fix(core): Fixing SSM-Document-Share (#666)

* Fixing SSM Document share and other issues

- Fixing number of accountIds passing to ssm modify-document-permission
- Fixing number of accounts passing to GuardDuty createMembers, updateMembers and deleteMembers
- Adding security-hub-excl-regions and not enabling security hub in those regions

* Enable SecurityHub based on sucurity-hub flag

* Fixing pageSize for guardDuty and SSM Document share

Author: naveenkoppula

src/deployments/cdk/src/deployments/security-hub/step-1.ts

@@ -12,9 +12,20 @@ export interface SecurityHubStep1Props {
   outputs: StackOutput[];
 }
 
+/**
+ *
+ * @param props
+ * @returns
+ *
+ * Enables SecurityHub in Audit Account also send invites
+ * to sub accounts in all regions excluding security-hub-excl-regions
+ */
 export async function step1(props: SecurityHubStep1Props) {
   const { accounts, accountStacks, config, outputs } = props;
   const globalOptions = config['global-options'];
+  if (!globalOptions['central-security-services']['security-hub']) {
+    return;
+  }
   const regions = globalOptions['supported-regions'];
   const securityAccountKey = config.getMandatoryAccountKey('central-security');
   const securityMasterAccount = accounts.find(a => a.key === securityAccountKey);
@@ -36,7 +47,12 @@ export async function step1(props: SecurityHubStep1Props) {
     return;
   }
 
+  const securityHubExclRegions = globalOptions['central-security-services']['security-hub-excl-regions'] || [];
   for (const region of regions) {
+    if (securityHubExclRegions.includes(region)) {
+      console.info(`Security Hub is disabled in region "${region}" based on global-options/security-hub-excl-regions'`);
+      continue;
+    }
     const securityMasterAccountStack = accountStacks.tryGetOrCreateAccountStack(securityAccountKey, region);
     if (!securityMasterAccountStack) {
       console.warn(`Cannot find security stack in region ${region}`);

src/deployments/cdk/src/deployments/security-hub/step-2.ts

@@ -11,10 +11,17 @@ export interface SecurityHubStep2Props {
   accountStacks: AccountStacks;
   outputs: StackOutput[];
 }
-
+/**
+ *
+ * @param props
+ * Accept invites in sub accounts in all regions excluding security-hub-excl-regions
+ */
 export async function step2(props: SecurityHubStep2Props) {
   const { accounts, accountStacks, config, outputs } = props;
   const globalOptions = config['global-options'];
+  if (!globalOptions['central-security-services']['security-hub']) {
+    return;
+  }
   const regions = globalOptions['supported-regions'];
   const securityAccountKey = config.getMandatoryAccountKey('central-security');
   const securityMasterAccount = accounts.find(a => a.key === securityAccountKey);
@@ -33,7 +40,14 @@ export async function step2(props: SecurityHubStep2Props) {
       continue;
     }
 
+    const securityHubExclRegions = globalOptions['central-security-services']['security-hub-excl-regions'] || [];
     for (const region of regions) {
+      if (securityHubExclRegions.includes(region)) {
+        console.info(
+          `Security Hub is disabled in region "${region}" based on global-options/security-hub-excl-regions'`,
+        );
+        continue;
+      }
       const memberAccountStack = accountStacks.tryGetOrCreateAccountStack(account.key, region);
       if (!memberAccountStack) {
         console.warn(`Cannot find account stack ${account.key} in region ${region}`);

src/deployments/cdk/src/deployments/security-hub/step-3.ts

@@ -11,12 +11,19 @@ export interface SecurityHubStep3Props {
   accountStacks: AccountStacks;
   outputs: StackOutput[];
 }
-
+/**
+ *
+ * @param props
+ * Disable SecurityHub Controls in all accounts all regions excluding security-hub-excl-regions
+ * Disable based on "global-options/security-hub-frameworks/standards/[*]/controls-to-disable"
+ */
 export async function step3(props: SecurityHubStep3Props) {
   const { accounts, accountStacks, config, outputs } = props;
   const globalOptions = config['global-options'];
+  if (!globalOptions['central-security-services']['security-hub']) {
+    return;
+  }
   const regions = globalOptions['supported-regions'];
-
   for (const account of accounts) {
     const securityHubRoleOutput = IamRoleOutputFinder.tryFindOneByName({
       outputs,
@@ -27,7 +34,14 @@ export async function step3(props: SecurityHubStep3Props) {
       continue;
     }
 
+    const securityHubExclRegions = globalOptions['central-security-services']['security-hub-excl-regions'] || [];
     for (const region of regions) {
+      if (securityHubExclRegions.includes(region)) {
+        console.info(
+          `Security Hub is disabled in region "${region}" based on global-options/security-hub-excl-regions'`,
+        );
+        continue;
+      }
       const accountStack = accountStacks.tryGetOrCreateAccountStack(account.key, region);
       if (!accountStack) {
         console.warn(`Cannot find account stack ${account.key} in region ${region}`);

src/lib/common-config/src/index.ts

@@ -679,6 +679,7 @@ export const CentralServicesConfigType = t.interface({
   account: NonEmptyString,
   region: NonEmptyString,
   'security-hub': fromNullable(t.boolean, false),
+  'security-hub-excl-regions': optional(t.array(t.string)),
   guardduty: fromNullable(t.boolean, false),
   'guardduty-excl-regions': optional(t.array(t.string)),
   'guardduty-s3': fromNullable(t.boolean, false),

src/lib/custom-resources/cdk-cfn-utils/cdk/index.ts

@@ -27,3 +27,7 @@ export const isThrottlingError = (e: any) =>
 export async function delay(ms: number) {
   return new Promise((resolve, reject) => setTimeout(resolve, ms));
 }
+
+export function paginate<T>(input: T[], pageNumber: number, pageSize: number): T[] {
+  return input.slice((pageNumber - 1) * pageSize, pageNumber * pageSize);
+}

src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts

@@ -7,11 +7,14 @@ import {
   CloudFormationCustomResourceDeleteEvent,
 } from 'aws-lambda';
 import { errorHandler } from '@aws-accelerator/custom-resource-runtime-cfn-response';
-import { throttlingBackOff } from '@aws-accelerator/custom-resource-cfn-utils';
+import { throttlingBackOff, paginate } from '@aws-accelerator/custom-resource-cfn-utils';
 
 const physicalResourceId = 'GaurdDutyDeligatedAdminAccountSetup';
 const guardduty = new AWS.GuardDuty();
 
+// Guardduty CreateMembers, UpdateMembers and DeleteMembers apis only supports max 50 accounts per request
+const pageSize = 50;
+
 export interface AccountDetail {
   AccountId: string;
   Email: string;
@@ -95,15 +98,20 @@ async function getDetectorId(): Promise<string | undefined> {
 // Step 2 of https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
 async function createMembers(memberAccounts: AccountDetail[], detectorId: string) {
   try {
-    console.log(`Calling api "guardduty.createMembers()", ${memberAccounts}, ${detectorId}`);
-    await throttlingBackOff(() =>
-      guardduty
-        .createMembers({
-          AccountDetails: memberAccounts,
-          DetectorId: detectorId,
-        })
-        .promise(),
-    );
+    let pageNumber = 1;
+    let currentAccounts: AccountDetail[] = paginate(memberAccounts, pageNumber, pageSize);
+    while (currentAccounts.length > 0) {
+      console.log(`Calling api "guardduty.createMembers()", ${currentAccounts}, ${detectorId}`);
+      await throttlingBackOff(() =>
+        guardduty
+          .createMembers({
+            AccountDetails: currentAccounts,
+            DetectorId: detectorId,
+          })
+          .promise(),
+      );
+      currentAccounts = paginate(memberAccounts, ++pageNumber, pageSize);
+    }
   } catch (error) {
     console.error(
       `Error Occurred while creating members in Delegator Account of GuardDuty ${error.code}: ${error.message}`,
@@ -160,22 +168,27 @@ async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorI
     return;
   }
   try {
-    console.log(
-      `Calling api "guardduty.updateMemberDetectors()", ${memberAccounts}, ${detectorId} to disable S3Protection`,
-    );
-    await throttlingBackOff(() =>
-      guardduty
-        .updateMemberDetectors({
-          AccountIds: memberAccounts.map(acc => acc.AccountId),
-          DetectorId: detectorId,
-          DataSources: {
-            S3Logs: {
-              Enable: false,
+    let pageNumber = 1;
+    let currentAccounts: AccountDetail[] = paginate(memberAccounts, pageNumber, pageSize);
+    while (currentAccounts.length > 0) {
+      console.log(
+        `Calling api "guardduty.updateMemberDetectors()", ${currentAccounts}, ${detectorId} to disable S3Protection`,
+      );
+      await throttlingBackOff(() =>
+        guardduty
+          .updateMemberDetectors({
+            AccountIds: currentAccounts.map(acc => acc.AccountId),
+            DetectorId: detectorId,
+            DataSources: {
+              S3Logs: {
+                Enable: false,
+              },
             },
-          },
-        })
-        .promise(),
-    );
+          })
+          .promise(),
+      );
+      currentAccounts = paginate(memberAccounts, ++pageNumber, pageSize);
+    }
   } catch (error) {
     console.error(`Error Occurred while updateMemberDetectors of GuardDuty ${error.code}: ${error.message}`);
     throw error;
@@ -204,15 +217,20 @@ async function updateS3Protection(detectorId: string, s3Protection: boolean) {
 
 async function deleteMembers(memberAccounts: AccountDetail[], detectorId: string) {
   try {
-    console.log(`Calling api "guardduty.createMembers()", ${memberAccounts}, ${detectorId}`);
-    await throttlingBackOff(() =>
-      guardduty
-        .deleteMembers({
-          DetectorId: detectorId,
-          AccountIds: memberAccounts.map(acc => acc.AccountId),
-        })
-        .promise(),
-    );
+    let pageNumber = 1;
+    let currentAccounts: AccountDetail[] = paginate(memberAccounts, pageNumber, pageSize);
+    while (currentAccounts.length > 0) {
+      console.log(`Calling api "guardduty.createMembers()", ${currentAccounts}, ${detectorId}`);
+      await throttlingBackOff(() =>
+        guardduty
+          .deleteMembers({
+            DetectorId: detectorId,
+            AccountIds: currentAccounts.map(acc => acc.AccountId),
+          })
+          .promise(),
+      );
+      currentAccounts = paginate(memberAccounts, ++pageNumber, pageSize);
+    }
   } catch (error) {
     console.error(
       `Error Occurred while creating members in Delegator Account of GuardDuty ${error.code}: ${error.message}`,

src/lib/custom-resources/cdk-ssm-document-share/runtime/src/index.ts

@@ -7,13 +7,15 @@ import {
   CloudFormationCustomResourceUpdateEvent,
 } from 'aws-lambda';
 import { errorHandler } from '@aws-accelerator/custom-resource-runtime-cfn-response';
-import { throttlingBackOff } from '@aws-accelerator/custom-resource-cfn-utils';
+import { throttlingBackOff, paginate } from '@aws-accelerator/custom-resource-cfn-utils';
 
 export interface HandlerProperties {
   name: string;
   accountIds: string[];
 }
 
+// SSM modifyDocumentPermission api only supports max 20 accounts per request
+const pageSize = 20;
 const ssm = new AWS.SSM();
 
 export const handler = errorHandler(onEvent);
@@ -35,15 +37,21 @@ async function onEvent(event: CloudFormationCustomResourceEvent) {
 
 async function onCreate(event: CloudFormationCustomResourceCreateEvent) {
   const { accountIds, name } = (event.ResourceProperties as unknown) as HandlerProperties;
-  await throttlingBackOff(() =>
-    ssm
-      .modifyDocumentPermission({
-        Name: name,
-        PermissionType: 'Share',
-        AccountIdsToAdd: accountIds,
-      })
-      .promise(),
-  );
+  let pageNumber = 1;
+  let currentAccountIds: string[] = paginate(accountIds, pageNumber, pageSize);
+  while (currentAccountIds.length > 0) {
+    await throttlingBackOff(() =>
+      ssm
+        .modifyDocumentPermission({
+          Name: name,
+          PermissionType: 'Share',
+          AccountIdsToAdd: currentAccountIds,
+        })
+        .promise(),
+    );
+    currentAccountIds = paginate(accountIds, ++pageNumber, pageSize);
+  }
+
   return {
     physicalResourceId: `SSMDocumentShare-${name}`,
   };
@@ -58,27 +66,37 @@ async function onUpdate(event: CloudFormationCustomResourceUpdateEvent) {
   const unShareAccounts = oldProperties.accountIds.filter(accountId => !accountIds.includes(accountId));
 
   if (shareAccounts.length > 0) {
-    await throttlingBackOff(() =>
-      ssm
-        .modifyDocumentPermission({
-          Name: name,
-          PermissionType: 'Share',
-          AccountIdsToAdd: shareAccounts,
-        })
-        .promise(),
-    );
+    let pageNumber = 1;
+    let currentAccountIds: string[] = paginate(shareAccounts, pageNumber, pageSize);
+    while (currentAccountIds.length > 0) {
+      await throttlingBackOff(() =>
+        ssm
+          .modifyDocumentPermission({
+            Name: name,
+            PermissionType: 'Share',
+            AccountIdsToAdd: currentAccountIds,
+          })
+          .promise(),
+      );
+      currentAccountIds = paginate(shareAccounts, ++pageNumber, pageSize);
+    }
   }
 
   if (unShareAccounts.length > 0) {
-    await throttlingBackOff(() =>
-      ssm
-        .modifyDocumentPermission({
-          Name: name,
-          PermissionType: 'Share',
-          AccountIdsToRemove: unShareAccounts,
-        })
-        .promise(),
-    );
+    let pageNumber = 1;
+    let currentAccountIds: string[] = paginate(unShareAccounts, pageNumber, pageSize);
+    while (currentAccountIds.length > 0) {
+      await throttlingBackOff(() =>
+        ssm
+          .modifyDocumentPermission({
+            Name: name,
+            PermissionType: 'Share',
+            AccountIdsToRemove: currentAccountIds,
+          })
+          .promise(),
+      );
+      currentAccountIds = paginate(unShareAccounts, ++pageNumber, pageSize);
+    }
   }
 
   return {
@@ -96,15 +114,20 @@ async function onDelete(event: CloudFormationCustomResourceDeleteEvent) {
     };
   }
   try {
-    await throttlingBackOff(() =>
-      ssm
-        .modifyDocumentPermission({
-          Name: name,
-          PermissionType: 'Share',
-          AccountIdsToRemove: accountIds,
-        })
-        .promise(),
-    );
+    let pageNumber = 1;
+    let currentAccountIds: string[] = paginate(accountIds, pageNumber, pageSize);
+    while (currentAccountIds.length > 0) {
+      await throttlingBackOff(() =>
+        ssm
+          .modifyDocumentPermission({
+            Name: name,
+            PermissionType: 'Share',
+            AccountIdsToRemove: currentAccountIds,
+          })
+          .promise(),
+      );
+      currentAccountIds = paginate(accountIds, ++pageNumber, pageSize);
+    }
   } catch (error) {
     console.warn(error);
   }