role name - delegated_admin_account_id: delegated admin account id - ec2_scan_mode: ec2 scan mode - region: AWS region - - Returns: - dict: API response - """ - delegated_admin_session = common.assume_role(configuration_role_name, "sra-enable-inspector", delegated_admin_account_id) - LOGGER.info( - f"creating delegated admin session with ({configuration_role_name}) in account ({delegated_admin_account_id}) to set ec2 scan mode" - ) - inspector_delegated_admin_region_client: Inspector2Client = delegated_admin_session.client("inspector2", region) LOGGER.info(f"Setting EC2 scan mode in delegated admin account to {ec2_scan_mode} in {region}") LOGGER.info(f"delegated admin client region: {inspector_delegated_admin_region_client.meta.region_name}") LOGGER.info(f"Region: {delegated_admin_session.region_name}") sts_client = delegated_admin_session.client("sts", region_name=region) LOGGER.info(f"caller identity: {sts_client.get_caller_identity()}") configuration_response: dict = inspector_delegated_admin_region_client.update_configuration( - ec2Configuration={"scanMode": ec2_scan_mode} + ec2Configuration={"scanMode": ec2_scan_mode}, + ecrConfiguration={"rescanDuration": ecr_scan_duration} ) api_call_details = {"API_Call": "inspector:UpdateConfiguration", "API_Response": configuration_response} LOGGER.info(api_call_details)
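Review bot: Folding both settings into one `update_configuration(ec2Configuration=..., ecrConfiguration=...)` call means a failure on either side now leaves both unset, whereas before the ECR rescan duration was applied by its own request; in particular, if the packaged boto3 layer predates the `ec2Configuration` parameter, botocore rejects the whole request client-side and the ECR setting regresses for existing deployments — worth confirming the layer version this stack ships. Add a trailing comma after `ecrConfiguration={"rescanDuration": ecr_scan_duration}` to match the other multi-line calls in the file. The `sts_client.get_caller_identity()` line carried over from the old function is an extra STS call per region that serves only the info log; consider dropping it now that the function is being consolidated. The top of the function is outside this hunk.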