From 3e94a77f84bef7e43f16166e945daea26fd51918 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 22 Jun 2021 19:51:00 -0400 Subject: [PATCH 01/20] first run at asff_mapper Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools.rb | 1 + lib/heimdall_tools/asff_mapper.rb | 152 +++++++++++++++++++++++++ lib/heimdall_tools/cli.rb | 11 ++ lib/heimdall_tools/help/asff_mapper.md | 5 + 4 files changed, 169 insertions(+) create mode 100644 lib/heimdall_tools/asff_mapper.rb create mode 100644 lib/heimdall_tools/help/asff_mapper.md diff --git a/lib/heimdall_tools.rb b/lib/heimdall_tools.rb index b907916..44f1d9f 100644 --- a/lib/heimdall_tools.rb +++ b/lib/heimdall_tools.rb @@ -19,4 +19,5 @@ module HeimdallTools autoload :SarifMapper, 'heimdall_tools/sarif_mapper' autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper' autoload :XCCDFResultsMapper, 'heimdall_tools/xccdf_results_mapper' + autoload :ASFFMapper, 'heimdall_tools/asff_mapper' end diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb new file mode 100644 index 0000000..de5fd38 --- /dev/null +++ b/lib/heimdall_tools/asff_mapper.rb 
@@ -0,0 +1,152 @@ +require 'json' +require 'csv' +require 'heimdall_tools/hdf' + +RESOURCE_DIR = Pathname.new(__FILE__).join('../../data') + +# todo: remove all this nist mapping stuff or figure out alternative +SCOUTSUITE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'scoutsuite-nist-mapping.csv') + +# todo: confirm if these seem like reasonable mappings +IMPACT_MAPPING = { + CRITICAL: 1.0, + HIGH: 0.7, + MEDIUM: 0.5, + LOW: 0.3, + INFORMATIONAL: 0.0 +}.freeze + +DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze + +INSPEC_INPUTS_MAPPING = { + string: 'String', + numeric: 'Numeric', + regexp: 'Regexp', + array: 'Array', + hash: 'Hash', + boolean: 'Boolean', + any: 'Any' +}.freeze + +# Loading spinner sign +$spinner = Enumerator.new do |e| + loop do + e.yield '|' + e.yield '/' + e.yield '-' + e.yield '\\' + end +end + +module HeimdallTools + class ASFFMapper + def initialize(asff_json) + begin + @scoutsuite_nist_mapping = parse_mapper + rescue StandardError => e + raise "Invalid Scout Suite to NIST mapping file:\nException: #{e}" + end + + begin + # TODO: support findings wrapper attribute - currently only expects a json object with just one control in it + @report = JSON.parse(asff_json) + rescue StandardError => e + raise "Invalid ASFF file provided:\nException: #{e}" + end + end + + def parse_mapper + csv_data = CSV.read(SCOUTSUITE_NIST_MAPPING_FILE, { encoding: 'UTF-8', headers: true, header_converters: :symbol }) + csv_data.map(&:to_hash) + end + + def create_attribute(name, value, required = nil, sensitive = nil, type = nil) + { name: name, options: { value: value, required: required, sensitive: sensitive, type: type }.compact } + end + + def extract_scaninfo + info = {} + begin + info['name'] = 'AWS Security Finding Format' + info['version'] = @report['SchemaVersion'] + info['title'] = "ASFF finding (#{@report['Id']}) on account #{@report['AwsAccountId']}" + info['target_id'] = "Id: #{@report['Id']} Account: #{@report['AwsAccountId']} Product: #{@report['ProductArn']} 
Generator: #{@report['GeneratorId']}" + info['summary'] = @report['Types'].join(',') + info['attributes'] = @report.map { |k,v| create_attribute(k, v) } # potential todo: contains duplicate info, so can do like a filter against items like schemaversion that already have a dedicated spot + info + rescue StandardError => e + raise "Error extracting report info from ASFF file:\nException: #{e}" + end + end + + # todo: can't figure out mappings even after looking at aws_config mappings + def nist_tag + # entries = @scoutsuite_nist_mapping.select { |x| rule.eql?(x[:rule].to_s) && !x[:nistid].nil? } + # tags = entries.map { |x| x[:nistid].split('|') } + # tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq + DEFAULT_NIST_TAG + end + + # potential todo: override with criticality if key exists? what about confidence? what about verificationstate? + def impact(severity) + IMPACT_MAPPING[severity.to_sym] + end + + def desc_tags(data, label) + { data: data || NA_STRING, label: label || NA_STRING } + end + + # potential todo: recordstate - is it passing or skipped if the recordstate is archived (other option is active which is obv gonna be failed). what about compliance? + def findings + finding = {} + if (@report['Severity'].key?('Label') ? @report['Severity']['Label'] : @report['Severity']['Normalized']).eql? 'INFORMATIONAL' + finding['status'] = 'skipped' + finding['skip_message'] = 'Skipped because it is only informational' + else + finding['status'] = 'failed' + finding['message'] = "Product #{@report['ProductArn']} created finding #{@report['Id']} based off of generator #{@report['GeneratorId']} for account #{@report['Id']}" + end + finding['code_desc'] = @report['Title'] + finding['start_time'] = @report.key?('LastObservedAt') ? 
@report['LastObservedAt'] : @report['UpdatedAt'] + [finding] + end + + def to_hdf + controls = [] + printf("\rProcessing: %s", $spinner.next) + + item = {} + item['id'] = @report['Id'] + item['title'] = @report['Title'] + + item['tags'] = { nist: nist_tag } + + item['impact'] = impact(@report['Severity'].key?('Label') ? @report['Severity']['Label'] : @report['Severity']['Normalized']) # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. + + item['desc'] = @report['Description'] + + item['descriptions'] = [] + item['descriptions'] << desc_tags(@report['Remediation']['Recommendation'].map { |k,v| v }.join("\n"), 'fix') unless @report['Remediation'].nil? || @report['Remediation']['Recommendation'].nil? + + item['refs'] = [] + item['refs'] << @report['SourceUrl'] unless @report['SourceUrl'].nil? + + item['source_location'] = NA_HASH + item['code'] = NA_STRING + + item['results'] = findings + + controls << item + + scaninfo = extract_scaninfo + results = HeimdallDataFormat.new(profile_name: scaninfo['name'], + version: scaninfo['version'], + title: scaninfo['title'], + summary: scaninfo['summary'], + controls: controls, + target_id: scaninfo['target_id'], + attributes: scaninfo['attributes']) + results.to_hdf + end + end +end diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb index 59957d9..d411d98 100644 --- a/lib/heimdall_tools/cli.rb +++ b/lib/heimdall_tools/cli.rb 
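Review bot: The failed-status message in `findings` ends with `for account #{@report['Id']}`, reusing the finding Id where the account is meant; it should read `for account #{@report['AwsAccountId']}`, as `extract_scaninfo` already does. In `impact`, `IMPACT_MAPPING[severity.to_sym]` returns nil for any label outside the five mapped values, and the same call also receives `Severity.Normalized`, which is numeric in ASFF and so can never hit a symbol key — the control is then emitted with a nil impact. `IMPACT_MAPPING.fetch(severity.to_sym) { raise "Unknown ASFF severity: #{severity}" }` would surface the problem rather than hide it in the output. The file also references `Pathname` without a `require 'pathname'`, which presumably works only because another file loads it first.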
@@ -155,6 +155,17 @@ def scoutsuite_mapper puts options[:output].to_s end + desc 'asff_mapper', 'asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall' + long_desc Help.text(:asff_mapper) + option :json, required: true, banner: 'ASFF-FINDING-JSON', aliases: ['-i', '--input', '-j'] + option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o' + def asff_mapper + hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json])).to_hdf + File.write(options[:output], hdf) + puts "\rHDF Generated:\n" + puts options[:output].to_s + end + desc 'version', 'prints version' def version puts VERSION diff --git a/lib/heimdall_tools/help/asff_mapper.md b/lib/heimdall_tools/help/asff_mapper.md new file mode 100644 index 0000000..3706490 --- /dev/null +++ b/lib/heimdall_tools/help/asff_mapper.md @@ -0,0 +1,5 @@ + asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall + +Examples: + + heimdall_tools asff_mapper -i -o From 2a54c48e879a8a59f1784dff025c2534ecc40079 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 24 Jun 2021 17:56:08 -0400 Subject: [PATCH 02/20] incorporated feedback and also extended compatibility to 'findings' file not just individual finding Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 115 +++++++++++++++++------------- 1 file changed, 66 insertions(+), 49 deletions(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index de5fd38..37816b0 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb 
@@ -4,12 +4,10 @@ RESOURCE_DIR = Pathname.new(__FILE__).join('../../data') -# todo: remove all this nist mapping stuff or figure out alternative -SCOUTSUITE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'scoutsuite-nist-mapping.csv') +AWS_CONFIG_MAPPING_FILE = File.join(RESOURCE_DIR, 'aws-config-mapping.csv') -# todo: confirm if these seem like reasonable mappings IMPACT_MAPPING = { - CRITICAL: 1.0, + CRITICAL: 0.9, HIGH: 0.7, MEDIUM: 0.5, LOW: 0.3, @@ -42,21 +40,30 @@ module HeimdallTools class ASFFMapper def initialize(asff_json) begin - @scoutsuite_nist_mapping = parse_mapper + @aws_config_mapping = parse_mapper rescue StandardError => e - raise "Invalid Scout Suite to NIST mapping file:\nException: #{e}" + raise "Invalid AWS Config mapping file:\nException: #{e}" end begin - # TODO: support findings wrapper attribute - currently only expects a json object with just one control in it + asff_required_keys = %w(AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt) @report = JSON.parse(asff_json) + if @report.length == 1 && @report.member?('Findings') && @report['Findings'].each { |finding| asff_required_keys.difference(finding.keys).none? }.all? + # ideal case that is spec compliant + # might need to ensure that the file is utf-8 encoded and remove a BOM if one exists + elsif asff_required_keys.difference(@report.keys).none? + # individual finding so have to add wrapping array + @report = { 'Findings' => [@report] } + else + raise "Not a findings file nor an individual finding" + end rescue StandardError => e raise "Invalid ASFF file provided:\nException: #{e}" end end def parse_mapper - csv_data = CSV.read(SCOUTSUITE_NIST_MAPPING_FILE, { encoding: 'UTF-8', headers: true, header_converters: :symbol }) + csv_data = CSV.read(AWS_CONFIG_MAPPING_FILE, { encoding: 'UTF-8', headers: true, header_converters: :symbol }) csv_data.map(&:to_hash) end 
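Review bot: The findings-file check in `initialize` never evaluates the block result: `@report['Findings'].each { |finding| asff_required_keys.difference(finding.keys).none? }.all?` returns the array from `each`, and `all?` then only tests that each element is truthy, so a findings file whose entries lack required keys is accepted. Use `@report['Findings'].all? { |finding| asff_required_keys.difference(finding.keys).none? }` instead. Note that the custom `raise "Not a findings file nor an individual finding"` sits inside the same `begin`, so it is re-wrapped as `Invalid ASFF file provided:\nException: ...` — acceptable, but worth knowing when reading CLI output.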
@@ -68,26 +75,21 @@ def extract_scaninfo info = {} begin info['name'] = 'AWS Security Finding Format' - info['version'] = @report['SchemaVersion'] - info['title'] = "ASFF finding (#{@report['Id']}) on account #{@report['AwsAccountId']}" - info['target_id'] = "Id: #{@report['Id']} Account: #{@report['AwsAccountId']} Product: #{@report['ProductArn']} Generator: #{@report['GeneratorId']}" - info['summary'] = @report['Types'].join(',') - info['attributes'] = @report.map { |k,v| create_attribute(k, v) } # potential todo: contains duplicate info, so can do like a filter against items like schemaversion that already have a dedicated spot + info['title'] = "ASFF findings" info rescue StandardError => e raise "Error extracting report info from ASFF file:\nException: #{e}" end end - # todo: can't figure out mappings even after looking at aws_config mappings - def nist_tag - # entries = @scoutsuite_nist_mapping.select { |x| rule.eql?(x[:rule].to_s) && !x[:nistid].nil? } - # tags = entries.map { |x| x[:nistid].split('|') } - # tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq - DEFAULT_NIST_TAG + # default value unless it comes from aws and has a aws config rule + def nist_tag(detail) + entries = detail.member?('ProductFields') && detail['ProductFields'].member?('RelatedAWSResources:0/type') && detail['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule' && detail['ProductFields'].member?('RelatedAWSResources:0/name') ? @aws_config_mapping.select { |rule| detail['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] } : {} + tags = entries.map { |rule| rule[:nistid].split('|') } + tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq end - # potential todo: override with criticality if key exists? what about confidence? what about verificationstate? + # potential todo: override with criticality if key exists? def impact(severity) IMPACT_MAPPING[severity.to_sym] end 
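Review bot: `nist_tag` drops the nil guard the removed code had: `rule[:nistid].split('|')` raises NoMethodError for any mapping row whose `nistid` column is blank, and the no-match branch returns `{}` where an empty array is meant. Suggest `... ? @aws_config_mapping.select { |rule| ... } : []` together with `tags = entries.map { |rule| rule[:nistid] }.compact.map { |id| id.split('|') }`. The `include?` test is a substring match against the config rule name, so a short `awsconfigrulename` value in the CSV could match unrelated rules; an equality comparison, or a comment explaining why substring matching is required, would make the mapping's behaviour explicit. The long ternary would also read better as a guard clause on a `product_fields = detail['ProductFields']` local.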
@@ -96,56 +98,71 @@ def desc_tags(data, label) { data: data || NA_STRING, label: label || NA_STRING } end - # potential todo: recordstate - is it passing or skipped if the recordstate is archived (other option is active which is obv gonna be failed). what about compliance? - def findings + # requires compliance->status attribute to be there - spec says it's optional + def findings(detail) finding = {} - if (@report['Severity'].key?('Label') ? @report['Severity']['Label'] : @report['Severity']['Normalized']).eql? 'INFORMATIONAL' - finding['status'] = 'skipped' - finding['skip_message'] = 'Skipped because it is only informational' + if detail.key?('Compliance') && detail['Compliance'].key?('Status') + case detail['Compliance']['Status'] + when 'PASSED' + finding['status'] = 'passed' + finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] + when 'WARNING' + finding['status'] = 'skipped' + finding['skip_message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] + when 'FAILED' + finding['status'] = 'failed' + finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] + when 'NOT_AVAILABLE' + # require 'pry' + # binding.pry + finding['status'] = 'error' # todo: primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so 'error' might not be the correct status value at all times + finding['message'] = detail['Compliance'].key?('StatusReasons') ? 
detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] + else + finding['status'] = 'no_status' + finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] + end else - finding['status'] = 'failed' - finding['message'] = "Product #{@report['ProductArn']} created finding #{@report['Id']} based off of generator #{@report['GeneratorId']} for account #{@report['Id']}" + finding['status'] = 'no_status' + finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] end - finding['code_desc'] = @report['Title'] - finding['start_time'] = @report.key?('LastObservedAt') ? @report['LastObservedAt'] : @report['UpdatedAt'] + finding['code_desc'] = detail['Title'] + finding['start_time'] = detail.key?('LastObservedAt') ? detail['LastObservedAt'] : detail['UpdatedAt'] [finding] end def to_hdf controls = [] - printf("\rProcessing: %s", $spinner.next) + @report['Findings'].each do |detail| + printf("\rProcessing: %s", $spinner.next) - item = {} - item['id'] = @report['Id'] - item['title'] = @report['Title'] + item = {} + item['id'] = detail['Id'] + item['title'] = detail['Title'] - item['tags'] = { nist: nist_tag } + item['tags'] = { nist: nist_tag(detail) } - item['impact'] = impact(@report['Severity'].key?('Label') ? @report['Severity']['Label'] : @report['Severity']['Normalized']) # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. + item['impact'] = impact(detail['Severity'].key?('Label') ? detail['Severity']['Label'] : detail['Severity']['Normalized']) # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. 
other values can be in here too such as the original severity rating. - item['desc'] = @report['Description'] + item['desc'] = detail['Description'] - item['descriptions'] = [] - item['descriptions'] << desc_tags(@report['Remediation']['Recommendation'].map { |k,v| v }.join("\n"), 'fix') unless @report['Remediation'].nil? || @report['Remediation']['Recommendation'].nil? + item['descriptions'] = [] + item['descriptions'] << desc_tags(detail['Remediation']['Recommendation'].map { |k,v| v }.join("\n"), 'fix') unless detail['Remediation'].nil? || detail['Remediation']['Recommendation'].nil? - item['refs'] = [] - item['refs'] << @report['SourceUrl'] unless @report['SourceUrl'].nil? + item['refs'] = [] + item['refs'] << { url: detail['SourceUrl'] } unless detail['SourceUrl'].nil? - item['source_location'] = NA_HASH - item['code'] = NA_STRING + item['source_location'] = NA_HASH + item['code'] = JSON.pretty_generate(detail) - item['results'] = findings + item['results'] = findings(detail) - controls << item + controls << item + end scaninfo = extract_scaninfo results = HeimdallDataFormat.new(profile_name: scaninfo['name'], - version: scaninfo['version'], title: scaninfo['title'], - summary: scaninfo['summary'], - controls: controls, - target_id: scaninfo['target_id'], - attributes: scaninfo['attributes']) + controls: controls) results.to_hdf end end From 74d238bf9061075e65fb28c8b19fc3b9f1611a09 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 24 Jun 2021 18:35:10 -0400 Subject: [PATCH 03/20] added prowler mapper as wrapper around the asff one Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools.rb | 1 + lib/heimdall_tools/cli.rb | 11 +++++++++++ lib/heimdall_tools/help/prowler_mapper.md | 5 +++++ lib/heimdall_tools/prowler_mapper.rb | 7 +++++++ 4 files changed, 24 insertions(+) create mode 100644 lib/heimdall_tools/help/prowler_mapper.md create mode 100644 lib/heimdall_tools/prowler_mapper.rb 
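Review bot: The outer `else` branch of `findings` (reached when the finding has no `Compliance` key) still evaluates `detail['Compliance'].key?('StatusReasons')`, which raises NoMethodError on nil, so any finding without a Compliance block — optional per the spec, as the method's own comment notes — aborts the whole conversion. The StatusReasons-or-Title expression is also repeated six times; extracting it into a helper that tolerates a missing Compliance block fixes the crash and removes the duplication.
```ruby
# StatusReasons joined one per line, falling back to the finding title when absent.
def compliance_message(detail)
  compliance = detail['Compliance']
  return detail['Title'] unless compliance&.key?('StatusReasons')
  compliance['StatusReasons'].map(&:flatten).flatten.join("\n")
end

def findings(detail)
  finding = {}
  message = compliance_message(detail)
  if detail.key?('Compliance') && detail['Compliance'].key?('Status')
    # … unchanged: case on detail['Compliance']['Status'], assigning message (skip_message for WARNING) …
  else
    finding['status'] = 'no_status'
    finding['message'] = message
  end
  # … unchanged: code_desc / start_time …
  [finding]
end
```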
diff --git a/lib/heimdall_tools.rb b/lib/heimdall_tools.rb index 44f1d9f..028ef8c 100644 --- a/lib/heimdall_tools.rb +++ b/lib/heimdall_tools.rb @@ -20,4 +20,5 @@ module HeimdallTools autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper' autoload :XCCDFResultsMapper, 'heimdall_tools/xccdf_results_mapper' autoload :ASFFMapper, 'heimdall_tools/asff_mapper' + autoload :ProwlerMapper, 'heimdall_tools/prowler_mapper' end diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb index d411d98..feb6944 100644 --- a/lib/heimdall_tools/cli.rb +++ b/lib/heimdall_tools/cli.rb @@ -166,6 +166,17 @@ def asff_mapper puts options[:output].to_s end + desc 'prowler_mapper', 'prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall' + long_desc Help.text(:prowler_mapper) + option :json, required: true, banner: 'PROWLER-ASFF-JSON', aliases: ['-i', '--input', '-j'] + option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o' + def prowler_mapper + hdf = HeimdallTools::ProwlerMapper.new(File.read(options[:json])).to_hdf + File.write(options[:output], hdf) + puts "\rHDF Generated:\n" + puts options[:output].to_s + end + desc 'version', 'prints version' def version puts VERSION diff --git a/lib/heimdall_tools/help/prowler_mapper.md b/lib/heimdall_tools/help/prowler_mapper.md new file mode 100644 index 0000000..aa687e4 --- /dev/null +++ b/lib/heimdall_tools/help/prowler_mapper.md @@ -0,0 +1,5 @@ + prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall + +Examples: + + heimdall_tools prowler_mapper -i -o diff --git a/lib/heimdall_tools/prowler_mapper.rb b/lib/heimdall_tools/prowler_mapper.rb new file mode 100644 index 0000000..ef93937 --- /dev/null +++ b/lib/heimdall_tools/prowler_mapper.rb 
@@ -0,0 +1,7 @@ +module HeimdallTools + class ProwlerMapper < ASFFMapper + def initialize(prowler_asff_json) + super("{ \"Findings\": [#{prowler_asff_json.split("\n").join(',')}]}") + end + end +end From 4f7d76af4598114492445e3c8d9a0f018a81010c Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 29 Jun 2021 20:03:06 -0400 Subject: [PATCH 04/20] modified to group by title tag Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 43 ++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 6 deletions(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index 37816b0..736b30a 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb @@ -113,8 +113,6 @@ def findings(detail) finding['status'] = 'failed' finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] when 'NOT_AVAILABLE' - # require 'pry' - # binding.pry finding['status'] = 'error' # todo: primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so 'error' might not be the correct status value at all times finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title'] else @@ -131,13 +129,13 @@ def findings(detail) end def to_hdf - controls = [] + title_groups = {} @report['Findings'].each do |detail| printf("\rProcessing: %s", $spinner.next) item = {} - item['id'] = detail['Id'] - item['title'] = detail['Title'] + item['id'] = detail['Title'] # intentionally swapped in order to group findings by title (with same-title findings becoming subtests) + item['title'] = detail['Id'] item['tags'] = { nist: nist_tag(detail) } 
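Review bot: `ProwlerMapper#initialize` splices raw input lines into a JSON document by string concatenation, so a blank line anywhere in the input produces an empty array element (`,,`) and the parse in `ASFFMapper#initialize` fails with the generic "Invalid ASFF file" message. Dropping empty lines first keeps the wrapper a one-liner: `super("{ \"Findings\": [#{prowler_asff_json.lines.map(&:strip).reject(&:empty?).join(',')}]}")`. A UTF-8 BOM at the start of the file, which the parent class comment already raises as a possibility, would also land inside the array literal here.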
@@ -156,7 +154,40 @@ def to_hdf item['results'] = findings(detail) - controls << item + title_groups[detail['Title']] = [] if title_groups[detail['Title']].nil? + title_groups[detail['Title']] << item + end + + controls = [] + title_groups.each do |title, details| + printf("\rProcessing: %s", $spinner.next) + + if details.one? + controls << details[0] + else + item = {} + item['id'] = title # todo: this still looks gigabad + # require 'pry' + # binding.pry + item['title'] = details.map { |d| d['title'] }.uniq.join("\n") + + item['tags'] = { nist: details.map { |d| d['tags'][:nist] }.flatten.uniq } + + item['impact'] = details.map { |d| d['impact'] }.max + + item['desc'] = details.map { |d| d['desc'] }.uniq.join("\n") + + item['descriptions'] = details.map { |d| d['descriptions'] }.flatten.compact.reject(&:empty?).uniq + + item['refs'] = details.map { |d| d['refs'] }.flatten.compact.reject(&:empty?).uniq + + item['source_location'] = NA_HASH + item['code'] = "{ \"Findings\": [\n#{details.map { |d| d['code'] }.uniq.join(",\n")}\n]\n}" # todo: fix up the formatting some more - ex. findings key should be on new line + + item['results'] = details.map { |d| d['results'] }.flatten.uniq + + controls << item + end end scaninfo = extract_scaninfo From ace40616465e0f739ad4d141f719a5be179a4ce9 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 30 Jun 2021 12:38:31 -0400 Subject: [PATCH 05/20] asff file does not contain accurate severity information. for now setting 'informational' to 'medium'. Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index 736b30a..460add3 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb 
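Review bot: `details.map { |d| d['impact'] }.max` raises ArgumentError ("comparison of NilClass with Float failed") as soon as one grouped finding carries a nil impact, which `impact` returns for any severity label outside IMPACT_MAPPING; `compact` before `max`, or a non-nil impact upstream, is needed. `details.map { |d| d['results'] }.flatten.uniq` can also merge distinct findings: each result's `code_desc` is the shared Title and `message` defaults to the Title, so two resources with the same status and timestamp collapse into one result and the affected resource is no longer visible. Including a resource identifier (e.g. from `detail['Resources']`, or `detail['Id']`) in `code_desc` inside `findings` would keep them apart. The `title_groups[...] = [] if ... .nil?` pair is `title_groups = Hash.new { |h, k| h[k] = [] }` in idiomatic form.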
@@ -89,9 +89,13 @@ def nist_tag(detail) tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq end - # potential todo: override with criticality if key exists? + # asff file does not contain accurate severity information. for now setting informational to medium. def impact(severity) - IMPACT_MAPPING[severity.to_sym] + if severity == 'INFORMATIONAL' + IMPACT_MAPPING[:MEDIUM] + else + IMPACT_MAPPING[severity.to_sym] + end end def desc_tags(data, label) From f768f56491e2ae76ead062220c03dc88ab8e4c10 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 30 Jun 2021 12:38:58 -0400 Subject: [PATCH 06/20] misread spec for severity - normalized is an int so treat accordingly Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index 460add3..095c10c 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb @@ -143,7 +143,7 @@ def to_hdf item['tags'] = { nist: nist_tag(detail) } - item['impact'] = impact(detail['Severity'].key?('Label') ? detail['Severity']['Label'] : detail['Severity']['Normalized']) # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. + item['impact'] = detail['Severity'].key?('Label') ? impact(detail['Severity']['Label']) : detail['Severity']['Normalized']/100.0 # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. item['desc'] = detail['Description'] From 55a02a74bb6049f0f90873059b30977e59c487e7 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 12 Jul 2021 00:23:07 -0400 Subject: [PATCH 07/20] initial integration with additional context files for standards 
Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 52 ++++++++++++++++++++----------- lib/heimdall_tools/cli.rb | 18 ++++++----- 2 files changed, 44 insertions(+), 26 deletions(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index 095c10c..2024839 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb @@ -38,7 +38,8 @@ module HeimdallTools class ASFFMapper - def initialize(asff_json) + # the optional arguments are derived from AWS cli commands (get-enabled-standards and describe-standards) and probably only work AWS ASFF files + def initialize(asff_json, enabled_standards_json = nil, standards_json_array = nil) begin @aws_config_mapping = parse_mapper rescue StandardError => e @@ -57,6 +58,11 @@ def initialize(asff_json) else raise "Not a findings file nor an individual finding" end + + enabled = JSON.parse(enabled_standards_json) unless enabled_standards_json.nil? + standards_array = standards_json_array.map { |j| JSON.parse(j) } unless standards_json_array.nil? + @standards = enabled['StandardsSubscriptions'].to_h { |s| [s['StandardsSubscriptionArn'], standards_array.find { |st| st['Controls'][0]['StandardsControlArn'].include?(s['StandardsSubscriptionArn'].gsub(':subscription', ':control')) }] }.compact unless enabled.nil? + rescue StandardError => e raise "Invalid ASFF file provided:\nException: #{e}" end 
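Review bot: The standards parsing added at the end of `initialize` runs inside the `begin` whose rescue reports "Invalid ASFF file provided", so a malformed `--enabled`/`--standard` file — or `enabled_standards_json` given without `standards_json_array`, where `standards_array` is nil and `standards_array.find` raises — is blamed on the ASFF input. Moving those three lines into their own `begin ... rescue StandardError => e` with `raise "Invalid standards files provided:\nException: #{e}"` points the CLI error at the right file. `find` returns nil when no standard's first control matches the rewritten subscription ARN and `compact` then drops that entry silently, so a standard that never matches is indistinguishable from one that was not supplied; a warning there would help. `initialize` begins before this hunk.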
@@ -89,12 +95,22 @@ def nist_tag(detail) tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq end - # asff file does not contain accurate severity information. for now setting informational to medium. - def impact(severity) - if severity == 'INFORMATIONAL' - IMPACT_MAPPING[:MEDIUM] + def impact(detail) + if @standards.nil? || !detail.member?('ProductFields') || !(detail['ProductFields'].member?('StandardsSubscriptionArn') || detail['ProductFields'].member?('StandardsGuideSubscriptionArn')) + # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. + if detail['Severity'].key?('Label') + severity = detail['Severity']['Label'] + # asff file does not contain accurate severity information - when additional context, i.e. standards, is not provided, set informational to medium. + if severity == 'INFORMATIONAL' + IMPACT_MAPPING[:MEDIUM] + else + IMPACT_MAPPING[severity.to_sym] + end + else + detail['Severity']['Normalized']/100.0 + end else - IMPACT_MAPPING[severity.to_sym] + IMPACT_MAPPING[@standards[detail['ProductFields'][detail['ProductFields'].member?('StandardsSubscriptionArn') ? 'StandardsSubscriptionArn' : 'StandardsGuideSubscriptionArn']]['Controls'].find { |c| c['StandardsControlArn'] == detail['ProductFields']['StandardsControlArn'] }['SeverityRating'].to_sym] end end 
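Review bot: The standards branch of `impact` dereferences three lookups that can each be nil: `@standards[...]` when the finding's subscription ARN is not among the enabled standards (or was dropped by `compact` in `initialize`), `find { ... }` when no control ARN matches, and `IMPACT_MAPPING[...]` when `SeverityRating` is not a mapped label; the first two raise NoMethodError and the third silently yields a nil impact. Resolving the rating with `dig`/safe navigation and falling back to the Label/Normalized path when it is absent keeps a partial standards file from aborting the whole run.
```ruby
def impact(detail)
  rating = standards_severity(detail)
  return IMPACT_MAPPING[rating.to_sym] if rating && IMPACT_MAPPING.key?(rating.to_sym)
  # … unchanged: Label / Normalized based severity …
end

# SeverityRating from the enabled standard's matching control, or nil when any link is missing.
def standards_severity(detail)
  fields = detail['ProductFields']
  return nil if @standards.nil? || fields.nil?
  arn_key = fields.key?('StandardsSubscriptionArn') ? 'StandardsSubscriptionArn' : 'StandardsGuideSubscriptionArn'
  controls = @standards.dig(fields[arn_key], 'Controls') || []
  controls.find { |c| c['StandardsControlArn'] == fields['StandardsControlArn'] }&.dig('SeverityRating')
end
```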
@@ -138,25 +154,25 @@ def to_hdf printf("\rProcessing: %s", $spinner.next) item = {} - item['id'] = detail['Title'] # intentionally swapped in order to group findings by title (with same-title findings becoming subtests) - item['title'] = detail['Id'] + item['id'] = detail['Title'] # intentionally swapped in order to group findings by title (with same-title findings becoming subtests) + item['title'] = detail['Id'] - item['tags'] = { nist: nist_tag(detail) } + item['tags'] = { nist: nist_tag(detail) } - item['impact'] = detail['Severity'].key?('Label') ? impact(detail['Severity']['Label']) : detail['Severity']['Normalized']/100.0 # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. + item['impact'] = impact(detail) - item['desc'] = detail['Description'] + item['desc'] = detail['Description'] - item['descriptions'] = [] - item['descriptions'] << desc_tags(detail['Remediation']['Recommendation'].map { |k,v| v }.join("\n"), 'fix') unless detail['Remediation'].nil? || detail['Remediation']['Recommendation'].nil? + item['descriptions'] = [] + item['descriptions'] << desc_tags(detail['Remediation']['Recommendation'].map { |k,v| v }.join("\n"), 'fix') unless detail['Remediation'].nil? || detail['Remediation']['Recommendation'].nil? - item['refs'] = [] - item['refs'] << { url: detail['SourceUrl'] } unless detail['SourceUrl'].nil? + item['refs'] = [] + item['refs'] << { url: detail['SourceUrl'] } unless detail['SourceUrl'].nil? - item['source_location'] = NA_HASH - item['code'] = JSON.pretty_generate(detail) + item['source_location'] = NA_HASH + item['code'] = JSON.pretty_generate(detail) - item['results'] = findings(detail) + item['results'] = findings(detail) title_groups[detail['Title']] = [] if title_groups[detail['Title']].nil? title_groups[detail['Title']] << item 
diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb index feb6944..b1a502e 100644 --- a/lib/heimdall_tools/cli.rb +++ b/lib/heimdall_tools/cli.rb @@ -70,7 +70,7 @@ def nessus_mapper option :output_prefix, required: true, aliases: '-o' def snyk_mapper hdfs = HeimdallTools::SnykMapper.new(File.read(options[:json]), options[:name]).to_hdf - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" hdfs.each_key do |host| File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host]) puts "#{options[:output_prefix]}-#{host}.json" @@ -84,7 +84,7 @@ def snyk_mapper def nikto_mapper hdf = HeimdallTools::NiktoMapper.new(File.read(options[:json])).to_hdf File.write(options[:output], hdf) - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" puts options[:output].to_s end @@ -95,7 +95,7 @@ def nikto_mapper def jfrog_xray_mapper hdf = HeimdallTools::JfrogXrayMapper.new(File.read(options[:json])).to_hdf File.write(options[:output], hdf) - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" puts options[:output].to_s end @@ -106,7 +106,7 @@ def jfrog_xray_mapper def dbprotect_mapper hdf = HeimdallTools::DBProtectMapper.new(File.read(options[:xml])).to_hdf File.write(options[:output], hdf) - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" puts options[:output].to_s end @@ -117,7 +117,7 @@ def dbprotect_mapper def aws_config_mapper hdf = HeimdallTools::AwsConfigMapper.new(options[:custom_mapping]).to_hdf File.write(options[:output], hdf) - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" puts options[:output].to_s end @@ -128,7 +128,7 @@ def aws_config_mapper def netsparker_mapper hdf = HeimdallTools::NetsparkerMapper.new(File.read(options[:xml])).to_hdf File.write(options[:output], hdf) - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" puts options[:output].to_s end 
@@ -140,7 +140,7 @@ def netsparker_mapper def sarif_mapper hdf = HeimdallTools::SarifMapper.new(File.read(options[:json])).to_hdf File.write(options[:output], hdf) - puts "\r\HDF Generated:\n" + puts "\rHDF Generated:\n" puts options[:output].to_s end @@ -158,9 +158,11 @@ def scoutsuite_mapper desc 'asff_mapper', 'asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall' long_desc Help.text(:asff_mapper) option :json, required: true, banner: 'ASFF-FINDING-JSON', aliases: ['-i', '--input', '-j'] + option :enabled, required: false, banner: 'ASFF-ENABLED-STANDARDS-JSON', aliases: ['-e', '--input-enabled-standards'] + option :standard, required: false, type: :array, banner: 'ASFF-STANDARD-JSON', aliases: ['-s', '--input-standard'] option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o' def asff_mapper - hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json])).to_hdf + hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json]), options[:enabled].nil? ? nil : File.read(options[:enabled]), options[:standard].empty? ? nil : options[:standard].map { |filename| File.read(filename) }).to_hdf File.write(options[:output], hdf) puts "\rHDF Generated:\n" puts options[:output].to_s From 59da3497d48b10c0f462c9d780b0fd7f693d6a0b Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 12 Jul 2021 01:45:25 -0400 Subject: [PATCH 08/20] wip: parity to security hub Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 51 ++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index 2024839..36c7573 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb 
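Review bot: `options[:standard].empty?` raises NoMethodError when `--standard` is not passed, since a Thor option declared `required: false` with no `default` is presumably absent from `options` (moot if Thor fills array options with `[]`), which would turn the newly optional flag into a mandatory one. `Array(options[:standard])` covers both cases: `standards = Array(options[:standard]).map { |filename| File.read(filename) }` and then pass `standards.empty? ? nil : standards`. Pulling the three `File.read` calls onto their own lines would also make the constructor call readable.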
@@ -96,7 +96,10 @@ def nist_tag(detail)
 end
 def impact(detail)
- if @standards.nil? || !detail.member?('ProductFields') || !(detail['ProductFields'].member?('StandardsSubscriptionArn') || detail['ProductFields'].member?('StandardsGuideSubscriptionArn'))
+ # there can be findings listed that are intentionally ignored due to the underlying control being superceded by a control from a different standard
+ if detail.member?('Workflow') && detail['Workflow'].member?('Status') && detail['Workflow']['Status'] == 'SUPPRESSED'
+ IMPACT_MAPPING[:INFORMATIONAL]
+ elsif @standards.nil? || !detail.member?('ProductFields') || !(detail['ProductFields'].member?('StandardsSubscriptionArn') || detail['ProductFields'].member?('StandardsGuideSubscriptionArn'))
 # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating.
 if detail['Severity'].key?('Label')
 severity = detail['Severity']['Label']
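Review bot: The new SUPPRESSED branch returns `IMPACT_MAPPING[:INFORMATIONAL]` before the standards lookup, so a suppressed finding is still emitted with its Compliance status but with impact 0.0; that is defensible, but the comment should state it, because any downstream filter on impact will hide suppressed failures and a reader of the HDF cannot tell "informational" from "suppressed". The three-part guard can be written `if detail.dig('Workflow', 'Status') == 'SUPPRESSED'`, which behaves the same when either key is missing. `superceded` in the added comment should read `superseded`. The body of `impact` continues outside the hunk.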
@@ -125,37 +128,49 @@ def findings(detail)
 case detail['Compliance']['Status']
 when 'PASSED'
 finding['status'] = 'passed'
- finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title']
+ finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 when 'WARNING'
 finding['status'] = 'skipped'
- finding['skip_message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title']
+ finding['skip_message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 when 'FAILED'
 finding['status'] = 'failed'
- finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title']
+ finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 when 'NOT_AVAILABLE'
- finding['status'] = 'error' # todo: primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so 'error' might not be the correct status value at all times
- finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title']
+ finding['status'] = 'skipped' # primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so technically 'skipped' or 'error' could be applicable, but AWS seems to do the equivalent of skipped
+ finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 else
 finding['status'] = 'no_status'
- finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title']
+ finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 end
 else
 finding['status'] = 'no_status'
- finding['message'] = detail['Compliance'].key?('StatusReasons') ? detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") : detail['Title']
+ finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 end
 finding['code_desc'] = detail['Title']
 finding['start_time'] = detail.key?('LastObservedAt') ? detail['LastObservedAt'] : detail['UpdatedAt']
 [finding]
 end
+ # todo: create aws submapper like prowler but this one gets the raw data from aws directly
+ # todo: verify if prowler still works and add the id thing to each finding which is to extract [textNUMBER] from the title text
+ # todo: finding id + resources->type and id as the subtest title thingy if they exists
 def to_hdf
- title_groups = {}
+ id_groups = {}
 @report['Findings'].each do |detail|
 printf("\rProcessing: %s", $spinner.next)
 item = {}
- item['id'] = detail['Title'] # intentionally swapped in order to group findings by title (with same-title findings becoming subtests)
- item['title'] = detail['Id']
+ item['id'] = if detail.member?('ProductFields') && detail['ProductFields'].member?('ControlId')
+ detail['ProductFields']['ControlId']
+ elsif detail.member?('ProductFields') && detail['ProductFields'].member?('RuleId')
+ detail['ProductFields']['RuleId']
+ elsif detail.member?('ProductFields') && detail['ProductFields'].member?('MITRESAFHDFId') # for our custom mappers
+ detail['ProductFields']['MITRESAFHDFId']
+ else
+ detail['Title'] # subfindings are grouped based on id so using the ideal case if it's there otherwise the guaranteed attribute
+ end
+ item['title'] = "Finding id: #{detail['Id']}; Resources: [#{detail['Resources'].map { |r| "Type: #{r['Type']}, Id: #{r['Id']}" }.join(', ') }]"
+ item['Title'] = detail['Title']
 item['tags'] = { nist: nist_tag(detail) }
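Review bot: The expression `detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')` is now repeated six times in `findings`, and `unless !` is a double negative that should read `if`; extract one helper and call it from each branch. With the helper each branch becomes `message = status_reasons_message(detail)` followed by `finding['message'] = message unless message.nil?` (`skip_message` for WARNING), which keeps the hunk's behaviour of leaving the key unset when StatusReasons is absent. In `to_hdf`, the three `detail.member?('ProductFields') && detail['ProductFields'].member?(...)` checks read more simply as `detail.dig('ProductFields', 'ControlId')` and so on. `to_hdf` continues past the end of the hunk.
```ruby
# Joins the ReasonCode/Description pairs of every Compliance.StatusReasons entry
# into one newline-separated string; nil when the finding carries no StatusReasons.
def status_reasons_message(detail)
  return nil unless detail['Compliance'].key?('StatusReasons')

  detail['Compliance']['StatusReasons'].map(&:flatten).flatten.join("\n")
end

# … unchanged: findings(detail), each branch now calling status_reasons_message …
```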
@@ -174,22 +189,22 @@ def to_hdf
 item['results'] = findings(detail)
- title_groups[detail['Title']] = [] if title_groups[detail['Title']].nil?
- title_groups[detail['Title']] << item
+ id_groups[item['id']] = [] if id_groups[item['id']].nil?
+ id_groups[item['id']] << item
 end
 controls = []
- title_groups.each do |title, details|
+ id_groups.each do |id, details|
 printf("\rProcessing: %s", $spinner.next)
 if details.one?
- controls << details[0]
+ controls << details[0] # not sure what to do to get the titles working properly cause there's no title attribute for a subfinding so these ones get the finding/resource thing and no actual title whereas the ones with multiple subfindings get a title but no finding/resources
 else
 item = {}
- item['id'] = title # todo: this still looks gigabad
- # require 'pry'
+ item['id'] = id
+ # require 'pry' # todo: remove
 # binding.pry
- item['title'] = details.map { |d| d['title'] }.uniq.join("\n")
+ item['title'] = details.map { |d| d['Title'] }.uniq.join("\n")
 item['tags'] = { nist: details.map { |d| d['tags'][:nist] }.flatten.uniq }
From 63550be3612dfb9ed059b4d101c13f2df8e77f35 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 12 Jul 2021 14:00:31 -0400
Subject: [PATCH 09/20] fixed title
Signed-off-by: Amndeep Singh Mann
---
 lib/heimdall_tools/asff_mapper.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb
index 36c7573..2dc178a 100644
--- a/lib/heimdall_tools/asff_mapper.rb
+++ b/lib/heimdall_tools/asff_mapper.rb
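Review bot: `# require 'pry' # todo: remove` and `# binding.pry` are debugger hooks left in `to_hdf`; commented out they are harmless, but an accidental uncomment would stop the mapper on an interactive prompt when it runs in CI or on a server, so they should be deleted rather than annotated. The grouping idiom `id_groups[item['id']] = [] if id_groups[item['id']].nil?` followed by `id_groups[item['id']] << item` is the standard `(id_groups[item['id']] ||= []) << item`, or `id_groups = Hash.new { |h, k| h[k] = [] }` at the declaration. The long trailing comment on `controls << details[0]` records an open design question and belongs in a `# TODO:` so it is tracked. `to_hdf` starts and ends outside the hunk.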
@@ -146,7 +146,7 @@ def findings(detail)
 finding['status'] = 'no_status'
 finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons')
 end
- finding['code_desc'] = detail['Title']
+ finding['code_desc'] = "Resources: [#{detail['Resources'].map { |r| "Type: #{r['Type']}, Id: #{r['Id']}" }.join(', ') }]"
 finding['start_time'] = detail.key?('LastObservedAt') ? detail['LastObservedAt'] : detail['UpdatedAt']
 [finding]
 end
@@ -169,8 +169,7 @@ def to_hdf
 else
 detail['Title'] # subfindings are grouped based on id so using the ideal case if it's there otherwise the guaranteed attribute
 end
- item['title'] = "Finding id: #{detail['Id']}; Resources: [#{detail['Resources'].map { |r| "Type: #{r['Type']}, Id: #{r['Id']}" }.join(', ') }]"
- item['Title'] = detail['Title']
+ item['title'] = detail['Title']
 item['tags'] = { nist: nist_tag(detail) }
@@ -204,7 +203,7 @@ def to_hdf
 item['id'] = id
 # require 'pry' # todo: remove
 # binding.pry
- item['title'] = details.map { |d| d['Title'] }.uniq.join("\n")
+ item['title'] = details.map { |d| d['title'] }.uniq.join("\n")
 item['tags'] = { nist: details.map { |d| d['tags'][:nist] }.flatten.uniq }
From a38f0edfa68fe653a14865443c0c1332338e1fd3 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Thu, 5 Aug 2021 00:15:04 -0400
Subject: [PATCH 10/20] pre-review finished prowler and asff mappers
Signed-off-by: Amndeep Singh Mann --- .github/workflows/build.yml | 12 + README.md | 142 +++-- heimdall_tools.gemspec | 6 +- .../firewall_manager.rb | 11 + .../asff_compatible_products/prowler.rb | 19 + .../asff_compatible_products/securityhub.rb | 80 +++ lib/heimdall_tools/asff_mapper.rb | 285 +++++---- lib/heimdall_tools/cli.rb | 5 +- lib/heimdall_tools/help/asff_mapper.md | 1 + lib/heimdall_tools/prowler_mapper.rb | 3 +- sample_jsons/asff_mapper/asff_hdf.json | 1 + .../sample_input_jsons/asff_sample.json | 145 +++++ .../sample_input_jsons/aws_cis_standard.json | 563 ++++++++++++++++++ sample_jsons/prowler_mapper/prowler_hdf.json | 1 + .../prowler_sample.asff-json | 10 + 15 files changed, 1083 insertions(+), 201 deletions(-) create mode 100644 lib/heimdall_tools/asff_compatible_products/firewall_manager.rb create mode 100644 lib/heimdall_tools/asff_compatible_products/prowler.rb create mode 100644 lib/heimdall_tools/asff_compatible_products/securityhub.rb create mode 100644 sample_jsons/asff_mapper/asff_hdf.json create mode 100644 sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json create mode 100644 sample_jsons/asff_mapper/sample_input_jsons/aws_cis_standard.json create mode 100644 sample_jsons/prowler_mapper/prowler_hdf.json create mode 100644 sample_jsons/prowler_mapper/sample_input_jsons/prowler_sample.asff-json diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fea7215..2b3a94a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -86,3 +86,15 @@ jobs:
 jq 'del(.version, .platform.release)' scoutsuite_output.json > scoutsuite_output_jq.json
 jq 'del(.version, .platform.release)' ./sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json > scoutsuite_sample.json
 diff scoutsuite_sample.json scoutsuite_output_jq.json
+ - name: Test asff mapper
+ run: |
+ heimdall_tools asff_mapper -i ./sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json --sh ./sample_jsons/asff_mapper/sample_input_jsons/aws_cis_standard.json -o asff_output.json
+ jq 'del(.version, .platform.release)' asff_output.json > asff_output_jq.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/asff_mapper/asff_hdf.json > asff_sample.json
+ diff asff_sample.json asff_output_jq.json
+ - name: Test prowler mapper
+ run: |
+ heimdall_tools prowler_mapper -i ./sample_jsons/prowler_mapper/sample_input_jsons/prowler_sample.asff-json -o prowler_output.json
+ jq 'del(.version, .platform.release)' prowler_output.json > prowler_output_jq.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/prowler_mapper/prowler_hdf.json > prowler_sample.json
+ diff prowler_sample.json prowler_output_jq.json
diff --git a/README.md b/README.md
index feacff2..032791d 100644
--- a/README.md
+++ b/README.md
@@ -5,20 +5,22 @@ HeimdallTools supplies several methods to convert output from various tools to "Heimdall Data Format"(HDF) format to be viewable in Heimdall. The current converters are: -1. [**aws_config_mapper**](#aws_config_mapper) - assess, audit, and evaluate AWS resources -1. [**burpsuite_mapper**](#burpsuite_mapper) - commercial dynamic analysis tool -1. [**dbprotect_mapper**](#dbprotect_mapper) - database vulnerability scanner -1. [**fortify_mapper**](#fortify_mapper) - commercial static code analysis tool -1. [**jfrog_xray_mapper**](#jfrog_xray_mapper) - package vulnerability scanner -1. [**nessus_mapper**](#nessus_mapper) - commercial security scanner (supports compliance and vulnerability scans from Tenable.sc and Tenable.io) -1. [**netsparker_mapper**](#netsparker_mapper) - web application security scanner -1. [**nikto_mapper**](#nikto_mapper) - open-source web server scanner -1. [**sarif_mapper**](#sarif_mapper) - static analysis results interchange format +1. [**asff_mapper**](#asff_mapper) - custom findings format for AWS Security Hub +1. [**aws_config_mapper**](#aws_config_mapper) - assess, audit, and evaluate AWS resources +1. [**burpsuite_mapper**](#burpsuite_mapper) - commercial dynamic analysis tool +1. [**dbprotect_mapper**](#dbprotect_mapper) - database vulnerability scanner +1. [**fortify_mapper**](#fortify_mapper) - commercial static code analysis tool +1. [**jfrog_xray_mapper**](#jfrog_xray_mapper) - package vulnerability scanner +1. [**nessus_mapper**](#nessus_mapper) - commercial security scanner (supports compliance and vulnerability scans from Tenable.sc and Tenable.io) +1. [**netsparker_mapper**](#netsparker_mapper) - web application security scanner +1. [**nikto_mapper**](#nikto_mapper) - open-source web server scanner +1. [**prowler_mapper**](#prowler_mapper) - assess, audit, harden, and facilitate incidence response for AWS resources +1. [**sarif_mapper**](#sarif_mapper) - static analysis results interchange format 1. 
[**scoutsuite_mapper**](#scoutsuite_mapper) - multi-cloud security auditing tool 1. [**snyk_mapper**](#snyk_mapper) - commercial package vulnerability scanner 1. [**sonarqube_mapper**](#sonarqube_mapper) - open-source static code analysis tool 1. [**xccdf_results_mapper**](#xccdf_results_mapper) - extensible configuration checklist description results format -1. [*scc_mapper](#xccdf_results_mapper) - scap compliance checker format +1. [**scc_mapper**](#xccdf_results_mapper) - scap compliance checker format 1. [**zap_mapper**](#zap_mapper) - OWASP ZAP - open-source dynamic code analysis tool ## Want to recommend a mapper for another tool? Please use these steps: 
@@ -84,6 +86,27 @@ For Docker usage, replace the `heimdall_tools` command with the correct Docker c Note that all of the above Docker commands will mount your current directory on the Docker container. Ensure that you have navigated to the directory you intend to convert files in before executing the command. +## asff_mapper + +asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall + +Note: The following commands are examples to extract data via the AWS CLI that need to be fed to the mapper: + +Output|Use|Command +---|---|--- +ASFF json|All the findings that will be fed into the mapper|aws securityhub get-findings > asff.json +AWS SecurityHub enabled standards json|Get all the enabled standards so you can get their identifiers|aws securityhub get-enabled-standards > asff_standards.json +AWS SecurityHub standard controls json|Get all the controls for a standard that will be fed into the mapper|aws securityhub describe-standards-controls --standards-subscription-arn "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0" > asff_cis_standard.json + + USAGE: heimdall_tools asff_mapper -i [--sh ... ] -o + + FLAGS: + -i --input -j --json : path to ASFF findings file. + --sh --securityhub-standards --input-securityhub-standards : array of paths to AWS SecurityHub standard files. + -o --output : path to output scan-results json. + + example: heimdall_tools asff_mapper -i asff_findings.json --sh aws_standard.json cis_standard.json -o asff_hdf.json + ## aws_config_mapper aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format json to be viewable in Heimdall 
@@ -99,8 +122,8 @@ aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results i USAGE: heimdall_tools aws_config_mapper [OPTIONS] -o FLAGS: - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools aws_config_mapper -o aws_config_results_hdf.json @@ -111,9 +134,9 @@ burpsuite_mapper translates an BurpSuite Pro exported XML results file into HDF USAGE: heimdall_tools burpsuite_mapper [OPTIONS] -x -o FLAGS: - -x : path to BurpSuitePro exported XML results file. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -x : path to BurpSuitePro exported XML results file. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools burpsuite_mapper -x burpsuite_results.xml -o scan_results.json @@ -124,9 +147,9 @@ dbprotect_mapper translates DBProtect report in `Check Results Details` format X USAGE: heimdall_tools dbprotect_mapper [OPTIONS] -x -o FLAGS: - -x : path to DBProtect report XML file. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -x : path to DBProtect report XML file. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools dbprotect_mapper -x check_results_details_report.xml -o db_protect_hdf.json @@ -137,9 +160,9 @@ fortify_mapper translates an Fortify results FVDL file into HDF format json to b USAGE: heimdall_tools fortify_mapper [OPTIONS] -f -o FLAGS: - -f --fvdl : path to Fortify Scan FVDL file. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -f --fvdl : path to Fortify Scan FVDL file. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools fortify_mapper -f audit.fvdl -o scan_results.json 
@@ -150,9 +173,9 @@ jfrog_xray_mapper translates an JFrog Xray results JSON file into HDF format JSO USAGE: heimdall_tools jfrog_xray_mapper [OPTIONS] -j -o FLAGS: - -j : path to xray results JSON file. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -j : path to xray results JSON file. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools jfrog_xray_mapper -j xray_results.json -o xray_results_hdf.json @@ -166,9 +189,9 @@ Note: A separate HDF JSON file is generated for each host reported in the Nessus USAGE: heimdall_tools nessus_mapper [OPTIONS] -x -o FLAGS: - -x : path to Nessus-exported XML results file. - -o --output_prefix : path to output scan-results json. - -V --verbose : verbose run [optional]. + -x : path to Nessus-exported XML results file. + -o --output_prefix : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools nessus_mapper -x nessus-results.xml -o test-env @@ -181,9 +204,9 @@ The current iteration only works with Netsparker Enterprise Vulnerabilities Scan USAGE: heimdall_tools netsparker_mapper [OPTIONS] -x -o FLAGS: - -x : path to netsparker results XML file. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -x : path to netsparker results XML file. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools netsparker_mapper -x netsparker_results.xml -o netsparker_hdf.json 
@@ -196,12 +219,26 @@ Note: Current this mapper only support single target Nikto Scans. USAGE: heimdall_tools nikto_mapper [OPTIONS] -x -o FLAGS: - -j : path to Nikto results JSON file. - -o --output_prefix : path to output scan-results json. - -V --verbose : verbose run [optional]. + -j : path to Nikto results JSON file. + -o --output_prefix : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools nikto_mapper -j nikto_results.json -o nikto_results.json +## prowler_mapper + +prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall + +Note: Currently this mapper only supports Prowler's ASFF output format. + + USAGE: heimdall_tools prowler_mapper -i -o + + FLAGS: + -i --input -j --json : path to Prowler ASFF findings file. + -o --output : path to output scan-results json. + + example: heimdall_tools prowler_mapper -i prowler_results.js -o prowler_hdf.json + ## sarif_mapper sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall @@ -209,9 +246,9 @@ sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in USAGE: heimdall_tools sarif_mapper [OPTIONS] -j -o FLAGS: - -j : path to SARIF results JSON file. - -o --output_prefix : path to output scan-results json. - -V --verbose : verbose run [optional]. + -j : path to SARIF results JSON file. + -o --output_prefix : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools sarif_mapper -j sarif_results.json -o sarif_results_hdf.json 
@@ -224,8 +261,8 @@ Note: Currently this mapper only supports AWS. USAGE: heimdall_tools scoutsuite_mapper -i -o FLAGS: - -i --input -j --javascript : path to Scout Suite results Javascript file. - -o --output : path to output scan-results json. + -i --input -j --javascript : path to Scout Suite results Javascript file. + -o --output : path to output scan-results json. example: heimdall_tools scoutsuite_mapper -i scoutsuite_results.js -o scoutsuite_hdf.json @@ -238,9 +275,9 @@ Note: A separate HDF JSON is generated for each project reported in the Snyk Rep USAGE: heimdall_tools snyk_mapper [OPTIONS] -x -o FLAGS: - -j : path to Snyk results JSON file. - -o --output_prefix : path to output scan-results json. - -V --verbose : verbose run [optional]. + -j : path to Snyk results JSON file. + -o --output_prefix : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools snyk_mapper -j snyk_results.json -o output-file-prefix @@ -251,11 +288,11 @@ sonarqube_mapper pulls SonarQube results, for the specified project, from the AP USAGE: heimdall_tools sonarqube_mapper [OPTIONS] -n -u -o FLAGS: - -n --name : Project Key of the project in SonarQube - -u --api_url : url of the SonarQube Server API. Typically ends with /api. - --auth : username:password or token [optional]. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -n --name : Project Key of the project in SonarQube + -u --api_url : url of the SonarQube Server API. Typically ends with /api. + --auth : username:password or token [optional]. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: 
@@ -272,8 +309,8 @@ xccdf_results_mapper translates an XCCDF_Results XML scan into HDF format json t USAGE: heimdall_tools xccdf_results_mapper [OPTIONS] -x -o FLAGS: - -x : path to XCCDF-Results XML file. - -o --output : path to output scan-results json. + -x : path to XCCDF-Results XML file. + -o --output : path to output scan-results json. example: heimdall_tools xccdf_results_mapper -x xccdf_results.xml -o scan_results.json @@ -284,10 +321,10 @@ zap_mapper translates OWASP ZAP results Json to HDF format Json be viewed on Hei USAGE: heimdall_tools zap_mapper [OPTIONS] -j -n -o FLAGS: - -j --json : path to OWASP ZAP results JSON file. - -n --name : URL of the site being evaluated. - -o --output : path to output scan-results json. - -V --verbose : verbose run [optional]. + -j --json : path to OWASP ZAP results JSON file. + -n --name : URL of the site being evaluated. + -o --output : path to output scan-results json. + -V --verbose : verbose run [optional]. example: heimdall_tools zap_mapper -j zap_results.json -n site_name -o scan_results.json @@ -355,6 +392,7 @@ To release a new version, update the version number in `version.rb` according to ### Authors +- Author:: Amndeep Singh Mann [Amndeep7](https://github.com/Amndeep7) - Author:: Rony Xavier [rx294](https://github.com/rx294) - Author:: Dan Mirsky [mirskiy](https://github.com/mirskiy) diff --git a/heimdall_tools.gemspec b/heimdall_tools.gemspec index 7eb7fcd..b1b549c 100644 --- a/heimdall_tools.gemspec +++ b/heimdall_tools.gemspec 
@@ -15,9 +15,9 @@ Gem::Specification.new do |spec|
 rescue StandardError
 '0.0.0.1.ENOGVB'
 end
- spec.authors = ['Robert Thew', 'Rony Xavier', 'Aaron Lippold']
+ spec.authors = ['Robert Thew', 'Rony Xavier', 'Amndeep Singh Mann', 'Aaron Lippold']
 spec.email = ['rxavier@mitre.org']
- spec.summary = 'Convert Forify, Openzap and Sonarqube results to HDF'
+ spec.summary = 'Convert a variety of security product results to HDF'
 spec.description = 'Converter utils that can be included as a gem or used from the command line'
 spec.homepage = 'https://github.com/mitre/heimdall_tools'
 spec.license = 'Apache-2.0'
@@ -28,9 +28,11 @@ Gem::Specification.new do |spec|
 spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 spec.require_paths = ['lib']
+ spec.add_runtime_dependency 'aws-sdk-securityhub', '~> 1'
 spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1'
 spec.add_runtime_dependency 'csv', '~> 3.1'
 spec.add_runtime_dependency 'git-lite-version-bump', '>= 0.17.2'
+ spec.add_runtime_dependency 'htmlentities', '~> 4.3.4'
 spec.add_runtime_dependency 'httparty', '~> 0.18.0'
 spec.add_runtime_dependency 'json', '~> 2.3'
 spec.add_runtime_dependency 'nokogiri', '~> 1.11'
diff --git a/lib/heimdall_tools/asff_compatible_products/firewall_manager.rb b/lib/heimdall_tools/asff_compatible_products/firewall_manager.rb
new file mode 100644
index 0000000..1c719db
--- /dev/null
+++ b/lib/heimdall_tools/asff_compatible_products/firewall_manager.rb
@@ -0,0 +1,11 @@
+module HeimdallTools
+ class FirewallManager
+ def self.finding_id(finding, *, encode:, **)
+ encode.call(finding['Title'])
+ end
+
+ def self.product_name(findings, *, encode:, **)
+ encode.call("#{findings[0]['ProductFields']['aws/securityhub/CompanyName']} #{findings[0]['ProductFields']['aws/securityhub/ProductName']}")
+ end
+ end
+end
diff --git a/lib/heimdall_tools/asff_compatible_products/prowler.rb b/lib/heimdall_tools/asff_compatible_products/prowler.rb
new file mode 100644
index 0000000..bcd0258
--- /dev/null
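Review bot: `spec.add_runtime_dependency 'aws-sdk-securityhub', '~> 1'` adds a runtime dependency that nothing in this patch requires — the new `securityhub.rb` requires only `csv` and `json` and reads the standards from files passed on the command line — so unless a later commit uses it, every installer pulls in an SDK gem tree for no purpose; drop it, or add the `require` that consumes it in the same commit. `'~> 1'` accepts any 1.x release, matching the existing `aws-sdk-configservice` pin but far looser than the `'~> 4.3.4'` given to `htmlentities` on the other added line; if the SDK stays, a minor-version bound like the rest of the list narrows what a future `bundle update` can pull in.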
+++ b/lib/heimdall_tools/asff_compatible_products/prowler.rb
@@ -0,0 +1,19 @@
+module HeimdallTools
+ class Prowler
+ def self.subfindings_code_desc(finding, *, encode:, **)
+ encode.call(finding['Description'])
+ end
+
+ def self.finding_id(finding, *, encode:, **)
+ encode.call(finding['GeneratorId'].partition('-')[-1])
+ end
+
+ def self.product_name(findings, *, encode:, **)
+ encode.call(findings[0]['ProductFields']['ProviderName'])
+ end
+
+ def self.desc(*, **)
+ ' '
+ end
+ end
+end
diff --git a/lib/heimdall_tools/asff_compatible_products/securityhub.rb b/lib/heimdall_tools/asff_compatible_products/securityhub.rb
new file mode 100644
index 0000000..2a296b5
--- /dev/null
+++ b/lib/heimdall_tools/asff_compatible_products/securityhub.rb
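Review bot: `finding['GeneratorId'].partition('-')[-1]` in `finding_id` returns an empty string when GeneratorId contains no hyphen, and because this value is the grouping key every such finding would collapse into one control with an empty id; fall back to the full value, `id = finding['GeneratorId'].partition('-')[-1]` then `encode.call(id.empty? ? finding['GeneratorId'] : id)`. `desc` returning `' '` (a single space) looks like a workaround for a consumer that rejects an empty description; a one-line comment giving the actual reason would stop the next reader from "fixing" it to `''`. `product_name` reads `findings[0]` without a guard, which only holds if callers never pass an empty group — worth stating in a comment on the method.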
@@ -0,0 +1,80 @@
+require 'csv'
+require 'json'
+
+module HeimdallTools
+ class SecurityHub
+ private_class_method def self.corresponding_control(controls, finding)
+ controls.find { |c| c['StandardsControlArn'] == finding['ProductFields']['StandardsControlArn'] }
+ end
+
+ def self.supporting_docs(standards:)
+ begin
+ controls = standards.nil? ? nil : standards.map { |s| JSON.parse(s)['Controls'] }.flatten
+ rescue StandardError => e
+ raise "Invalid supporting docs for Security Hub:\nException: #{e}"
+ end
+
+ begin
+ resource_dir = Pathname.new(__FILE__).join('../../../data')
+ aws_config_mapping_file = File.join(resource_dir, 'aws-config-mapping.csv')
+ aws_config_mapping = CSV.read(aws_config_mapping_file, { encoding: 'UTF-8', headers: true, header_converters: :symbol }).map(&:to_hash)
+ rescue StandardError => e
+ raise "Invalid AWS Config mapping file:\nException: #{e}"
+ end
+
+ { controls: controls, aws_config_mapping: aws_config_mapping }
+ end
+
+ def self.finding_id(finding, *, controls: nil, encode:, **)
+ ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+ control['ControlId']
+ else
+ if finding['ProductFields'].member?('ControlId') # check if aws
+ finding['ProductFields']['ControlId']
+ elsif finding['ProductFields'].member?('RuleId') # check if cis
+ finding['ProductFields']['RuleId']
+ else
+ finding['GeneratorId'].split('/')[-1]
+ end
+ end
+ encode.call(ret)
+ end
+
+ def self.finding_impact(finding, *, controls: nil, **)
+ if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+ imp = control['SeverityRating'].to_sym
+ else
+ # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating.
+ imp = finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0
+ # securityhub asff file does not contain accurate severity information by setting things that shouldn't be informational to informational: when additional context, i.e. standards, is not provided, set informational to medium.
+ imp = :MEDIUM if imp.is_a?(Symbol) && imp == :INFORMATIONAL
+ end
+ imp
+ end
+
+ def self.finding_nist_tag(finding, *, aws_config_mapping:, **)
+ return {} unless finding['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule'
+ aws_config_mapping.select { |rule| finding['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] }
+ end
+
+ def self.finding_title(finding, *, controls: nil, encode:, **)
+ ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+ control['Title']
+ else
+ finding['Title']
+ end
+ encode.call(ret)
+ end
+
+ def self.product_name(findings, *, encode:, **)
+ # "#{findings[0]['ProductFields']['aws/securityhub/CompanyName']} #{findings[0]['ProductFields']['aws/securityhub/ProductName']}"
+ # not using above due to wanting to provide the standard's name instead
+ if findings[0]['Types'][0].split('/')[-1].gsub(/-/, ' ').downcase == findings[0]['ProductFields']['StandardsControlArn'].split('/')[-4].gsub(/-/, ' ').downcase
+ standardname = findings[0]['Types'][0].split('/')[-1].gsub(/-/, ' ')
+ else
+ standardname = findings[0]['ProductFields']['StandardsControlArn'].split('/')[-4].gsub(/-/, ' ').split.map(&:capitalize).join(' ')
+ end
+ encode.call("#{standardname} v#{findings[0]['ProductFields']['StandardsControlArn'].split('/')[-2]}")
+ end
+ end
+end
diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb
index 2dc178a..d15eb73 100644
--- a/lib/heimdall_tools/asff_mapper.rb
+++ b/lib/heimdall_tools/asff_mapper.rb
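Review bot: `finding_nist_tag` returns `{}` from its guard clause but an Array from `aws_config_mapping.select`, so callers receive two different types for "no tags"; the guard should be `return [] unless finding['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule'`. The match uses substring `include?` on the Config rule name, so a mapping entry whose `awsconfigrulename` is a prefix of another rule's name would tag both; an exact comparison is safer if the CSV holds complete rule names — confirm against the data file. In `finding_impact`, `imp = :MEDIUM if imp.is_a?(Symbol) && imp == :INFORMATIONAL` silently raises the reported severity of every INFORMATIONAL Security Hub finding whenever no standards file is supplied; that is a scoring decision consumers should be told about, so the README entry for `--sh` should mention it. `supporting_docs` uses `Pathname` while the file requires only `csv` and `json`; add `require 'pathname'` unless it is known to be loaded by the surrounding library.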
@@ -1,50 +1,55 @@
require 'json'
-require 'csv'
+require 'htmlentities'
+
require 'heimdall_tools/hdf'
+require 'heimdall_tools/asff_compatible_products/firewall_manager'
+require 'heimdall_tools/asff_compatible_products/prowler'
+require 'heimdall_tools/asff_compatible_products/securityhub'
-RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
-
-AWS_CONFIG_MAPPING_FILE = File.join(RESOURCE_DIR, 'aws-config-mapping.csv')
-
-IMPACT_MAPPING = {
- CRITICAL: 0.9,
- HIGH: 0.7,
- MEDIUM: 0.5,
- LOW: 0.3,
- INFORMATIONAL: 0.0
-}.freeze
-
-DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
-
-INSPEC_INPUTS_MAPPING = {
- string: 'String',
- numeric: 'Numeric',
- regexp: 'Regexp',
- array: 'Array',
- hash: 'Hash',
- boolean: 'Boolean',
- any: 'Any'
-}.freeze
-
-# Loading spinner sign
-$spinner = Enumerator.new do |e|
- loop do
- e.yield '|'
- e.yield '/'
- e.yield '-'
- e.yield '\\'
- end
-end
module HeimdallTools
+ DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+ INSPEC_INPUTS_MAPPING = {
+ string: 'String',
+ numeric: 'Numeric',
+ regexp: 'Regexp',
+ array: 'Array',
+ hash: 'Hash',
+ boolean: 'Boolean',
+ any: 'Any'
+ }.freeze
+
+ # Loading spinner sign
+ $spinner = Enumerator.new do |e|
+ loop do
+ e.yield '|'
+ e.yield '/'
+ e.yield '-'
+ e.yield '\\'
+ end
+ end
+
class ASFFMapper
- # the optional arguments are derived from AWS cli commands (get-enabled-standards and describe-standards) and probably only work AWS ASFF files
- def initialize(asff_json, enabled_standards_json = nil, standards_json_array = nil)
- begin
- @aws_config_mapping = parse_mapper
- rescue StandardError => e
- raise "Invalid AWS Config mapping file:\nException: #{e}"
- end
+ IMPACT_MAPPING = {
+ CRITICAL: 0.9,
+ HIGH: 0.7,
+ MEDIUM: 0.5,
+ LOW: 0.3,
+ INFORMATIONAL: 0.0
+ }.freeze
+
+ PRODUCT_ARN_MAPPING = {
+ /arn:.+:securityhub:.+:.*:product\/aws\/firewall-manager/ => FirewallManager,
+ /arn:.+:securityhub:.+:.*:product\/aws\/securityhub/ => SecurityHub,
+ /arn:.+:securityhub:.+:.*:product\/prowler\/prowler/ => Prowler
+ }.freeze
+
+ def initialize(asff_json, securityhub_standards_json_array: nil, meta: nil)
+ @meta = meta
+
+ @supporting_docs = {}
+ @supporting_docs[SecurityHub] = SecurityHub.supporting_docs({standards: securityhub_standards_json_array})
begin
asff_required_keys = %w(AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt)
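Review bot: The `PRODUCT_ARN_MAPPING` patterns are unanchored and use `.+` across the colon-separated ARN fields, and `external_product_handler` later selects a handler with `product.match(a)`, so any `ProductArn` that merely contains one of these paths as a substring is dispatched to that product's class; anchoring and confining each field, e.g. `/\Aarn:[^:]+:securityhub:[^:]+:[^:]*:product\/aws\/securityhub\z/`, keeps dispatch to the intended ARN shape. `SecurityHub.supporting_docs({standards: securityhub_standards_json_array})` passes a Hash positionally to a method that declares only the keyword `standards:`; Ruby 3 no longer converts that Hash into keywords and raises ArgumentError, so the call should read `SecurityHub.supporting_docs(standards: securityhub_standards_json_array)`. Moving `$spinner` inside the module still leaves it a process-wide global shared by every mapper instance; a module constant or a class-level instance variable would scope it (style). `initialize` continues past the end of this hunk.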
@@ -58,175 +63,169 @@ def initialize(asff_json, enabled_standards_json = nil, standards_json_array = n else raise "Not a findings file nor an individual finding" end - - enabled = JSON.parse(enabled_standards_json) unless enabled_standards_json.nil? - standards_array = standards_json_array.map { |j| JSON.parse(j) } unless standards_json_array.nil? - @standards = enabled['StandardsSubscriptions'].to_h { |s| [s['StandardsSubscriptionArn'], standards_array.find { |st| st['Controls'][0]['StandardsControlArn'].include?(s['StandardsSubscriptionArn'].gsub(':subscription', ':control')) }] }.compact unless enabled.nil? - rescue StandardError => e raise "Invalid ASFF file provided:\nException: #{e}" end - end - def parse_mapper - csv_data = CSV.read(AWS_CONFIG_MAPPING_FILE, { encoding: 'UTF-8', headers: true, header_converters: :symbol }) - csv_data.map(&:to_hash) + @coder = HTMLEntities.new end - def create_attribute(name, value, required = nil, sensitive = nil, type = nil) - { name: name, options: { value: value, required: required, sensitive: sensitive, type: type }.compact } + def encode(string) + @coder.encode(string, :basic, :named, :decimal) end - def extract_scaninfo - info = {} - begin - info['name'] = 'AWS Security Finding Format' - info['title'] = "ASFF findings" - info - rescue StandardError => e - raise "Error extracting report info from ASFF file:\nException: #{e}" + def external_product_handler(product, data, func, default) + if (product.is_a?(Regexp) || (arn = PRODUCT_ARN_MAPPING.keys.find { |a| product.match(a) })) && PRODUCT_ARN_MAPPING.key?(arn || product) && PRODUCT_ARN_MAPPING[arn || product].respond_to?(func) + keywords = { encode: method(:encode) } + keywords = keywords.merge(@supporting_docs[PRODUCT_ARN_MAPPING[arn || product]]) if @supporting_docs.member?(PRODUCT_ARN_MAPPING[arn || product]) + PRODUCT_ARN_MAPPING[arn || product].send(func, data, **keywords) + else + if default.is_a? 
Proc + default.call + else + default + end end end - # default value unless it comes from aws and has a aws config rule - def nist_tag(detail) - entries = detail.member?('ProductFields') && detail['ProductFields'].member?('RelatedAWSResources:0/type') && detail['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule' && detail['ProductFields'].member?('RelatedAWSResources:0/name') ? @aws_config_mapping.select { |rule| detail['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] } : {} + def nist_tag(finding) + entries = external_product_handler(finding['ProductArn'], finding, :finding_nist_tag, {}) tags = entries.map { |rule| rule[:nistid].split('|') } tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq end - def impact(detail) + def impact(finding) # there can be findings listed that are intentionally ignored due to the underlying control being superceded by a control from a different standard - if detail.member?('Workflow') && detail['Workflow'].member?('Status') && detail['Workflow']['Status'] == 'SUPPRESSED' - IMPACT_MAPPING[:INFORMATIONAL] - elsif @standards.nil? || !detail.member?('ProductFields') || !(detail['ProductFields'].member?('StandardsSubscriptionArn') || detail['ProductFields'].member?('StandardsGuideSubscriptionArn')) - # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. - if detail['Severity'].key?('Label') - severity = detail['Severity']['Label'] - # asff file does not contain accurate severity information - when additional context, i.e. standards, is not provided, set informational to medium. 
- if severity == 'INFORMATIONAL' - IMPACT_MAPPING[:MEDIUM] - else - IMPACT_MAPPING[severity.to_sym] - end - else - detail['Severity']['Normalized']/100.0 - end + if finding.member?('Workflow') && finding['Workflow'].member?('Status') && finding['Workflow']['Status'] == 'SUPPRESSED' + imp = :INFORMATIONAL else - IMPACT_MAPPING[@standards[detail['ProductFields'][detail['ProductFields'].member?('StandardsSubscriptionArn') ? 'StandardsSubscriptionArn' : 'StandardsGuideSubscriptionArn']]['Controls'].find { |c| c['StandardsControlArn'] == detail['ProductFields']['StandardsControlArn'] }['SeverityRating'].to_sym] + # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating. + default = Proc.new { finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0 } + imp = external_product_handler(finding['ProductArn'], finding, :finding_impact, default) end + imp.is_a?(Symbol) ? 
IMPACT_MAPPING[imp] : imp end def desc_tags(data, label) { data: data || NA_STRING, label: label || NA_STRING } end - # requires compliance->status attribute to be there - spec says it's optional - def findings(detail) - finding = {} - if detail.key?('Compliance') && detail['Compliance'].key?('Status') - case detail['Compliance']['Status'] + def subfindings(finding) + subfinding = {} + + statusreason = finding['Compliance']['StatusReasons'].map { |reason| reason.flatten.map { |string| encode(string) } }.flatten.join("\n") if finding.key?('Compliance') && finding['Compliance'].key?('StatusReasons') + if finding.key?('Compliance') && finding['Compliance'].key?('Status') + case finding['Compliance']['Status'] when 'PASSED' - finding['status'] = 'passed' - finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons') + subfinding['status'] = 'passed' + subfinding['message'] = statusreason if statusreason when 'WARNING' - finding['status'] = 'skipped' - finding['skip_message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons') + subfinding['status'] = 'skipped' + subfinding['skip_message'] = statusreason if statusreason when 'FAILED' - finding['status'] = 'failed' - finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons') + subfinding['status'] = 'failed' + subfinding['message'] = statusreason if statusreason when 'NOT_AVAILABLE' - finding['status'] = 'skipped' # primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so technically 'skipped' or 'error' could be applicable, but AWS seems to do the equivalent of skipped - finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| 
reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons') + # primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so technically 'skipped' or 'error' could be applicable, but AWS seems to do the equivalent of skipped + subfinding['status'] = 'skipped' + subfinding['message'] = statusreason if statusreason else - finding['status'] = 'no_status' - finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons') + subfinding['status'] = 'no_status' + subfinding['message'] = statusreason if statusreason end else - finding['status'] = 'no_status' - finding['message'] = detail['Compliance']['StatusReasons'].map { |reason| reason.flatten }.flatten.join("\n") unless !detail['Compliance'].key?('StatusReasons') + subfinding['status'] = 'no_status' + subfinding['message'] = statusreason if statusreason end - finding['code_desc'] = "Resources: [#{detail['Resources'].map { |r| "Type: #{r['Type']}, Id: #{r['Id']}" }.join(', ') }]" - finding['start_time'] = detail.key?('LastObservedAt') ? detail['LastObservedAt'] : detail['UpdatedAt'] - [finding] + + subfinding['code_desc'] = external_product_handler(finding['ProductArn'], finding, :subfindings_code_desc, '') + subfinding['code_desc'] += '; ' unless subfinding['code_desc'].empty? + subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| "Type: #{encode(r['Type'])}, Id: #{encode(r['Id'])}#{', Partition: ' + encode(r['Partition']) if r.key?('Partition')}#{', Region: ' + encode(r['Region']) if r.key?('Region')}" }.join(', ') }]" + + subfinding['start_time'] = finding.key?('LastObservedAt') ? 
finding['LastObservedAt'] : finding['UpdatedAt'] + + [subfinding] end - # todo: create aws submapper like prowler but this one gets the raw data from aws directly - # todo: verify if prowler still works and add the id thing to each finding which is to extract [textNUMBER] from the title text - # todo: finding id + resources->type and id as the subtest title thingy if they exists def to_hdf - id_groups = {} - @report['Findings'].each do |detail| + product_groups = {} + @report['Findings'].each do |finding| printf("\rProcessing: %s", $spinner.next) + external = method(:external_product_handler).curry(4)[finding['ProductArn']][finding] + + # group subfindings by asff productarn and then hdf id item = {} - item['id'] = if detail.member?('ProductFields') && detail['ProductFields'].member?('ControlId') - detail['ProductFields']['ControlId'] - elsif detail.member?('ProductFields') && detail['ProductFields'].member?('RuleId') - detail['ProductFields']['RuleId'] - elsif detail.member?('ProductFields') && detail['ProductFields'].member?('MITRESAFHDFId') # for our custom mappers - detail['ProductFields']['MITRESAFHDFId'] - else - detail['Title'] # subfindings are grouped based on id so using the ideal case if it's there otherwise the guaranteed attribute - end - item['title'] = detail['Title'] + item['id'] = external[:finding_id][encode(finding['GeneratorId'])] - item['tags'] = { nist: nist_tag(detail) } + item['title'] = external[:finding_title][encode(finding['Title'])] - item['impact'] = impact(detail) + item['tags'] = { nist: nist_tag(finding) } - item['desc'] = detail['Description'] + item['impact'] = impact(finding) + + item['desc'] = encode(finding['Description']) item['descriptions'] = [] - item['descriptions'] << desc_tags(detail['Remediation']['Recommendation'].map { |k,v| v }.join("\n"), 'fix') unless detail['Remediation'].nil? || detail['Remediation']['Recommendation'].nil? 
+ item['descriptions'] << desc_tags(finding['Remediation']['Recommendation'].map { |k,v| encode(v) }.join("\n"), 'fix') if finding.key?('Remediation') && finding['Remediation'].key?('Recommendation') item['refs'] = [] - item['refs'] << { url: detail['SourceUrl'] } unless detail['SourceUrl'].nil? + item['refs'] << { url: finding['SourceUrl'] } if finding.key?('SourceUrl') item['source_location'] = NA_HASH - item['code'] = JSON.pretty_generate(detail) - item['results'] = findings(detail) + item['results'] = subfindings(finding) - id_groups[item['id']] = [] if id_groups[item['id']].nil? - id_groups[item['id']] << item + arn = PRODUCT_ARN_MAPPING.keys.find { |a| finding['ProductArn'].match(a) } + if arn.nil? + product_info = finding['ProductArn'].split(':')[-1] + arn = Regexp.new "arn:.+:securityhub:.+:.*:product/#{product_info.split('/')[1]}/#{product_info.split('/')[2]}" + end + product_groups[arn] = {} if product_groups[arn].nil? + product_groups[arn][item['id']] = [] if product_groups[arn][item['id']].nil? + product_groups[arn][item['id']] << [item, finding] end controls = [] - id_groups.each do |id, details| - printf("\rProcessing: %s", $spinner.next) + product_groups.each do |product, id_groups| + id_groups.each do |id, data| + printf("\rProcessing: %s", $spinner.next) + + external = method(:external_product_handler).curry(4)[product] + + group = data.map { |d| d[0] } + findings = data.map { |d| d[1] } + + product_info = findings[0]['ProductArn'].split(':')[-1].split('/') + product_name = external[findings][:product_name][encode("#{product_info[1]}/#{product_info[2]}")] - if details.one? 
- controls << details[0] # not sure what to do to get the titles working properly cause there's no title attribute for a subfinding so these ones get the finding/resource thing and no actual title whereas the ones with multiple subfindings get a title but no finding/resources - else item = {} - item['id'] = id - # require 'pry' # todo: remove - # binding.pry - item['title'] = details.map { |d| d['title'] }.uniq.join("\n") + # add product name to id if any ids are the same across products + item['id'] = product_groups.filter { |pg| pg != product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id + + item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(";")}" - item['tags'] = { nist: details.map { |d| d['tags'][:nist] }.flatten.uniq } + item['tags'] = { nist: group.map { |d| d['tags'][:nist] }.flatten.uniq } - item['impact'] = details.map { |d| d['impact'] }.max + item['impact'] = group.map { |d| d['impact'] }.max - item['desc'] = details.map { |d| d['desc'] }.uniq.join("\n") + item['desc'] = external[group][:desc][group.map { |d| d['desc'] }.uniq.join("\n")] - item['descriptions'] = details.map { |d| d['descriptions'] }.flatten.compact.reject(&:empty?).uniq + item['descriptions'] = group.map { |d| d['descriptions'] }.flatten.compact.reject(&:empty?).uniq - item['refs'] = details.map { |d| d['refs'] }.flatten.compact.reject(&:empty?).uniq + item['refs'] = group.map { |d| d['refs'] }.flatten.compact.reject(&:empty?).uniq item['source_location'] = NA_HASH - item['code'] = "{ \"Findings\": [\n#{details.map { |d| d['code'] }.uniq.join(",\n")}\n]\n}" # todo: fix up the formatting some more - ex. 
findings key should be on new line + item['code'] = JSON.pretty_generate({ "Findings": findings }) - item['results'] = details.map { |d| d['results'] }.flatten.uniq + item['results'] = group.map { |d| d['results'] }.flatten.uniq controls << item end end - scaninfo = extract_scaninfo - results = HeimdallDataFormat.new(profile_name: scaninfo['name'], - title: scaninfo['title'], + results = HeimdallDataFormat.new(profile_name: @meta && @meta.key?('name') ? @meta['name'] : 'AWS Security Finding Format', + title: @meta && @meta.key?('title') ? @meta['title'] : "ASFF findings", controls: controls) results.to_hdf end diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb index b1a502e..bb23c7b 100644 --- a/lib/heimdall_tools/cli.rb +++ b/lib/heimdall_tools/cli.rb 
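Review bot: In `to_hdf`, the fallback `arn = Regexp.new "arn:.+:securityhub:.+:.*:product/#{product_info.split('/')[1]}/#{product_info.split('/')[2]}"` interpolates two segments taken straight from the finding's `ProductArn` into a regular expression without escaping, so a third-party product path containing metacharacters either yields a pattern that also matches other products' findings or raises RegexpError out of the loop; `#{Regexp.escape(product_info.split('/')[1].to_s)}/#{Regexp.escape(product_info.split('/')[2].to_s)}` closes both, the `.to_s` covering ARNs with fewer than three `/` segments. `impact` ends with `imp.is_a?(Symbol) ? IMPACT_MAPPING[imp] : imp`, which returns nil for any `Severity.Label` or `SeverityRating` outside the five mapped keys unless a product handler already normalises them; that nil later reaches `group.map { |d| d['impact'] }.max`, where it raises ArgumentError when mixed with floats or silently becomes a nil impact for a single finding, so `IMPACT_MAPPING.fetch(imp)` with an explicit message would fail at the point the unknown label is read. The condition in `external_product_handler` assigns `arn` inside the `||` and then repeats `PRODUCT_ARN_MAPPING[arn || product]` four times; binding `handler = PRODUCT_ARN_MAPPING[arn || product]` once before the `if` would make the dispatch readable and auditable.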
@@ -158,11 +158,10 @@ def scoutsuite_mapper
desc 'asff_mapper', 'asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall'
long_desc Help.text(:asff_mapper)
option :json, required: true, banner: 'ASFF-FINDING-JSON', aliases: ['-i', '--input', '-j']
- option :enabled, required: false, banner: 'ASFF-ENABLED-STANDARDS-JSON', aliases: ['-e', '--input-enabled-standards']
- option :standard, required: false, type: :array, banner: 'ASFF-STANDARD-JSON', aliases: ['-s', '--input-standard']
+ option :securityhub_standards, required: false, type: :array, banner: 'ASFF-SECURITYHUB-STANDARDS-JSON', aliases: ['--sh', '--input-securityhub-standards']
option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
def asff_mapper
- hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json]), options[:enabled].nil? ? nil : File.read(options[:enabled]), options[:standard].empty? ? nil : options[:standard].map { |filename| File.read(filename) }).to_hdf
+ hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json]), securityhub_standards_json_array: options[:securityhub_standards].nil? ? nil : options[:securityhub_standards].map { |filename| File.read(filename) }).to_hdf
File.write(options[:output], hdf)
puts "\rHDF Generated:\n"
puts options[:output].to_s
diff --git a/lib/heimdall_tools/help/asff_mapper.md b/lib/heimdall_tools/help/asff_mapper.md
index 3706490..8383819 100644
--- a/lib/heimdall_tools/help/asff_mapper.md
+++ b/lib/heimdall_tools/help/asff_mapper.md
@@ -3,3 +3,4 @@ Examples:
heimdall_tools asff_mapper -i -o
+ heimdall_tools asff_mapper -i --sh ... -o
diff --git a/lib/heimdall_tools/prowler_mapper.rb b/lib/heimdall_tools/prowler_mapper.rb
index ef93937..6d9c49a 100644
--- a/lib/heimdall_tools/prowler_mapper.rb
+++ b/lib/heimdall_tools/prowler_mapper.rb
@@ -1,7 +1,8 @@
module HeimdallTools
class ProwlerMapper < ASFFMapper
def initialize(prowler_asff_json)
- super("{ \"Findings\": [#{prowler_asff_json.split("\n").join(',')}]}")
+ # comes as an asff-json file which is basically all the findings concatenated into one file instead of putting it in the proper wrapper data structure
+ super("{ \"Findings\": [#{prowler_asff_json.split("\n").join(',')}]}", meta: { 'name' => 'Prowler', 'title' => 'Prowler findings' })
end
end
end
diff --git a/sample_jsons/asff_mapper/asff_hdf.json b/sample_jsons/asff_mapper/asff_hdf.json
new file mode 100644
index 0000000..e5debfa
--- /dev/null
+++ b/sample_jsons/asff_mapper/asff_hdf.json
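Review bot: `prowler_asff_json.split("\n").join(',')` in the new `super` call turns every blank line in the Prowler output into an empty array element, so a blank separator or doubled newline produces `[...,,...]` and the `JSON.parse` in `ASFFMapper#initialize` (outside this hunk) then fails with the generic "Invalid ASFF file provided" error instead of pointing at the Prowler input; `prowler_asff_json.lines.map(&:strip).reject(&:empty?).join(',')` drops those lines before wrapping. The added comment would help more if it also stated the assumption the concatenation relies on, e.g. `# prowler emits one complete JSON finding per line with no Findings wrapper; wrap them into the {"Findings": [...]} structure ASFFMapper expects`.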
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.45.13.gda065ed.1.dirty.20210804.235852","target_id":""},"version":"1.3.45.13.gda065ed.1.dirty.20210804.235852","statistics":{"duration":null},"profiles":[{"name":"AWS Security Finding Format","version":null,"title":"ASFF findings","maintainer":null,"summary":null,"license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"Config.1","title":"AWS Foundational Security Best Practices v1.0.0: Config.1 AWS Config should be enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:40:39.455Z\",\n \"LastObservedAt\": \"2021-08-04T23:30:26.675Z\",\n \"CreatedAt\": \"2021-07-23T23:40:39.455Z\",\n \"UpdatedAt\": \"2021-08-04T23:30:24.804Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n 
\"Original\": \"MEDIUM\"\n },\n \"Title\": \"Config.1 AWS Config should be enabled\",\n \"Description\": \"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"Config.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory 
Standards/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-04T23:30:26.675Z"}]},{"id":"CIS.1.1","title":"CIS AWS Foundations Benchmark v1.2.0: Avoid the use of the "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:05.607Z\",\n \"LastObservedAt\": \"2021-08-04T23:29:17.637Z\",\n \"CreatedAt\": \"2021-07-23T23:39:05.607Z\",\n \"UpdatedAt\": \"2021-08-04T23:29:15.639Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"1.1 Avoid the use of the \\\"root\\\" account\",\n \"Description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. 
It is highly recommended that the use of this account be avoided.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"1.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n 
\"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-04T23:29:17.637Z"}]}],"sha256":"9b614d656ac023b78dba9df8bb2664f39d1cbebcea50412d744101072b060b30"}]} \ No newline at end of file diff --git a/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json b/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json new file mode 100644 index 0000000..3b159d0 --- /dev/null +++ b/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json 
@@ -0,0 +1,145 @@
+{
+ "Findings": [
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/Config.1",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
+ ],
+ "FirstObservedAt": "2021-07-23T23:40:39.455Z",
+ "LastObservedAt": "2021-08-04T23:30:26.675Z",
+ "CreatedAt": "2021-07-23T23:40:39.455Z",
+ "UpdatedAt": "2021-08-04T23:30:24.804Z",
+ "Severity": {
+ "Product": 40,
+ "Label": "MEDIUM",
+ "Normalized": 40,
+ "Original": "MEDIUM"
+ },
+ "Title": "Config.1 AWS Config should be enabled",
+ "Description": "This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
+ "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0",
+ "ControlId": "Config.1",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED"
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "MEDIUM",
+ "Original": "MEDIUM"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:05.607Z",
+ "LastObservedAt": "2021-08-04T23:29:17.637Z",
+ "CreatedAt": "2021-07-23T23:39:05.607Z",
+ "UpdatedAt": "2021-08-04T23:29:15.639Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "1.1 Avoid the use of the \"root\" account",
+ "Description": "The \"root\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "1.1",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ }
+ ]
+}
diff --git a/sample_jsons/asff_mapper/sample_input_jsons/aws_cis_standard.json b/sample_jsons/asff_mapper/sample_input_jsons/aws_cis_standard.json
new file mode 100644
index 0000000..446c02c
--- /dev/null
+++ b/sample_jsons/asff_mapper/sample_input_jsons/aws_cis_standard.json
@@ -0,0 +1,563 @@
+{
+ "Controls": [
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.104000+00:00",
+ "ControlId": "CIS.1.1",
+ "Title": "Avoid the use of the \"root\" account",
+ "Description": "The \"root\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.1"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.10",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.125000+00:00",
+ "ControlId": "CIS.1.10",
+ "Title": "Ensure IAM password policy prevents password reuse",
+ "Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.10/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.10"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.11",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.126000+00:00",
+ "ControlId": "CIS.1.11",
+ "Title": "Ensure IAM password policy expires passwords within 90 days or less",
+ "Description": "IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.11/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.11"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.12",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.128000+00:00",
+ "ControlId": "CIS.1.12",
+ "Title": "Ensure no root account access key exists",
+ "Description": "The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.12/remediation",
+ "SeverityRating": "CRITICAL",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.12"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.13",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.130000+00:00",
+ "ControlId": "CIS.1.13",
+ "Title": "Ensure MFA is enabled for the \"root\" account",
+ "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation",
+ "SeverityRating": "CRITICAL",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.13"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.14",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.131000+00:00",
+ "ControlId": "CIS.1.14",
+ "Title": "Ensure hardware MFA is enabled for the \"root\" account",
+ "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.14/remediation",
+ "SeverityRating": "CRITICAL",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.14"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.16",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.133000+00:00",
+ "ControlId": "CIS.1.16",
+ "Title": "Ensure IAM policies are attached only to groups or roles",
+ "Description": "By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.16/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.16"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.2",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.106000+00:00",
+ "ControlId": "CIS.1.2",
+ "Title": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
+ "Description": "Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. It is recommended that MFA be enabled for all accounts that have a console password.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.2/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.2"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.20",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.143000+00:00",
+ "ControlId": "CIS.1.20",
+ "Title": "Ensure a support role has been created to manage incidents with AWS Support",
+ "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.20/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.20"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.22",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.145000+00:00",
+ "ControlId": "CIS.1.22",
+ "Title": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created",
+ "Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.22/remediation",
+ "SeverityRating": "HIGH",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.22"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.3",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.108000+00:00",
+ "ControlId": "CIS.1.3",
+ "Title": "Ensure credentials unused for 90 days or greater are disabled",
+ "Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.3/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.3"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.4",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.109000+00:00",
+ "ControlId": "CIS.1.4",
+ "Title": "Ensure access keys are rotated every 90 days or less",
+ "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. It is recommended that all access keys be regularly rotated.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.4/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.4"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.5",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.111000+00:00",
+ "ControlId": "CIS.1.5",
+ "Title": "Ensure IAM password policy requires at least one uppercase letter",
+ "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.5/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.5"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.6",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.112000+00:00",
+ "ControlId": "CIS.1.6",
+ "Title": "Ensure IAM password policy requires at least one lowercase letter",
+ "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.6/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.6"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.7",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.113000+00:00",
+ "ControlId": "CIS.1.7",
+ "Title": "Ensure IAM password policy requires at least one symbol",
+ "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.7/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.7"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.8",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.115000+00:00",
+ "ControlId": "CIS.1.8",
+ "Title": "Ensure IAM password policy requires at least one number",
+ "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one number.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.8/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.8"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.9",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.123000+00:00",
+ "ControlId": "CIS.1.9",
+ "Title": "Ensure IAM password policy requires minimum password length of 14 or greater",
+ "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length 14.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.9/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 1.9"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.1",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.146000+00:00",
+ "ControlId": "CIS.2.1",
+ "Title": "Ensure CloudTrail is enabled in all regions",
+ "Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.1/remediation",
+ "SeverityRating": "HIGH",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.1"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.2",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.162000+00:00",
+ "ControlId": "CIS.2.2",
+ "Title": "Ensure CloudTrail log file validation is enabled",
+ "Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.2/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.2"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.3",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.168000+00:00",
+ "ControlId": "CIS.2.3",
+ "Title": "Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible",
+ "Description": "Details: 2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.3/remediation",
+ "SeverityRating": "CRITICAL",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.3"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.4",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.169000+00:00",
+ "ControlId": "CIS.2.4",
+ "Title": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
+ "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. It is recommended that CloudTrail logs be sent to CloudWatch Logs.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.4/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.4"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.5",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.184000+00:00",
+ "ControlId": "CIS.2.5",
+ "Title": "Ensure AWS Config is enabled",
+ "Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.5"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.6",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.187000+00:00",
+ "ControlId": "CIS.2.6",
+ "Title": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
+ "Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.6/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.6"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.7",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.190000+00:00",
+ "ControlId": "CIS.2.7",
+ "Title": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
+ "Description": "AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.7/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.7"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.8",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.191000+00:00",
+ "ControlId": "CIS.2.8",
+ "Title": "Ensure rotation for customer created CMKs is enabled",
+ "Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. It is recommended that CMK key rotation be enabled.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.8/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.8"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.9",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.193000+00:00",
+ "ControlId": "CIS.2.9",
+ "Title": "Ensure VPC flow logging is enabled in all VPCs",
+ "Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.9/remediation",
+ "SeverityRating": "MEDIUM",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 2.9"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.1",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.204000+00:00",
+ "ControlId": "CIS.3.1",
+ "Title": "Ensure a log metric filter and alarm exist for unauthorized API calls",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.1"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.10",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.230000+00:00",
+ "ControlId": "CIS.3.10",
+ "Title": "Ensure a log metric filter and alarm exist for security group changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established changes to Security Groups.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.10"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.11",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.231000+00:00",
+ "ControlId": "CIS.3.11",
+ "Title": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.11"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.12",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.243000+00:00",
+ "ControlId": "CIS.3.12",
+ "Title": "Ensure a log metric filter and alarm exist for changes to network gateways",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.12"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.13",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.245000+00:00",
+ "ControlId": "CIS.3.13",
+ "Title": "Ensure a log metric filter and alarm exist for route table changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.13"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.14",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.247000+00:00",
+ "ControlId": "CIS.3.14",
+ "Title": "Ensure a log metric filter and alarm exist for VPC changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.14"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.2",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.205000+00:00",
+ "ControlId": "CIS.3.2",
+ "Title": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.2"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.3",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.207000+00:00",
+ "ControlId": "CIS.3.3",
+ "Title": "Ensure a log metric filter and alarm exist for usage of \"root\" account",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.3"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.4",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.209000+00:00",
+ "ControlId": "CIS.3.4",
+ "Title": "Ensure a log metric filter and alarm exist for IAM policy changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.4"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.5",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.211000+00:00",
+ "ControlId": "CIS.3.5",
+ "Title": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
+ "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation",
+ "SeverityRating": "LOW",
+ "RelatedRequirements": [
+ "CIS AWS Foundations 3.5"
+ ]
+ },
+ {
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.6",
+ "ControlStatus": "ENABLED",
+ "ControlStatusUpdatedAt": "2021-07-23T22:32:24.212000+00:00",
+ "ControlId": "CIS.3.6",
+ "Title": "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for failed console authentication attempts.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation", + "SeverityRating": "LOW", + "RelatedRequirements": [ + "CIS AWS Foundations 3.6" + ] + }, + { + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.7", + "ControlStatus": "ENABLED", + "ControlStatusUpdatedAt": "2021-07-23T22:32:24.224000+00:00", + "ControlId": "CIS.3.7", + "Title": "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation", + "SeverityRating": "LOW", + "RelatedRequirements": [ + "CIS AWS Foundations 3.7" + ] + }, + { + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.8", + "ControlStatus": "ENABLED", + "ControlStatusUpdatedAt": "2021-07-23T22:32:24.226000+00:00", + "ControlId": "CIS.3.8", + "Title": "Ensure a log metric filter and alarm exist for S3 bucket policy changes", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation", + "SeverityRating": "LOW", + "RelatedRequirements": [ + "CIS AWS Foundations 3.8" + ] + }, + { + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.9", + "ControlStatus": "ENABLED", + "ControlStatusUpdatedAt": "2021-07-23T22:32:24.227000+00:00", + "ControlId": "CIS.3.9", + "Title": "Ensure a log metric filter and alarm exist for AWS Config configuration changes", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation", + "SeverityRating": "LOW", + "RelatedRequirements": [ + "CIS AWS Foundations 3.9" + ] + }, + { + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/4.1", + "ControlStatus": "ENABLED", + "ControlStatusUpdatedAt": "2021-07-23T22:32:24.249000+00:00", + "ControlId": "CIS.4.1", + "Title": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22", + "Description": "Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to port 22.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-4.1/remediation", + "SeverityRating": "HIGH", + "RelatedRequirements": [ + "CIS AWS Foundations 4.1" + ] + }, + { + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/4.2", + "ControlStatus": "ENABLED", + "ControlStatusUpdatedAt": "2021-07-23T22:32:24.251000+00:00", + "ControlId": "CIS.4.2", + "Title": "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389", + "Description": "Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-4.2/remediation", + "SeverityRating": "HIGH", + "RelatedRequirements": [ + "CIS AWS Foundations 4.2" + ] + }, + { + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/4.3", + "ControlStatus": "ENABLED", + "ControlStatusUpdatedAt": "2021-07-23T22:32:24.252000+00:00", + "ControlId": "CIS.4.3", + "Title": "Ensure the default security group of every VPC restricts all traffic", + "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. It is recommended that the default security group restrict all traffic.", + "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-4.3/remediation", + "SeverityRating": "HIGH", + "RelatedRequirements": [ + "CIS AWS Foundations 4.3" + ] + } + ] +} 
diff --git a/sample_jsons/prowler_mapper/prowler_hdf.json b/sample_jsons/prowler_mapper/prowler_hdf.json new file mode 100644 index 0000000..b05052d --- /dev/null +++ b/sample_jsons/prowler_mapper/prowler_hdf.json 
@@ -0,0 +1 @@ +{"platform":{"name":"Heimdall Tools","release":"1.3.45.13.gda065ed.1.dirty.20210804.225913","target_id":""},"version":"1.3.45.13.gda065ed.1.dirty.20210804.225913","statistics":{"duration":null},"profiles":[{"name":"Prowler","version":null,"title":"Prowler findings","maintainer":null,"summary":null,"license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"check11","title":"Prowler: [check11] Avoid the use of the root account (Scored)","tags":{"nist":["SA-11","RA-5"]},"impact":0.7,"desc":" ","descriptions":[],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.1-123456789123-us-east-1-Root_user_in_the_account_was_last_accessed_1_day_ago\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check11\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:02Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:02Z\",\n \"CreatedAt\": \"2021-05-17T23:07:02Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check11] Avoid the use of the root account (Scored)\",\n \"Description\": \"Root user in the account was last accessed 1 day ago\",\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"Software and Configuration Checks\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Root user in the account was last accessed 1 day ago; Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: 
us-east-1]","start_time":"2021-05-17T23:07:02Z"}]},{"id":"check12","title":"Prowler: [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","tags":{"nist":["SA-11","RA-5"]},"impact":0.7,"desc":" ","descriptions":[],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name1_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:02Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:02Z\",\n \"CreatedAt\": \"2021-05-17T23:07:02Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name1 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name2_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": 
\"2021-05-17T23:07:02Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:02Z\",\n \"CreatedAt\": \"2021-05-17T23:07:02Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name2 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name3_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:03Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:03Z\",\n \"CreatedAt\": \"2021-05-17T23:07:03Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name3 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name4_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": 
\"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:03Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:03Z\",\n \"CreatedAt\": \"2021-05-17T23:07:03Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name4 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name5_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:03Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:03Z\",\n \"CreatedAt\": \"2021-05-17T23:07:03Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name5 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": 
\"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name6_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:03Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:03Z\",\n \"CreatedAt\": \"2021-05-17T23:07:03Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name6 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name7_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:03Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:03Z\",\n \"CreatedAt\": \"2021-05-17T23:07:03Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor 
authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name7 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name8_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:03Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:03Z\",\n \"CreatedAt\": \"2021-05-17T23:07:03Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name8 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n },\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"prowler-1.2-123456789123-us-east-1-User_name9_has_Password_enabled_but_MFA_disabled\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/prowler/prowler\",\n \"RecordState\": \"ACTIVE\",\n \"ProductFields\": {\n \"ProviderName\": \"Prowler\",\n \"ProviderVersion\": \"2.4.0-07042021\"\n },\n \"GeneratorId\": \"prowler-check12\",\n \"AwsAccountId\": 
\"123456789123\",\n \"Types\": [\n \"ens-op.acc.5.aws.iam.1\"\n ],\n \"FirstObservedAt\": \"2021-05-17T23:07:04Z\",\n \"UpdatedAt\": \"2021-05-17T23:07:04Z\",\n \"CreatedAt\": \"2021-05-17T23:07:04Z\",\n \"Severity\": {\n \"Label\": \"HIGH\"\n },\n \"Title\": \"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)\",\n \"Description\": \"User name9 has Password enabled but MFA disabled\",\n \"Resources\": [\n {\n \"Type\": \"AwsIamUser\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"RelatedRequirements\": [\n \"ens-op.acc.5.aws.iam.1\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"User name1 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:02Z"},{"status":"failed","code_desc":"User name2 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:02Z"},{"status":"failed","code_desc":"User name3 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:03Z"},{"status":"failed","code_desc":"User name4 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:03Z"},{"status":"failed","code_desc":"User name5 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:03Z"},{"status":"failed","code_desc":"User name6 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, 
Region: us-east-1]","start_time":"2021-05-17T23:07:03Z"},{"status":"failed","code_desc":"User name7 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:03Z"},{"status":"failed","code_desc":"User name8 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:03Z"},{"status":"failed","code_desc":"User name9 has Password enabled but MFA disabled; Resources: [Type: AwsIamUser, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-05-17T23:07:04Z"}]}],"sha256":"64be1644c383b809ae601ef8c247134317e09bf69836c64016f3b9b7a97f0f1b"}]} \ No newline at end of file diff --git a/sample_jsons/prowler_mapper/sample_input_jsons/prowler_sample.asff-json b/sample_jsons/prowler_mapper/sample_input_jsons/prowler_sample.asff-json new file mode 100644 index 0000000..e2f74e8 --- /dev/null +++ b/sample_jsons/prowler_mapper/sample_input_jsons/prowler_sample.asff-json 
@@ -0,0 +1,10 @@ +{"SchemaVersion":"2018-10-08","Id":"prowler-1.1-123456789123-us-east-1-Root_user_in_the_account_was_last_accessed_1_day_ago","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check11","AwsAccountId":"123456789123","Types":["Software and Configuration Checks"],"FirstObservedAt":"2021-05-17T23:07:02Z","UpdatedAt":"2021-05-17T23:07:02Z","CreatedAt":"2021-05-17T23:07:02Z","Severity":{"Label":"HIGH"},"Title":"[check11] Avoid the use of the root account (Scored)","Description":"Root user in the account was last accessed 1 day ago","Resources":[{"Type":"AwsAccount","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["Software and Configuration Checks"]}} +{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name1_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:02Z","UpdatedAt":"2021-05-17T23:07:02Z","CreatedAt":"2021-05-17T23:07:02Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name1 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} 
+{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name2_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:02Z","UpdatedAt":"2021-05-17T23:07:02Z","CreatedAt":"2021-05-17T23:07:02Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name2 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} +{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name3_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:03Z","UpdatedAt":"2021-05-17T23:07:03Z","CreatedAt":"2021-05-17T23:07:03Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name3 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} 
+{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name4_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:03Z","UpdatedAt":"2021-05-17T23:07:03Z","CreatedAt":"2021-05-17T23:07:03Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name4 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} +{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name5_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:03Z","UpdatedAt":"2021-05-17T23:07:03Z","CreatedAt":"2021-05-17T23:07:03Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name5 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} 
+{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name6_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:03Z","UpdatedAt":"2021-05-17T23:07:03Z","CreatedAt":"2021-05-17T23:07:03Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name6 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} +{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name7_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:03Z","UpdatedAt":"2021-05-17T23:07:03Z","CreatedAt":"2021-05-17T23:07:03Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name7 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} 
+{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name8_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:03Z","UpdatedAt":"2021-05-17T23:07:03Z","CreatedAt":"2021-05-17T23:07:03Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name8 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} +{"SchemaVersion":"2018-10-08","Id":"prowler-1.2-123456789123-us-east-1-User_name9_has_Password_enabled_but_MFA_disabled","ProductArn":"arn:aws:securityhub:us-east-1::product/prowler/prowler","RecordState":"ACTIVE","ProductFields":{"ProviderName":"Prowler","ProviderVersion":"2.4.0-07042021"},"GeneratorId":"prowler-check12","AwsAccountId":"123456789123","Types":["ens-op.acc.5.aws.iam.1"],"FirstObservedAt":"2021-05-17T23:07:04Z","UpdatedAt":"2021-05-17T23:07:04Z","CreatedAt":"2021-05-17T23:07:04Z","Severity":{"Label":"HIGH"},"Title":"[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)","Description":"User name9 has Password enabled but MFA disabled","Resources":[{"Type":"AwsIamUser","Id":"AWS::::Account:123456789123","Partition":"aws","Region":"us-east-1"}],"Compliance":{"Status":"FAILED","RelatedRequirements":["ens-op.acc.5.aws.iam.1"]}} From 041b781a64ca43e768aef53c3f3554a6aa1c7e47 Mon Sep 17 00:00:00 2001 
From: Amndeep Singh Mann Date: Thu, 5 Aug 2021 00:34:31 -0400 Subject: [PATCH 11/20] appeased rubocop Signed-off-by: Amndeep Singh Mann --- .rubocop_todo.yml | 27 ++++++-------- heimdall_tools.gemspec | 2 +- .../asff_compatible_products/securityhub.rb | 17 +++++---- lib/heimdall_tools/asff_mapper.rb | 35 +++++++++---------- lib/heimdall_tools/fortify_mapper.rb | 2 -- 5 files changed, 36 insertions(+), 47 deletions(-) diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 0fa2a19..ccf61a0 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -1,6 +1,6 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2021-06-07 20:33:06 UTC using RuboCop version 1.16.0. +# on 2021-08-05 04:56:46 UTC using RuboCop version 1.14.0. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new @@ -19,12 +19,6 @@ Lint/DuplicateBranch: Exclude: - 'lib/heimdall_tools/dbprotect_mapper.rb' -# Offense count: 1 -# Configuration parameters: MaximumRangeSize. -Lint/MissingCopEnableDirective: - Exclude: - - 'lib/heimdall_tools/nessus_mapper.rb' - # Offense count: 1 Lint/RequireParentheses: Exclude: @@ -37,10 +31,10 @@ Lint/UnusedMethodArgument: Exclude: - 'lib/heimdall_tools/hdf.rb' -# Offense count: 37 +# Offense count: 49 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes. Metrics/AbcSize: - Max: 124 + Max: 165 # Offense count: 5 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods. 
@@ -53,17 +47,17 @@ Metrics/BlockLength: Metrics/BlockNesting: Max: 5 -# Offense count: 9 +# Offense count: 10 # Configuration parameters: CountComments, CountAsOne. Metrics/ClassLength: Max: 175 -# Offense count: 10 +# Offense count: 13 # Configuration parameters: IgnoredMethods. Metrics/CyclomaticComplexity: - Max: 17 + Max: 30 -# Offense count: 40 +# Offense count: 44 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods. Metrics/MethodLength: Max: 56 @@ -73,10 +67,10 @@ Metrics/MethodLength: Metrics/ParameterLists: Max: 18 -# Offense count: 8 +# Offense count: 11 # Configuration parameters: IgnoredMethods. Metrics/PerceivedComplexity: - Max: 17 + Max: 30 # Offense count: 3 Naming/AccessorMethodName: @@ -98,10 +92,11 @@ Naming/VariableName: Exclude: - 'lib/heimdall_tools/burpsuite_mapper.rb' -# Offense count: 12 +# Offense count: 15 # Configuration parameters: AllowedVariables. Style/GlobalVars: Exclude: + - 'lib/heimdall_tools/asff_mapper.rb' - 'lib/heimdall_tools/jfrog_xray_mapper.rb' - 'lib/heimdall_tools/nessus_mapper.rb' - 'lib/heimdall_tools/nikto_mapper.rb' diff --git a/heimdall_tools.gemspec b/heimdall_tools.gemspec index b1b549c..4e1a068 100644 --- a/heimdall_tools.gemspec +++ b/heimdall_tools.gemspec @@ -28,8 +28,8 @@ Gem::Specification.new do |spec| spec.test_files = spec.files.grep(%r{^(test|spec|features)/}) spec.require_paths = ['lib'] - spec.add_runtime_dependency 'aws-sdk-securityhub', '~> 1' spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1' + spec.add_runtime_dependency 'aws-sdk-securityhub', '~> 1' spec.add_runtime_dependency 'csv', '~> 3.1' spec.add_runtime_dependency 'git-lite-version-bump', '>= 0.17.2' spec.add_runtime_dependency 'htmlentities', '~> 4.3.4' diff --git a/lib/heimdall_tools/asff_compatible_products/securityhub.rb b/lib/heimdall_tools/asff_compatible_products/securityhub.rb index 2a296b5..edabaa5 100644 --- a/lib/heimdall_tools/asff_compatible_products/securityhub.rb 
+++ b/lib/heimdall_tools/asff_compatible_products/securityhub.rb
@@ -25,17 +25,15 @@ def self.supporting_docs(standards:)
 { controls: controls, aws_config_mapping: aws_config_mapping }
 end
- def self.finding_id(finding, *, controls: nil, encode:, **)
+ def self.finding_id(finding, *, encode:, controls: nil, **)
 ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
 control['ControlId']
+ elsif finding['ProductFields'].member?('ControlId') # check if aws
+ finding['ProductFields']['ControlId']
+ elsif finding['ProductFields'].member?('RuleId') # check if cis
+ finding['ProductFields']['RuleId']
 else
- if finding['ProductFields'].member?('ControlId') # check if aws
- finding['ProductFields']['ControlId']
- elsif finding['ProductFields'].member?('RuleId') # check if cis
- finding['ProductFields']['RuleId']
- else
- finding['GeneratorId'].split('/')[-1]
- end
+ finding['GeneratorId'].split('/')[-1]
 end
 encode.call(ret)
 end
@@ -54,10 +52,11 @@ def self.finding_impact(finding, *, controls: nil, **)
 def self.finding_nist_tag(finding, *, aws_config_mapping:, **)
 return {} unless finding['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule'
+
 aws_config_mapping.select { |rule| finding['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] }
 end
- def self.finding_title(finding, *, controls: nil, encode:, **)
+ def self.finding_title(finding, *, encode:, controls: nil, **)
 ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
 control['Title']
 else
diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb
index d15eb73..c1b0138 100644
--- a/lib/heimdall_tools/asff_mapper.rb
+++ b/lib/heimdall_tools/asff_mapper.rb
@@ -6,7 +6,6 @@ require 'heimdall_tools/asff_compatible_products/prowler'
 require 'heimdall_tools/asff_compatible_products/securityhub'
-
 module HeimdallTools
 DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
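Review bot: The two added `elsif` branches index `finding['ProductFields']` unconditionally, and `ProductFields` is not in the mapper's own required-key list (`asff_required_keys` in asff_mapper.rb), so a finding that omits it raises NoMethodError on `member?` instead of falling through to the `GeneratorId` default. The same unguarded access is in the `@@ -54,10 +52,11 @@` hunk below, where `finding.dig('ProductFields', 'RelatedAWSResources:0/type')` would simply return nil and take the existing `return {}` early exit. `Hash#dig` keeps the branch order and tolerates the missing key (a key present with a nil value now also falls through, which looks like the intent); the rewritten chain is below.
```ruby
ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
        control['ControlId']
      elsif (control_id = finding.dig('ProductFields', 'ControlId')) # check if aws
        control_id
      elsif (rule_id = finding.dig('ProductFields', 'RuleId')) # check if cis
        rule_id
      # … unchanged: else branch falling back to GeneratorId, encode.call(ret) …
```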
@@ -40,19 +39,19 @@ class ASFFMapper
 }.freeze
 PRODUCT_ARN_MAPPING = {
- /arn:.+:securityhub:.+:.*:product\/aws\/firewall-manager/ => FirewallManager,
- /arn:.+:securityhub:.+:.*:product\/aws\/securityhub/ => SecurityHub,
- /arn:.+:securityhub:.+:.*:product\/prowler\/prowler/ => Prowler
+ %r{arn:.+:securityhub:.+:.*:product/aws/firewall-manager} => FirewallManager,
+ %r{arn:.+:securityhub:.+:.*:product/aws/securityhub} => SecurityHub,
+ %r{arn:.+:securityhub:.+:.*:product/prowler/prowler} => Prowler
 }.freeze
 def initialize(asff_json, securityhub_standards_json_array: nil, meta: nil)
 @meta = meta
 @supporting_docs = {}
- @supporting_docs[SecurityHub] = SecurityHub.supporting_docs({standards: securityhub_standards_json_array})
+ @supporting_docs[SecurityHub] = SecurityHub.supporting_docs({ standards: securityhub_standards_json_array })
 begin
- asff_required_keys = %w(AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt)
+ asff_required_keys = %w{AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt}
 @report = JSON.parse(asff_json)
 if @report.length == 1 && @report.member?('Findings') && @report['Findings'].each { |finding| asff_required_keys.difference(finding.keys).none? }.all?
 # ideal case that is spec compliant
@@ -61,7 +60,7 @@ def initialize(asff_json, securityhub_standards_json_array: nil, meta: nil)
 # individual finding so have to add wrapping array
 @report = { 'Findings' => [@report] }
 else
- raise "Not a findings file nor an individual finding"
+ raise 'Not a findings file nor an individual finding'
 end
 rescue StandardError => e
 raise "Invalid ASFF file provided:\nException: #{e}"
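Review bot: The three rewritten `%r{...}` keys in `PRODUCT_ARN_MAPPING` are unanchored, and their `.+`/`.*` segments accept any text including further colons and slashes, so any ProductArn that merely contains `product/aws/securityhub` somewhere matches the SecurityHub entry. If the `arn` that `external_product_handler` uses to index this hash is resolved by testing these patterns against `finding['ProductArn']` (the resolution is not in this hunk), a third-party product whose ARN embeds one of these paths would be routed to the wrong handler. Pinning each pattern to the whole string closes that, e.g. `%r{\Aarn:.+:securityhub:.+:.*:product/aws/securityhub\z} => SecurityHub`, and likewise for the firewall-manager and prowler entries.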
@@ -79,12 +78,10 @@ def external_product_handler(product, data, func, default)
 keywords = { encode: method(:encode) }
 keywords = keywords.merge(@supporting_docs[PRODUCT_ARN_MAPPING[arn || product]]) if @supporting_docs.member?(PRODUCT_ARN_MAPPING[arn || product])
 PRODUCT_ARN_MAPPING[arn || product].send(func, data, **keywords)
+ elsif default.is_a? Proc
+ default.call
 else
- if default.is_a? Proc
- default.call
- else
- default
- end
+ default
 end
 end
@@ -100,7 +97,7 @@ def impact(finding)
 imp = :INFORMATIONAL
 else
 # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred. other values can be in here too such as the original severity rating.
- default = Proc.new { finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0 }
+ default = proc { finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0 }
 imp = external_product_handler(finding['ProductArn'], finding, :finding_impact, default)
 end
 imp.is_a?(Symbol) ? IMPACT_MAPPING[imp] : imp
@@ -140,7 +137,7 @@ def subfindings(finding)
 subfinding['code_desc'] = external_product_handler(finding['ProductArn'], finding, :subfindings_code_desc, '')
 subfinding['code_desc'] += '; ' unless subfinding['code_desc'].empty?
- subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| "Type: #{encode(r['Type'])}, Id: #{encode(r['Id'])}#{', Partition: ' + encode(r['Partition']) if r.key?('Partition')}#{', Region: ' + encode(r['Region']) if r.key?('Region')}" }.join(', ') }]"
+ subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| "Type: #{encode(r['Type'])}, Id: #{encode(r['Id'])}#{", Partition: #{encode(r['Partition'])}" if r.key?('Partition')}#{", Region: #{encode(r['Region'])}" if r.key?('Region')}" }.join(', ')}]"
 subfinding['start_time'] = finding.key?('LastObservedAt') ? finding['LastObservedAt'] : finding['UpdatedAt']
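Review bot: The dispatch on the context line just above the new `elsif`, `PRODUCT_ARN_MAPPING[arn || product].send(func, data, **keywords)`, uses `send`, which also reaches private methods of the handler module; every handler this class calls (`finding_id`, `finding_title`, `finding_nist_tag` in securityhub.rb) is a public `def self.` method, so `public_send(func, data, **keywords)` states that contract and keeps a future private helper from becoming callable through a `func` symbol. The added `elsif default.is_a? Proc` / `default.call` pair is fine as written, since lambdas are also `Proc` instances. `external_product_handler` starts before this hunk.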
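Review bot: The `proc` on the added line converts `finding['Severity']['Label']` to a symbol and the method's last line resolves it with `IMPACT_MAPPING[imp]`, so a label that is not one of `IMPACT_MAPPING`'s keys (a typo or a product-specific label) silently becomes a nil impact rather than an error or a fallback; the `rescue StandardError` in `initialize` does not cover this, since `impact` presumably runs later from `to_hdf`. A fallback keeps one malformed finding from yielding a control with no impact, e.g. `imp.is_a?(Symbol) ? IMPACT_MAPPING.fetch(imp) { finding['Severity']['Normalized'] / 100.0 } : imp` if `Normalized` is known to accompany `Label`, or otherwise a raise naming the offending label. Whether ASFF guarantees `Normalized` alongside `Label` is not visible here. `impact` starts before this hunk.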
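Review bot: The rewritten `code_desc` line nests an interpolated string inside a block inside another interpolated string, with two `#{... if ...}` modifiers in the innermost one; it is correct, but the change the commit makes (interpolation instead of `' + '` concatenation) is itself only visible on close reading, and the optional `Partition`/`Region` segments are easy to get wrong on the next edit. Extracting the per-resource formatting into a small private helper makes the optional parts explicit and lets the line read as `subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| resource_desc(r) }.join(', ')}]"`; the helper is below and produces the same `Type: …, Id: …[, Partition: …][, Region: …]` text. `subfindings` starts and ends outside this hunk.
```ruby
subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| resource_desc(r) }.join(', ')}]"
# … unchanged: start_time …

# Renders one ASFF Resource as "Type: …, Id: …" plus Partition and Region when present.
def resource_desc(resource)
  parts = ["Type: #{encode(resource['Type'])}", "Id: #{encode(resource['Id'])}"]
  parts << "Partition: #{encode(resource['Partition'])}" if resource.key?('Partition')
  parts << "Region: #{encode(resource['Region'])}" if resource.key?('Region')
  parts.join(', ')
end
```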
@@ -167,7 +164,7 @@ def to_hdf
 item['desc'] = encode(finding['Description'])
 item['descriptions'] = []
- item['descriptions'] << desc_tags(finding['Remediation']['Recommendation'].map { |k,v| encode(v) }.join("\n"), 'fix') if finding.key?('Remediation') && finding['Remediation'].key?('Recommendation')
+ item['descriptions'] << desc_tags(finding['Remediation']['Recommendation'].map { |_k, v| encode(v) }.join("\n"), 'fix') if finding.key?('Remediation') && finding['Remediation'].key?('Recommendation')
 item['refs'] = []
 item['refs'] << { url: finding['SourceUrl'] } if finding.key?('SourceUrl')
@@ -203,7 +200,7 @@ def to_hdf
 # add product name to id if any ids are the same across products
 item['id'] = product_groups.filter { |pg| pg != product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id
- item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(";")}"
+ item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(';')}"
 item['tags'] = { nist: group.map { |d| d['tags'][:nist] }.flatten.uniq }
@@ -216,7 +213,7 @@ def to_hdf
 item['refs'] = group.map { |d| d['refs'] }.flatten.compact.reject(&:empty?).uniq
 item['source_location'] = NA_HASH
- item['code'] = JSON.pretty_generate({ "Findings": findings })
+ item['code'] = JSON.pretty_generate({ Findings: findings })
 item['results'] = group.map { |d| d['results'] }.flatten.uniq
@@ -224,8 +221,8 @@ def to_hdf
 end
 end
- results = HeimdallDataFormat.new(profile_name: @meta && @meta.key?('name') ? @meta['name'] : 'AWS Security Finding Format',
- title: @meta && @meta.key?('title') ? @meta['title'] : "ASFF findings",
+ results = HeimdallDataFormat.new(profile_name: @meta&.key?('name') ? @meta['name'] : 'AWS Security Finding Format',
+ title: @meta&.key?('title') ? @meta['title'] : 'ASFF findings',
 controls: controls)
 results.to_hdf
 end
diff --git a/lib/heimdall_tools/fortify_mapper.rb b/lib/heimdall_tools/fortify_mapper.rb
index df89fab..465e1d9 100644
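Review bot: The rewritten `descriptions` line still reaches the recommendation through two chained `key?` checks followed by `finding['Remediation']['Recommendation']`, and walks the hash with `map { |_k, v| ... }` only to discard the key. `Hash#dig` plus `values` says the same thing in one pass: `if (recommendation = finding.dig('Remediation', 'Recommendation'))` guarding `item['descriptions'] << desc_tags(recommendation.values.map { |v| encode(v) }.join("\n"), 'fix')`. `values` keeps insertion order exactly as the pair-wise `map` does, so the `Text` then `Url` ordering seen in the sample HDF output below is unchanged. `to_hdf` continues outside this hunk.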
--- a/lib/heimdall_tools/fortify_mapper.rb
+++ b/lib/heimdall_tools/fortify_mapper.rb
@@ -55,7 +55,6 @@ def primaries(classid)
 findings.uniq
 end
- # rubocop:disable Layout/LineEndStringConcatenationIndentation
 def snippet(snippetid)
 snippet = @snippets.select { |x| x['id'].eql?(snippetid) }.first
 "\nPath: #{snippet['File']}\n" \
@@ -63,7 +62,6 @@ def snippet(snippetid)
 "EndLine: #{snippet['EndLine']}\n" \
 "Code:\n#{snippet['Text']['#cdata-section'].strip}" \
 end
- # rubocop:enable Layout/LineEndStringConcatenationIndentation
 def nist_tag(rule)
 references = rule['References']['Reference']
From f27d10abf388885525569f7e62fbf43ede21aab9 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 9 Aug 2021 17:36:58 -0400
Subject: [PATCH 12/20] address the 'difference' method not being in array in 2.5 and how to handle the 'no_status' value as per review
Signed-off-by: Amndeep Singh Mann
---
 lib/heimdall_tools/asff_mapper.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb
index c1b0138..06c80ac 100644
--- a/lib/heimdall_tools/asff_mapper.rb
+++ b/lib/heimdall_tools/asff_mapper.rb
@@ -1,4 +1,6 @@
 require 'json'
+require 'set'
+
 require 'htmlentities'
 require 'heimdall_tools/hdf'
@@ -29,6 +31,7 @@ module HeimdallTools
 end
 end
+ # todo: use hash.dig and safe navigation operator throughout
 class ASFFMapper
 IMPACT_MAPPING = {
 CRITICAL: 0.9,
@@ -53,10 +56,10 @@ def initialize(asff_json, securityhub_standards_json_array: nil, meta: nil)
 begin
 asff_required_keys = %w{AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt}
 @report = JSON.parse(asff_json)
- if @report.length == 1 && @report.member?('Findings') && @report['Findings'].each { |finding| asff_required_keys.difference(finding.keys).none? }.all?
+ if @report.length == 1 && @report.member?('Findings') && @report['Findings'].each { |finding| asff_required_keys.to_set.difference(finding.keys.to_set).none? }.all?
 # ideal case that is spec compliant
 # might need to ensure that the file is utf-8 encoded and remove a BOM if one exists
- elsif asff_required_keys.difference(@report.keys).none?
+ elsif asff_required_keys.to_set.difference(@report.keys.to_set).none?
 # individual finding so have to add wrapping array
 @report = { 'Findings' => [@report] }
 else
@@ -127,11 +130,11 @@ def subfindings(finding)
 subfinding['status'] = 'skipped'
 subfinding['message'] = statusreason if statusreason
 else
- subfinding['status'] = 'no_status'
+ subfinding['status'] = 'error' # not a valid value for the status enum
 subfinding['message'] = statusreason if statusreason
 end
 else
- subfinding['status'] = 'no_status'
+ subfinding['status'] = 'skipped' # if no compliance status is provided which is a weird but possible case, then skip
 subfinding['message'] = statusreason if statusreason
 end
From 63f868bd828da671a10af19e69a33a1d2a8edaf1 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 9 Aug 2021 17:37:57 -0400
Subject: [PATCH 13/20] modified sample data to add more result types, more nist tags, and just have a larger sample on the whole as per review
Signed-off-by: Amndeep Singh Mann
---
 sample_jsons/asff_mapper/asff_hdf.json | 2 +-
 .../sample_input_jsons/asff_sample.json | 1238 ++++++++++++++++-
 2 files changed, 1208 insertions(+), 32 deletions(-)
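Review bot: The rewritten `if` line still validates the findings array with `@report['Findings'].each { |finding| ... }.all?`; `each` with a block returns the receiver, so `all?` only checks that every element is truthy and the per-finding required-key test inside the block is never consulted — a `Findings` array whose entries lack `Id` or `Severity` passes this branch, which is the validation this commit is tightening. `Array#-` is not version-dependent, so the `to_set` conversions and the new `require 'set'` are also unnecessary: `if @report.length == 1 && @report.member?('Findings') && @report['Findings'].all? { |finding| (asff_required_keys - finding.keys).empty? }` and `elsif (asff_required_keys - @report.keys).empty?`. `initialize` starts and ends outside this hunk.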
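Review bot: The comment on the new `'error'` line, `# not a valid value for the status enum`, reads as though `'error'` itself were the invalid value, when it is the finding's `Compliance.Status` that fell outside the values the mapper handles; `# Compliance.Status is outside the values this mapper understands, so surface it as an error rather than dropping the result` names the enum that is meant. For the same reason it is worth recording the unexpected status value in `subfinding['message']` when `statusreason` is nil, so the HDF output shows why a result is marked error; the local holding that status is outside this hunk, so the exact expression depends on it. `subfindings` starts before this hunk.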
diff --git a/sample_jsons/asff_mapper/asff_hdf.json b/sample_jsons/asff_mapper/asff_hdf.json
index e5debfa..bd0e88f 100644
--- a/sample_jsons/asff_mapper/asff_hdf.json
+++ b/sample_jsons/asff_mapper/asff_hdf.json
@@ -1 +1 @@ -{"platform":{"name":"Heimdall Tools","release":"1.3.45.13.gda065ed.1.dirty.20210804.235852","target_id":""},"version":"1.3.45.13.gda065ed.1.dirty.20210804.235852","statistics":{"duration":null},"profiles":[{"name":"AWS Security Finding Format","version":null,"title":"ASFF findings","maintainer":null,"summary":null,"license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"Config.1","title":"AWS Foundational Security Best Practices v1.0.0: Config.1 AWS Config should be enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:40:39.455Z\",\n \"LastObservedAt\": \"2021-08-04T23:30:26.675Z\",\n \"CreatedAt\": \"2021-07-23T23:40:39.455Z\",\n \"UpdatedAt\": \"2021-08-04T23:30:24.804Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n 
\"Original\": \"MEDIUM\"\n },\n \"Title\": \"Config.1 AWS Config should be enabled\",\n \"Description\": \"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"Config.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory 
Standards/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-04T23:30:26.675Z"}]},{"id":"CIS.1.1","title":"CIS AWS Foundations Benchmark v1.2.0: Avoid the use of the "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:05.607Z\",\n \"LastObservedAt\": \"2021-08-04T23:29:17.637Z\",\n \"CreatedAt\": \"2021-07-23T23:39:05.607Z\",\n \"UpdatedAt\": \"2021-08-04T23:29:15.639Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"1.1 Avoid the use of the \\\"root\\\" account\",\n \"Description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. 
It is highly recommended that the use of this account be avoided.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"1.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n 
\"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-04T23:29:17.637Z"}]}],"sha256":"9b614d656ac023b78dba9df8bb2664f39d1cbebcea50412d744101072b060b30"}]} \ No newline at end of file +{"platform":{"name":"Heimdall Tools","release":"1.3.48.12.g041b781.1.dirty.20210809.173522","target_id":""},"version":"1.3.48.12.g041b781.1.dirty.20210809.173522","statistics":{"duration":null},"profiles":[{"name":"AWS Security Finding Format","version":null,"title":"ASFF findings","maintainer":null,"summary":null,"license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"CIS.1.1","title":"CIS AWS Foundations Benchmark v1.2.0: Avoid the use of the "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"The "root" account has unrestricted access to all resources in the AWS account. 
It is highly recommended that the use of this account be avoided.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:05.607Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:16.331Z\",\n \"CreatedAt\": \"2021-07-23T23:39:05.607Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:13.288Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"1.1 Avoid the use of the \\\"root\\\" account\",\n \"Description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. 
It is highly recommended that the use of this account be avoided.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"1.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n 
\"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:16.331Z"}]},{"id":"CIS.2.5","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure AWS Config is enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:03.660Z\",\n \"LastObservedAt\": 
\"2021-08-09T11:28:15.499Z\",\n \"CreatedAt\": \"2021-07-23T23:39:03.660Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:12.889Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n \"Original\": \"MEDIUM\"\n },\n \"Title\": \"2.5 Ensure AWS Config is enabled\",\n \"Description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"2.5\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.5\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": 
\"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:15.499Z"}]},{"id":"CIS.3.9","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for AWS Config configuration changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n 
\"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.508Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.9\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.9\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f\"\n 
},\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.508Z"}]},{"id":"CIS.3.8","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for S3 bucket policy changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.460Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.8\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.8\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.460Z"}]},{"id":"CIS.3.7","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n 
\"LastObservedAt\": \"2021-08-09T11:28:10.511Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.7\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.7\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d\"\n 
},\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.511Z"}]},{"id":"CIS.3.6","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for failed console authentication attempts.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:10.542Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for failed console authentication attempts.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.6\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.6\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n 
\"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.542Z"}]},{"id":"CIS.3.5","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for CloudTrail configuration changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": 
\"2021-08-09T11:28:10.630Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.5\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.5\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": 
\"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.630Z"}]},{"id":"CIS.3.4","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for IAM policy changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:11.788Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.4 Ensure a log metric filter and alarm exist for IAM policy changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.4\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.4\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n 
\"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:11.788Z"}]},{"id":"CIS.3.3","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for usage of "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:09.830Z\",\n \"CreatedAt\": 
\"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.3 Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.3\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.3\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n 
}\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:09.830Z"}]},{"id":"CIS.3.2","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.172Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.2\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.2\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n 
\"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.172Z"}]},{"id":"CIS.3.14","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for VPC changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:09.392Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.14 Ensure a log metric filter and alarm exist for VPC changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.14\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.14\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:09.392Z"}]},{"id":"CIS.3.13","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for route table changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n 
\"LastObservedAt\": \"2021-08-09T11:28:10.315Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.13 Ensure a log metric filter and alarm exist for route table changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.13\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.13\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.315Z"}]},{"id":"CIS.3.12","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for changes to network gateways","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.267Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.12 Ensure a log metric filter and alarm exist for changes to network gateways\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.12\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.12\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n 
\"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.267Z"}]},{"id":"CIS.3.11","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n 
\"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.297Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.11\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.11\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.297Z"}]},{"id":"CIS.3.10","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for security group changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.931Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:13.084Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.931Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.10 Ensure a log metric filter and alarm exist for security group changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.10\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.10\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:13.084Z"}]},{"id":"CIS.3.1","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for unauthorized API calls","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.931Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.445Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.931Z\",\n 
\"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.1 Ensure a log metric filter and alarm exist for unauthorized API calls\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n 
\"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.445Z"}]},{"id":"Config.1","title":"AWS Foundational Security Best Practices v1.0.0: Config.1 AWS Config should be enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n 
\"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:40:39.455Z\",\n \"LastObservedAt\": \"2021-08-09T11:21:11.282Z\",\n \"CreatedAt\": \"2021-07-23T23:40:39.455Z\",\n \"UpdatedAt\": \"2021-08-09T11:21:09.408Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n \"Original\": \"MEDIUM\"\n },\n \"Title\": \"Config.1 AWS Config should be enabled\",\n \"Description\": \"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"Config.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": 
\"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:21:11.282Z"}]},{"id":"S3.2","title":"AWS Foundational Security Best Practices v1.0.0: S3.2 S3 buckets should prohibit public read access","tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"impact":0.5,"desc":"This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/S3.2/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/S3.2\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Effects/Data Exposure/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-04-28T14:57:54.547Z\",\n \"LastObservedAt\": \"2021-07-02T16:02:48.476Z\",\n \"CreatedAt\": 
\"2021-04-28T14:57:54.547Z\",\n \"UpdatedAt\": \"2021-07-02T16:02:46.396Z\",\n \"Severity\": {\n \"Product\": 0,\n \"Label\": \"INFORMATIONAL\",\n \"Normalized\": 0,\n \"Original\": \"INFORMATIONAL\"\n },\n \"Title\": \"S3.2 S3 buckets should prohibit public read access\",\n \"Description\": \"This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/S3.2/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"S3.2\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/S3.2/remediation\",\n \"RelatedAWSResources:0/name\": \"securityhub-s3-bucket-public-read-prohibited-491148b1\",\n \"RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/S3.2\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:s3:::example-bucket-123456789123-us-east-1\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsS3Bucket\",\n \"Id\": \"arn:aws:s3:::example-bucket-123456789123-us-east-1\",\n 
\"Partition\": \"aws\",\n \"Region\": \"us-east-1\",\n \"Details\": {\n \"AwsS3Bucket\": {\n \"OwnerId\": \"abe813ee284239446607ac88bf580a6f7348abec9053fd187e6234b58102e826\",\n \"CreatedAt\": \"2021-03-12T20:14:09.000Z\"\n }\n }\n }\n ],\n \"Compliance\": {\n \"Status\": \"PASSED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"RESOLVED\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"INFORMATIONAL\",\n \"Original\": \"INFORMATIONAL\"\n },\n \"Types\": [\n \"Effects/Data Exposure/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"passed","code_desc":"Resources: [Type: AwsS3Bucket, Id: arn:aws:s3:::example-bucket-123456789123-us-east-1, Partition: aws, Region: us-east-1]","start_time":"2021-07-02T16:02:48.476Z"}]}],"sha256":"9d44a2af3a64f1ad7fbc5adcbd1baef33911b15963f905f8ab9ad28dbbff518d"}]}
\ No newline at end of file
diff --git a/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json b/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json
index 3b159d0..7deb080 100644
--- a/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json
+++ b/sample_jsons/asff_mapper/sample_input_jsons/asff_sample.json
@@ -2,44 +2,118 @@
 "Findings": [
 {
 "SchemaVersion": "2018-10-08",
- "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24",
 "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
 "ProductName": "Security Hub",
 "CompanyName": "AWS",
 "Region": "us-east-1",
- "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/Config.1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1",
 "AwsAccountId": "123456789123",
 "Types": [
- "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 ],
- "FirstObservedAt": "2021-07-23T23:40:39.455Z",
- "LastObservedAt": "2021-08-04T23:30:26.675Z",
- "CreatedAt": "2021-07-23T23:40:39.455Z",
- "UpdatedAt": "2021-08-04T23:30:24.804Z",
+ "FirstObservedAt": "2021-07-23T23:39:05.607Z",
+ "LastObservedAt": "2021-08-09T11:28:16.331Z",
+ "CreatedAt": "2021-07-23T23:39:05.607Z",
+ "UpdatedAt": "2021-08-09T11:28:13.288Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "1.1 Avoid the use of the \"root\" account",
+ "Description": "The \"root\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "1.1",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
 "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:03.660Z",
+ "LastObservedAt": "2021-08-09T11:28:15.499Z",
+ "CreatedAt": "2021-07-23T23:39:03.660Z",
+ "UpdatedAt": "2021-08-09T11:28:12.889Z",
 "Severity": {
 "Product": 40,
 "Label": "MEDIUM",
 "Normalized": 40,
 "Original": "MEDIUM"
 },
- "Title": "Config.1 AWS Config should be enabled",
- "Description": "This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.",
+ "Title": "2.5 Ensure AWS Config is enabled",
+ "Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.",
 "Remediation": {
 "Recommendation": {
- "Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.",
- "Url": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation"
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation"
 }
 },
 "ProductFields": {
- "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
- "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0",
- "ControlId": "Config.1",
- "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation",
- "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1",
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "2.5",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.5",
 "aws/securityhub/ProductName": "Security Hub",
 "aws/securityhub/CompanyName": "AWS",
 "Resources:0/Id": "arn:aws:iam::123456789123:root",
- "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3"
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47"
 },
 "Resources": [
 {
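Review bot: The failing findings in this fixture carry the actual failure cause only in `Compliance.StatusReasons[].Description` and the `aws/securityhub/annotation` product field (here "Multi region CloudTrail with the required configuration does not exist in the account"), while `Title` and `Description` are the generic control text; the HDF output sample earlier on this page emits each result with only `status`, `code_desc` and `start_time`, so unless the mapper already reads those fields the converted result loses why the control failed. Consider having the mapper copy `StatusReasons` (and the annotation when present) into the result's `message` so the reason survives the conversion. Also worth pinning in whatever test consumes this sample: `Resources[0].Id` is `AWS::::Account:123456789123` while `ProductFields."Resources:0/Id"` is `arn:aws:iam::123456789123:root`, so the test should assert which of the two the mapper treats as the resource identifier. This hunk is fixture data only, so the proposed change belongs in the mapper code elsewhere in the series.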
@@ -63,51 +137,199 @@
 "Original": "MEDIUM"
 },
 "Types": [
- "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 ]
 }
 },
 {
 "SchemaVersion": "2018-10-08",
- "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f",
 "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
 "ProductName": "Security Hub",
 "CompanyName": "AWS",
 "Region": "us-east-1",
- "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9",
 "AwsAccountId": "123456789123",
 "Types": [
 "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 ],
- "FirstObservedAt": "2021-07-23T23:39:05.607Z",
- "LastObservedAt": "2021-08-04T23:29:17.637Z",
- "CreatedAt": "2021-07-23T23:39:05.607Z",
- "UpdatedAt": "2021-08-04T23:29:15.639Z",
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:12.508Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
 "Severity": {
 "Product": 30,
 "Label": "LOW",
 "Normalized": 30,
 "Original": "LOW"
 },
- "Title": "1.1 Avoid the use of the \"root\" account",
- "Description": "The \"root\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",
+ "Title": "3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
 "Remediation": {
 "Recommendation": {
 "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
- "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation"
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation"
 }
 },
 "ProductFields": {
 "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
 "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
- "RuleId": "1.1",
- "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation",
- "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1",
+ "RuleId": "3.9",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.9",
 "aws/securityhub/ProductName": "Security Hub",
 "aws/securityhub/CompanyName": "AWS",
 "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
 "Resources:0/Id": "arn:aws:iam::123456789123:root",
- "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24"
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:12.460Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.8",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.8",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:10.511Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.7",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.7",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d"
 },
 "Resources": [
 {
@@ -140,6 +362,960 @@
 "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 ]
 }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:10.542Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.6",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.6",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:10.630Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.5",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.5",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:11.788Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.4 Ensure a log metric filter and alarm exist for IAM policy changes",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.4",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.4",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:09.830Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.812Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.3",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.3",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ]
+ }
+ },
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "ProductName": "Security Hub",
+ "CompanyName": "AWS",
+ "Region": "us-east-1",
+ "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2",
+ "AwsAccountId": "123456789123",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+ ],
+ "FirstObservedAt": "2021-07-23T23:39:00.932Z",
+ "LastObservedAt": "2021-08-09T11:28:12.172Z",
+ "CreatedAt": "2021-07-23T23:39:00.932Z",
+ "UpdatedAt": "2021-08-09T11:28:08.811Z",
+ "Severity": {
+ "Product": 30,
+ "Label": "LOW",
+ "Normalized": 30,
+ "Original": "LOW"
+ },
+ "Title": "3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA",
+ "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+ "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0",
+ "RuleId": "3.2",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.2",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
+ "Resources:0/Id": "arn:aws:iam::123456789123:root",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:123456789123",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "FAILED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT",
+ "Description": "Multi region CloudTrail with the required configuration does not exist in the account"
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "LOW",
+ "Original": "LOW"
+ },
+ "Types": [
+ "Software and Configuration 
Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ], + "FirstObservedAt": "2021-07-23T23:39:00.932Z", + "LastObservedAt": "2021-08-09T11:28:09.392Z", + "CreatedAt": "2021-07-23T23:39:00.932Z", + "UpdatedAt": "2021-08-09T11:28:08.811Z", + "Severity": { + "Product": 30, + "Label": "LOW", + "Normalized": 30, + "Original": "LOW" + }, + "Title": "3.14 Ensure a log metric filter and alarm exist for VPC changes", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation" + } + }, + "ProductFields": { + "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0", + "RuleId": "3.14", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.14", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account", + "Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED", + "StatusReasons": [ + { + "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT", + "Description": "Multi region CloudTrail with the required configuration does not exist in the account" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations 
Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ], + "FirstObservedAt": "2021-07-23T23:39:00.932Z", + "LastObservedAt": "2021-08-09T11:28:10.315Z", + "CreatedAt": "2021-07-23T23:39:00.932Z", + "UpdatedAt": "2021-08-09T11:28:08.811Z", + "Severity": { + "Product": 30, + "Label": "LOW", + "Normalized": 30, + "Original": "LOW" + }, + "Title": "3.13 Ensure a log metric filter and alarm exist for route table changes", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. 
It is recommended that a metric filter and alarm be established for changes to route tables.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation" + } + }, + "ProductFields": { + "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0", + "RuleId": "3.13", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.13", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account", + "Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED", + "StatusReasons": [ + { + "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT", + "Description": "Multi region CloudTrail with the required configuration does not exist in the account" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations 
Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ], + "FirstObservedAt": "2021-07-23T23:39:00.932Z", + "LastObservedAt": "2021-08-09T11:28:12.267Z", + "CreatedAt": "2021-07-23T23:39:00.932Z", + "UpdatedAt": "2021-08-09T11:28:08.811Z", + "Severity": { + "Product": 30, + "Label": "LOW", + "Normalized": 30, + "Original": "LOW" + }, + "Title": "3.12 Ensure a log metric filter and alarm exist for changes to network gateways", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation" + } + }, + "ProductFields": { + "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0", + "RuleId": "3.12", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.12", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account", + "Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED", + "StatusReasons": [ + { + "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT", + "Description": "Multi region CloudTrail with the required configuration does not exist in the account" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS 
Foundations Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ], + "FirstObservedAt": "2021-07-23T23:39:00.932Z", + "LastObservedAt": "2021-08-09T11:28:12.297Z", + "CreatedAt": "2021-07-23T23:39:00.932Z", + "UpdatedAt": "2021-08-09T11:28:08.811Z", + "Severity": { + "Product": 30, + "Label": "LOW", + "Normalized": 30, + "Original": "LOW" + }, + "Title": "3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. 
It is recommended that a metric filter and alarm be established for changes made to NACLs.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation" + } + }, + "ProductFields": { + "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0", + "RuleId": "3.11", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.11", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account", + "Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED", + "StatusReasons": [ + { + "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT", + "Description": "Multi region CloudTrail with the required configuration does not exist in the account" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations 
Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ], + "FirstObservedAt": "2021-07-23T23:39:00.931Z", + "LastObservedAt": "2021-08-09T11:28:13.084Z", + "CreatedAt": "2021-07-23T23:39:00.931Z", + "UpdatedAt": "2021-08-09T11:28:08.811Z", + "Severity": { + "Product": 30, + "Label": "LOW", + "Normalized": 30, + "Original": "LOW" + }, + "Title": "3.10 Ensure a log metric filter and alarm exist for security group changes", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation" + } + }, + "ProductFields": { + "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0", + "RuleId": "3.10", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.10", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account", + "Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED", + "StatusReasons": [ + { + "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT", + "Description": "Multi region CloudTrail with the required configuration does not exist in the account" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations 
Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" + ], + "FirstObservedAt": "2021-07-23T23:39:00.931Z", + "LastObservedAt": "2021-08-09T11:28:12.445Z", + "CreatedAt": "2021-07-23T23:39:00.931Z", + "UpdatedAt": "2021-08-09T11:28:08.811Z", + "Severity": { + "Product": 30, + "Label": "LOW", + "Normalized": 30, + "Original": "LOW" + }, + "Title": "3.1 Ensure a log metric filter and alarm exist for unauthorized API calls", + "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for unauthorized API calls.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation" + } + }, + "ProductFields": { + "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0", + "RuleId": "3.1", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.1", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account", + "Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED", + "StatusReasons": [ + { + "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT", + "Description": "Multi region CloudTrail with the required configuration does not exist in the account" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations 
Benchmark" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "us-east-1", + "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/Config.1", + "AwsAccountId": "123456789123", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ], + "FirstObservedAt": "2021-07-23T23:40:39.455Z", + "LastObservedAt": "2021-08-09T11:21:11.282Z", + "CreatedAt": "2021-07-23T23:40:39.455Z", + "UpdatedAt": "2021-08-09T11:21:09.408Z", + "Severity": { + "Product": 40, + "Label": "MEDIUM", + "Normalized": 40, + "Original": "MEDIUM" + }, + "Title": "Config.1 AWS Config should be enabled", + "Description": "This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation" + } + }, + "ProductFields": { + "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", + "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0", + "ControlId": "Config.1", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + 
"Resources:0/Id": "arn:aws:iam::123456789123:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:123456789123", + "Partition": "aws", + "Region": "us-east-1" + } + ], + "Compliance": { + "Status": "FAILED" + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "MEDIUM", + "Original": "MEDIUM" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ] + } + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2", + "AwsAccountId": "123456789123", + "Types": [ + "Effects/Data Exposure/AWS-Foundational-Security-Best-Practices" + ], + "FirstObservedAt": "2021-04-28T14:57:54.547Z", + "LastObservedAt": "2021-07-02T16:02:48.476Z", + "CreatedAt": "2021-04-28T14:57:54.547Z", + "UpdatedAt": "2021-07-02T16:02:46.396Z", + "Severity": { + "Product": 0, + "Label": "INFORMATIONAL", + "Normalized": 0, + "Original": "INFORMATIONAL" + }, + "Title": "S3.2 S3 buckets should prohibit public read access", + "Description": "This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).", + "Remediation": { + "Recommendation": { + "Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security 
Best Practices documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.2/remediation" + } + }, + "ProductFields": { + "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", + "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0", + "ControlId": "S3.2", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/S3.2/remediation", + "RelatedAWSResources:0/name": "securityhub-s3-bucket-public-read-prohibited-491148b1", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/S3.2", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::example-bucket-123456789123-us-east-1", + "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::example-bucket-123456789123-us-east-1", + "Partition": "aws", + "Region": "us-east-1", + "Details": { + "AwsS3Bucket": { + "OwnerId": "abe813ee284239446607ac88bf580a6f7348abec9053fd187e6234b58102e826", + "CreatedAt": "2021-03-12T20:14:09.000Z" + } + } + } + ], + "Compliance": { + "Status": "PASSED" + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "RESOLVED" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "INFORMATIONAL", + "Original": "INFORMATIONAL" + }, + "Types": [ + "Effects/Data Exposure/AWS-Foundational-Security-Best-Practices" + ] + } } + ] } From cc0349f8003102699f48baa9d763ab21f839f8a4 Mon Sep 17 00:00:00 2001 
From: Amndeep Singh Mann Date: Mon, 9 Aug 2021 17:56:57 -0400 Subject: [PATCH 14/20] hash.filter as an alias for hash.select was not in 2.5. using select instead. Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index 06c80ac..ecdf3ae 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb @@ -201,7 +201,7 @@ def to_hdf item = {} # add product name to id if any ids are the same across products - item['id'] = product_groups.filter { |pg| pg != product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id + item['id'] = product_groups.select { |pg| pg != product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(';')}" From c80a46a4744a586fa9a36d2ccf51878e4d5df76c Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Aug 2021 18:04:06 -0400 Subject: [PATCH 15/20] appease rubocop Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/asff_mapper.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index ecdf3ae..f5db430 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb @@ -31,7 +31,7 @@ module HeimdallTools end end - # todo: use hash.dig and safe navigation operator throughout + # TODO: use hash.dig and safe navigation operator throughout class ASFFMapper IMPACT_MAPPING = { CRITICAL: 0.9, 
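Review bot: In the rewritten `item['id']` line of the `to_hdf` hunk, `ig.keys.include?(id)` allocates a full key array for every inner group just to test membership; `Hash#key?` is the direct lookup, `.values.any? { |ig| ig.key?(id) }`. The same expression is carried unchanged into the next commit's `to_hdf` hunk (the `reject { |pg| pg == product }` rewrite), so the suggestion applies there as well. The one-parameter block `|pg|` on a Hash `select`/`reject` receives only the key, which appears intended since it is compared against `product`, but `{ |product_arn, _| product_arn != product }` would make that explicit to the next reader. `to_hdf` begins and ends outside the hunk.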
@@ -201,7 +201,7 @@ def to_hdf item = {} # add product name to id if any ids are the same across products - item['id'] = product_groups.select { |pg| pg != product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id + item['id'] = product_groups.reject { |pg| pg == product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(';')}" From 0aad3b54fdd680e350f88fea55102bf5661bba36 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Aug 2021 18:09:31 -0400 Subject: [PATCH 16/20] rubocop spitting errors on github side but not on local for some reason Signed-off-by: Amndeep Singh Mann --- lib/heimdall_tools/fortify_mapper.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/heimdall_tools/fortify_mapper.rb b/lib/heimdall_tools/fortify_mapper.rb index 465e1d9..a21a6f0 100644 --- a/lib/heimdall_tools/fortify_mapper.rb +++ b/lib/heimdall_tools/fortify_mapper.rb @@ -58,9 +58,9 @@ def primaries(classid) def snippet(snippetid) snippet = @snippets.select { |x| x['id'].eql?(snippetid) }.first "\nPath: #{snippet['File']}\n" \ - "StartLine: #{snippet['StartLine']}, " \ - "EndLine: #{snippet['EndLine']}\n" \ - "Code:\n#{snippet['Text']['#cdata-section'].strip}" \ + "StartLine: #{snippet['StartLine']}, " \ + "EndLine: #{snippet['EndLine']}\n" \ + "Code:\n#{snippet['Text']['#cdata-section'].strip}" \ end def nist_tag(rule) From 9bd66bd9a957f25dbcd1efa319f8c34eee3e29cb Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Aug 2021 23:44:55 -0400 Subject: [PATCH 17/20] fixed nist tags to properly be in the compatible product Signed-off-by: Amndeep Singh Mann --- .../asff_compatible_products/securityhub.rb | 12 +++++++++++- lib/heimdall_tools/asff_mapper.rb | 5 ++--- sample_jsons/asff_mapper/asff_hdf.json | 2 +- 3 files changed, 14 insertions(+), 5 deletions(-) 
diff --git a/lib/heimdall_tools/asff_compatible_products/securityhub.rb b/lib/heimdall_tools/asff_compatible_products/securityhub.rb index edabaa5..cc90062 100644 --- a/lib/heimdall_tools/asff_compatible_products/securityhub.rb +++ b/lib/heimdall_tools/asff_compatible_products/securityhub.rb @@ -53,7 +53,17 @@ def self.finding_impact(finding, *, controls: nil, **) def self.finding_nist_tag(finding, *, aws_config_mapping:, **) return {} unless finding['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule' - aws_config_mapping.select { |rule| finding['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] } + entries = aws_config_mapping.select { |rule| finding['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] } + entries.map do |rule| + tags_joined = rule[:nistid].split('|') # subheadings are joined together in the csv file + tags_joined.map do |tag| + if (i = tag.index('(')).nil? + tag + else + tag[i..].scan(/\(.+?\)/).map { |subheading| "#{tag[0..i-1]}#{subheading}" } + end + end + end.flatten.uniq end def self.finding_title(finding, *, encode:, controls: nil, **) diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb index f5db430..9e8e6d5 100644 --- a/lib/heimdall_tools/asff_mapper.rb +++ b/lib/heimdall_tools/asff_mapper.rb @@ -89,9 +89,8 @@ def external_product_handler(product, data, func, default) end def nist_tag(finding) - entries = external_product_handler(finding['ProductArn'], finding, :finding_nist_tag, {}) - tags = entries.map { |rule| rule[:nistid].split('|') } - tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq + tags = external_product_handler(finding['ProductArn'], finding, :finding_nist_tag, {}) + tags.empty? ? DEFAULT_NIST_TAG : tags end def impact(finding) diff --git a/sample_jsons/asff_mapper/asff_hdf.json b/sample_jsons/asff_mapper/asff_hdf.json index bd0e88f..67ecf28 100644 --- a/sample_jsons/asff_mapper/asff_hdf.json 
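Review bot: `tag[i..]` in the new body of `finding_nist_tag` is an endless range, which only parses on Ruby 2.6+, while the "hash.filter … was not in 2.5" commit on this same page targets 2.5; `tag[i..-1]` behaves identically on both. The prefix slice `tag[0..i-1]` also misbehaves when `(` is the first character (`i == 0` turns it into `tag[0..-1]`, the whole string); `tag[0...i]` yields the empty prefix there and is otherwise identical. The early `return {}` now hands back a Hash where the rest of the method returns an Array from `.flatten.uniq`; `return []` keeps the type consistent, and the `{}` default passed to `external_product_handler` in this commit's asff_mapper.rb hunk (`@@ -89,9 +89,8 @@`) should become `[]` for the same reason. If the CSV can carry an empty `nistid` cell, `rule[:nistid].split('|')` raises on nil, so either guard it or add a comment confirming the column is always populated.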
+++ b/sample_jsons/asff_mapper/asff_hdf.json 
@@ -1 +1 @@ -{"platform":{"name":"Heimdall Tools","release":"1.3.48.12.g041b781.1.dirty.20210809.173522","target_id":""},"version":"1.3.48.12.g041b781.1.dirty.20210809.173522","statistics":{"duration":null},"profiles":[{"name":"AWS Security Finding Format","version":null,"title":"ASFF findings","maintainer":null,"summary":null,"license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"CIS.1.1","title":"CIS AWS Foundations Benchmark v1.2.0: Avoid the use of the "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:05.607Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:16.331Z\",\n \"CreatedAt\": \"2021-07-23T23:39:05.607Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:13.288Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n 
\"Title\": \"1.1 Avoid the use of the \\\"root\\\" account\",\n \"Description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"1.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n 
\"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:16.331Z"}]},{"id":"CIS.2.5","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure AWS Config is enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. 
It is recommended to enable AWS Config in all regions.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:03.660Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:15.499Z\",\n \"CreatedAt\": \"2021-07-23T23:39:03.660Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:12.889Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n \"Original\": \"MEDIUM\"\n },\n \"Title\": \"2.5 Ensure AWS Config is enabled\",\n \"Description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. 
It is recommended to enable AWS Config in all regions.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"2.5\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.5\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:15.499Z"}]},{"id":"CIS.3.9","title":"CIS 
AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for AWS Config configuration changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.508Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.9\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.9\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": 
\"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.508Z"}]},{"id":"CIS.3.8","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for S3 bucket policy changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.460Z\",\n \"CreatedAt\": 
\"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.8\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.8\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": 
\"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.460Z"}]},{"id":"CIS.3.7","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:10.511Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.7\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.7\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n 
\"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.511Z"}]},{"id":"CIS.3.6","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n 
\"LastObservedAt\": \"2021-08-09T11:28:10.542Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.6\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.6\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8\"\n },\n \"Resources\": [\n {\n \"Type\": 
\"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.542Z"}]},{"id":"CIS.3.5","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for CloudTrail configuration changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:10.630Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.5\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.5\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": 
\"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.630Z"}]},{"id":"CIS.3.4","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for IAM policy changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": 
\"2021-08-09T11:28:11.788Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.4 Ensure a log metric filter and alarm exist for IAM policy changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.4\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.4\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": 
\"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:11.788Z"}]},{"id":"CIS.3.3","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for usage of "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for root login attempts.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:09.830Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.3 Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for root login attempts.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.3\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.3\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n 
},\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:09.830Z"}]},{"id":"CIS.3.2","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": 
\"2021-08-09T11:28:12.172Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.2\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.2\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5\"\n },\n \"Resources\": [\n {\n \"Type\": 
\"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.172Z"}]},{"id":"CIS.3.14","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for VPC changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:09.392Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.14 Ensure a log metric filter and alarm exist for VPC changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.14\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.14\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:09.392Z"}]},{"id":"CIS.3.13","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for route table changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n 
\"LastObservedAt\": \"2021-08-09T11:28:10.315Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.13 Ensure a log metric filter and alarm exist for route table changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.13\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.13\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.315Z"}]},{"id":"CIS.3.12","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for changes to network gateways","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.267Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.12 Ensure a log metric filter and alarm exist for changes to network gateways\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.12\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.12\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n 
\"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.267Z"}]},{"id":"CIS.3.11","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n 
\"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.297Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.11\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.11\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.297Z"}]},{"id":"CIS.3.10","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for security group changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.931Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:13.084Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.931Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.10 Ensure a log metric filter and alarm exist for security group changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.10\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.10\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:13.084Z"}]},{"id":"CIS.3.1","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for unauthorized API calls","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.931Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.445Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.931Z\",\n 
\"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.1 Ensure a log metric filter and alarm exist for unauthorized API calls\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n 
\"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.445Z"}]},{"id":"Config.1","title":"AWS Foundational Security Best Practices v1.0.0: Config.1 AWS Config should be enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n 
\"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:40:39.455Z\",\n \"LastObservedAt\": \"2021-08-09T11:21:11.282Z\",\n \"CreatedAt\": \"2021-07-23T23:40:39.455Z\",\n \"UpdatedAt\": \"2021-08-09T11:21:09.408Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n \"Original\": \"MEDIUM\"\n },\n \"Title\": \"Config.1 AWS Config should be enabled\",\n \"Description\": \"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"Config.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": 
\"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:21:11.282Z"}]},{"id":"S3.2","title":"AWS Foundational Security Best Practices v1.0.0: S3.2 S3 buckets should prohibit public read access","tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"impact":0.5,"desc":"This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/S3.2/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/S3.2\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Effects/Data Exposure/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-04-28T14:57:54.547Z\",\n \"LastObservedAt\": \"2021-07-02T16:02:48.476Z\",\n \"CreatedAt\": 
\"2021-04-28T14:57:54.547Z\",\n \"UpdatedAt\": \"2021-07-02T16:02:46.396Z\",\n \"Severity\": {\n \"Product\": 0,\n \"Label\": \"INFORMATIONAL\",\n \"Normalized\": 0,\n \"Original\": \"INFORMATIONAL\"\n },\n \"Title\": \"S3.2 S3 buckets should prohibit public read access\",\n \"Description\": \"This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/S3.2/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"S3.2\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/S3.2/remediation\",\n \"RelatedAWSResources:0/name\": \"securityhub-s3-bucket-public-read-prohibited-491148b1\",\n \"RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/S3.2\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:s3:::example-bucket-123456789123-us-east-1\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsS3Bucket\",\n \"Id\": \"arn:aws:s3:::example-bucket-123456789123-us-east-1\",\n 
\"Partition\": \"aws\",\n \"Region\": \"us-east-1\",\n \"Details\": {\n \"AwsS3Bucket\": {\n \"OwnerId\": \"abe813ee284239446607ac88bf580a6f7348abec9053fd187e6234b58102e826\",\n \"CreatedAt\": \"2021-03-12T20:14:09.000Z\"\n }\n }\n }\n ],\n \"Compliance\": {\n \"Status\": \"PASSED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"RESOLVED\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"INFORMATIONAL\",\n \"Original\": \"INFORMATIONAL\"\n },\n \"Types\": [\n \"Effects/Data Exposure/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"passed","code_desc":"Resources: [Type: AwsS3Bucket, Id: arn:aws:s3:::example-bucket-123456789123-us-east-1, Partition: aws, Region: us-east-1]","start_time":"2021-07-02T16:02:48.476Z"}]}],"sha256":"9d44a2af3a64f1ad7fbc5adcbd1baef33911b15963f905f8ab9ad28dbbff518d"}]} \ No newline at end of file +{"platform":{"name":"Heimdall Tools","release":"1.3.48.17.g0aad3b5.1.dirty.20210809.233904","target_id":""},"version":"1.3.48.17.g0aad3b5.1.dirty.20210809.233904","statistics":{"duration":null},"profiles":[{"name":"AWS Security Finding Format","version":null,"title":"ASFF findings","maintainer":null,"summary":null,"license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"CIS.1.1","title":"CIS AWS Foundations Benchmark v1.2.0: Avoid the use of the "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"The "root" account has unrestricted access to all resources in the AWS account. 
It is highly recommended that the use of this account be avoided.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:05.607Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:16.331Z\",\n \"CreatedAt\": \"2021-07-23T23:39:05.607Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:13.288Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"1.1 Avoid the use of the \\\"root\\\" account\",\n \"Description\": \"The \\\"root\\\" account has unrestricted access to all resources in the AWS account. 
It is highly recommended that the use of this account be avoided.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"1.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-1.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/1.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/564b8d35-d697-475e-8a02-dfb23552dc24\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n 
\"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:16.331Z"}]},{"id":"CIS.2.5","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure AWS Config is enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:03.660Z\",\n \"LastObservedAt\": 
\"2021-08-09T11:28:15.499Z\",\n \"CreatedAt\": \"2021-07-23T23:39:03.660Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:12.889Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n \"Original\": \"MEDIUM\"\n },\n \"Title\": \"2.5 Ensure AWS Config is enabled\",\n \"Description\": \"AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"2.5\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-2.5/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/2.5\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.5/finding/fad62e7c-5402-4757-850c-3aadc8212c47\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": 
\"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:15.499Z"}]},{"id":"CIS.3.9","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for AWS Config configuration changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n 
\"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.508Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.9\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.9/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.9\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.9/finding/a18960c3-863a-4bec-b083-ff0583d1a44f\"\n 
},\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.508Z"}]},{"id":"CIS.3.8","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for S3 bucket policy changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.460Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.8\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.8/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.8\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/2366f847-6ae6-437b-a873-b5851950f495\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.460Z"}]},{"id":"CIS.3.7","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n 
\"LastObservedAt\": \"2021-08-09T11:28:10.511Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.7\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.7/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.7\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/5893e3d9-73ba-468b-a5ae-a47d5167687d\"\n 
},\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.511Z"}]},{"id":"CIS.3.6","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for failed console authentication attempts.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:10.542Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for failed console authentication attempts.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.6\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.6/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.6\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.6/finding/0b589f7e-cf16-4518-a41a-f37ef89dc8f8\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n 
\"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.542Z"}]},{"id":"CIS.3.5","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for CloudTrail configuration changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": 
\"2021-08-09T11:28:10.630Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.5\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.5/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.5\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.5/finding/62ce4a90-73c1-484b-8170-588f124e1fc2\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": 
\"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.630Z"}]},{"id":"CIS.3.4","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for IAM policy changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:11.788Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.4 Ensure a log metric filter and alarm exist for IAM policy changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.4\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.4/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.4\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.4/finding/4ec7fd2f-2e44-4225-ae4c-f01384543946\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n 
\"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:11.788Z"}]},{"id":"CIS.3.3","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for usage of "root" account","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:09.830Z\",\n \"CreatedAt\": 
\"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.812Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.3 Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.3\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.3/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.3\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.3/finding/7e616501-7e4f-43b1-8092-610513f73baa\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n 
}\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:09.830Z"}]},{"id":"CIS.3.2","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.172Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.2\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.2/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.2\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.2/finding/c3ff01fc-2e66-46ed-86a1-b10c384b92e5\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n 
\"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.172Z"}]},{"id":"CIS.3.14","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for VPC changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:09.392Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.14 Ensure a log metric filter and alarm exist for VPC changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. 
It is recommended that a metric filter and alarm be established for changes made to VPCs.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.14\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.14/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.14\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.14/finding/7933efb4-1f20-4e0d-b313-5f7549bf3a0c\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:09.392Z"}]},{"id":"CIS.3.13","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for route table changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n 
\"LastObservedAt\": \"2021-08-09T11:28:10.315Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.13 Ensure a log metric filter and alarm exist for route table changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.13\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.13/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.13\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.13/finding/3fa90615-aadb-43a1-8f23-2e6dac062baa\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:10.315Z"}]},{"id":"CIS.3.12","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for changes to network gateways","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.267Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.12 Ensure a log metric filter and alarm exist for changes to network gateways\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. 
It is recommended that a metric filter and alarm be established for changes to network gateways.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.12\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.12/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.12\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.12/finding/8f481e76-9011-4feb-b2b7-b7eb9d1fcec7\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n 
\"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.267Z"}]},{"id":"CIS.3.11","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n 
\"FirstObservedAt\": \"2021-07-23T23:39:00.932Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.297Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.932Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.11\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.11/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.11\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": 
\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.11/finding/a5aca330-1359-4106-b19d-335f36f89b94\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.297Z"}]},{"id":"CIS.3.10","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for security group changes","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.931Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:13.084Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.931Z\",\n \"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.10 Ensure a log metric filter and alarm exist for security group changes\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. 
It is recommended that a metric filter and alarm be established changes to Security Groups.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.10\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.10/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.10\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.10/finding/6f2753c4-782e-460c-86e1-53f12a1046bc\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": 
\"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:13.084Z"}]},{"id":"CIS.3.1","title":"CIS AWS Foundations Benchmark v1.2.0: Ensure a log metric filter and alarm exist for unauthorized API calls","tags":{"nist":["SA-11","RA-5"]},"impact":0.3,"desc":"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\nhttps://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:39:00.931Z\",\n \"LastObservedAt\": \"2021-08-09T11:28:12.445Z\",\n \"CreatedAt\": \"2021-07-23T23:39:00.931Z\",\n 
\"UpdatedAt\": \"2021-08-09T11:28:08.811Z\",\n \"Severity\": {\n \"Product\": 30,\n \"Label\": \"LOW\",\n \"Normalized\": 30,\n \"Original\": \"LOW\"\n },\n \"Title\": \"3.1 Ensure a log metric filter and alarm exist for unauthorized API calls\",\n \"Description\": \"Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsGuideArn\": \"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\n \"StandardsGuideSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0\",\n \"RuleId\": \"3.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/standards-cis-3.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/cis-aws-foundations-benchmark/v/1.2.0/3.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"aws/securityhub/annotation\": \"Multi region CloudTrail with the required configuration does not exist in the account\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.1/finding/3750d146-a5d4-4ca0-b0a0-0ef8997495c2\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": \"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n 
\"Status\": \"FAILED\",\n \"StatusReasons\": [\n {\n \"ReasonCode\": \"CLOUDTRAIL_MULTI_REGION_NOT_PRESENT\",\n \"Description\": \"Multi region CloudTrail with the required configuration does not exist in the account\"\n }\n ]\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"LOW\",\n \"Original\": \"LOW\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","message":"ReasonCode\nCLOUDTRAIL_MULTI_REGION_NOT_PRESENT\nDescription\nMulti region CloudTrail with the required configuration does not exist in the account","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:28:12.445Z"}]},{"id":"Config.1","title":"AWS Foundational Security Best Practices v1.0.0: Config.1 AWS Config should be enabled","tags":{"nist":["SA-11","RA-5"]},"impact":0.5,"desc":"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/Config.1/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"ProductName\": \"Security Hub\",\n \"CompanyName\": \"AWS\",\n \"Region\": \"us-east-1\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n 
\"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-07-23T23:40:39.455Z\",\n \"LastObservedAt\": \"2021-08-09T11:21:11.282Z\",\n \"CreatedAt\": \"2021-07-23T23:40:39.455Z\",\n \"UpdatedAt\": \"2021-08-09T11:21:09.408Z\",\n \"Severity\": {\n \"Product\": 40,\n \"Label\": \"MEDIUM\",\n \"Normalized\": 40,\n \"Original\": \"MEDIUM\"\n },\n \"Title\": \"Config.1 AWS Config should be enabled\",\n \"Description\": \"This AWS control checks whether the Config service is enabled in the account for the local region and is recording all resources.\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"Config.1\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/Config.1\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:iam::123456789123:root\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/9ffec6a3-3ce8-4011-bf90-17dbe94bf1d3\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsAccount\",\n \"Id\": 
\"AWS::::Account:123456789123\",\n \"Partition\": \"aws\",\n \"Region\": \"us-east-1\"\n }\n ],\n \"Compliance\": {\n \"Status\": \"FAILED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"NEW\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"MEDIUM\",\n \"Original\": \"MEDIUM\"\n },\n \"Types\": [\n \"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"failed","code_desc":"Resources: [Type: AwsAccount, Id: AWS::::Account:123456789123, Partition: aws, Region: us-east-1]","start_time":"2021-08-09T11:21:11.282Z"}]},{"id":"S3.2","title":"AWS Foundational Security Best Practices v1.0.0: S3.2 S3 buckets should prohibit public read access","tags":{"nist":["AC-3","AC-4","AC-6","AC-21(b)","SC-7","SC-7(3)"]},"impact":0.5,"desc":"This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","descriptions":[{"data":"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\nhttps://docs.aws.amazon.com/console/securityhub/S3.2/remediation","label":"fix"}],"refs":[],"source_location":{},"code":"{\n \"Findings\": [\n {\n \"SchemaVersion\": \"2018-10-08\",\n \"Id\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9\",\n \"ProductArn\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\n \"GeneratorId\": \"aws-foundational-security-best-practices/v/1.0.0/S3.2\",\n \"AwsAccountId\": \"123456789123\",\n \"Types\": [\n \"Effects/Data Exposure/AWS-Foundational-Security-Best-Practices\"\n ],\n \"FirstObservedAt\": \"2021-04-28T14:57:54.547Z\",\n \"LastObservedAt\": \"2021-07-02T16:02:48.476Z\",\n \"CreatedAt\": 
\"2021-04-28T14:57:54.547Z\",\n \"UpdatedAt\": \"2021-07-02T16:02:46.396Z\",\n \"Severity\": {\n \"Product\": 0,\n \"Label\": \"INFORMATIONAL\",\n \"Normalized\": 0,\n \"Original\": \"INFORMATIONAL\"\n },\n \"Title\": \"S3.2 S3 buckets should prohibit public read access\",\n \"Description\": \"This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).\",\n \"Remediation\": {\n \"Recommendation\": {\n \"Text\": \"For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.\",\n \"Url\": \"https://docs.aws.amazon.com/console/securityhub/S3.2/remediation\"\n }\n },\n \"ProductFields\": {\n \"StandardsArn\": \"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\n \"StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0\",\n \"ControlId\": \"S3.2\",\n \"RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/S3.2/remediation\",\n \"RelatedAWSResources:0/name\": \"securityhub-s3-bucket-public-read-prohibited-491148b1\",\n \"RelatedAWSResources:0/type\": \"AWS::Config::ConfigRule\",\n \"StandardsControlArn\": \"arn:aws:securityhub:us-east-1:123456789123:control/aws-foundational-security-best-practices/v/1.0.0/S3.2\",\n \"aws/securityhub/ProductName\": \"Security Hub\",\n \"aws/securityhub/CompanyName\": \"AWS\",\n \"Resources:0/Id\": \"arn:aws:s3:::example-bucket-123456789123-us-east-1\",\n \"aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789123:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/5fd36ec6-3f98-4d5b-a9cb-5f82e389a8e9\"\n },\n \"Resources\": [\n {\n \"Type\": \"AwsS3Bucket\",\n \"Id\": \"arn:aws:s3:::example-bucket-123456789123-us-east-1\",\n 
\"Partition\": \"aws\",\n \"Region\": \"us-east-1\",\n \"Details\": {\n \"AwsS3Bucket\": {\n \"OwnerId\": \"abe813ee284239446607ac88bf580a6f7348abec9053fd187e6234b58102e826\",\n \"CreatedAt\": \"2021-03-12T20:14:09.000Z\"\n }\n }\n }\n ],\n \"Compliance\": {\n \"Status\": \"PASSED\"\n },\n \"WorkflowState\": \"NEW\",\n \"Workflow\": {\n \"Status\": \"RESOLVED\"\n },\n \"RecordState\": \"ACTIVE\",\n \"FindingProviderFields\": {\n \"Severity\": {\n \"Label\": \"INFORMATIONAL\",\n \"Original\": \"INFORMATIONAL\"\n },\n \"Types\": [\n \"Effects/Data Exposure/AWS-Foundational-Security-Best-Practices\"\n ]\n }\n }\n ]\n}","results":[{"status":"passed","code_desc":"Resources: [Type: AwsS3Bucket, Id: arn:aws:s3:::example-bucket-123456789123-us-east-1, Partition: aws, Region: us-east-1]","start_time":"2021-07-02T16:02:48.476Z"}]}],"sha256":"9d44a2af3a64f1ad7fbc5adcbd1baef33911b15963f905f8ab9ad28dbbff518d"}]}
\ No newline at end of file
From 50b7130556785b8bdf3f47201c371e338fdfabc8 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 9 Aug 2021 23:48:05 -0400
Subject: [PATCH 18/20] endless ranges get added in 2.6 so gotta use -1 for 2.5

Signed-off-by: Amndeep Singh Mann
---
 lib/heimdall_tools/asff_compatible_products/securityhub.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/heimdall_tools/asff_compatible_products/securityhub.rb b/lib/heimdall_tools/asff_compatible_products/securityhub.rb
index cc90062..885e7aa 100644
--- a/lib/heimdall_tools/asff_compatible_products/securityhub.rb
+++ b/lib/heimdall_tools/asff_compatible_products/securityhub.rb
@@ -60,7 +60,7 @@ def self.finding_nist_tag(finding, *, aws_config_mapping:, **)
         if (i = tag.index('(')).nil?
           tag
         else
-          tag[i..].scan(/\(.+?\)/).map { |subheading| "#{tag[0..i-1]}#{subheading}" }
+          tag[i..-1].scan(/\(.+?\)/).map { |subheading| "#{tag[0..i-1]}#{subheading}" }
         end
       end
     end.flatten.uniq
From de38f5ec0eebce724ebfa137269452d3fb716673 Mon Sep 17 00:00:00 2001
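Review bot: The prefix slice `tag[0..i-1]` on the added line is wrong when the parenthesis is the first character of the tag: with `i == 0` it becomes `tag[0..-1]`, i.e. the whole tag, so a mapping value such as `(b)` would expand to `(b)(b)`, whereas `tag[0...i]` (exclusive range) yields the empty prefix there and is otherwise identical. Separately, a tag with an unbalanced `(` makes `scan` return an empty array, which the trailing `flatten` then erases, so a malformed NIST mapping entry silently drops that control's tag instead of surfacing it. I would harden both with `prefix = tag[0...i]`, `parts = tag[i..-1].scan(/\(.+?\)/)` and `parts.empty? ? tag : parts.map { |subheading| "#{prefix}#{subheading}" }`. Whether the mapping values can actually take those shapes depends on the `aws_config_mapping` CSV, which is not visible here, so treat this as defensive handling of a hand-maintained data file rather than a confirmed defect. `finding_nist_tag` begins before this hunk and its closing `end` is after it.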
From: Amndeep Singh Mann
Date: Tue, 10 Aug 2021 12:33:39 -0400
Subject: [PATCH 19/20] need to use skip_message for skips

Signed-off-by: Amndeep Singh Mann
---
 lib/heimdall_tools/asff_mapper.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/heimdall_tools/asff_mapper.rb b/lib/heimdall_tools/asff_mapper.rb
index 9e8e6d5..51d5469 100644
--- a/lib/heimdall_tools/asff_mapper.rb
+++ b/lib/heimdall_tools/asff_mapper.rb
@@ -127,14 +127,14 @@ def subfindings(finding)
       when 'NOT_AVAILABLE'
         # primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so technically 'skipped' or 'error' could be applicable, but AWS seems to do the equivalent of skipped
         subfinding['status'] = 'skipped'
-        subfinding['message'] = statusreason if statusreason
+        subfinding['skip_message'] = statusreason if statusreason
       else
         subfinding['status'] = 'error' # not a valid value for the status enum
         subfinding['message'] = statusreason if statusreason
       end
     else
       subfinding['status'] = 'skipped' # if no compliance status is provided which is a weird but possible case, then skip
-      subfinding['message'] = statusreason if statusreason
+      subfinding['skip_message'] = statusreason if statusreason
     end
 
     subfinding['code_desc'] = external_product_handler(finding['ProductArn'], finding, :subfindings_code_desc, '')
From 11ee33770cb993f5fe62be44a5f150ec93b5f806 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Tue, 10 Aug 2021 18:04:49 -0400
Subject: [PATCH 20/20] rubocop complaining of intentional behavior with duplicate case body

Signed-off-by: Amndeep Singh Mann
---
 .rubocop_todo.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index ccf61a0..eed07ef 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
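Review bot: After this change the `NOT_AVAILABLE` branch and the no-`Compliance.Status` branch emit identical records whenever `statusreason` is nil — `status: 'skipped'` with no `skip_message` at all — so a consumer of the HDF output cannot tell a check that could not run (the comment in the hunk says this covers service outages and API errors) from a finding that simply carried no compliance data, and neither case is counted as a failure. I would give each skip a fallback reason so the distinction survives into the report: `subfinding['skip_message'] = statusreason || 'Compliance.Status NOT_AVAILABLE: check could not be performed'` in the first branch and `subfinding['skip_message'] = statusreason || 'No Compliance.Status present in finding'` in the second. The `'error'` status with `message` in the `else` branch is appropriate, but its comment `# not a valid value for the status enum` reads as though it describes the HDF status being assigned; rewording it to `# unrecognized ASFF Compliance.Status value` would make clear it is the input that is invalid. The `case` opens before this hunk and `subfindings` continues after it.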
@@ -1,6 +1,6 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2021-08-05 04:56:46 UTC using RuboCop version 1.14.0. +# on 2021-08-10 22:03:51 UTC using RuboCop version 1.14.0. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new @@ -13,10 +13,11 @@ Gemspec/RequiredRubyVersion: Exclude: - 'heimdall_tools.gemspec' -# Offense count: 1 +# Offense count: 2 # Configuration parameters: IgnoreLiteralBranches, IgnoreConstantBranches. Lint/DuplicateBranch: Exclude: + - 'lib/heimdall_tools/asff_mapper.rb' - 'lib/heimdall_tools/dbprotect_mapper.rb' # Offense count: 1 @@ -31,7 +32,7 @@ Lint/UnusedMethodArgument: Exclude: - 'lib/heimdall_tools/hdf.rb' -# Offense count: 49 +# Offense count: 50 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes. Metrics/AbcSize: Max: 165 @@ -57,7 +58,7 @@ Metrics/ClassLength: Metrics/CyclomaticComplexity: Max: 30 -# Offense count: 44 +# Offense count: 45 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods. Metrics/MethodLength: Max: 56