diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93e73d574..8edb6c5d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ ## Table of Contents
 - [Introduction](#introduction)
+- [2024-12-18](#2024-12-18)
 - [2024-09-18](#2024-09-18)
 - [2024-08-22](#2024-08-22)
 - [2024-07-17](#2024-07-17)
@@ -57,6 +58,13 @@ All notable changes to this project will be documented in this file.
 ---
+
+## 2024-12-18
+
+### Added
+
+- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to configure ec2 scan mode
 ## 2024-09-18
 ### Added
@@ -169,7 +177,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 ### Changed
 - Added GuardDuty EKS, Malware, RDS, and Lambda protections [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org)
-- Added fix to support deploying to more than 50 accounts. https://github.com/aws-samples/aws-security-reference-architecture-examples/issues/139. UpdateMemberDetectors and CreateMembers parameters accountIds and accountDetails support a max number
+- Added fix to support deploying to more than 50 accounts. . UpdateMemberDetectors and CreateMembers parameters accountIds and accountDetails support a max number
 of 50 items
 ## 2023-05-12
diff --git a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml
index 9318afddc..dfa96c992 100644
--- a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml
+++ b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml
@@ -207,6 +207,8 @@ resources:
 parameter_value: "EC2, ECR, LAMBDA, LAMBDA_CODE"
 - parameter_key: pEcrRescanDuration
 parameter_value: "LIFETIME"
+ - parameter_key: pEcrRescanDuration
+ parameter_value: "EC2_SSM_AGENT_BASED"
 # Macie Solution
 - parameter_key: pDisableMacie
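Review bot: The new easy_setup manifest entry reuses `parameter_key: pEcrRescanDuration` for the value `EC2_SSM_AGENT_BASED`, so the EC2 scan mode never reaches the template, and pEcrRescanDuration is handed a value that the `^(LIFETIME|DAYS_30|DAYS_180){1}$` check in app.py does not accept (or, if the manifest tooling keeps the last duplicate key, LIFETIME is silently replaced). The line should read `- parameter_key: pEc2ScanMode`, matching the inspector_org manifest and the sra-inspector-org-main-ssm.json parameter file later in this same commit. Because the value equals the template default, a deployment would still appear to work, which makes the mistake easy to miss in testing.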
diff --git a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
index 103be4851..b728c2a69 100644
--- a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
+++ b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
@@ -257,6 +257,7 @@ Metadata:
 Parameters:
 - pScanComponents
 - pEcrRescanDuration
+ - pEc2ScanMode
 - Label:
 default: Patch Manager Solution
@@ -332,6 +333,8 @@ Metadata:
 default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
 pEcrRescanDuration:
 default: ECR Rescan Duration
+ pEc2ScanMode:
+ default: EC2 Scan Mode
 pDeployInspectorSolution:
 default: Deploy the Inspector Solution
@@ -798,6 +801,11 @@ Parameters:
 Default: LIFETIME
 Description: ECR Rescan Duration
 Type: String
+ pEc2ScanMode:
+ AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID]
+ Default: EC2_SSM_AGENT_BASED
+ Description: EC2 Scan Mode
+ Type: String
 pDeployInspectorSolution:
 AllowedValues: ["Yes", "No"]
 Default: "No"
@@ -2941,6 +2949,7 @@ Resources:
 - ","
 - !Ref pScanComponents
 pEcrRescanDuration: !Ref pEcrRescanDuration
+ pEc2ScanMode: !Ref pEc2ScanMode
 pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
 pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
 pLambdaLogLevel: !Ref pLambdaLogLevel
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/README.md b/aws_sra_examples/solutions/inspector/inspector_org/README.md
index 53cc571b1..2f7c00ed3 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/README.md
+++ b/aws_sra_examples/solutions/inspector/inspector_org/README.md
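Review bot: `Description: EC2 Scan Mode` on the new pEc2ScanMode parameter only restates the name and gives the operator nothing to choose between the two AllowedValues; the same one-line description is repeated in sra-inspector-org-configuration.yaml and sra-inspector-org-main-ssm.yaml later in this commit. Suggest `Description: Amazon Inspector EC2 scan mode - EC2_SSM_AGENT_BASED (SSM agent only) or EC2_HYBRID (agent-based plus agentless scanning, which per the Inspector documentation relies on EBS snapshots and has cost and permission implications)`, with the wording confirmed against current service documentation before merging. The ParameterLabels entry `default: EC2 Scan Mode` is fine as a short label once the description carries the detail.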
@@ -91,7 +91,7 @@ The Inspector Organization solution will automate enabling Amazon Inspector by d
 - The python boto3 SDK lambda layer to enable capability for lambda to enable all elements of the inspector service.
 - This is downloaded during the deployment process and packaged into a layer that is used by the lambda function in this solution.
-- The inspector API available in the current lambda environment (as of 01/19/2023) is boto3-1.20.32, however, enhanced functionality of the inspector API used in this solution requires at least 1.26.18 (see references below).
+- The inspector API available in the current lambda environment (as of 01/19/2023) is boto3-1.20.32, however, enhanced functionality of the inspector API used in this solution requires at least 1.35.83 (see references below).
 - Note: Future revisions to this solution will remove this layer when boto3 is updated within the lambda environment.
 ---
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml
index dee25919c..1ccaaf79a 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml
+++ b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml
@@ -33,6 +33,8 @@ resources:
 parameter_value: EC2, ECR, LAMBDA, LAMBDA_CODE
 - parameter_key: pEcrRescanDuration
 parameter_value: 'LIFETIME'
+ - parameter_key: pEc2ScanMode
+ parameter_value: 'EC2_SSM_AGENT_BASED'
 deploy_method: stack_set
 deployment_targets:
 accounts:
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json
index 120034dde..37433065f 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json
+++ b/aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json
@@ -42,6 +42,10 @@
 {
 "ParameterKey": "pEcrRescanDuration",
 "ParameterValue": "LIFETIME"
+ },
+ {
+ "ParameterKey": "pEc2ScanMode",
+ "ParameterValue": "EC2_SSM_AGENT_BASED"
 }
 ]
\ No newline at end of file
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py
index d12107af6..b79262063 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py
@@ -184,6 +184,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
 )
 )
 params.update(parameter_pattern_validator("ECR_SCAN_DURATION", os.environ.get("ECR_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_30|DAYS_180){1}$"))
+ params.update(parameter_pattern_validator("EC2_SCAN_MODE", os.environ.get("EC2_SCAN_MODE"), pattern=r"^(EC2_SSM_AGENT_BASED|EC2_HYBRID){1}$"))
 # Optional Parameters
 params.update(
@@ -375,6 +376,7 @@ def setup_inspector_in_region(
 configuration_role_name: str,
 scan_components: list,
 ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"],
+ ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"],
 ) -> None:
 """Regional setup process of the inspector feature.
@@ -386,6 +388,7 @@ def setup_inspector_in_region(
 configuration_role_name: name of the configuration role
 scan_components: list of components to scan
 ecr_scan_duration: ecr scan duration
+ ec2_scan_mode: ec2 scan mode
 """
 scan_component_dict: AutoEnableTypeDef = {"ec2": False, "ecr": False, "lambda": False, "lambdaCode": False}
 for scan_component in scan_components:
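Review bot: The new docstring entry `ec2_scan_mode: ec2 scan mode` in setup_inspector_in_region repeats the parameter name instead of describing it; suggest `ec2_scan_mode: Inspector EC2 scan mode, EC2_SSM_AGENT_BASED or EC2_HYBRID (validated by get_validated_parameters)`. In the first app.py hunk the added validator reads `os.environ.get("EC2_SCAN_MODE")`, which is None for a function deployed from a template that does not set the variable; both templates in this commit do set it, so this only affects environments updated out of band, and whether parameter_pattern_validator rejects None is not visible here. The bodies of get_validated_parameters and setup_inspector_in_region continue outside these hunks.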
@@ -412,7 +415,8 @@ def setup_inspector_in_region(
 inspector.set_auto_enable_inspector_in_org(region, configuration_role_name, delegated_admin_account, scan_component_dict)
 LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}")
- inspector.set_ecr_scan_duration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration)
+ LOGGER.info(f"setup_inspector_in_region: EC2_SCAN_MODE - {ec2_scan_mode}")
+ inspector.set_inspector2_configuration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration, ec2_scan_mode)
 inspector.associate_inspector_member_accounts(configuration_role_name, delegated_admin_account, accounts, region)
@@ -540,6 +544,7 @@ def process_event_sns(event: dict) -> None:
 params["CONFIGURATION_ROLE_NAME"],
 scan_components,
 params["ECR_SCAN_DURATION"],
+ params["EC2_SCAN_MODE"],
 )
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py
index 3bd16520c..912737574 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py
+++ b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py
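Review bot: `inspector.set_inspector2_configuration(...)` is now called with an EC2 scan mode whether or not `ec2` is enabled in scan_component_dict, whereas the call it replaces touched only the ECR setting. If UpdateConfiguration rejects an ec2Configuration while EC2 scanning is disabled in that region (not verifiable from this diff), the ECR rescan duration would also go unapplied because both settings travel in one call; the EC2-disabled path should be tested, or the EC2 setting passed only when `scan_component_dict["ec2"]` is true. setup_inspector_in_region starts and ends outside this hunk.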
@@ -420,15 +420,20 @@ def enable_inspector2_in_member_accounts(
 enable_inspector2(inspector_delegated_admin_region_client, account["AccountId"], region, scan_components)
-def set_ecr_scan_duration(
- region: str, configuration_role_name: str, delegated_admin_account_id: str, ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"]
+def set_inspector2_configuration(
+ region: str,
+ configuration_role_name: str,
+ delegated_admin_account_id: str,
+ ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"],
+ ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"]
 ) -> None:
- """Set the ECR scan duration in the delegated administrator account.
+ """Set the ECR scan duration and EC2 scan mode in the delegated administrator account.
 Args:
 configuration_role_name: configuration role name
 delegated_admin_account_id: delegated admin account id
 ecr_scan_duration: ecr scan duration
+ ec2_scan_mode: ec2 scan mode
 region: AWS region
 Returns:
@@ -440,11 +445,13 @@ def set_ecr_scan_duration(
 )
 inspector_delegated_admin_region_client: Inspector2Client = delegated_admin_session.client("inspector2", region)
 LOGGER.info(f"Setting ECR scan duration in delegated admin account to {ecr_scan_duration} in {region}")
+ LOGGER.info(f"Setting EC2 scan mode in delegated admin account to {ec2_scan_mode} in {region}")
 LOGGER.info(f"delegated admin client region: {inspector_delegated_admin_region_client.meta.region_name}")
 LOGGER.info(f"Region: {delegated_admin_session.region_name}")
 sts_client = delegated_admin_session.client("sts", region_name=region)
 LOGGER.info(f"caller identity: {sts_client.get_caller_identity()}")
 configuration_response: dict = inspector_delegated_admin_region_client.update_configuration(
+ ec2Configuration={"scanMode": ec2_scan_mode},
 ecrConfiguration={"rescanDuration": ecr_scan_duration}
 )
 api_call_details = {"API_Call": "inspector:UpdateConfiguration", "API_Response": configuration_response}
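Review bot: The expanded set_inspector2_configuration signature has no trailing comma after `ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"]`, unlike the sibling setup_inspector_in_region signature in app.py, so a formatter run is likely to reflow it; add the comma for consistency. In the second hunk the new `ec2Configuration={"scanMode": ec2_scan_mode},` and the existing `ecrConfiguration` argument go out in one UpdateConfiguration call, so a rejection of either leaves both unapplied, and the docstring's Returns section (outside this hunk) could say so in one line. The function body continues past the last line of the second hunk.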
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
index e6bd65335..00718f35a 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
+++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
@@ -36,6 +36,7 @@ Metadata:
 - pEnabledRegions
 - pScanComponents
 - pEcrRescanDuration
+ - pEc2ScanMode
 - Label:
 default: General Lambda Function Properties
@@ -91,6 +92,8 @@ Metadata:
 default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
 pEcrRescanDuration:
 default: ECR Rescan Duration
+ pEc2ScanMode:
+ default: EC2 Scan Mode
 Parameters:
 pComplianceFrequency:
@@ -204,6 +207,11 @@ Parameters:
 Default: LIFETIME
 Description: ECR Rescan Duration
 Type: String
+ pEc2ScanMode:
+ AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID]
+ Default: EC2_SSM_AGENT_BASED
+ Description: EC2 Scan Mode
+ Type: String
 Conditions:
 cComplianceFrequencySingleDay: !Equals [!Ref pComplianceFrequency, 1]
@@ -472,6 +480,7 @@ Resources:
 - ','
 - !Ref pScanComponents
 ECR_SCAN_DURATION: !Ref pEcrRescanDuration
+ EC2_SCAN_MODE: !Ref pEc2ScanMode
 Tags:
 - Key: sra-solution
 Value: !Ref pSRASolutionName
@@ -482,7 +491,7 @@ Resources:
 Content:
 S3Bucket: !Ref pSRAStagingS3BucketName
 S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip
- Description: Boto3 version 1.26.24 layer to enable newer API of inspector2
+ Description: Boto3 version 1.35.83 layer to enable newer API of inspector2
 LayerName: !Sub ${pInspectorOrgLambdaFunctionName}-updated-boto3-layer
 rInspectorOrgLambdaCustomResource:
@@ -498,6 +507,7 @@ Resources:
 - ','
 - !Ref pScanComponents
 ECR_SCAN_DURATION: !Ref pEcrRescanDuration
+ EC2_SCAN_MODE: !Ref pEc2ScanMode
 rInspectorOrgTopic:
 Type: AWS::SNS::Topic
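Review bot: The layer `Description: Boto3 version 1.35.83 layer to enable newer API of inspector2` is free text; nothing in this template pins the version actually packaged into `${pSRASolutionName}-layer.zip`, so the description and the README's "requires at least 1.35.83" hold only if the packaging step, which is outside this diff, downloads that release or newer. Suggest confirming the packaging script pins boto3>=1.35.83 and phrasing the description so it does not go stale, e.g. `Description: Boto3 layer (version pinned by the layer packaging step) providing the inspector2 ec2Configuration API`. The two added `EC2_SCAN_MODE: !Ref pEc2ScanMode` environment entries correctly mirror ECR_SCAN_DURATION in both the function and the custom resource.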
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml
index edcb67625..bd89d8407 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml
+++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml
@@ -38,6 +38,7 @@ Metadata:
 - pEnabledRegions
 - pScanComponents
 - pEcrRescanDuration
+ - pEc2ScanMode
 - Label:
 default: General Lambda Function Properties
@@ -92,6 +93,8 @@ Metadata:
 default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
 pEcrRescanDuration:
 default: ECR Rescan Duration
+ pEc2ScanMode:
+ default: EC2 Scan Mode
 Parameters:
 pStackSetAdminRole:
@@ -211,6 +214,11 @@ Parameters:
 Default: LIFETIME
 Description: ECR Rescan Duration
 Type: String
+ pEc2ScanMode:
+ AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID]
+ Default: EC2_SSM_AGENT_BASED
+ Description: EC2 Scan Mode
+ Type: String
 Conditions:
 cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]]
@@ -282,6 +290,7 @@ Resources:
 - ','
 - !Ref pScanComponents
 pEcrRescanDuration: !Ref pEcrRescanDuration
+ pEc2ScanMode: !Ref pEc2ScanMode
 Tags:
 - Key: sra-solution
 Value: !Ref pSRASolutionName