Merge pull request #4 from DefendableDesign/Slack-Integration

Slack Integration

Author: glennbolton

main.tf

@@ -27,7 +27,6 @@ module "config" {
 module "remediation" {
   source               = "./modules/aws_config/remediation_coordinator"
   enable_auto_response = "${var.enable_auto_response}"
-  region               = "${var.region}"
 }
 
 module "rules" {
@@ -36,4 +35,15 @@ module "rules" {
   remediation_queue_url              = "${module.remediation.remediation_queue_url}"
   remediation_queue_arn              = "${module.remediation.remediation_queue_arn}"
   remediation_coordinator_lambda_arn = "${module.remediation.remediation_coordinator_lambda_arn}"
+  notifier_enabled                   = "${var.slack_webhook_url == "" ? "false" : "true"}"
+}
+
+module "notifier" {
+  source             = "./modules/notifier"
+  slack_webhook_url  = "${var.slack_webhook_url}"
+  slack_channel      = "${var.slack_channel}"
+  kms_key_id         = "${module.kms.kms_key_id}"
+  kms_arn            = "${module.kms.kms_arn}"
+  monitoring_sns_arn = "${module.best_practice.sns_topic_arn}"
+  config_sns_arn     = "${module.config.sns_topic_arn}"
 }

modules/aws_config/remediation_coordinator/create_lambda.tf

@@ -19,6 +19,7 @@ POLICY
 }
 
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
 
 resource "aws_iam_role_policy" "p_remediation_coordinator" {
   name = "DD_Config_Policy_Remediation"
@@ -42,7 +43,7 @@ resource "aws_iam_role_policy" "p_remediation_coordinator" {
                 "lambda:Get*"
             ],
             "Effect": "Allow",
-            "Resource": "arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:DD_Config_Lambda_*_Remediation"
+            "Resource": "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:DD_Config_Lambda_*_Remediation"
         },
         {
             "Effect": "Allow",

modules/aws_config/remediation_coordinator/variables.tf

@@ -5,5 +5,3 @@ variable "enable_auto_response" {
 variable "temp_dir" {
   default = "/tmp"
 }
-
-variable "region" {}

modules/aws_config/rules/main.tf

@@ -22,6 +22,7 @@ module "restricted_ports_remediation" {
   remediation_queue_url              = "${var.remediation_queue_url}"
   remediation_queue_arn              = "${var.remediation_queue_arn}"
   remediation_coordinator_lambda_arn = "${var.remediation_coordinator_lambda_arn}"
+  notifier_enabled                   = "${var.notifier_enabled}"
 }
 
 module "s3_public_access" {
@@ -37,4 +38,5 @@ module "s3_public_access_remediation" {
   remediation_queue_url              = "${var.remediation_queue_url}"
   remediation_queue_arn              = "${var.remediation_queue_arn}"
   remediation_coordinator_lambda_arn = "${var.remediation_coordinator_lambda_arn}"
+  notifier_enabled                   = "${var.notifier_enabled}"
 }

modules/aws_config/rules/restricted_ports_remediation/create_lambda.tf

@@ -1,7 +1,10 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 resource "aws_iam_role" "r_remediation" {
-    name = "DD_Config_Role_EC2_OpenPorts_Remediation"
+  name = "DD_Config_Role_EC2_OpenPorts_Remediation"
 
-    assume_role_policy = <<POLICY
+  assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -19,10 +22,10 @@ POLICY
 }
 
 resource "aws_iam_role_policy" "p_remediation" {
-    name = "DD_Config_Policy_EC2_OpenPorts_Remediation"
-    role = "${aws_iam_role.r_remediation.id}"
-    
-    policy = <<POLICY
+  name = "DD_Config_Policy_EC2_OpenPorts_Remediation"
+  role = "${aws_iam_role.r_remediation.id}"
+
+  policy = <<POLICY
 {
     "Version": "2012-10-17",
     "Statement": [
@@ -51,26 +54,32 @@ resource "aws_iam_role_policy" "p_remediation" {
             "Resource": [
                 "*"
             ]
+        },
+        {
+            "Action": [
+                "lambda:InvokeFunction"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:DD_Config_Lambda_Notifier"
         }
     ]
 }
 POLICY
 }
 
 resource "aws_lambda_function" "lf_remediation" {
-    filename         = "${data.archive_file.lambda_remediation.output_path}"
-    function_name    = "DD_Config_Lambda_EC2_OpenPorts_Remediation"
-    role             = "${aws_iam_role.r_remediation.arn}"
-    handler          = "dd_config_lambda_ec2_openports_remediation.lambda_handler"
-    source_code_hash = "${base64sha256(file("${data.archive_file.lambda_remediation.output_path}"))}"
-    runtime          = "python2.7"
-    timeout          = "60"
-}
+  filename         = "${data.archive_file.lambda_remediation.output_path}"
+  function_name    = "DD_Config_Lambda_EC2_OpenPorts_Remediation"
+  role             = "${aws_iam_role.r_remediation.arn}"
+  handler          = "dd_config_lambda_ec2_openports_remediation.lambda_handler"
+  source_code_hash = "${base64sha256(file("${data.archive_file.lambda_remediation.output_path}"))}"
+  runtime          = "python2.7"
+  timeout          = "60"
 
-/*resource "aws_lambda_permission" "coordinator_invoke_permission" {
-    statement_id  = "DD_Config_LambdaPermission_EC2_OpenPorts_Remediation"
-    action        = "lambda:InvokeFunction"
-    function_name = "${aws_lambda_function.lf_remediation.function_name}"
-    principal     = "lambda.amazonaws.com"
-    source_arn    = "${var.remediation_coordinator_lambda_arn}"
-}*/
+  environment {
+    variables = {
+      notifierFnName  = "DD_Config_Lambda_Notifier"
+      notifierEnabled = "${var.notifier_enabled}"
+    }
+  }
+}

modules/aws_config/rules/restricted_ports_remediation/lambda_remediation/dd_config_lambda_ec2_openports_remediation.py

@@ -9,6 +9,11 @@
 import json
 import boto3
 import botocore
+import os
+import datetime
+
+NOTIFIER_ENABLED = os.environ["notifierEnabled"]
+NOTIFIER_FUNCTION = os.environ["notifierFnName"]
 
 def remediate_violation(group_id, ip_permission):
     """
@@ -46,9 +51,37 @@ def remediate_violation(group_id, ip_permission):
                 "groupId": group_id, 
                 "accessControlPolicy": "Unexpected error: {0}".format(client_error)}
             print json.dumps(log_message)
-            return False
-    return True
+            return False, log_message
+    return True, log_message
 
+def notify(log_message, source, account_id):
+    """
+    Calls the Notifier Lambda function to notify slack that action has been taken.
+    :param log_message: The log message string
+    """
+    #pylint: disable=unused-variable
+    print("Running notifier: {0}".format(NOTIFIER_FUNCTION))
+    lambda_client = boto3.client('lambda')
+
+    payload = {
+        "remediationSource" : source,
+        "resourceId" : log_message["groupId"],
+        "resourceType" : "AWS::EC2::SecurityGroup",
+        "action" : log_message["action"],
+        "actionCompleteTime" : datetime.datetime.utcnow().isoformat() + "+00:00",
+        "awsAccountId" : account_id,
+        "message" : "The following entry was removed from {0}:\n```\n{1}\n```".format(log_message["groupId"], json.dumps(log_message["ipPermission"], indent=4, sort_keys=True))
+    }
+
+    payload_bytes = json.dumps(payload).encode('utf-8')
+
+    invoke_response = lambda_client.invoke(
+        FunctionName=NOTIFIER_FUNCTION,
+        InvocationType='Event',
+        Payload=payload_bytes
+    )
+    
+    return True
 
 def dequeue_message(sqs_url, receipt_handle):
     """
@@ -115,9 +148,16 @@ def lambda_handler(event, context):
     ip_permission = body["violationDetails"]
 
     success = False
-    success = remediate_violation(group_id, ip_permission)
+    result = remediate_violation(group_id, ip_permission)
+    success = result[0]
+    message = result[1]
 
     if success:
         dequeue_message(sqs_url, receipt_handle)
+        if NOTIFIER_ENABLED == "true":
+            if message["action"] == "RevokeSecurityGroupIngress":
+                fn_name = context.function_name
+                account_id = context.invoked_function_arn.split(":")[4]
+                notify(message, fn_name, account_id)
 
     return True

modules/aws_config/rules/restricted_ports_remediation/variables.tf

@@ -6,7 +6,7 @@ variable "temp_dir" {
   default = "/tmp"
 }
 
+variable "notifier_enabled" {}
 variable "remediation_queue_url" {}
 variable "remediation_queue_arn" {}
-
-variable "remediation_coordinator_lambda_arn" {}
+variable "remediation_coordinator_lambda_arn" {}

modules/aws_config/rules/s3_public_access_remediation/create_lambda.tf

@@ -1,3 +1,6 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 resource "aws_iam_role" "r_remediation" {
   name = "DD_Config_Role_S3_PublicAccess_Remediation"
 
@@ -52,6 +55,13 @@ resource "aws_iam_role_policy" "p_remediation" {
             "Resource": [
                 "*"
             ]
+        },
+        {
+            "Action": [
+                "lambda:InvokeFunction"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:DD_Config_Lambda_Notifier"
         }
     ]
 }
@@ -66,13 +76,11 @@ resource "aws_lambda_function" "lf_remediation" {
   source_code_hash = "${base64sha256(file("${data.archive_file.lambda_remediation.output_path}"))}"
   runtime          = "python2.7"
   timeout          = "60"
-}
-
-/*resource "aws_lambda_permission" "coordinator_invoke_permission" {
-    statement_id  = "DD_Config_LambdaPermission_S3_PublicAccess_Remediation"
-    action        = "lambda:InvokeFunction"
-    function_name = "${aws_lambda_function.lf_remediation.function_name}"
-    principal     = "lambda.amazonaws.com"
-    source_arn    = "${var.remediation_coordinator_lambda_arn}"
-}*/
 
+  environment {
+    variables = {
+      notifierFnName  = "DD_Config_Lambda_Notifier"
+      notifierEnabled = "${var.notifier_enabled}"
+    }
+  }
+}

modules/aws_config/rules/s3_public_access_remediation/lambda_remediation/dd_config_lambda_s3_publicaccess_remediation.py

@@ -9,6 +9,11 @@
 import json
 import boto3
 import botocore
+import os
+import datetime
+
+NOTIFIER_ENABLED = os.environ["notifierEnabled"]
+NOTIFIER_FUNCTION = os.environ["notifierFnName"]
 
 def remediate_violation_acl(bucket_name):
     """
@@ -37,7 +42,6 @@ def remediate_violation_acl(bucket_name):
         )
         log_message = {"action": "PutBucketAcl", "bucketName": bucket_name, "accessControlPolicy": json.dumps(acp)}
         print json.dumps(log_message)
-        return True
     except botocore.exceptions.ClientError as client_error:
         if client_error.response['Error']['Code'] == 'OperationAborted':
             log_message = {
@@ -53,7 +57,8 @@ def remediate_violation_acl(bucket_name):
                 "bucketName": bucket_name, 
                 "accessControlPolicy": "Unexpected error: {0}".format(client_error)}
             print json.dumps(log_message)
-        return False
+        return False, log_message
+    return True, log_message
 
 
 def remediate_violation_policy(bucket_name):
@@ -94,7 +99,47 @@ def remediate_violation_policy(bucket_name):
                 "bucketName": bucket_name, 
                 "accessControlPolicy": "Unexpected error: {0}".format(client_error)}
             print json.dumps(log_message)
-        return False
+        return False, log_message
+    return True, log_message
+
+
+def notify(log_message, source, account_id):
+    """
+    Calls the Notifier Lambda function to notify slack that action has been taken.
+    :param log_message: The log message string
+    """
+    #pylint: disable=unused-variable
+    lambda_client = boto3.client('lambda')
+
+    message = ""
+    if log_message["action"] == "PutBucketPolicy":
+        template = "A \"*\" Principal in an Allow policy statement was fixed by applying an updated bucket policy to {0}:\n```\n{1}\n```"
+        bucket_policy = json.loads(log_message["bucketPolicy"])
+        bucket_policy = json.dumps(bucket_policy, indent=4, sort_keys=True)
+        message = template.format(log_message["bucketName"], bucket_policy)
+    elif log_message["action"] == "PutBucketAcl":
+        template = "An AllUsers or AllAuthenticatedUsers grant was fixed by applying an updated access control policy to {0}:\n```\n{1}\n```"
+        acp = json.loads(log_message["accessControlPolicy"])
+        acp = json.dumps(acp, indent=4, sort_keys=True)
+        message = template.format(log_message["bucketName"], acp)
+
+    payload = {
+        "remediationSource" : source,
+        "resourceId" : log_message["bucketName"],
+        "resourceType" : "AWS::S3::Bucket",
+        "action" : log_message["action"],
+        "actionCompleteTime" : datetime.datetime.utcnow().isoformat() + "+00:00",
+        "awsAccountId" : account_id,
+        "message" : message
+    }
+
+    payload_bytes = json.dumps(payload).encode('utf-8')
+
+    invoke_response = lambda_client.invoke(
+        FunctionName=NOTIFIER_FUNCTION,
+        InvocationType='Event',
+        Payload=payload_bytes
+    )
     return True
 
 
@@ -126,11 +171,19 @@ def lambda_handler(event, context):
 
     success = False
     if violation_type == "S3_BUCKET_PUBLIC_ACL":
-        success = remediate_violation_acl(bucket_name)
+        result = remediate_violation_acl(bucket_name)
     elif violation_type == "S3_BUCKET_PUBLIC_POLICY":
-        success = remediate_violation_policy(bucket_name)
+        result = remediate_violation_policy(bucket_name)
+
+    success = result[0]
+    message = result[1]
 
     if success:
         dequeue_message(sqs_url, receipt_handle)
-    
+        if NOTIFIER_ENABLED == "true":
+            if (message["action"] == "PutBucketPolicy" or message["action"] == "PutBucketAcl"):
+                fn_name = context.function_name
+                account_id = context.invoked_function_arn.split(":")[4]
+                notify(message, fn_name, account_id)
+
     return True

modules/aws_config/rules/s3_public_access_remediation/variables.tf

@@ -6,7 +6,7 @@ variable "temp_dir" {
   default = "/tmp"
 }
 
+variable "notifier_enabled" {}
 variable "remediation_queue_url" {}
 variable "remediation_queue_arn" {}
-
-variable "remediation_coordinator_lambda_arn" {}
+variable "remediation_coordinator_lambda_arn" {}