Merge branch 'satv2-presentation' into 'main'

Satv2 presentation

See merge request wwps-security-developer/aws-security-assessment-solution!13

2-sat2-codebuild-prowler.yaml

@@ -167,6 +167,9 @@ Resources:
     DeletionPolicy: Retain 
     Type: AWS::S3::Bucket
     Properties:
+      NotificationConfiguration:
+           EventBridgeConfiguration:
+                EventBridgeEnabled: !If [ EnableReporting, true, false ]
       BucketEncryption: 
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
@@ -422,7 +425,8 @@ Resources:
             post_build:
               commands:
                 - echo "Uploading reports to S3..."
-                - aws s3 cp --exclude "*" --include "*.csv" output/ s3://$BUCKET_REPORT/csv/ --recursive
+                - aws s3 cp --exclude "*" --include "*.csv" --exclude "compliance**" output/ s3://$BUCKET_REPORT/csv/ --recursive
+                - aws s3 cp --exclude "*" --include "*.csv" output/compliance/ s3://$BUCKET_REPORT/compliance/ --recursive
                 - aws s3 cp --exclude "*" --include "*.ocsf.json" output/ s3://$BUCKET_REPORT/ocsf-json/ --recursive
                 - aws s3 cp --exclude "*" --include "*.json" --exclude "*.ocsf.json" --exclude "*.asff.json" output/ s3://$BUCKET_REPORT/json/ --recursive
                 - aws s3 cp --exclude "*" --include "*.html" output/ s3://$BUCKET_REPORT/html/ --recursive
@@ -648,7 +652,8 @@ Resources:
         PublishCloudWatchMetricsEnabled: false
         RequesterPaysEnabled: false
         ResultConfiguration:
-          OutputLocation: !Sub s3://${ProwlerFindingsBucket}/reports
+          OutputLocation: !Sub s3://${ProwlerFindingsBucket}/athena_results
+        EnforceWorkGroupConfiguration: false
 
   qProwlerOrgSummary:
     Condition: EnableReporting
@@ -767,7 +772,8 @@ Resources:
                 print("Starting query...")
                 response = athena.start_query_execution(
                     QueryString="""SELECT * FROM \"AwsDataCatalog\".\"{}\".\"prowler\"""".format(S3_BUCKET),
-                    WorkGroup=WORKGROUP
+                    WorkGroup=WORKGROUP,
+                    ResultConfiguration={'OutputLocation': f's3://{S3_BUCKET}/reports'}
                     )
                 print(response)
               except ClientError as e:
@@ -833,7 +839,231 @@ Resources:
             InputTemplate: !Sub >-
               "The query to summarize reporting has <status>."
 
-              "You can view your results in the ${ProwlerFindingsBucket}/reporting bucket."
+              "You can view your results in the ${ProwlerFindingsBucket}/reports bucket."
+
+# PPTX reporting
+  ProwlerReportingLambdaRole:
+    Condition: EnableReporting
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action:
+              - 'sts:AssumeRole'
+      Path: /
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Policies:
+        - PolicyName: AccessToS3
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                 - s3:GetBucketLocation
+                 - s3:GetObject
+                 - s3:ListBucket
+                 - s3:ListBucketMultipartUploads
+                 - s3:AbortMultipartUpload
+                 - s3:PutObject
+                 - s3:ListMultipartUploadPart
+                Resource: 
+                 - !GetAtt ProwlerFindingsBucket.Arn
+                 - !Sub ${ProwlerFindingsBucket.Arn}/*
+        - PolicyName: AccessToCodeBuild
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerReportingCodeBuild.Arn
+
+  ProwlerReportingLogGroup:
+    Condition: EnableReporting
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: CloudWatch Logs protects data at rest using encryption. All log groups are encrypted. By default, the CloudWatch Logs service manages the server-side encryption keys.
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Sub '/aws/lambda/${ProwlerReportingLambda}'
+      RetentionInDays: 7      
+
+  ProwlerReportingLambda:
+    Condition: EnableReporting
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: The ProwlerReportingLambdaRole gives Lambda access to write CloudWatch logs.
+          - id: W89
+            reason: Lambda is not deployed inside of a VPC.
+          - id: W92
+            reason: Reserved concurrent executions is not set.
+    Type: AWS::Lambda::Function
+    Properties:
+      Handler: index.lambda_handler
+      Role: !Sub ${ProwlerReportingLambdaRole.Arn}
+      Timeout: 120
+      Runtime: python3.10
+      Code:
+        ZipFile: |
+          import boto3
+          from botocore.exceptions import ClientError
+
+          def startCodeBuildReport(event, context):
+              print(event)
+              
+              bucket = event['detail']['bucket']['name']
+              key = event['detail']['object']['key']
+              full_path = f"s3://{bucket}/{key}"
+              print(f"Summary CSV from Athena: {full_path}")
+              
+              cb = boto3.client('codebuild')
+              try:
+                print("Starting build...")
+                response = cb.start_build(projectName='ProwlerReportingCodeBuild', \
+                environmentVariablesOverride=[
+                  {
+                      'name': 'ATHENA_SUMMARY_CSV',
+                      'value': full_path
+                  }])
+                print(response)
+              except ClientError as e:
+                print("Failed to start query")
+                print(e)
+
+          def lambda_handler(event,context):
+              startCodeBuildReport(event, context)
+
+  ProwlerReportingLambdaInvokePermission:
+    Condition: EnableReporting
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName: !GetAtt ProwlerReportingLambda.Arn
+      Action: "lambda:InvokeFunction"
+      Principal: "events.amazonaws.com"
+      SourceArn: !GetAtt ProwlerReportingS3Upload.Arn
+
+  ProwlerReportingS3Upload:
+    Condition: EnableReporting
+    Type: AWS::Events::Rule
+    Properties:
+      EventBusName: default
+      EventPattern:
+        source:
+          - aws.s3
+        detail-type:
+          - Object Created
+        detail:
+          bucket:
+            name:
+              - !Ref ProwlerFindingsBucket
+          object:
+            key:
+              - wildcard: reports/*.csv
+      State: ENABLED
+      Targets:
+        - Id: toLambda
+          Arn: !GetAtt ProwlerReportingLambda.Arn
+
+  ProwlerReportingCodeBuildRole:
+    Condition: EnableReporting
+    Type: AWS::IAM::Role
+    Properties:
+      Path: '/service-role/'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          -
+            Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service:
+                - codebuild.amazonaws.com
+      Policies:
+        - PolicyName: LogGroup
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*'
+        - PolicyName: AccessToS3
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                 - s3:GetBucketLocation
+                 - s3:GetObject
+                 - s3:ListBucket
+                 - s3:ListBucketMultipartUploads
+                 - s3:AbortMultipartUpload
+                 - s3:PutObject
+                 - s3:ListMultipartUploadPart
+                Resource: 
+                 - !GetAtt ProwlerFindingsBucket.Arn
+                 - !Sub ${ProwlerFindingsBucket.Arn}/*
+
+  ProwlerReportingCodeBuild:
+    Condition: EnableReporting
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W32
+            reason: CodeBuild uses the managed KMS key for S3.
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Name: ProwlerReportingCodeBuild
+      Environment:
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
+        Type: "LINUX_CONTAINER"
+        EnvironmentVariables:
+          - Name: ATHENA_SUMMARY_CSV
+            Value: ""
+            Type: PLAINTEXT
+          - Name: BUCKET_REPORT
+            Value: !Ref ProwlerFindingsBucket
+            Type: PLAINTEXT  
+      Description: Create Prowler report
+      ServiceRole: !GetAtt ProwlerReportingCodeBuildRole.Arn
+      TimeoutInMinutes: 60
+      Artifacts:
+        Type: NO_ARTIFACTS
+      Source:
+        Type: NO_SOURCE
+        BuildSpec: |
+          version: 0.2
+          phases:
+            install:
+              runtime-versions:
+                python: 3.11
+              commands:
+                - echo "Downloading repo..."
+                - git clone https://github.com/awslabs/aws-security-assessment-solution.git
+                - cd satv2-reporting/reporting
+                - echo "Installing dependencies..."
+                - pip3 install -r requirements.txt
+            build:
+              commands:
+                - echo "Using Athena summary csv $ATHENA_SUMMARY_CSV"
+                - aws s3 cp $ATHENA_SUMMARY_CSV .
+                - python report.py
+            post_build:
+              commands:
+                - echo "Uploading report to S3..."
+                - aws s3 cp SHIP_v3_Updated.pptx s3://$BUCKET_REPORT/reports/
+                - echo "Done!"
 
 Outputs:
   AccountID: 

README.md

@@ -8,6 +8,7 @@ We have developed an inexpensive, easy to deploy, secure, and fast solution to p
 
 ## Table of Contents<!-- omit from toc -->
 - [Overview](#overview)
+- [Parameters](#parameters)
 - [Deployment](#deployment)
 - [Single account scan](#single-account-scan)
   - [AWS CloudShell](#aws-cloudshell)
@@ -43,6 +44,18 @@ Once the template is deployed, the CodeBuild project will run. The default asses
 
 ![architecture diagram](img/architecture.png)
 
+## Parameters
+SATv2 can be customized by updating the CloudFormation parameters. This section summarizes the available options and provides a link to the section with more information.
+
+| Parameter | Description | More information |
+| --- | --- | ---| 
+| ProwlerScanType | Specify which type of scan to perform. Selecting full without specifying different ProwlerOptions will do a full scan. To perform a specific check, choose Full and append -c <check> to ProwlerOptions. | [Scan types](#scan-types) 
+| MultiAccountScan | Set this to true if you want to scan all accounts in your organization. You must have deployed the prerequisite template to provision a role, or specify a different ProwlerRole with the appropriate permissions. | [Multi-account scan](#multi-account-scan)
+| MultiAccountListOverride | Specify a space delimited list of accounts to scan. Leaving this blank will scan all accounts in your organization. If you can't provide delegated ListAccount access, you can provide the MultiAccountListOverride parameter. | [Multi-account scan](#multi-account-scan)
+| EmailAddress | Specify an address if you want to receive an email when the assessment completes. | [Notifications](#notifications)
+| Reporting | Set this to true if you want to summarize the Prowler reports into a single csv and create a presentation. This is helpful when scanning multiple accounts. | [Reporting Summary](#reporting-summary)
+
+
 ## Deployment
 You can use this project to run Prowler across multiple accounts in an AWS Organization, or a single account. We provide instructions to use  AWS CloudShell or the AWS console. Choose an option to get started.
 
@@ -321,7 +334,7 @@ Determine if you have delegated administrator or a resource policy that already
 </details>
 
 ## Review the results
-After the solution is deployed, a Lambda function starts the CodeBuild project. After the CodeBuild project is finished building, the Prowler results will be uploaded to the created Amazon S3 bucket. If you configured [notifications](#notifications), you will get an email when the Prowler scan is complete. If you configured [reporting](#reporting-summary), you will have a consolidated csv file in the /reporting folder.
+After the solution is deployed, a Lambda function starts the CodeBuild project. After the CodeBuild project is finished building, the Prowler results will be uploaded to the created Amazon S3 bucket. If you configured [notifications](#notifications), you will get an email when the Prowler scan is complete. If you configured [reporting](#reporting-summary), you will have a consolidated csv and presentation file in the /reports folder.
 
 If you didn't configure email alerts, you can monitor the progress from the [CodeBuild console](https://console.aws.amazon.com/codesuite/codebuild/projects).
 
@@ -425,7 +438,9 @@ With or without the optional EmailAddress parameter set, you can view the progre
 
 ## Reporting Summary
 
-You can optionally enable reporting to summarize multiple Prowler scan csv files into a single file. This may be helpful when running Prowler across multiple accounts in an AWS Organization. The reporting summary feature is off by default. To enable reporting, set the Reporting parameter to true when you deploy the CloudFormation template. This will create an Athena WorkGroup, a Glue table, and automatically run a query to consolidate the results. The summarized csv file is located in the same S3 bucket as the Prowler results in the /reporting folder.
+You can optionally enable reporting to summarize multiple Prowler scan csv files into a single file. This may be helpful when running Prowler across multiple accounts in an AWS Organization. The reporting summary feature is off by default. To enable reporting, set the Reporting parameter to true when you deploy the CloudFormation template. This will create an Athena WorkGroup, a Glue table, and automatically run a query to consolidate the results. The summarized csv file is located in the same S3 bucket as the Prowler results in the /reports folder.
+
+The consolidated csv file will be used to create a SHIP HealthCheck presentation. Once the csv file is written to the bucket, an EventBridge rule runs a Lambda function that starts a CodeBuild job. The updated presentation is stored in the same S3 bucket in the /reports folder.
 
 If you specify an email address while reporting is enabled, you will get a second email when the Athena query is finished. 
 
@@ -438,7 +453,7 @@ aws cloudformation deploy --template-file 2-sat2-codebuild-prowler.yaml \
 --parameter-overrides MultiAccountScan=true Reporting=true [email protected]
 ```
 
-![reporting architecture diagram](img/reporting.png)
+![reporting architecture diagram](img/reporting2.png)
 
 A saved query is created as an example. This query counts the checks that failed across all the accounts assessed. To review and run the query, follow these steps: