Merge pull request #134 from justin-kontny/main

added NIST Security Standard

Author: cyphronix

CHANGELOG.md

@@ -3,7 +3,8 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
-- [2022-01-19](#2022-01-19)
+- [2023-04-10](#2023-04-10)
+- [2023-01-19](#2023-01-19)
 - [2022-12-02](#2022-12-02)
 - [2022-09-15](#2022-09-15)
 - [2022-07-29](#2022-07-29)
@@ -33,7 +34,14 @@
 All notable changes to this project will be documented in this file.
 
 ---
-## 2022-01-19
+## 2023-04-10
+
+### Changed<!-- omit in toc -->
+
+- Added NIST Security Standard to Security Hub solution [Security Hub Organization](aws_sra_examples/solutions/securityhub/securityhub_org)
+---
+
+## 2023-01-19
 
 ### Changed<!-- omit in toc -->
 

aws_sra_examples/solutions/securityhub/securityhub_org/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -27,6 +27,8 @@ resources:
         parameter_value: ''
       - parameter_key: pEnablePCIStandard
         parameter_value: 'false'
+      - parameter_key: pEnableNISTStandard
+        parameter_value: 'false'
       - parameter_key: pEnableSecurityBestPracticesStandard
         parameter_value: 'true'
       - parameter_key: pLambdaLogGroupKmsKey

aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py

@@ -67,9 +67,11 @@ def get_standards_dictionary(params: dict) -> dict:
         "SecurityBestPracticesVersion": params["SECURITY_BEST_PRACTICES_VERSION"],
         "CISVersion": params["CIS_VERSION"],
         "PCIVersion": params["PCI_VERSION"],
+        "NISTVersion": params["NIST_VERSION"],
         "StandardsToEnable": {
             "cis": params["ENABLE_CIS_STANDARD"] == "true",
             "pci": params["ENABLE_PCI_STANDARD"] == "true",
+            "nist": params["ENABLE_NIST_STANDARD"] == "true",
             "sbp": params["ENABLE_SECURITY_BEST_PRACTICES_STANDARD"] == "true",
         },
     }
@@ -296,6 +298,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     params.update(parameter_pattern_validator("DISABLE_SECURITY_HUB", os.environ.get("DISABLE_SECURITY_HUB"), pattern=true_false_pattern))
     params.update(parameter_pattern_validator("ENABLE_CIS_STANDARD", os.environ.get("ENABLE_CIS_STANDARD"), pattern=true_false_pattern))
     params.update(parameter_pattern_validator("ENABLE_PCI_STANDARD", os.environ.get("ENABLE_PCI_STANDARD"), pattern=true_false_pattern))
+    params.update(parameter_pattern_validator("ENABLE_NIST_STANDARD", os.environ.get("ENABLE_NIST_STANDARD"), pattern=true_false_pattern))
     params.update(
         parameter_pattern_validator(
             "ENABLE_SECURITY_BEST_PRACTICES_STANDARD", os.environ.get("ENABLE_SECURITY_BEST_PRACTICES_STANDARD"), pattern=true_false_pattern
@@ -306,6 +309,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
     )
     params.update(parameter_pattern_validator("MANAGEMENT_ACCOUNT_ID", os.environ.get("MANAGEMENT_ACCOUNT_ID"), pattern=r"^\d{12}$"))
     params.update(parameter_pattern_validator("PCI_VERSION", os.environ.get("PCI_VERSION"), pattern=version_pattern))
+    params.update(parameter_pattern_validator("NIST_VERSION", os.environ.get("NIST_VERSION"), pattern=version_pattern))
     params.update(
         parameter_pattern_validator("REGION_LINKING_MODE", os.environ.get("REGION_LINKING_MODE"), pattern=r"^ALL_REGIONS|SPECIFIED_REGIONS$")
     )

aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py

@@ -258,6 +258,7 @@ def enable_account_securityhub(account_id: str, regions: list, configuration_rol
             standards_user_input["SecurityBestPracticesVersion"],
             standards_user_input["CISVersion"],
             standards_user_input["PCIVersion"],
+            standards_user_input["NISTVersion"],
         )
         securityhub_client: SecurityHubClient = account_session.client("securityhub", region, config=BOTO3_CONFIG)
 
@@ -333,13 +334,22 @@ def configure_member_account(account_id: str, configuration_role_name: str, regi
             standards_user_input["SecurityBestPracticesVersion"],
             standards_user_input["CISVersion"],
             standards_user_input["PCIVersion"],
+            standards_user_input["NISTVersion"],
         )
         config_client: ConfigServiceClient = account_session.client("config", region, config=BOTO3_CONFIG)
         if is_config_enabled(config_client):
             process_standards(securityhub_client, standard_dict, standards_user_input["StandardsToEnable"])
 
 
-def get_standard_dictionary(account_id: str, region: str, aws_partition: str, sbp_version: str, cis_version: str, pci_version: str) -> dict:
+def get_standard_dictionary(
+    account_id: str,
+    region: str,
+    aws_partition: str,
+    sbp_version: str,
+    cis_version: str,
+    pci_version: str,
+    nist_version: str,
+) -> dict:
     """Get Standard ARNs.
 
     Args:
@@ -349,6 +359,7 @@ def get_standard_dictionary(account_id: str, region: str, aws_partition: str, sb
         sbp_version: AWS Security Best Practices Standard Version
         cis_version: CIS Standard Version
         pci_version: PCI Standard Version
+        nist_version: NIST Standard
 
     Returns:
         Standard ARN Dictionary
@@ -370,6 +381,12 @@ def get_standard_dictionary(account_id: str, region: str, aws_partition: str, sb
             "standard_arn": f"arn:{aws_partition}:securityhub:{region}::standards/pci-dss/v/{pci_version}",
             "subscription_arn": f"arn:{aws_partition}:securityhub:{region}:{account_id}:subscription/pci-dss/v/{pci_version}",
         },
+        "nist": {
+            "name": "National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5",
+            "enabled": False,
+            "standard_arn": f"arn:{aws_partition}:securityhub:{region}::standards/nist-800-53/v/{nist_version}",
+            "subscription_arn": f"arn:{aws_partition}:securityhub:{region}:{account_id}:subscription/nist-800-53/v/{nist_version}",
+        },
         "sbp": {
             "name": "AWS Foundational Security Best Practices Standard",
             "enabled": False,
@@ -437,7 +454,8 @@ def get_current_enabled_standards(securityhub_client: SecurityHubClient, standar
                 standard_dict["cis"]["enabled"] = True
             if standard_dict["pci"]["standard_arn"] == item["StandardsArn"]:
                 standard_dict["pci"]["enabled"] = True
-
+            if standard_dict["nist"]["standard_arn"] == item["StandardsArn"]:
+                standard_dict["nist"]["enabled"] = True
     return standard_dict
 
 
@@ -510,7 +528,7 @@ def process_standard(securityhub_client: SecurityHubClient, standards_to_enable:
                 else:
                     LOGGER.info(f"{standard_definition['name']} is already disabled")
         except securityhub_client.exceptions.InvalidInputException:
-            LOGGER.error("Retry after the standard is no longer in pending state.")
+            LOGGER.error("InvalidInputException while enabling or disabling standard")
     return True
 
 

aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml

@@ -38,9 +38,11 @@ Metadata:
           - pRegionLinkingMode
           - pEnableCISStandard
           - pEnablePCIStandard
+          - pEnableNISTStandard
           - pEnableSecurityBestPracticesStandard
           - pCISStandardVersion
           - pPCIStandardVersion
+          - pNISTStandardVersion
           - pSecurityBestPracticesStandardVersion
 
       - Label:
@@ -77,6 +79,8 @@ Metadata:
         default: Enable CIS Standard
       pEnablePCIStandard:
         default: Enable PCI Standard
+      pEnableNISTStandard:
+        default: Enable NIST Standard
       pEnableSecurityBestPracticesStandard:
         default: Enable AWS Foundational Security Best Practices Standard
       pEnabledRegions:
@@ -93,6 +97,8 @@ Metadata:
         default: Organization ID
       pPCIStandardVersion:
         default: PCI Standard Version
+      pNISTStandardVersion:
+        default: NIST Standard Version
       pRegionLinkingMode:
         default: Region Linking Mode
       pSecurityBestPracticesStandardVersion:
@@ -168,6 +174,11 @@ Parameters:
     Default: 'false'
     Description: Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS).
     Type: String
+  pEnableNISTStandard:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
+    Type: String
   pEnableSecurityBestPracticesStandard:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -184,6 +195,11 @@ Parameters:
     Default: 3.2.1
     Description: PCI Standard Version
     Type: String
+  pNISTStandardVersion:
+    AllowedValues: [5.0.0]
+    Default: 5.0.0
+    Description: NIST Standard Version
+    Type: String
   pSecurityBestPracticesStandardVersion:
     AllowedValues: [1.0.0]
     Default: 1.0.0
@@ -488,10 +504,12 @@ Resources:
           ENABLED_REGIONS: !Ref pEnabledRegions
           ENABLE_CIS_STANDARD: !Ref pEnableCISStandard
           ENABLE_PCI_STANDARD: !Ref pEnablePCIStandard
+          ENABLE_NIST_STANDARD: !Ref pEnableNISTStandard
           ENABLE_SECURITY_BEST_PRACTICES_STANDARD: !Ref pEnableSecurityBestPracticesStandard
           HOME_REGION: !Ref AWS::Region
           MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
           PCI_VERSION: !Ref pPCIStandardVersion
+          NIST_VERSION: !Ref pNISTStandardVersion
           REGION_LINKING_MODE: !Ref pRegionLinkingMode
           SECURITY_BEST_PRACTICES_VERSION: !Ref pSecurityBestPracticesStandardVersion
           SNS_TOPIC_ARN: !Ref rSecurityHubOrgTopic
@@ -512,8 +530,10 @@ Resources:
       ENABLED_REGIONS: !Ref pEnabledRegions
       ENABLE_CIS_STANDARD: !Ref pEnableCISStandard
       ENABLE_PCI_STANDARD: !Ref pEnablePCIStandard
+      ENABLE_NIST_STANDARD: !Ref pEnableNISTStandard
       ENABLE_SECURITY_BEST_PRACTICES_STANDARD: !Ref pEnableSecurityBestPracticesStandard
       PCI_VERSION: !Ref pPCIStandardVersion
+      NIST_VERSION: !Ref pNISTStandardVersion
       REGION_LINKING_MODE: !Ref pRegionLinkingMode
       SECURITY_BEST_PRACTICES_VERSION: !Ref pSecurityBestPracticesStandardVersion
       SNS_TOPIC_ARN: !Ref rSecurityHubOrgTopic

aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml

@@ -34,6 +34,8 @@ Metadata:
           - pEnableCISStandard
           - pCISStandardVersion
           - pEnablePCIStandard
+          - pEnableNISTStandard
+          - pNISTStandardVersion
           - pRegionLinkingMode
           - pControlTowerRegionsOnly
           - pEnabledRegions
@@ -68,6 +70,8 @@ Metadata:
         default: Enable CIS Standard
       pEnablePCIStandard:
         default: Enable PCI Standard
+      pEnableNISTStandard:
+        default: Enable NIST Standard
       pEnableSecurityBestPracticesStandard:
         default: Enable AWS Foundational Security Best Practices Standard
       pEnabledRegions:
@@ -78,6 +82,8 @@ Metadata:
         default: Lambda Log Group Retention
       pLambdaLogLevel:
         default: Lambda Log Level
+      pNISTStandardVersion:
+        default: NIST Standard Version
       pOrganizationId:
         default: Organization ID
       pRegionLinkingMode:
@@ -150,6 +156,11 @@ Parameters:
     Default: 'false'
     Description: Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS).
     Type: String
+  pEnableNISTStandard:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
+    Type: String
   pEnableSecurityBestPracticesStandard:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -173,6 +184,11 @@ Parameters:
     Default: INFO
     Description: Lambda Function Logging Level
     Type: String
+  pNISTStandardVersion:
+    AllowedValues: [5.0.0]
+    Default: 5.0.0
+    Description: NIST Standard Version
+    Type: String
   pOrganizationId:
     AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
     ConstraintDescription:
@@ -295,11 +311,13 @@ Resources:
         pDisableSecurityHub: !Ref pDisableSecurityHub
         pEnableCISStandard: !Ref pEnableCISStandard
         pEnablePCIStandard: !Ref pEnablePCIStandard
+        pEnableNISTStandard: !Ref pEnableNISTStandard
         pEnableSecurityBestPracticesStandard: !Ref pEnableSecurityBestPracticesStandard
         pEnabledRegions: !Ref pEnabledRegions
         pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
         pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
         pLambdaLogLevel: !Ref pLambdaLogLevel
+        pNISTStandardVersion: !Ref pNISTStandardVersion
         pOrganizationId: !Ref pOrganizationId
         pRegionLinkingMode: !Ref pRegionLinkingMode
         pSRAAlarmEmail: !Ref pSRAAlarmEmail

aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml

@@ -33,9 +33,11 @@ Metadata:
           - pEnableCISStandard
           - pCISStandardVersion
           - pEnablePCIStandard
+          - pEnableNISTStandard
           - pRegionLinkingMode
           - pControlTowerRegionsOnly
           - pEnabledRegions
+          - pNISTStandardVersion
 
       - Label:
           default: General Lambda Function Properties
@@ -67,6 +69,8 @@ Metadata:
         default: Enable CIS Standard
       pEnablePCIStandard:
         default: Enable PCI Standard
+      pEnableNISTStandard:
+        default: Enable NIST Standard
       pEnableSecurityBestPracticesStandard:
         default: Enable AWS Foundational Security Best Practices Standard
       pEnabledRegions:
@@ -77,6 +81,8 @@ Metadata:
         default: Lambda Log Group Retention
       pLambdaLogLevel:
         default: Lambda Log Level
+      pNISTStandardVersion:
+        default: NIST Standard Version
       pOrganizationId:
         default: Organization ID
       pRegionLinkingMode:
@@ -146,6 +152,11 @@ Parameters:
     Default: 'false'
     Description: Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS).
     Type: String
+  pEnableNISTStandard:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
+    Type: String
   pEnableSecurityBestPracticesStandard:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -169,6 +180,11 @@ Parameters:
     Default: INFO
     Description: Lambda Function Logging Level
     Type: String
+  pNISTStandardVersion:
+    AllowedValues: [5.0.0]
+    Default: 5.0.0
+    Description: NIST Standard Version
+    Type: String
   pOrganizationId:
     AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
     ConstraintDescription:
@@ -281,11 +297,13 @@ Resources:
         pDisableSecurityHub: !Ref pDisableSecurityHub
         pEnableCISStandard: !Ref pEnableCISStandard
         pEnablePCIStandard: !Ref pEnablePCIStandard
+        pEnableNISTStandard: !Ref pEnableNISTStandard
         pEnableSecurityBestPracticesStandard: !Ref pEnableSecurityBestPracticesStandard
         pEnabledRegions: !Ref pEnabledRegions
         pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
         pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
         pLambdaLogLevel: !Ref pLambdaLogLevel
+        pNISTStandardVersion: !Ref pNISTStandardVersion
         pOrganizationId: !Ref pOrganizationId
         pRegionLinkingMode: !Ref pRegionLinkingMode
         pSRAAlarmEmail: !Ref pSRAAlarmEmail