Add mapper for AWS Config Rules

[jkufro]

Adds aws_config_mapper. This pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format json to be viewable in Heimdall. Our intended use case is to incorporate this into an AWS lambda that will pull & translate config compliance and push that up to a Heimdall server via the API.

Example execution (relies on having AWS credentials set up on your local machine): heimdall_tools aws_config_mapper -m my_addl_rule_mappings.csv -o aws_config_results.json

[rbclark]

It may be worth another opinion on this, but wouldn't INSUFFICIENT_DATA mean not_reviewed and not skipped? To me insufficient data sounds like something you would need to go validate.

[jkufro]

I chose skipped here based on the schema options here https://github.com/mitre/inspecjs/blob/master/schemas/exec-json.json#L124

Is not_reviewed also a legal option for the status field?

[rbclark]

I did a bit more digging, not_reviewed is not a legal option, however in Heimdall an impact of 0 && a result.status of skipped is considered 'Not Applicable', and an impact of greater-than 0 and a result.status of skipped is considered 'Not Reviewed.

[jkufro]

Just made a change to make NOT_APPLICABLE have impact set to 0

[ejaronne]

Is there a sample of AWS Config data to review? (As a former assessor, I need better context to help you decide which "bucket" to put the result in.)

[ejaronne]

I don't necessarily concur with setting whatever "insufficient data" means to "not applicable". Need some original data for context. Thanks!

[rbclark]

If insufficient_data is updated to map to not_reviewed then mapping here should include it as well.

[aaronlippold]

if possible, could we add a function to also add the impact to the control as well? Our impacts are in the range:
This will help the overall display and completeness of the data.

0.0 none
0.1 - 0.3 low ( defaults to 0.3 )
0.4 - 0.6 medium ( defaults to 0.5 )
0.7 - 0.8 high ( defaults to 0.7 )
0.9 - 1.0 critical ( defaults to 0.9 )

i would also love to see the lambda work you guys are doing - as we are also working on a lambda task - https://github.com/mitre/serverless-inspec

[jkufro]

if possible, could we add a function to also add the impact to the control as well? Our impacts are in the range:
This will help the overall display and completeness of the data.

0.0 none
0.1 - 0.3 low ( defaults to 0.3 )
0.4 - 0.6 medium ( defaults to 0.5 )
0.7 - 0.8 high ( defaults to 0.7 )
0.9 - 1.0 critical ( defaults to 0.9 )

i would also love to see the lambda work you guys are doing - as we are also working on a lambda task - https://github.com/mitre/serverless-inspec

@aaronlippold Are you requesting something different than the function that is defined here and is called here? I have it set up now so that you can tag an AWS Config Rule with Info, Low, Medium, High, or Critical. Should I add the ability to assign a numerical value between 0 and 1 in addition to this?

Also, totally happy to collaborate on lambda work.

[rbclark]

I've already reviewed this, it is just waiting on a final look from @rx294 before being merged.

[rx294]

@jkufro
The current design of the aws_config_mapper requires user setup (ie tag placement) on the aws_config rules, which will be a deviation from pattern used in other mappers. Please see below suggestions to align the aws_config_mapper to the general pattern in used in heimdall_tools.

This will help with reusability and consistency of the HDFs generated by aws_config_mapper across multiple users.

1. Control Title mapped title of the AWS_Config rule (as is the case currently)
2. Description: Parsed from the aws_config rule description feild.

3. Check Text to include the config rule arn and parameters used for the rule. Consider formatting the data fields with linefeeds.

4. Set the severity to the "average" of 0.5 (medium)" for all controls.

5. Nist Tag: Create a CSV file mapping config_rule titles to NIST 800-53 mappings as in examples here https://github.com/mitre/heimdall_tools/blob/master/lib/data/owasp-nist-mapping.csv and use it in mapping NIST tags to the controls. This way mapping to NIST controls stays consistant and centralized at heimdall_tools codebase.

6. Remove references to cce_id cis_impact cis_rid fix rationale cweid confidence cis_level at this iteration.

7. Please add sample hdf jsons to this location https://github.com/mitre/heimdall_tools/tree/master/sample_jsons

8. Please add readme updates

9. Please resolve merge conflicts.

[aaronlippold]

if possible, could we add a function to also add the impact to the control as well? Our impacts are in the range:
This will help the overall display and completeness of the data.

0.0 none
0.1 - 0.3 low ( defaults to 0.3 )
0.4 - 0.6 medium ( defaults to 0.5 )
0.7 - 0.8 high ( defaults to 0.7 )
0.9 - 1.0 critical ( defaults to 0.9 )

i would also love to see the lambda work you guys are doing - as we are also working on a lambda task - https://github.com/mitre/serverless-inspec

@aaronlippold Are you requesting something different than the function that is defined here and is called here? I have it set up now so that you can tag an AWS Config Rule with Info, Low, Medium, High, or Critical. Should I add the ability to assign a numerical value between 0 and 1 in addition to this?

Also, totally happy to collaborate on lambda work.

@rx294 @rbclark @ejaronne and @aaronlippold meet earlier today and @rx294 will be providing some feedback on our suggested direction for the PR.

Great start so far, but we have a few thoughts on some backend learning we have done but not yet put forward on a docs page about 'how to develop mappers', 'what and how you should transform data', 'do and don't on data transform assumptions', 'what to embed, what to hardcode, and what to reference' etc. all things we should have documented.

The list above I think would be great sections on a 'contributing_a_mapper.md' which may come out of our collaboration on this PR.

Looking forward to it.

[aaronlippold]

@jkufro some additions to the unit and functional tests as well with some representative source and expected converted data would be great as well so we keep the code coverage up to par.

[jkufro]

@jkufro
The current design of the aws_config_mapper requires user setup (ie tag placement) on the aws_config rules, which will be a deviation from pattern used in other mappers. Please see below suggestions to align the aws_config_mapper to the general pattern in used in heimdall_tools.

This will help with reusability and consistency of the HDFs generated by aws_config_mapper across multiple users.

1. Control Title mapped title of the AWS_Config rule (as is the case currently)
2. Description: Parsed from the aws_config rule description feild.

1. Check Text to include the config rule arn and parameters used for the rule. Consider formatting the data fields with linefeeds.

1. Set the severity to the "average" of 0.5 (medium)" for all controls.
2. Nist Tag: Create a CSV file mapping config_rule titles to NIST 800-53 mappings as in examples here https://github.com/mitre/heimdall_tools/blob/master/lib/data/owasp-nist-mapping.csv and use it in mapping NIST tags to the controls. This way mapping to NIST controls stays consistant and centralized at heimdall_tools codebase.
3. Remove references to cce_id cis_impact cis_rid fix rationale cweid confidence cis_level at this iteration.
4. Please add sample hdf jsons to this location https://github.com/mitre/heimdall_tools/tree/master/sample_jsons
5. Please add readme updates
6. Please resolve merge conflicts.

@rx294 One major aspect of our use case is continued development/implementation of custom AWS Config rules AWS Docs. My concern with hardcoding Config Rule Name -> 800-53 Control mappings inside the heimdall_tools repository is that as we (or others) develop new rules, we would be required to update the heimdall_tools code to perform proper mappings. Another issue with adding custom rule names to a heimdall_tools CSV mapper is that the source code for each custom rule may not be available open source, so the heimdall_tools CSV for AWS Config could become bloated with rules that only apply to a handful of projects. The original reason I chose to avoid a CSV when creating this mapper was to allow the simplicity of creating a rule with the proper tags to be the only thing necessary to fully configure a rule for mapping & use within heimdall.

EDIT: Here are some examples of Python custom rules made by AWS: https://github.com/awslabs/aws-config-rules/tree/master/python

[jkufro]

@aaronlippold @rbclark @rx294 Please review the latest updates that address the requested changed. Thanks!

[ejaronne]

I have several comments. This is the first time we've introduced an idea of end-user defined 800-53 control assertions, which may cause confusion or complaints against this tool. Most assume the mapping comes from either the original approved standard or a mapping set in the heimdall-tools repo. The heimdall-tools repo owner can own-up to these, but cannot to user-defined mappings. Note: CAAT file export does not carry over the "(user provided)" text.

[ejaronne]

I would rephrase this "feature" to "Custom-rule NIST SP 800-53 Security Control mappings" and restate the paragraph as:
"For user-defined custom AWS config rules (NOT the default rules provided by AWS), users may provide their own assertion as to the NIST SP 800-53 Security Controls touched on by their user-defined custom AWS config rules. This may be provided..."

[ejaronne]

Also, this is not "additional mapping". it is "--custom-mapping"

[jkufro]

pushed update that changes the description and keyword arg name

[ejaronne]

For the first release, may we please not reveal in the cli help the custom-mapping feature until we've had a chance to adapt Heimdall and its CAAT export to clearly expose the (user-provided) aspect?

[jkufro]

disabled cli arg for the custom mapping for the time being

[rx294]

@jkufro I think you intended it to be options[: custom_mapping] and not options[:addl_mapping]

[jkufro]

done

[rx294]

Please unify to custom_mapping in sync with usage in the cli.rb.

[jkufro]

done

[rx294]

@jkufro filter_map is only available in ruby 7.x which will limit heimdall_tools to ruby 7.x.

Please use and alternate implementation that doesn't not force a > 2.7 dependency.

[jkufro]

Changing back to map. I had changed this to filter_map previously for something that I have since removed.

[rx294]

Please include details from your excellent documentation from aws_config_mapper.md here in the Readme as well.

[jkufro]

done

[ejaronne]

Looks good, Thanks!

[rx294]

LGTM, thanks @jkufro . Please resolve conflicts, that should be the last fix.

[aaronlippold]

Just a reminder, please add an issue to the board to revisit the issue of 'user provided' data - aka overlay data - in our workflow so we can make sure to address the capability we didn't want to try to push in v1.0

[rx294]

Just a reminder, please add an issue to the board to revisit the issue of 'user provided' data - aka overlay data - in our workflow so we can make sure to address the capability we didn't want to try to push in v1.0

https://github.com/mitre/heimdall_tools/issues/73

[aaronlippold]

👍🏻 great job all