feat gsn-10918: check suppressions note matching (#18)
* feat gsn-10918: test a full set of suppressions through event handling logic

* feat gsn-10918: test payload construction through event handling logic

* feat gsn-10918: test full suppression features from query results
carlovoSBP authored Jul 26, 2024
1 parent 56e8349 commit a355b08
Showing 18 changed files with 2,117 additions and 18 deletions.
6 changes: 5 additions & 1 deletion awsfindingsmanagerlib/awsfindingsmanagerlib.py
Original file line number Diff line number Diff line change
Expand Up @@ -723,7 +723,11 @@ def _get_findings(self, query_filter: Dict):
regions_to_retrieve = [aggregating_region] if aggregating_region else self.regions
for region in regions_to_retrieve:
self._logger.debug(f'Trying to get findings for region {region}')
iterator = self._get_security_hub_paginator_iterator(region, 'get_findings', query_filter)
iterator = self._get_security_hub_paginator_iterator(
region=region,
operation_name='get_findings',
query_filter=query_filter
)
try:
for page in iterator:
for finding_data in page['Findings']:
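Review bot: The exploded call starting at `iterator = self._get_security_hub_paginator_iterator(` has no trailing comma after `query_filter=query_filter`, so an auto-formatter may fold it back onto one line if it fits the configured line length; `query_filter=query_filter,` keeps the layout stable and turns a later added argument into a one-line diff. The `try:` opened on the last context line and the rest of `_get_findings` continue outside the hunk, so how pagination errors for a region are handled cannot be confirmed from here.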
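--- a/tests/fixtures/batch_update_findings_full.json
+++ b/tests/fixtures/batch_update_findings_full.json
@@ -0,0 +1,63 @@
+[
+{
+"FindingIdentifiers": [
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+},
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+}
+],
+"Workflow": {
+"Status": "SUPPRESSED"
+},
+"Note": {
+"Text": "Too expensive on non-prod",
+"UpdatedBy": "FindingsManager"
+}
+},
+{
+"FindingIdentifiers": [
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+},
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+}
+],
+"Workflow": {
+"Status": "SUPPRESSED"
+},
+"Note": {
+"Text": "Config as code",
+"UpdatedBy": "FindingsManager"
+}
+},
+{
+"FindingIdentifiers": [
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+},
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+},
+{
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/c9403a5e-0f03-45f6-a85e-754f043a6b10",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+}
+],
+"Workflow": {
+"Status": "SUPPRESSED"
+},
+"Note": {
+"Text": "MF-Neigh",
+"UpdatedBy": "FindingsManager"
+}
+}
+]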
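Review bot: The new fixtures embed what appears to be a real AWS account id (`988763490897`) in every finding ARN and `AwsAccountId` field; if that is not a deliberately synthetic value, swapping it for a documented placeholder (e.g. `123456789012`) keeps account identifiers out of public test data without affecting the matching logic under test. The same id recurs in the `tests/fixtures/findings/full/S3.14/acc.json`, `dev.json` and `prd.json` sections of this commit. The `dev` finding, whose bucket carries `"ManagedBy": "Pulumi"` plus a swapped `"Terraform": "ManagedBy"` pair, is the only S3.14 finding absent from the `Config as code` batch, which looks like an intentional negative case for tag matching; a one-line note in the fixture file name or accompanying test would make that intent explicit.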
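--- a/tests/fixtures/findings/full/S3.14/acc.json
+++ b/tests/fixtures/findings/full/S3.14/acc.json
@@ -0,0 +1,92 @@
+{
+"SchemaVersion": "2018-10-08",
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
+"ProductName": "Security Hub",
+"CompanyName": "AWS",
+"Region": "eu-west-1",
+"GeneratorId": "security-control/S3.14",
+"AwsAccountId": "988763490897",
+"Types": [
+"Software and Configuration Checks/Industry and Regulatory Standards"
+],
+"FirstObservedAt": "2024-07-24T19:02:50.270Z",
+"LastObservedAt": "2024-07-24T19:05:18.868Z",
+"CreatedAt": "2024-07-24T19:02:50.270Z",
+"UpdatedAt": "2024-07-24T19:05:05.304Z",
+"Severity": {
+"Label": "LOW",
+"Normalized": 1,
+"Original": "LOW"
+},
+"Title": "S3 general purpose buckets should have versioning enabled",
+"Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.",
+"Remediation": {
+"Recommendation": {
+"Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
+"Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation"
+}
+},
+"ProductFields": {
+"RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d",
+"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
+"aws/securityhub/ProductName": "Security Hub",
+"aws/securityhub/CompanyName": "AWS",
+"Resources:0/Id": "arn:aws:s3:::boeket-acc",
+"aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246"
+},
+"Resources": [
+{
+"Type": "AwsS3Bucket",
+"Id": "arn:aws:s3:::boeket-acc",
+"Partition": "aws",
+"Region": "eu-west-1",
+"Tags": {
+"ManagedBy": "CFN"
+},
+"Details": {
+"AwsS3Bucket": {
+"OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f",
+"CreatedAt": "2024-07-24T19:02:06.000Z",
+"Name": "boeket-acc"
+}
+}
+}
+],
+"Compliance": {
+"Status": "FAILED",
+"RelatedRequirements": [
+"NIST.800-53.r5 AU-9(2)",
+"NIST.800-53.r5 CP-10",
+"NIST.800-53.r5 CP-6",
+"NIST.800-53.r5 CP-6(1)",
+"NIST.800-53.r5 CP-6(2)",
+"NIST.800-53.r5 CP-9",
+"NIST.800-53.r5 SC-5(2)",
+"NIST.800-53.r5 SI-12",
+"NIST.800-53.r5 SI-13(5)"
+],
+"SecurityControlId": "S3.14",
+"AssociatedStandards": [
+{
+"StandardsId": "standards/nist-800-53/v/5.0.0"
+}
+]
+},
+"WorkflowState": "NEW",
+"Workflow": {
+"Status": "NEW"
+},
+"RecordState": "ACTIVE",
+"FindingProviderFields": {
+"Severity": {
+"Label": "LOW",
+"Original": "LOW"
+},
+"Types": [
+"Software and Configuration Checks/Industry and Regulatory Standards"
+]
+},
+"ProcessedAt": "2024-07-24T19:05:21.841Z",
+"AwsAccountName": "watcher"
+}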
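--- a/tests/fixtures/findings/full/S3.14/dev.json
+++ b/tests/fixtures/findings/full/S3.14/dev.json
@@ -0,0 +1,93 @@
+{
+"SchemaVersion": "2018-10-08",
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/4b0d331f-2396-4663-847b-344126c3e780",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
+"ProductName": "Security Hub",
+"CompanyName": "AWS",
+"Region": "eu-west-1",
+"GeneratorId": "security-control/S3.14",
+"AwsAccountId": "988763490897",
+"Types": [
+"Software and Configuration Checks/Industry and Regulatory Standards"
+],
+"FirstObservedAt": "2024-07-24T19:02:50.271Z",
+"LastObservedAt": "2024-07-24T19:07:24.672Z",
+"CreatedAt": "2024-07-24T19:02:50.271Z",
+"UpdatedAt": "2024-07-24T19:07:14.170Z",
+"Severity": {
+"Label": "LOW",
+"Normalized": 1,
+"Original": "LOW"
+},
+"Title": "S3 general purpose buckets should have versioning enabled",
+"Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.",
+"Remediation": {
+"Recommendation": {
+"Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
+"Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation"
+}
+},
+"ProductFields": {
+"RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d",
+"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
+"aws/securityhub/ProductName": "Security Hub",
+"aws/securityhub/CompanyName": "AWS",
+"Resources:0/Id": "arn:aws:s3:::boeket-dev",
+"aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/4b0d331f-2396-4663-847b-344126c3e780"
+},
+"Resources": [
+{
+"Type": "AwsS3Bucket",
+"Id": "arn:aws:s3:::boeket-dev",
+"Partition": "aws",
+"Region": "eu-west-1",
+"Tags": {
+"ManagedBy": "Pulumi",
+"Terraform": "ManagedBy"
+},
+"Details": {
+"AwsS3Bucket": {
+"OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f",
+"CreatedAt": "2024-07-24T19:01:29.000Z",
+"Name": "boeket-dev"
+}
+}
+}
+],
+"Compliance": {
+"Status": "FAILED",
+"RelatedRequirements": [
+"NIST.800-53.r5 AU-9(2)",
+"NIST.800-53.r5 CP-10",
+"NIST.800-53.r5 CP-6",
+"NIST.800-53.r5 CP-6(1)",
+"NIST.800-53.r5 CP-6(2)",
+"NIST.800-53.r5 CP-9",
+"NIST.800-53.r5 SC-5(2)",
+"NIST.800-53.r5 SI-12",
+"NIST.800-53.r5 SI-13(5)"
+],
+"SecurityControlId": "S3.14",
+"AssociatedStandards": [
+{
+"StandardsId": "standards/nist-800-53/v/5.0.0"
+}
+]
+},
+"WorkflowState": "NEW",
+"Workflow": {
+"Status": "NEW"
+},
+"RecordState": "ACTIVE",
+"FindingProviderFields": {
+"Severity": {
+"Label": "LOW",
+"Original": "LOW"
+},
+"Types": [
+"Software and Configuration Checks/Industry and Regulatory Standards"
+]
+},
+"ProcessedAt": "2024-07-24T19:07:28.104Z",
+"AwsAccountName": "watcher"
+}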
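--- a/tests/fixtures/findings/full/S3.14/prd.json
+++ b/tests/fixtures/findings/full/S3.14/prd.json
@@ -0,0 +1,92 @@
+{
+"SchemaVersion": "2018-10-08",
+"Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d",
+"ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
+"ProductName": "Security Hub",
+"CompanyName": "AWS",
+"Region": "eu-west-1",
+"GeneratorId": "security-control/S3.14",
+"AwsAccountId": "988763490897",
+"Types": [
+"Software and Configuration Checks/Industry and Regulatory Standards"
+],
+"FirstObservedAt": "2024-07-24T19:05:05.304Z",
+"LastObservedAt": "2024-07-24T19:05:20.186Z",
+"CreatedAt": "2024-07-24T19:05:05.304Z",
+"UpdatedAt": "2024-07-24T19:05:05.304Z",
+"Severity": {
+"Label": "LOW",
+"Normalized": 1,
+"Original": "LOW"
+},
+"Title": "S3 general purpose buckets should have versioning enabled",
+"Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.",
+"Remediation": {
+"Recommendation": {
+"Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
+"Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation"
+}
+},
+"ProductFields": {
+"RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d",
+"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
+"aws/securityhub/ProductName": "Security Hub",
+"aws/securityhub/CompanyName": "AWS",
+"Resources:0/Id": "arn:aws:s3:::boeket-prd",
+"aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d"
+},
+"Resources": [
+{
+"Type": "AwsS3Bucket",
+"Id": "arn:aws:s3:::boeket-prd",
+"Partition": "aws",
+"Region": "eu-west-1",
+"Tags": {
+"ManagedBy": "Terraform"
+},
+"Details": {
+"AwsS3Bucket": {
+"OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f",
+"CreatedAt": "2024-07-24T19:02:52.000Z",
+"Name": "boeket-prd"
+}
+}
+}
+],
+"Compliance": {
+"Status": "FAILED",
+"RelatedRequirements": [
+"NIST.800-53.r5 AU-9(2)",
+"NIST.800-53.r5 CP-10",
+"NIST.800-53.r5 CP-6",
+"NIST.800-53.r5 CP-6(1)",
+"NIST.800-53.r5 CP-6(2)",
+"NIST.800-53.r5 CP-9",
+"NIST.800-53.r5 SC-5(2)",
+"NIST.800-53.r5 SI-12",
+"NIST.800-53.r5 SI-13(5)"
+],
+"SecurityControlId": "S3.14",
+"AssociatedStandards": [
+{
+"StandardsId": "standards/nist-800-53/v/5.0.0"
+}
+]
+},
+"WorkflowState": "NEW",
+"Workflow": {
+"Status": "NEW"
+},
+"RecordState": "ACTIVE",
+"FindingProviderFields": {
+"Severity": {
+"Label": "LOW",
+"Original": "LOW"
+},
+"Types": [
+"Software and Configuration Checks/Industry and Regulatory Standards"
+]
+},
+"ProcessedAt": "2024-07-24T19:05:23.098Z",
+"AwsAccountName": "watcher"
+}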