Bug fixes25 02 15 (#121)

* gr02-issues-#16

* GR06-GR12-bug-fixes-conformance-force-update

* GR-03-06-07-12

* GR03

* 1.6 and 2

* reverting1.6-adding5.1

* cloudbrokerring role input update

* reverting cb lookup lambda code

* added empty file check

* gr07 permission

* updates

* fixes

* gr17

* 1.6-bugfixes and fine tuning

* 4.6-lookup fix

* 4.2-mngmt account fix

* confromence-force-update

* conformence update

* revert

* test for conformence update

* conformence pack fix validation

* indentation-client.py

* indentation

* indentation zip

* cloudshell

* cshell

* conformence dummy resource

* conformence pack deployment fix

* gr12 and compile report fixes

* zip shel cloud

* gr1.6-create role delete comments

* GR1.6 updates

* gr1.6

* create role

* 3.3 removal

* removed cloudshell.zip

---------

Co-authored-by: EC2 Default User <[email protected]>

arch/lza_extensions/customizations/GCGuardrailsRoles.yaml

@@ -53,7 +53,6 @@ Resources:
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_password_protection_mechanisms",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_privileged_roles_review",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_endpoint_access_config",
-                            "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_iam_cloudwatch_alarms",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_trusted_devices_admin_access",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc04_check_alerts_flag_misuse",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc04_check_enterprise_monitoring",

arch/templates/AuditAccountPreRequisitesPart4.yaml

@@ -269,24 +269,6 @@ Resources:
         Variables:
           DEFAULT_CLOUD_PROFILE: !Ref DefaultCloudProfile
 
-  GC03CheckIAMCloudWatchAlarmsLambda:
-    Condition: IsAuditAccount
-    Type: AWS::Lambda::Function
-    Properties:
-      FunctionName: !Sub "${OrganizationName}gc03_check_iam_cloudwatch_alarms"
-      Code: "../../src/lambda/gc03_check_iam_cloudwatch_alarms/build/GC03CheckIAMCloudWatchAlarmsLambda/"
-      Handler: app.lambda_handler
-      Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
-      Runtime: !Ref PythonRuntime
-      Timeout: 180
-      Layers:
-        - !Ref CloudGuardrailsCommonLayer
-      LoggingConfig:
-        LogGroup: !Sub "${OrganizationName}gc_guardrails"
-        LogFormat: "JSON"
-      Environment:
-        Variables:
-          DEFAULT_CLOUD_PROFILE: !Ref DefaultCloudProfile
 
   GC03CheckTrustedDevicesAdminAccessLambda:
     Condition: IsAuditAccount

arch/templates/ConformancePack.yaml

@@ -7,7 +7,7 @@ Parameters:
   # Common
   UpdateTriggerVersion:
     Type: String
-    Default: "v1"
+    Default: "v1.1"
   GCLambdaExecutionRoleName:
     Type: String
   GCLambdaExecutionRoleName2:
@@ -111,13 +111,14 @@ Parameters:
     Type: String
   S3EmergencyAccountAlertsRuleNamesPath:
     Type: String
+
 Resources:
   # GC01
   GC01CheckAttestationLetterConfigRule:
     Type: "AWS::Config::ConfigRule"
     Properties:
       ConfigRuleName: gc01_check_attestation_letter
-      Description: Checks S3 bucket for the attestation letter
+      Description: Checks S3 bucket for the attestation letter.
       InputParameters:
         s3ObjectPath:
           Fn::If:
@@ -690,38 +691,6 @@ Resources:
         SourceDetails:
           - EventSource: "aws.config"
             MessageType: "ScheduledNotification"
-  GC03CheckIAMCloudWatchAlarmsConfigRule:
-    Type: "AWS::Config::ConfigRule"
-    Properties:
-      ConfigRuleName: gc03_check_iam_cloudwatch_alarms
-      Description: Confirms if the ASEA CloudWatch Alarms for Unauthorized IPs and Sign-in without MFA are enabled
-      InputParameters:
-        ExecutionRoleName:
-          Fn::If:
-            - GCLambdaExecutionRoleName
-            - Ref: GCLambdaExecutionRoleName
-            - Ref: AWS::NoValue
-        AuditAccountID:
-          Fn::If:
-            - auditAccountID
-            - Ref: AuditAccountID
-            - Ref: AWS::NoValue
-        AlarmList: !Ref GC03AlarmList
-      Scope:
-        ComplianceResourceTypes:
-          - AWS::Account
-      MaximumExecutionFrequency: TwentyFour_Hours
-      Source:
-        Owner: CUSTOM_LAMBDA
-        SourceIdentifier:
-          Fn::Join:
-            - ""
-            - - "arn:aws:lambda:ca-central-1:"
-              - Ref: AuditAccountID
-              - !Sub ":function:${OrganizationName}gc03_check_iam_cloudwatch_alarms"
-        SourceDetails:
-          - EventSource: "aws.config"
-            MessageType: "ScheduledNotification"
   GC03CheckTrustedDevicesAdminAccessConfigRule:
     Type: "AWS::Config::ConfigRule"
     Properties:

arch/templates/config-aggregator.yaml

@@ -29,4 +29,4 @@ Resources:
                 - 'sts:AssumeRole'
         Tags:
           - Key: "Source"
-            Value: "ProServe Delivery Kit"
+            Value: "ProServe Delivery Kit"

arch/templates/main.yaml

@@ -302,6 +302,8 @@ Resources:
                     "organizations:ListTagsForResource",
                     "organizations:Describe*",
                     "organizations:List*",
+                    "iam:Simulate*",
+                    "iam:GetContextKeysForPrincipalPolicy",
                     "qldb:DescribeLedger",
                     "qldb:ListLedgers",
                     "rds:Describe*",
@@ -318,7 +320,20 @@ Resources:
                     "sns:List*",
                     "tag:GetResources",
                     "timestream:DescribeEndpoints",
-                    "timestream:List*"
+                    "timestream:List*",
+                    "iam:Simulate*",
+                    "timestream:DescribeEndpoints",
+                    "timestream:List*",
+                    "iam:GetContextKeysForPrincipalPolicy",
+                    "iam:SimulatePrincipalPolicy",
+                    "aws-marketplace:Li*",
+                    "aws-marketplace:D*",
+                    "s3:GetBucket*",
+                    "aws-marketplace:GetResourcePolicy",
+                    "aws-marketplace:ListTagsForResource",
+                    "identitystore:List*",
+                    "es:Describe*",
+                    "es:ListDomainNames"
                   ],
                   "Resource": [
                     "*"
@@ -393,6 +408,7 @@ Resources:
             "Statement": [{
               "Action": [
                 "acm:Describe*",
+                "iam:Simulate*",
                 "acm:Get*",
                 "acm:List*",
                 "apigateway:GET",
@@ -441,7 +457,16 @@ Resources:
                 "sns:ListTopics",
                 "tag:GetResources",
                 "timestream:DescribeEndpoints",
-                "timestream:List*"
+                "timestream:List*",
+                "iam:GetContextKeysForPrincipalPolicy",
+                "iam:SimulatePrincipalPolicy",
+                "aws-marketplace:Li*",
+                "aws-marketplace:D*",
+                "s3:GetBucket*",
+                "aws-marketplace:GetResourcePolicy",
+                "aws-marketplace:ListTagsForResource",
+                "identitystore:List*"
+
               ],
               "Resource": [
                 "*"
@@ -481,6 +506,9 @@ Resources:
               - "logs:CreateLogGroup"
               - "logs:CreateLogStream"
               - "logs:PutLogEvents"
+              - "es:Describe*"
+              - "identitystore:List*"
+
             Resource:
               - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${OrganizationName}gc*"
             Effect: Allow
@@ -490,6 +518,8 @@ Resources:
               - "organizations:RegisterDelegatedAdministrator"
               - "organizations:Describe*"
               - "organizations:List*"
+              - "iam:Simulate*"
+              - "iam:GetContextKeysForPrincipalPolicy"
             Resource: "*"
             Effect: Allow
       PolicyName: gc_setup_config_lambda_execution_role_policy
@@ -565,6 +595,8 @@ Resources:
               - "organizations:RegisterDelegatedAdministrator"
               - "organizations:Describe*"
               - "organizations:List*"
+              - "iam:Simulate*"
+              - "iam:GetContextKeysForPrincipalPolicy"
             Resource: "*"
             Effect: Allow
       PolicyName: !Sub "${OrganizationName}setup_auditmanager_lambda_execution_role_policy"
@@ -1160,7 +1192,8 @@ Resources:
           - Sid: AllowES
             Action:
               - "es:ListDomainNames"
-              - "es:DescribeElasticsearchDomains"
+              - "es:DescribeDomain"
+              - "es:DescribeElasticsearchDomain"
             Resource: "*"
             Effect: Allow
           - Sid: AllowReadTags
@@ -1346,6 +1379,7 @@ Resources:
               - "s3:ListAllMyBuckets"
               - "s3:ListBucket"
               - "s3:GetBucketPublicAccessBlock"
+              - "s3:GetBucketTagging"
               - "sso:ListInstances"
               - "identitystore:ListUsers"
               - "identitystore:ListGroups"
@@ -1473,7 +1507,7 @@ Resources:
         - !Ref GCLambdaExecutionRole
         - !Ref GCLambdaExecutionRole2
 
-  # ACM Access
+  # ACM Accessdescribe_domain
   GCLambdaExecutionRoleAcmPolicy:
     Condition: DeployRoles
     Type: AWS::IAM::Policy
@@ -1513,7 +1547,7 @@ Resources:
     Properties:
       ConformancePackInputParameters:
         - ParameterName: UpdateTriggerVersion
-          ParameterValue: "v3"
+          ParameterValue: !Ref InvokeUpdate
         - ParameterName: GCLambdaExecutionRoleName
           ParameterValue: !Sub "${AccelRolePrefix}GCLambdaExecutionRole"
         - ParameterName: GCLambdaExecutionRoleName2
@@ -1898,4 +1932,4 @@ Outputs:
         GenerateEvidenceBucketName,
         !GetAtt GenerateEvidenceBucketName.EvidenceBucketName,
         !Ref EvidenceBucketName,
-      ]
+      ]

doc/NOTES.md

@@ -129,7 +129,6 @@ Note: since both buckets are generated by the same lambda function, ensure to pr
         f"{organization_name}gc02_check_account_mgmt_plan": ["GC02CheckAccountManagementPlanLambda"],
         f"{organization_name}gc02_check_iam_password_policy": ["GC02CheckIAMPasswordPolicyLambda"],
         f"{organization_name}gc03_check_endpoint_access_config": ["GC03CheckEndpointAccessConfigLambda"],
-        f"{organization_name}gc03_check_iam_cloudwatch_alarms": ["GC03CheckIAMCloudWatchAlarmsLambda"],
         f"{organization_name}gc03_check_trusted_devices_admin_access": ["GC03CheckTrustedDevicesAdminAccessLambda"],
         f"{organization_name}gc04_check_enterprise_monitoring": ["GC04CheckEnterpriseMonitoringLambda"],
         f"{organization_name}gc05_check_data_location": ["GC05CheckDataLocationLambda"],
@@ -277,28 +276,6 @@ The following lambdas (starting with gc(n)\_ prefix) are used as part of AWS Con
 - Testing Status: SUCCESS ✅
   - Note: evaluation not recorded in AWS Config when there are no IAM users
 
-## gc03_check_iam_cloudwatch_alarms
-
-- Hardcoded values (defaults) 🔥
-
-  ```py
-  def check_cloudwatch_alarms(
-      alarm_names=[
-          "ASEA-AWS-IAM-Authentication-From-Unapproved-IP",
-          "ASEA-AWS-SSO-Authentication-From-Unapproved-IP",
-          "ASEA-AWS-Console-SignIn-Without-MFA",
-      ]
-  ):
-  ```
-
-- Linting info
-  - Score 9.15/10 💡
-  - Line Length >100 (mainly loggers)
-  - Unused arguments
-  - Global variables (from main handler method)
-- Check against the Management Account
-- Testing Status: SUCCESS ✅
-
 ## gc04_check_enterprise_monitoring
 
 - No hardcoding ✅

src/lambda/aws_auditmanager_resources_config_setup/audit_manager_custom_framework.py

@@ -337,27 +337,6 @@
                         ],
                         "tags": {},
                     },
-                    {
-                        "type": "Custom",
-                        "name": "gc03_check_iam_cloudwatch_alarms",
-                        "description": "Confirm ASEA CloudWatch Alarms are configured for access from Unauthorized IP addresses and sign-in without MFA..Source: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/03_Secure-Endpoints.md",
-                        "testingInformation": "",
-                        "actionPlanTitle": "Review CloudWatch Alarms",
-                        "actionPlanInstructions": "Go to AWS CloudWatch Alarms, and ensure alarms have been configured as required.",
-                        "controlSources": "AWS Config",
-                        "controlMappingSources": [
-                            {
-                                "sourceName": "CW-check",
-                                "sourceSetUpOption": "System_Controls_Mapping",
-                                "sourceType": "AWS_Config",
-                                "sourceKeyword": {
-                                    "keywordInputType": "SELECT_FROM_LIST",
-                                    "keywordValue": "Custom_gc03_check_iam_cloudwatch_alarms-conformance-pack",
-                                },
-                            }
-                        ],
-                        "tags": {},
-                    },
                     {
                         "type": "Custom",
                         "name": "gc03_check_trusted_devices_admin_access",