A blog post repository to demonstrate how to implement DevSecOps pipeline for AWS Security Hub via the Cloud Development Kit (CDK)

hdisysteme/cicd4securityhub

Automated Security and Compliance Remediation at HDI

This is the companion repository for the AWS blog post "Automated Security and Compliance Remediation at HDI".

Disclaimer

This repository acts as a blueprint. HDI will maintain the solution.

Architectural Diagrams

This is the architecture deployed by the classes residing in the securityhub/auto_ops.py file.

Overview

This is the architecture of the deployed CICD pipeline. Stages can be added as needed. A general description of the CDK pipelines construct can be found here. The programmatic implementation can be found in securityhub/pipeline.py.

Continuous delivery for AWS CDK applications

The CDK app deploys all remediations as well as the Prowler integration as CloudFormation nested stacks. This has the advantage of keeping a consistent state across all parts of the CDK app. It also makes it easy to work with CloudFormation imports and exports to share resources across CloudFormation stacks.

Programmatic Approach of this CDK App

To really make use of the programmatic capabilities of the CDK, we use functions from securityhub/helper.py to avoid repetitive declaration of AWS resources. The create_remediation_lambdas function from this file is used within securityhub/auto_ops.py by the RemediationStack class to process arrays of Lambda configuration objects defined in the AutoSecOps class.

```python
# Snippet from securityhub/auto_ops.py (CDK v1 imports)
from aws_cdk import core, aws_iam as _iam

# One remediation Lambda configuration object; create_remediation_lambdas
# turns each of these into a Lambda function with its own IAM policy.
prowler_740_lambda = {
    "name": "Prowler 7.40",
    "id": "prowler740",
    "description": "Remediates Prowler 7.40 by deleting unencrypted Snapshots",
    "policies": [
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW,
            actions=["ec2:DeleteSnapshot"],
            resources=["*"],
        )
    ],
    "path": "delete_unencrypted_snapshots",  # source directory of the handler
    "environment_variables": [
        {"key": "ACCOUNT_ID", "value": core.Aws.ACCOUNT_ID}
    ],
    "filter_id": ["prowler-extra740"],  # Security Hub finding ids handled by this Lambda
}

prowler_list = [
    prowler_729_lambda,
    prowler_740_lambda,
]

# ...

print("Lambdas in Prowler Stack", len(prowler_list))
prowler_1 = RemediationStack(
    self, id="prowler-remediation", remediation_list=prowler_list,
)
prowler_1.add_dependency(cis_1)
core.Tags.of(prowler_1).add("Name", "Security Hub App")
```
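The following is an added example, not code from this repository: it shows how a helper in the style of create_remediation_lambdas could derive an EventBridge event pattern from each configuration object's filter_id, validates the objects, and checks a constructed Security Hub finding event against the patterns. It assumes that each filter_id entry is the finding's GeneratorId (Prowler writes its check id there) and that only ACTIVE, FAILED findings should trigger a remediation; policies are plain strings so it runs without aws_cdk.

```python
# Added example, not from cicd4securityhub. Assumption: filter_id entries are Security
# Hub GeneratorIds; only ACTIVE, FAILED findings fire. Policies kept as strings here.
REQUIRED_KEYS = {"name", "id", "description", "policies", "path",
                 "environment_variables", "filter_id"}

def validate_config(cfg: dict) -> list:
    """Return the problems found in one remediation config object (empty = ok)."""
    problems = ["missing key %r" % k for k in sorted(REQUIRED_KEYS - set(cfg))]
    if not cfg.get("filter_id"):
        problems.append("filter_id must list at least one GeneratorId")
    return problems

def event_pattern(cfg: dict) -> dict:
    """EventBridge pattern that selects the findings this remediation handles."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {"GeneratorId": list(cfg["filter_id"]),
                                "Compliance": {"Status": ["FAILED"]},
                                "RecordState": ["ACTIVE"]}},
    }

def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge-style matcher: every pattern leaf must appear in the event."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            # EventBridge lets any element of a list of objects satisfy a sub-pattern.
            objs = got if isinstance(got, list) else [got]
            if not any(isinstance(o, dict) and matches(want, o) for o in objs):
                return False
        elif got not in want:
            return False
    return True

def triggered(configs: list, event: dict) -> list:
    """Ids of the remediation Lambdas whose pattern matches the finding event."""
    return [c["id"] for c in configs if matches(event_pattern(c), event)]

# Constructed sample data mirroring the shape used in securityhub/auto_ops.py.
PROWLER_740 = {"name": "Prowler 7.40", "id": "prowler740", "description": "demo",
               "policies": ["ec2:DeleteSnapshot"], "path": "delete_unencrypted_snapshots",
               "environment_variables": [], "filter_id": ["prowler-extra740"]}
PROWLER_729 = dict(PROWLER_740, id="prowler729", filter_id=["prowler-extra729"])
SAMPLE_EVENT = {"source": "aws.securityhub",
                "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [{"GeneratorId": "prowler-extra740",
                                         "Compliance": {"Status": "FAILED"},
                                         "RecordState": "ACTIVE"}]}}
```

Running triggered([PROWLER_729, PROWLER_740], SAMPLE_EVENT) returns only "prowler740", so a finding from one check never reaches another check's remediation Lambda.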

How to deploy this CDK App?

```python
# app.py
# TODO: Insert your AWS account id
cicd = Pipeline(
    app,
    id="cicd-4-securityhub",
    env=core.Environment(account="12345678910", region="eu-central-1"),
)
```
  • Run cdk deploy cicd-4-securityhub to create the CICD pipeline.
  • Change the origin of this Git repository to CodeCommit and push your files to CodeCommit.

Prowler Deployment

  • To deploy the Prowler Docker image, use the following commands with your repository.
```shell
# run from ./src/docker/
aws ecr get-login-password --region eu-central-1 | \
    docker login --username AWS --password-stdin \
    ACCOUNT_ID.dkr.ecr.eu-central-1.amazonaws.com # your AWS account ID
docker build -t ECR_REPO_NAME:latest .
docker tag ECR_REPO_NAME:latest \
    ACCOUNT_ID.dkr.ecr.eu-central-1.amazonaws.com/ECR_REPO_NAME:latest
docker push \
    ACCOUNT_ID.dkr.ecr.eu-central-1.amazonaws.com/ECR_REPO_NAME:latest
```

SonarQube Results
