## Trust policy that lets the Lambda service assume the forwarder's execution role.
## Trust is scoped to the lambda.amazonaws.com service principal only.
data "aws_iam_policy_document" "lambda_assume_role_policy" {
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition is applied, so any
  # Lambda function in an account that can reference this role could assume it —
  # confirm whether tightening the trust is wanted.
  statement {
    sid     = "AllowLambdaAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
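## IAM policy allowing the lambda function to write its logs to CloudWatch Logs.
## Mirrors the actions of the AWS managed policy AWSLambdaBasicExecutionRole, but the
## resource is scoped to the function's own log group (declared in this file) instead
## of "arn:aws:logs:*:*:*", so the role cannot write into other log groups.
# tfsec:ignore:aws-iam-no-policy-wildcards -- the trailing ":*" only covers the
# streams inside the single log group named below.
data "aws_iam_policy_document" "securityhub_lambda_cloudwatch_logs_policy" {
  statement {
    sid    = "AllowLogging"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    # Both the bare log group ARN and its ":*" form are listed so that log streams
    # are covered whether or not the provider returns the ARN with a trailing ":*".
    resources = [
      aws_cloudwatch_log_group.securityhub_lambda_log_group.arn,
      "${aws_cloudwatch_log_group.securityhub_lambda_log_group.arn}:*",
    ]
  }
}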
## IAM policy allowing the lambda function to publish findings to the SNS topic
## created by module.securityhub_notifications. Only rendered when alarms are enabled,
## because the topic it references only exists in that case.
data "aws_iam_policy_document" "securityhub_notifications_policy" {
  count = var.enable_securityhub_alarms ? 1 : 0

  statement {
    sid    = "AllowPublish"
    effect = "Allow"
    # Publish only, and only to the single topic ARN exported by the module.
    actions   = ["sns:Publish"]
    resources = [module.securityhub_notifications[0].sns_topic_arn]
  }
}
## Package the single-file lambda handler into a zip deployment artifact.
data "archive_file" "securityhub_lambda_package" {
  count = var.enable_securityhub_alarms ? 1 : 0

  type = "zip"
  # Handler source shipped with this module.
  source_file = "${path.module}/assets/functions/lambda_function.py"
  # NOTE(review): this path is relative to the directory terraform is run from,
  # not to path.module — confirm that is intended.
  output_path = "./builds/securityhub-findings-forwarder.zip"
}
## Notifications module: provisions the SNS topic (plus Slack and email delivery)
## that receives the forwarded Security Hub findings. EventBridge and Lambda are
## the only AWS services allowed to publish to the topic.
module "securityhub_notifications" {
  count = var.enable_securityhub_alarms ? 1 : 0

  source  = "appvia/notifications/aws"
  version = "1.0.7"

  providers = {
    aws = aws.audit
  }

  # Topic
  create_sns_topic     = true
  sns_topic_name       = var.securityhub_sns_topic_name
  allowed_aws_services = ["events.amazonaws.com", "lambda.amazonaws.com"]

  # Delivery channels
  email        = local.email
  enable_slack = true
  slack        = local.slack

  # Account / Identity Center details passed through to the module
  # (presumably used to render account names and console links — verify).
  accounts_id_to_name       = var.accounts_id_to_name
  identity_center_role      = var.security_hub_identity_center_role
  identity_center_start_url = var.identity_center_start_url

  cloudwatch_log_group_retention = 3
  tags                           = var.tags
}
## Execution role for the forwarder lambda, created in the audit account and
## trusting the Lambda service via the assume-role document above.
resource "aws_iam_role" "securityhub_lambda_role" {
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  name               = var.securityhub_lambda_role_name
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
  tags               = var.tags
}
## Inline policy granting the execution role sns:Publish on the findings topic.
resource "aws_iam_role_policy" "securityhub_lambda_role_policy" {
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  name   = "lza-securityhub-lambda-policy"
  role   = aws_iam_role.securityhub_lambda_role[0].name
  policy = data.aws_iam_policy_document.securityhub_notifications_policy[0].json
}
## Inline policy granting the execution role permission to write CloudWatch logs.
resource "aws_iam_role_policy" "securityhub_lambda_logs_policy" {
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  name   = "lza-securityhub-lambda-logs-policy"
  role   = aws_iam_role.securityhub_lambda_role[0].name
  policy = data.aws_iam_policy_document.securityhub_lambda_cloudwatch_logs_policy.json
}
## Log group for the forwarder lambda. The function declares depends_on on this
## resource, so retention and encryption settings are in place before it first logs.
resource "aws_cloudwatch_log_group" "securityhub_lambda_log_group" {
  provider = aws.audit

  # Must match the log group name Lambda uses for this function.
  name              = "/aws/lambda/${var.securityhub_lambda_function_name}"
  log_group_class   = "STANDARD"
  retention_in_days = 3
  tags              = var.tags

  # Encrypted with the Security Hub key only when log group encryption is enabled.
  # NOTE(review): the alias data source's id is an alias ARN rather than a key
  # ARN — confirm the provider accepts it here (target_key_arn may be required).
  kms_key_id = local.enable_log_group_encryption ? data.aws_kms_alias.securityhub_kms_key[0].id : null

  # NOTE(review): unlike the other resources in this file, this one is not gated
  # on var.enable_securityhub_alarms, so it is created even when the forwarder is
  # disabled — confirm that is intended before adding a count (which would change
  # the resource address).
}
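## Lambda function that forwards matching Security Hub findings to the SNS topic.
# tfsec:ignore:aws-lambda-enable-tracing
resource "aws_lambda_function" "securityhub_lambda_function" {
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  function_name = var.securityhub_lambda_function_name
  role          = aws_iam_role.securityhub_lambda_role[0].arn
  runtime       = var.securityhub_lambda_runtime
  handler       = "lambda_function.lambda_handler"
  timeout       = 5
  tags          = var.tags

  # Deploy the artifact built by the archive_file data source. Taking the path from
  # its output_path (rather than repeating the literal) keeps the two in sync, and
  # the hash forces a redeploy whenever the handler source changes.
  filename         = data.archive_file.securityhub_lambda_package[0].output_path
  source_code_hash = data.archive_file.securityhub_lambda_package[0].output_base64sha256

  environment {
    variables = {
      "SNS_TOPIC_ARN" = module.securityhub_notifications[0].sns_topic_arn
    }
  }

  # The log group is created first so its retention/KMS settings apply to the
  # function's logs from the start.
  depends_on = [
    data.archive_file.securityhub_lambda_package,
    aws_cloudwatch_log_group.securityhub_lambda_log_group,
  ]
}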
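## Allow EventBridge — restricted via source_arn to the findings rule below — to
## invoke the lambda function.
resource "aws_lambda_permission" "securityhub_event_bridge" {
  # Gated like the function and rule it references: without this count the [0]
  # indexes below fail to evaluate when var.enable_securityhub_alarms is false.
  # Existing state needs the permission moved to index [0] (terraform state mv or
  # a moved block) to avoid a recreate.
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.securityhub_lambda_function[0].function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.securityhub_findings[0].arn
}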
## EventBridge rule matching imported Security Hub findings that are active,
## failed compliance, still in the NEW workflow state and carry one of the
## configured severity labels.
resource "aws_cloudwatch_event_rule" "securityhub_findings" {
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  name        = var.securityhub_event_bridge_rule_name
  description = "Capture Security Hub findings of a specific severities and publish to the SNS topic (LZA)"
  tags        = var.tags

  event_pattern = jsonencode({
    source      = ["aws.securityhub"]
    detail-type = ["Security Hub Findings - Imported"]
    detail = {
      findings = {
        # Only failed controls ...
        Compliance = { Status = ["FAILED"] }
        # ... that are still active ...
        RecordState = ["ACTIVE"]
        # ... of the severities selected by the variable ...
        Severity = { Label = var.securityhub_severity_filter }
        # ... and not yet triaged.
        Workflow = { Status = ["NEW"] }
      }
    }
  })
}
## Route events matched by the rule to the lambda function, which in turn
## publishes to the SNS topic.
resource "aws_cloudwatch_event_target" "security_hub_findings_target" {
  count    = var.enable_securityhub_alarms ? 1 : 0
  provider = aws.audit

  target_id = "security_hub_findings_target"
  rule      = aws_cloudwatch_event_rule.securityhub_findings[0].name
  arn       = aws_lambda_function.securityhub_lambda_function[0].arn
}