After running the script I found a lot of Critical findings in status "Warning".
Attempting to view the rule related to the finding in the console took me to an empty rule definition page and/or errors in Config. Further investigation shows the rules don't even exist in Config.
I suspect this is because the script does not wait for Config to be enabled before enabling Security Hub. So SH thinks it has created the rule for the finding but the rule does not exist.
The only way to fix this is to disable/enable the standards.
e.g.:
```
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-cloud-trail-encryption-enabled-b61f8eaf",
    "securityhub-codebuild-project-source-repo-url-check-bc429527",
    "securityhub-dms-replication-not-public-fd0e6f54",
    "securityhub-efs-encrypted-check-e5244c06",
    "securityhub-vpc-default-security-group-closed-2a891050",
    "securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "READY"
        }
    ]
}
```
AWS foundation should have a lot more rules than that!
So, let's disable and wait for it ....
```
MaAl00350:~ max $ aws securityhub batch-disable-standards --standards-subscription-arns "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0"
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "DELETING"
        }
    ]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": []
}
```
Wait a few minutes and then another minute :
```
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-vpc-default-security-group-closed-2a891050",
    "securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[]
```
Finally all the rules are gone. Re-enable the standard :
```
MaAl00350:~ max $ aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "PENDING"
        }
    ]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsStatus": "READY"
        }
    ]
}
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
    "securityhub-access-keys-rotated-4338bdd1",
    "securityhub-acm-certificate-expiration-check-a9c4abea",
    "securityhub-alb-http-to-https-redirection-check-48339d98",
    "securityhub-autoscaling-group-elb-healthcheck-required-a8d0729f",
    "securityhub-cloud-trail-encryption-enabled-348ac493",
    "securityhub-codebuild-project-envvar-awscred-check-bd1bccda",
    "securityhub-codebuild-project-source-repo-url-check-55df4d3f",
    "securityhub-dms-replication-not-public-9aba3179",
    "securityhub-ebs-snapshot-public-restorable-check-6169ceb8",
    "securityhub-ec2-instance-managed-by-ssm-599c6972",
    "securityhub-ec2-managedinstance-association-compliance-status-check-b69a86ef",
    "securityhub-ec2-managedinstance-patch-compliance-00bf694d",
    "securityhub-ec2-stopped-instance-38153549",
    "securityhub-efs-encrypted-check-82f1aaa9",
    "securityhub-elasticsearch-encrypted-at-rest-58658303",
    "securityhub-encrypted-volumes-fc3a8ba4",
    "securityhub-guardduty-enabled-centralized-b514c146",
    "securityhub-iam-password-policy-recommended-defaults-64365480",
    "securityhub-iam-policy-no-statements-with-admin-access-bce4701f",
    "securityhub-iam-root-access-key-check-a7c95be2",
    "securityhub-iam-user-no-policies-check-34076ae3",
    "securityhub-lambda-function-public-access-prohibited-ad1f8609",
    "securityhub-lambda-function-settings-check-a569e4c9",
    "securityhub-mfa-enabled-for-iam-console-access-e80a849c",
    "securityhub-multi-region-cloud-trail-enabled-049fa6e6",
    "securityhub-rds-instance-public-access-check-1c0f0f3e",
    "securityhub-rds-snapshots-public-prohibited-6c85734e",
    "securityhub-rds-storage-encrypted-ccdb6b6e",
    "securityhub-root-account-hardware-mfa-enabled-7751db16",
    "securityhub-s3-account-level-public-access-blocks-c9fe23a1",
    "securityhub-s3-bucket-public-read-prohibited-66251a8f",
    "securityhub-s3-bucket-public-write-prohibited-71d10c81",
    "securityhub-s3-bucket-server-side-encryption-enabled-93f8c50f",
    "securityhub-s3-bucket-ssl-requests-only-0feab26a",
    "securityhub-sagemaker-notebook-no-direct-internet-access-21638603",
    "securityhub-vpc-default-security-group-closed-10798b7d",
    "securityhub-vpc-flow-logs-enabled-ff14d6e9"
]
```
If you don't do this, some of your findings will be forever in the broken state and you will never get a pass/fail.
I think the script needs to handle enabling config better by waiting for it.
Perhaps at the end of `check_config` a loop checking `config.describe_configuration_recorder_status()['ConfigurationRecordersStatus'][0]['recording']` before exiting the function.
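A worked version of both fixes discussed in this issue, added here as an example (it is not the issue author's script and not the project's own code): the recorder wait proposed for the end of `check_config`, and the disable / wait / re-enable cycle from the transcript above, driven by the same boto3 calls the CLI session uses. The clients are passed in as parameters, so the logic runs offline against the constructed `SimulatedAccount` below; `main()` shows the real wiring with `boto3.client`. Two things it does beyond the transcript: every wait has a timeout so the script cannot hang if Config never starts recording, and the recorder check uses `any()` over the status list, which also covers the moment when no recorder exists yet (the `[0]` index in the suggestion above would raise `IndexError` there). It assumes, as in the issue, that the foundational standard is the only enabled standard, so "no `securityhub-*` rules left" means the stale rules are fully gone.

```python
# Added example; not the issue author's script and not the project's own code.
# Assumes boto3-style clients (config + securityhub) are passed in, so the
# logic can be exercised offline with the constructed SimulatedAccount below.
import time

# Standard and subscription ARNs as they appear in the transcript.
STANDARD = "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"
SUB_ARN = STANDARD.replace("::standards/", ":034563818582:subscription/")

def wait_until(predicate, timeout=600, interval=15, sleep=time.sleep, clock=time.monotonic):
    """Poll predicate() until True and return the number of polls it took.
    Raises TimeoutError rather than looping forever if the condition never holds."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if predicate():
            return polls
        if clock() >= deadline:
            raise TimeoutError("condition not met within %s seconds" % timeout)
        sleep(interval)

def recorder_is_recording(config):
    """The check proposed for the end of check_config; any() tolerates an empty list."""
    status = config.describe_configuration_recorder_status()
    return any(r.get("recording") for r in status.get("ConfigurationRecordersStatus", []))

def wait_for_config_recording(config, **wait_kw):
    return wait_until(lambda: recorder_is_recording(config), **wait_kw)

def securityhub_rule_names(config):
    """Config rule names with the securityhub- prefix, following NextToken."""
    names, token = [], None
    while True:
        page = config.describe_config_rules(**({"NextToken": token} if token else {}))
        names += [r["ConfigRuleName"] for r in page["ConfigRules"]
                  if r["ConfigRuleName"].startswith("securityhub-")]
        token = page.get("NextToken")
        if not token:
            return names

def subscription(securityhub, standards_arn):
    subs = securityhub.get_enabled_standards()["StandardsSubscriptions"]
    return next((s for s in subs if s["StandardsArn"] == standards_arn), None)

def reset_standard(securityhub, config, standards_arn, **wait_kw):
    """Disable, wait for the subscription and its rules to vanish, re-enable, wait for READY.
    Assumes this is the only enabled standard, so no securityhub-* rules may remain."""
    sub = subscription(securityhub, standards_arn)
    if sub is not None:
        securityhub.batch_disable_standards(StandardsSubscriptionArns=[sub["StandardsSubscriptionArn"]])
        wait_until(lambda: subscription(securityhub, standards_arn) is None, **wait_kw)
        wait_until(lambda: not securityhub_rule_names(config), **wait_kw)
    securityhub.batch_enable_standards(StandardsSubscriptionRequests=[{"StandardsArn": standards_arn}])
    wait_until(lambda: (subscription(securityhub, standards_arn) or {}).get("StandardsStatus") == "READY",
               **wait_kw)
    return securityhub_rule_names(config)

class SimulatedAccount:
    """Constructed stand-in for both clients. Each poll advances one step: the
    recorder records from step 3; after a disable the subscription is gone 2 steps
    later and its rules 4 steps later; after an enable it is READY 2 steps later."""
    STALE = ["securityhub-vpc-flow-logs-enabled-3042d788"]  # partial set, as in the issue
    FULL = ["securityhub-iam-root-access-key-check-a7c95be2",
            "securityhub-vpc-flow-logs-enabled-ff14d6e9"]  # two names from the transcript

    def __init__(self):
        self.step = self.event_step = 0
        self.state, self.rules = "ready", list(self.STALE)
        self.sub = {"StandardsSubscriptionArn": SUB_ARN, "StandardsArn": STANDARD,
                    "StandardsInput": {}, "StandardsStatus": "READY"}

    def _advance(self):
        self.step += 1
        age = self.step - self.event_step
        if self.state == "deleting" and age >= 2:
            self.sub, self.state = None, "deleted"
        elif self.state == "deleted" and age >= 4:
            self.rules = []
        elif self.state == "pending" and age >= 2:
            self.sub["StandardsStatus"], self.rules, self.state = "READY", list(self.FULL), "ready"

    def describe_configuration_recorder_status(self):
        self._advance()
        return {"ConfigurationRecordersStatus": [{"name": "default", "recording": self.step >= 3}]}

    def describe_config_rules(self, **_):
        self._advance()
        return {"ConfigRules": [{"ConfigRuleName": n} for n in self.rules]}

    def get_enabled_standards(self):
        self._advance()
        return {"StandardsSubscriptions": [self.sub] if self.sub else []}

    def batch_disable_standards(self, StandardsSubscriptionArns):
        self.sub["StandardsStatus"], self.state, self.event_step = "DELETING", "deleting", self.step

    def batch_enable_standards(self, StandardsSubscriptionRequests):
        self.sub = {"StandardsSubscriptionArn": SUB_ARN, "StandardsArn": STANDARD,
                    "StandardsInput": {}, "StandardsStatus": "PENDING"}
        self.state, self.event_step = "pending", self.step

if __name__ == "__main__":
    import boto3  # real-account wiring; everything above runs without it
    config, securityhub = boto3.client("config"), boto3.client("securityhub")
    wait_for_config_recording(config)
    print("\n".join(reset_standard(securityhub, config, STANDARD)))
```

In a real account the defaults (15 s polls, 10 minute timeout) match the "wait a few minutes and then another minute" pacing in the transcript; the simulated run passes `interval=0` and a no-op `sleep` so it finishes instantly.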