{ "Description": "(SO0111M) Automated Security Response on AWS Member Account Stack, v3.1.6", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "LogGroup Configuration" }, "Parameters": [ "LogGroupName" ] }, { "Label": { "default": "Consolidated control finding Playbook" }, "Parameters": [ "LoadSCMemberStack" ] }, { "Label": { "default": "Security Standard Playbooks" }, "Parameters": [ "LoadAFSBPMemberStack", "LoadCIS120MemberStack", "LoadCIS140MemberStack", "LoadCIS300MemberStack", "LoadNIST80053MemberStack", "LoadPCI321MemberStack" ] }, { "Label": { "default": "Configuration" }, "Parameters": [ "CreateS3BucketForRedshiftAuditLogging", "SecHubAdminAccount", "Namespace" ] } ], "ParameterLabels": { "LogGroupName": { "default": "Provide the name of the LogGroup to be used to create Metric Filters and Alarms" } } } }, "Parameters": { "SecHubAdminAccount": { "Type": "String", "AllowedPattern": "^\\d{12}$", "Description": "Admin account number" }, "Namespace": { "Type": "String", "AllowedPattern": "(?!(^xn--|^sthree-|^sthree-configurator|^amzn-s3-demo-|.+-s3alias|.+--ol-s3|.+.mrap|.+--x-s3$))^[a-z0-9][a-z0-9-]{1,7}[a-z0-9]$", "ConstraintDescription": "The Namespace parameter must follow naming restrictions for S3 buckets and have a minimum length of 3 and a maximum length of 9. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html", "Description": "Choose a unique namespace to be added as a suffix to remediation IAM role names. The same namespace should be used in the Member Roles and Member stacks. This string should be unique for each solution deployment, but does not need to be changed during stack updates.", "MaxLength": 9, "MinLength": 3 }, "EnableCloudTrailForASRActionLog": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Create a CloudTrail to monitor ASR actions in this account on the ASR CloudWatch Dashboard. " }, "CreateS3BucketForRedshiftAuditLogging": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Create S3 Bucket For Redshift Cluster Audit Logging." }, "LogGroupName": { "Type": "String", "Description": "Name of the log group to be used to create metric filters and cloudwatch alarms. You must use a Log Group that is the the logging destination of a multi-region CloudTrail. Mandatory to use certain CloudWatch controls (e.g. PCI.CW.1).", "MinLength": 1 }, "LoadAFSBPMemberStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the member components for automated remediation of AFSBP controls?" }, "LoadCIS120MemberStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the member components for automated remediation of CIS120 controls?" }, "LoadCIS140MemberStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the member components for automated remediation of CIS140 controls?" }, "LoadNIST80053MemberStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the member components for automated remediation of NIST80053 controls?" }, "LoadPCI321MemberStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the member components for automated remediation of PCI321 controls?" }, "LoadCIS300MemberStack": { "Type": "String", "Default": "no", "AllowedValues": [ "yes", "no" ], "Description": "Install the member components for automated remediation of CIS300 controls?" }, "LoadSCMemberStack": { "Type": "String", "Default": "yes", "AllowedValues": [ "yes", "no" ], "Description": "If the consolidated control findings feature is turned on in Security Hub, only enable the Security Control (SC) playbook. If the feature is not turned on, enable the playbooks for the security standards that are enabled in Security Hub. Enabling additional playbooks can result in reaching the quota for EventBridge Rules." } }, "Conditions": { "CloudTrailCondition": { "Fn::Equals": [ { "Ref": "EnableCloudTrailForASRActionLog" }, "yes" ] }, "EnableS3BucketForRedShift4": { "Fn::Equals": [ { "Ref": "CreateS3BucketForRedshiftAuditLogging" }, "yes" ] }, "loadAFSBPCond": { "Fn::Equals": [ { "Ref": "LoadAFSBPMemberStack" }, "yes" ] }, "loadAFSBP1Cond": { "Fn::Equals": [ { "Ref": "LoadAFSBPMemberStack" }, "yes" ] }, "loadCIS120Cond": { "Fn::Equals": [ { "Ref": "LoadCIS120MemberStack" }, "yes" ] }, "loadCIS140Cond": { "Fn::Equals": [ { "Ref": "LoadCIS140MemberStack" }, "yes" ] }, "loadNIST80053Cond": { "Fn::Equals": [ { "Ref": "LoadNIST80053MemberStack" }, "yes" ] }, "loadNIST800531Cond": { "Fn::Equals": [ { "Ref": "LoadNIST80053MemberStack" }, "yes" ] }, "loadPCI321Cond": { "Fn::Equals": [ { "Ref": "LoadPCI321MemberStack" }, "yes" ] }, "loadCIS300Cond": { "Fn::Equals": [ { "Ref": "LoadCIS300MemberStack" }, "yes" ] }, "loadSCCond": { "Fn::Equals": [ { "Ref": "LoadSCMemberStack" }, "yes" ] }, "loadSC1Cond": { "Fn::Equals": [ { "Ref": "LoadSCMemberStack" }, "yes" ] } }, "Resources": { "S3BucketForRedShiftAuditLogging652E7355": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "guard": { "SuppressedRules": [ "S3_BUCKET_LOGGING_ENABLED" ] } }, "Condition": "EnableS3BucketForRedShift4" }, "S3BucketForRedShiftAuditLoggingBucketPolicyAB8BAA40": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "S3BucketForRedShiftAuditLogging652E7355" }, "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetBucketAcl", "s3:PutObject" ], "Effect": "Allow", "Principal": { "Service": "redshift.amazonaws.com" }, "Resource": [ { "Fn::GetAtt": [ "S3BucketForRedShiftAuditLogging652E7355", "Arn" ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${BucketName}/*", { "BucketName": { "Ref": "S3BucketForRedShiftAuditLogging652E7355" } } ] } ], "Sid": "Put bucket policy needed for audit logging" }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": "*", "Resource": [ { "Fn::GetAtt": [ "S3BucketForRedShiftAuditLogging652E7355", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "S3BucketForRedShiftAuditLogging652E7355", "Arn" ] }, "/*" ] ] } ], "Sid": "EnforceSSL" } ], "Version": "2012-10-17" } }, "DependsOn": [ "S3BucketForRedShiftAuditLogging652E7355" ], "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Condition": "EnableS3BucketForRedShift4" }, "SSMParameterForS3BucketNameForREDSHIFT441DD36B1": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Parameter to store the S3 bucket name for the remediation FSBP.REDSHIFT.4, the default value is bucket-name which has to be updated by the user before using the remediation.", "Name": "/Solutions/SO0111/afsbp/1.0.0/REDSHIFT.4/S3BucketNameForAuditLogging", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.6" }, "Type": "String", "Value": { "Ref": "S3BucketForRedShiftAuditLogging652E7355" } }, "DependsOn": [ "S3BucketForRedShiftAuditLogging652E7355" ], "Condition": "EnableS3BucketForRedShift4" }, "SHARRRemediationKeyE744743D": { "Type": "AWS::KMS::Key", "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt", "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:DescribeKey", "kms:DescribeCustomKeyStores" ], "Effect": "Allow", "Principal": { "Service": [ "sns.amazonaws.com", "s3.amazonaws.com", { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::URLSuffix" } ] ] }, { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::Region" }, ".", { "Ref": "AWS::URLSuffix" } ] ] }, { "Fn::Join": [ "", [ "cloudtrail.", { "Ref": "AWS::URLSuffix" } ] ] }, "cloudwatch.amazonaws.com" ] }, "Resource": "*" }, { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } }, "Resource": "*" } ], "Version": "2012-10-17" }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, "SHARRRemediationKeyAlias5531874D": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/SO0111-SHARR-Remediation-Key", "TargetKeyId": { "Fn::GetAtt": [ "SHARRRemediationKeyE744743D", "Arn" ] } } }, "SHARRKeyAliasEBF509D8": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "KMS Customer Managed Key that will encrypt data for remediations", "Name": "/Solutions/SO0111/CMK_REMEDIATION_ARN", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.6" }, "Type": "String", "Value": { "Fn::GetAtt": [ "SHARRRemediationKeyE744743D", "Arn" ] } } }, "SHARRMemberVersionEDAB5C42": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Version of the AWS Security Hub Automated Response and Remediation solution", "Name": "/Solutions/SO0111/member-version", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.6" }, "Type": "String", "Value": "v3.1.6" } }, "SSMParameterLogGroupName47918519": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Parameter to store log group name", "Name": "/Solutions/SO0111/Metrics_LogGroupName", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.6" }, "Type": "String", "Value": { "Ref": "LogGroupName" } } }, "SSMParameterForS34EncryptionKeyAlias73DD8A98": { "Type": "AWS::SSM::Parameter", "Properties": { "Description": "Parameter to store encryption key alias for the PCI.S3.4/FSBP.S3.4, replace the default value with the KMS Key Alias, other wise the remediation will enable the default AES256 encryption for the bucket.", "Name": "/Solutions/SO0111/afsbp/1.0.0/S3.4/KmsKeyAlias", "Tags": { "Solutions:SolutionID": "SO0111", "Solutions:SolutionName": "automated-security-response-on-aws", "Solutions:SolutionVersion": "v3.1.6" }, "Type": "String", "Value": "default-s3-encryption" } }, "NestedStackFactoryGatePlaybookMemberStackAFSBP137036A57": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackCIS120E08EFB8B": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackCIS1402A4735A6": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackNIST80053C3D22DE7": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackNIST8005311D6A30FD": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] }, "PlaybookMemberStackNIST80053Ready": { "Fn::If": [ "loadNIST80053Cond", { "Ref": "PlaybookMemberStackNIST80053" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackPCI3214A12B906": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] }, "PlaybookMemberStackNIST80053Ready": { "Fn::If": [ "loadNIST80053Cond", { "Ref": "PlaybookMemberStackNIST80053" }, "" ] }, "PlaybookMemberStackNIST800531Ready": { "Fn::If": [ "loadNIST800531Cond", { "Ref": "PlaybookMemberStackNIST800531" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackCIS300FA804242": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] }, "PlaybookMemberStackNIST80053Ready": { "Fn::If": [ "loadNIST80053Cond", { "Ref": "PlaybookMemberStackNIST80053" }, "" ] }, "PlaybookMemberStackNIST800531Ready": { "Fn::If": [ "loadNIST800531Cond", { "Ref": "PlaybookMemberStackNIST800531" }, "" ] }, "PlaybookMemberStackPCI321Ready": { "Fn::If": [ "loadPCI321Cond", { "Ref": "PlaybookMemberStackPCI321" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackSC0515DB36": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] }, "PlaybookMemberStackNIST80053Ready": { "Fn::If": [ "loadNIST80053Cond", { "Ref": "PlaybookMemberStackNIST80053" }, "" ] }, "PlaybookMemberStackNIST800531Ready": { "Fn::If": [ "loadNIST800531Cond", { "Ref": "PlaybookMemberStackNIST800531" }, "" ] }, "PlaybookMemberStackPCI321Ready": { "Fn::If": [ "loadPCI321Cond", { "Ref": "PlaybookMemberStackPCI321" }, "" ] }, "PlaybookMemberStackCIS300Ready": { "Fn::If": [ "loadCIS300Cond", { "Ref": "PlaybookMemberStackCIS300" }, "" ] } } }, "NestedStackFactoryGatePlaybookMemberStackSC1042EDDD9": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] }, "PlaybookMemberStackNIST80053Ready": { "Fn::If": [ "loadNIST80053Cond", { "Ref": "PlaybookMemberStackNIST80053" }, "" ] }, "PlaybookMemberStackNIST800531Ready": { "Fn::If": [ "loadNIST800531Cond", { "Ref": "PlaybookMemberStackNIST800531" }, "" ] }, "PlaybookMemberStackPCI321Ready": { "Fn::If": [ "loadPCI321Cond", { "Ref": "PlaybookMemberStackPCI321" }, "" ] }, "PlaybookMemberStackCIS300Ready": { "Fn::If": [ "loadCIS300Cond", { "Ref": "PlaybookMemberStackCIS300" }, "" ] }, "PlaybookMemberStackSCReady": { "Fn::If": [ "loadSCCond", { "Ref": "PlaybookMemberStackSC" }, "" ] } } }, "NestedStackFactoryGateMemberCloudTrailStackD769B835": { "Type": "AWS::CloudFormation::WaitConditionHandle", "Metadata": { "PlaybookMemberStackAFSBPReady": { "Fn::If": [ "loadAFSBPCond", { "Ref": "PlaybookMemberStackAFSBP" }, "" ] }, "PlaybookMemberStackAFSBP1Ready": { "Fn::If": [ "loadAFSBP1Cond", { "Ref": "PlaybookMemberStackAFSBP1" }, "" ] }, "PlaybookMemberStackCIS120Ready": { "Fn::If": [ "loadCIS120Cond", { "Ref": "PlaybookMemberStackCIS120" }, "" ] }, "PlaybookMemberStackCIS140Ready": { "Fn::If": [ "loadCIS140Cond", { "Ref": "PlaybookMemberStackCIS140" }, "" ] }, "PlaybookMemberStackNIST80053Ready": { "Fn::If": [ "loadNIST80053Cond", { "Ref": "PlaybookMemberStackNIST80053" }, "" ] }, "PlaybookMemberStackNIST800531Ready": { "Fn::If": [ "loadNIST800531Cond", { "Ref": "PlaybookMemberStackNIST800531" }, "" ] }, "PlaybookMemberStackPCI321Ready": { "Fn::If": [ "loadPCI321Cond", { "Ref": "PlaybookMemberStackPCI321" }, "" ] }, "PlaybookMemberStackCIS300Ready": { "Fn::If": [ "loadCIS300Cond", { "Ref": "PlaybookMemberStackCIS300" }, "" ] }, "PlaybookMemberStackSCReady": { "Fn::If": [ "loadSCCond", { "Ref": "PlaybookMemberStackSC" }, "" ] }, "PlaybookMemberStackSC1Ready": { "Fn::If": [ "loadSC1Cond", { "Ref": "PlaybookMemberStackSC1" }, "" ] } } }, "WaitProviderRole83B0295F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "LambdaPolicy" } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK", "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "WaitProviderFunction3D90ED36": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.6/lambda/wait_provider-3a2ab616.zip" }, "Environment": { "Variables": { "LOG_LEVEL": "INFO" } }, "Handler": "wait_provider.lambda_handler", "Role": { "Fn::GetAtt": [ "WaitProviderRole83B0295F", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "Timeout": 900 }, "DependsOn": [ "WaitProviderRole83B0295F" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_CONCURRENCY_CHECK", "LAMBDA_INSIDE_VPC" ] } } }, "RunbookStackNoRoles": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/automated-security-response-remediation-runbooks.template" ] ] } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "PlaybookMemberStackAFSBP": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/AFSBPMemberStack.template" ] ] } }, "DependsOn": [ "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadAFSBPCond" }, "PlaybookMemberStackAFSBP1": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/AFSBPMemberStack1.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackAFSBP137036A57", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadAFSBP1Cond" }, "PlaybookMemberStackCIS120": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/CIS120MemberStack.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackCIS120E08EFB8B", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadCIS120Cond" }, "PlaybookMemberStackCIS140": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/CIS140MemberStack.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackCIS1402A4735A6", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadCIS140Cond" }, "PlaybookMemberStackNIST80053": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/NIST80053MemberStack.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackNIST80053C3D22DE7", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadNIST80053Cond" }, "PlaybookMemberStackNIST800531": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/NIST80053MemberStack1.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackNIST8005311D6A30FD", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadNIST800531Cond" }, "PlaybookMemberStackPCI321": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/PCI321MemberStack.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackPCI3214A12B906", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadPCI321Cond" }, "PlaybookMemberStackCIS300": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/CIS300MemberStack.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackCIS300FA804242", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadCIS300Cond" }, "PlaybookMemberStackSC": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/SCMemberStack.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackSC0515DB36", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadSCCond" }, "PlaybookMemberStackSC1": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "WaitProviderServiceToken": { "Fn::GetAtt": [ "WaitProviderFunction3D90ED36", "Arn" ] }, "Namespace": { "Ref": "Namespace" } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/playbooks/SCMemberStack1.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGatePlaybookMemberStackSC1042EDDD9", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "loadSC1Cond" }, "MemberCloudTrailNestedStackMemberCloudTrailNestedStackResource2ED3A9F6": { "Type": "AWS::CloudFormation::Stack", "Properties": { "Parameters": { "CloudTrailLogGroupName": "/aws/lambda/SO0111-ASR-CloudTrailEvents", "Namespace": { "Ref": "Namespace" }, "LogWriterRoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "SecHubAdminAccount" }, ":role/CrossAccountLogWriterRole" ] ] } }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "S3Bucket" ] }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "NestedStackFactorySourceCodeA11A36A7", "General", "KeyPrefix" ] }, "/automated-security-response-member-cloudtrail.template" ] ] } }, "DependsOn": [ "NestedStackFactoryGateMemberCloudTrailStackD769B835", "RunbookStackNoRoles" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Condition": "CloudTrailCondition" }, "ASRLambdaLayerDAD507E4": { "Type": "AWS::Lambda::LayerVersion", "Properties": { "CompatibleRuntimes": [ "python3.11" ], "Content": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.6/lambda/layer-b0988aef.zip" }, "Description": "SO0111 ASR Common functions used by the solution", "LicenseInfo": "https://www.apache.org/licenses/LICENSE-2.0" } }, "MetricResourcesMetricResourcesRoleC49ABA6D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*:log-stream:*" ] ] } }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", "ssm:DeleteParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "securityhub:DescribeSecurityHubV2", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "LambdaPolicy" } ], "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK", "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "MetricResourcesASRDeploymentCustomResourceLambda02CE6550": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Join": [ "", [ "solutions-", { "Ref": "AWS::Region" } ] ] }, "S3Key": "automated-security-response-on-aws/v3.1.6/lambda/deployment_metrics_custom_resource-ce1a21cd.zip" }, "Description": "ASR - Handles deployment related custom actions", "Environment": { "Variables": { "LOG_LEVEL": "INFO", "AWS_PARTITION": { "Ref": "AWS::Partition" }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v3.1.6", "POWERTOOLS_SERVICE_NAME": "deployment_metrics_custom_resource", "POWERTOOLS_LOG_LEVEL": "INFO", "POWERTOOLS_LOGGER_LOG_EVENT": "false", "POWERTOOLS_TRACER_CAPTURE_RESPONSE": "true", "POWERTOOLS_TRACER_CAPTURE_ERROR": "true", "AWS_ACCOUNT_ID": { "Ref": "AWS::AccountId" }, "STACK_ID": { "Ref": "AWS::StackId" } } }, "Handler": "deployment_metrics_custom_resource.lambda_handler", "Layers": [ { "Ref": "ASRLambdaLayerDAD507E4" } ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "MetricResourcesMetricResourcesRoleC49ABA6D", "Arn" ] }, "Runtime": "python3.11", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ], "Timeout": 5 }, "DependsOn": [ "MetricResourcesMetricResourcesRoleC49ABA6D" ], "Metadata": { "guard": { "SuppressedRules": [ "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK" ] } } }, "MetricResourcesASRDeploymentMetricsCustomResource0940D9B2": { "Type": "Custom::DeploymentMetrics", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "MetricResourcesASRDeploymentCustomResourceLambda02CE6550", "Arn" ] }, "StackParameters": { "SecHubAdminAccount": { "Ref": "SecHubAdminAccount" }, "Namespace": { "Ref": "Namespace" }, "EnableCloudTrailForASRActionLog": { "Ref": "EnableCloudTrailForASRActionLog" }, "CreateS3BucketForRedshiftAuditLogging": { "Ref": "CreateS3BucketForRedshiftAuditLogging" }, "LogGroupName": { "Ref": "LogGroupName" }, "LoadAFSBPMemberStack": { "Ref": "LoadAFSBPMemberStack" }, "LoadCIS120MemberStack": { "Ref": "LoadCIS120MemberStack" }, "LoadCIS140MemberStack": { "Ref": "LoadCIS140MemberStack" }, "LoadNIST80053MemberStack": { "Ref": "LoadNIST80053MemberStack" }, "LoadPCI321MemberStack": { "Ref": "LoadPCI321MemberStack" }, "LoadCIS300MemberStack": { "Ref": "LoadCIS300MemberStack" }, "LoadSCMemberStack": { "Ref": "LoadSCMemberStack" } }, "Timestamp": "1779298068332" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" } }, "Mappings": { "NestedStackFactorySourceCodeA11A36A7": { "General": { "S3Bucket": "solutions", "KeyPrefix": "automated-security-response-on-aws/v3.1.6" } }, "SourceCode": { "General": { "S3Bucket": "solutions", "KeyPrefix": "automated-security-response-on-aws/v3.1.6" } } } }