Merge pull request #24 from SPHTech-Platform/feat/add-cspm-sechub-integration

PFMENG-743 : Add CSPM sechub integration

Author: smoneyan

README.md

@@ -11,7 +11,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.55.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.65.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | 0.9.1 |
 
 ## Modules
@@ -21,27 +21,38 @@
 | <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.5.0 |
 | <a name="module_lambda"></a> [lambda](#module\_lambda) | terraform-aws-modules/lambda/aws | ~> 4.10.1 |
 | <a name="module_lambda_role"></a> [lambda\_role](#module\_lambda\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.9.0 |
+| <a name="module_sechub_integration_lambda"></a> [sechub\_integration\_lambda](#module\_sechub\_integration\_lambda) | terraform-aws-modules/lambda/aws | ~> 4.10.1 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_iam_policy.aqua_cspm_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.aqua_cspm_supplemental](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.aquasec_importfindings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.aqua_cspm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aqua_cspm_sechub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.aqua_cspm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aqua_cspm_sechub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_invocation.external_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
 | [aws_lambda_invocation.onboarding](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
+| [aws_lambda_invocation.sechub_integration_external_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
+| [aws_lambda_invocation.sechub_integration_onboarding](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
 | [aws_secretsmanager_secret.aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_policy.aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
 | [aws_secretsmanager_secret_version.aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [time_sleep.sechub_integration_wait_10_aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.sechub_integration_wait_10_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.wait_10_aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.wait_10_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.aqua_cspm_control_tower_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.aqua_cspm_custom_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.aqua_cspm_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.aqua_cspm_supplemental](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.aquahub_sechub_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.aquasec_importfindings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -52,6 +63,7 @@
 | <a name="input_aqua_cspm_apikey"></a> [aqua\_cspm\_apikey](#input\_aqua\_cspm\_apikey) | Aqua CSPM API key: Account Management > API Keys > Generate Key | `string` | n/a | yes |
 | <a name="input_aqua_cspm_secretkey"></a> [aqua\_cspm\_secretkey](#input\_aqua\_cspm\_secretkey) | Aqua CSPM Secret | `string` | n/a | yes |
 | <a name="input_aqua_group_name"></a> [aqua\_group\_name](#input\_aqua\_group\_name) | Aqua CSPM Group Name from the Aqua Wave console | `string` | `"Default"` | no |
+| <a name="input_aqua_sechub_integration"></a> [aqua\_sechub\_integration](#input\_aqua\_sechub\_integration) | Enables aqua security hub integration. If enabled, findings from Aquasec will be pushed to security hub.<br>Notification type can be either "send\_all" or "send\_only\_failed". Default is "send\_all" | <pre>object({<br>    enabled           = bool<br>    notification_type = optional(string, "send_all")<br>  })</pre> | <pre>{<br>  "enabled": false<br>}</pre> | no |
 | <a name="input_enable_kms_key_rotation"></a> [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to true | `bool` | `true` | no |
 | <a name="input_kms_aliases"></a> [kms\_aliases](#input\_kms\_aliases) | A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values | `list(string)` | <pre>[<br>  "alias/AquaCSPM-Control-Tower-AquaSec"<br>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |

data.tf

@@ -353,3 +353,65 @@ data "aws_iam_policy_document" "aqua_cspm_custom_trust" {
     aws_lambda_invocation.external_id,
   ]
 }
+
+data "aws_iam_policy_document" "aquahub_sechub_trust" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.aquasec_account_id}:role/uwbwh-lambda-cloudsploit-api"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values = [
+        local.sechub_external_id,
+      ]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.aquasec_account_id}:role/uwbwh-lambda-cloudsploit-executor"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values = [
+        local.sechub_external_id,
+      ]
+    }
+  }
+
+  depends_on = [
+    aws_lambda_invocation.sechub_integration_external_id,
+  ]
+}
+
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "aquasec_importfindings" {
+  #checkov:skip=CKV_AWS_111
+  #checkov:skip=CKV_AWS_108
+  statement {
+    actions = [
+      "securityhub:BatchImportFindings"
+    ]
+    resources = [
+      "*",
+    ]
+  }
+}

iam.tf

@@ -52,3 +52,34 @@ resource "aws_iam_role_policy_attachment" "aqua_cspm" {
   policy_arn = element(local.aqua_cspm_role_policy_arns, count.index)
   role       = aws_iam_role.aqua_cspm.name
 }
+
+
+resource "aws_iam_policy" "aquasec_importfindings" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  name_prefix = "${local.name_prefix}-sechub-import-findings-"
+  policy      = data.aws_iam_policy_document.aquasec_importfindings.json
+}
+
+resource "aws_iam_role" "aqua_cspm_sechub" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  depends_on = [
+    aws_lambda_invocation.sechub_integration_external_id,
+  ]
+
+  name        = "${local.name_prefix}-sechub-import-role"
+  description = "Role assumed by AquaSec for importing Sechub findings from CSPM"
+
+  path                 = "/"
+  max_session_duration = "3600"
+
+  assume_role_policy = data.aws_iam_policy_document.aquahub_sechub_trust.json
+}
+
+resource "aws_iam_role_policy_attachment" "aqua_cspm_sechub" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  policy_arn = aws_iam_policy.aquasec_importfindings[0].arn
+  role       = aws_iam_role.aqua_cspm_sechub[0].name
+}

locals.tf

@@ -3,9 +3,19 @@ locals {
 
   secret_name = "/aquacspm/secret-cspm"
 
-  external_id = jsondecode(aws_lambda_invocation.external_id.result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.external_id.result)["message"] : jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"]
+  external_id        = jsondecode(aws_lambda_invocation.external_id.result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.external_id.result)["message"] : jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"]
+  sechub_external_id = jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["message"] : jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["ExternalId"]
+
+  aquasec_account_id = "057012691312"
   # public_ip   = "13.215.18.141/32"
 
+  enable_security_hub_integration = var.aqua_sechub_integration.enabled
+  notification_type = {
+    send_all         = "Send All Scan Reports"
+    send_only_failed = "Send Only Failed Scan Reports"
+  }
+  sechub_notification_type = lookup(local.notification_type, var.aqua_sechub_integration.notification_type)
+
   aqua_cspm_role_policy_arns = [
     "arn:aws:iam::aws:policy/SecurityAudit",
     aws_iam_policy.aqua_cspm_supplemental.arn,

security_hub_integration.tf

@@ -0,0 +1,83 @@
+module "sechub_integration_lambda" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "~> 4.10.1"
+
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  function_name = "${local.name_prefix}-sechub-integration-function"
+  description   = "Retrieves the External ID from Aqua CSPM"
+  handler       = "index.lambda_handler"
+  runtime       = "python3.9"
+
+  memory_size = 128
+  timeout     = 30
+
+  create_package         = false
+  local_existing_package = "${path.module}/src/security_hub_integration_function/lambda_function.zip"
+
+  create_role = false
+  lambda_role = module.lambda_role.iam_role_arn
+
+  tags = var.tags
+}
+
+resource "aws_lambda_invocation" "sechub_integration_external_id" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  function_name = module.sechub_integration_lambda[0].lambda_function_name
+  input = jsonencode({
+    ResourceProperties = {
+      Secret = local.secret_name
+    },
+    LogicalResourceId = "ExternalIDInvoke"
+  })
+
+  depends_on = [
+    module.sechub_integration_lambda,
+    aws_secretsmanager_secret_version.aqua_cspm_secret,
+    time_sleep.sechub_integration_wait_10_aqua_cspm_secret,
+  ]
+}
+
+resource "aws_lambda_invocation" "sechub_integration_onboarding" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  function_name = module.sechub_integration_lambda[0].lambda_function_name
+  input = jsonencode({
+    ResourceProperties = {
+      Secret            = local.secret_name,
+      RoleArn           = aws_iam_role.aqua_cspm_sechub[0].arn,
+      ExtId             = local.sechub_external_id,
+      AccId             = data.aws_caller_identity.current.account_id,
+      Region            = data.aws_region.current.name,
+      ScanNotifications = local.sechub_notification_type,
+    },
+    LogicalResourceId = "IntegrationInvoke"
+  })
+
+  depends_on = [
+    time_sleep.sechub_integration_wait_10_seconds,
+    aws_lambda_invocation.sechub_integration_external_id,
+    aws_iam_role.aqua_cspm,
+  ]
+}
+
+resource "time_sleep" "sechub_integration_wait_10_seconds" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  depends_on = [
+    aws_lambda_invocation.sechub_integration_external_id,
+  ]
+
+  create_duration = "10s"
+}
+
+resource "time_sleep" "sechub_integration_wait_10_aqua_cspm_secret" {
+  count = local.enable_security_hub_integration ? 1 : 0
+
+  depends_on = [
+    aws_secretsmanager_secret_version.aqua_cspm_secret,
+  ]
+
+  create_duration = "10s"
+}

src/security_hub_integration_function/index.py

@@ -0,0 +1,117 @@
+import json
+import boto3
+import os
+import logging
+import urllib3.request
+import hashlib
+import time
+import hmac
+import base64
+
+LOGGER = logging.getLogger()
+LOGGER.setLevel(logging.INFO)
+sess = boto3.session.Session()
+sm_client = sess.client('secretsmanager')
+
+def lambda_handler(event, ctxt):
+    LOGGER.info('Lambda started :{}'.format(event))
+    aqua_url = 'https://asia-1.api.cloudsploit.com'
+    resData = {}
+    rp = event['ResourceProperties']
+    secret = rp['Secret']
+    try:
+        conf = get_conf(secret)
+        aqua_api_key = conf['aqua_api_key']
+        aqua_secret = conf['aqua_secret']
+    except Exception as e:
+        LOGGER.error('Error retrieving Keys: {e}')
+        failRetKey = {'status': 'FAILED', 'message': 'Error retrieving Keys'}
+        return failRetKey
+    if event['LogicalResourceId'] == 'ExternalIDInvoke':
+        LOGGER.info('ExtID creation started :{}'.format(event))
+        try:
+            extid = get_ext_id(aqua_url, aqua_api_key, aqua_secret)
+            sucExtID = {'status': 'SUCCESS', 'ExternalId': extid}
+            return sucExtID
+        except Exception as e:
+            LOGGER.error(e)
+            failExtID = {'status': 'FAILED', 'message': str(e)}
+            return failExtID
+    elif event['LogicalResourceId'] == 'IntegrationInvoke':
+        LOGGER.info('Started integrating :{}'.format(event))
+        extid = rp['ExtId']
+        region = rp['Region']
+        role_arn = rp['RoleArn']
+        notifications = rp['ScanNotifications']
+        acc = rp['AccId']
+        intData = {}
+        try:
+            integrate(aqua_url, aqua_api_key, aqua_secret, acc, role_arn, extid, region, notifications)
+            LOGGER.info(f'Integration successful {acc}')
+            sucMsg = {'status': 'SUCCESS', 'AccountId': acc, 'Integrating': True}
+            return sucMsg
+        except Exception as e:
+            LOGGER.error(e)
+            errMsg = {'status': 'FAILED', 'message': str(e)}
+            return errMsg
+
+def get_conf(secret):
+    val = sm_client.get_secret_value(SecretId=secret)
+    resp = val['SecretString']
+    return json.loads(resp)
+
+def get_ext_id(url, api_key, aqua_secret):
+    path = "/v2/generatedids"
+    method = "POST"
+    tstmp = str(int(time.time() * 1000))
+    enc = tstmp + method + path
+    enc_b = bytes(enc, 'utf-8')
+    secret = bytes(aqua_secret, 'utf-8')
+    sig = hmac.new(secret, enc_b, hashlib.sha256).hexdigest()
+    hdr = {
+        "Accept": "application/json",
+        "X-API-Key": api_key,
+        "X-Signature": sig,
+        "X-Timestamp": tstmp,
+        "content-type": "application/json"
+    }
+    http = urllib3.PoolManager()
+    req = http.request('POST', url + path, headers=hdr)
+    res = json.loads(req.data.decode('utf-8'))
+    return res['data'][0]['generated_id']
+
+def integrate(url, api_key, aqua_secret, acc, role, ext_id, region, notificationType):
+    path = "/v2/integrations"
+    method = "POST"
+    tstmp = str(int(time.time() * 1000))
+    body = {
+        "enabled": True,
+        "name": "security_hub_" + acc,
+        "settings": {
+        "role_arn": role,
+        "external_id": ext_id,
+        "product_arn": "arn:aws:securityhub:" + region + "::product/aquasecurity/aquasecurity"
+        },
+        "type": "securityhub"
+    }
+    if notificationType == 'Send New Risks Only':
+        body['send_new_risks'] = True
+    else:
+        body['send_scan_results'] = True
+    body_str = json.dumps(body, separators=(',', ':'))
+    LOGGER.info(body_str)
+    enc = tstmp + method + path + body_str
+    enc_b = bytes(enc, 'utf-8')
+    secret = bytes(aqua_secret, 'utf-8')
+    sig = hmac.new(secret, enc_b, hashlib.sha256).hexdigest()
+    hdr = {
+        "Accept": "application/json",
+        "X-API-Key": api_key,
+        "X-Signature": sig,
+        "X-Timestamp": tstmp,
+        "content-type": "application/json"
+    }
+    http = urllib3.PoolManager()
+    req = http.request('POST', url + path, headers=hdr, body=body_str)
+    res = req.data
+    LOGGER.info(f'Registration: {res}')

src/security_hub_integration_function/lambda_function.zip

@@ -0,0 +1,2 @@
+boto3==1.26.75
+urllib3==1.26.14