feat(core): Config Rules Remediation (#536)

* feat(core): Config Rules Remediation

* Adding remediation for S3PutEncryption with KMS Key Alias

* Prettier

* Updating configuration for "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" Config rule

Author: naveenkoppula

reference-artifacts/config.example.json

@@ -491,6 +491,11 @@
             "name": "SSM-ELB-Enable-Logging",
             "description": "Calls the AWS CLI to enable access logs on a specified ELB.",
             "template": "ssm-elb-enable-logging.yaml"
+          },
+          {
+            "name": "Put-S3-Encryption",
+            "description": "Enables S3 encryption using KMS",
+            "template": "s3-encryption.yaml"
           }
         ]
       }
@@ -515,6 +520,14 @@
               "LoadBalancerArn": "RESOURCE_ID",
               "LogDestination": "${SEA::LogArchiveAesBucket}"
             }
+          },
+          {
+            "name": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
+            "remediation-action": "Put-S3-Encryption",
+            "remediation-params": {
+              "BucketName": "RESOURCE_ID",
+              "KMSMasterKey": "${SEA::S3BucketEncryptionKey}"
+            }
           }
         ]
       }
@@ -1658,13 +1671,13 @@
         {
           "account": "operations",
           "regions": ["ca-central-1"],
-          "documents": ["SSM-ELB-Enable-Logging"]
+          "documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption"]
         }
       ],
       "aws-config": [
         {
           "excl-regions": [],
-          "rules": ["ELB_LOGGING_ENABLED"],
+          "rules": ["ELB_LOGGING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"],
           "remediate-regions": ["ca-central-1"]
         }
       ]
@@ -2118,13 +2131,13 @@
         {
           "account": "operations",
           "regions": ["ca-central-1"],
-          "documents": ["SSM-ELB-Enable-Logging"]
+          "documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption"]
         }
       ],
       "aws-config": [
         {
           "excl-regions": [],
-          "rules": ["ELB_LOGGING_ENABLED"],
+          "rules": ["ELB_LOGGING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"],
           "remediate-regions": ["ca-central-1"]
         }
       ]
@@ -2605,13 +2618,13 @@
         {
           "account": "operations",
           "regions": ["ca-central-1"],
-          "documents": ["SSM-ELB-Enable-Logging"]
+          "documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption"]
         }
       ],
       "aws-config": [
         {
           "excl-regions": [],
-          "rules": ["ELB_LOGGING_ENABLED"],
+          "rules": ["ELB_LOGGING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"],
           "remediate-regions": ["ca-central-1"]
         }
       ]
@@ -3092,13 +3105,13 @@
         {
           "account": "operations",
           "regions": ["ca-central-1"],
-          "documents": ["SSM-ELB-Enable-Logging"]
+          "documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption"]
         }
       ],
       "aws-config": [
         {
           "excl-regions": [],
-          "rules": ["ELB_LOGGING_ENABLED"],
+          "rules": ["ELB_LOGGING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"],
           "remediate-regions": ["ca-central-1"]
         }
       ]
@@ -3579,13 +3592,13 @@
         {
           "account": "operations",
           "regions": ["ca-central-1"],
-          "documents": ["SSM-ELB-Enable-Logging"]
+          "documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption"]
         }
       ],
       "aws-config": [
         {
           "excl-regions": [],
-          "rules": ["ELB_LOGGING_ENABLED"],
+          "rules": ["ELB_LOGGING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"],
           "remediate-regions": ["ca-central-1"]
         }
       ]
@@ -4033,13 +4046,13 @@
         {
           "account": "operations",
           "regions": ["ca-central-1"],
-          "documents": ["SSM-ELB-Enable-Logging"]
+          "documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption"]
         }
       ],
       "aws-config": [
         {
           "excl-regions": [],
-          "rules": ["ELB_LOGGING_ENABLED"],
+          "rules": ["ELB_LOGGING_ENABLED", "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"],
           "remediate-regions": ["ca-central-1"]
         }
       ]

reference-artifacts/ssm-documents/s3-encryption.yaml

@@ -0,0 +1,28 @@
+description: Enables Encryption on S3 Bucket
+schemaVersion: "0.3"
+assumeRole: "{{ AutomationAssumeRole }}"
+parameters:
+  BucketName:
+    type: String
+    description: (Required) The name of the S3 Bucket whose content will be encrypted.
+  KMSMasterKey:
+    type: String
+    description: (Optional) AWS Key Management Service (KMS) customer master key ARN to use for the default encryption.
+  AutomationAssumeRole:
+    type: String
+    description: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf.
+    default: ""
+mainSteps:
+- name: PutBucketEncryption
+  action: aws:executeAwsApi
+  inputs:
+    Service: s3
+    Api:  PutBucketEncryption
+    Bucket: "{{BucketName}}"
+    ServerSideEncryptionConfiguration:
+        Rules:
+        -
+          ApplyServerSideEncryptionByDefault:
+            SSEAlgorithm: "aws:kms"
+            KMSMasterKeyID: "{{KMSMasterKey}}"
+  isEnd: true

src/deployments/cdk/src/apps/phase-3.ts

@@ -130,11 +130,10 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
 
   await awsConfig.createRule({
     acceleratorExecutionRoleName: context.acceleratorExecutionRoleName,
-    centralAccountId: '',
-    centralBucketName: centralBucket.bucketName,
     config: acceleratorConfig,
     accountStacks,
     accounts,
     outputs,
+    defaultRegion: context.defaultRegion,
   });
 }

src/deployments/cdk/src/deployments/config/create.ts

@@ -5,32 +5,24 @@ import { createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerato
 import * as awsConfig from '@aws-cdk/aws-config';
 import { Account, getAccountId } from '../../utils/accounts';
 import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
-import { LogBucketOutput } from '../defaults/outputs';
+import { LogBucketOutput, AccountBucketOutputFinder } from '../defaults/outputs';
 
 export interface CreateRuleProps {
   acceleratorExecutionRoleName: string;
-  centralBucketName: string;
-  centralAccountId: string;
   config: c.AcceleratorConfig;
   accountStacks: AccountStacks;
   accounts: Account[];
   outputs: StackOutput[];
+  defaultRegion: string;
 }
 
 export async function createRule(props: CreateRuleProps) {
-  const {
-    acceleratorExecutionRoleName,
-    config,
-    centralAccountId,
-    centralBucketName,
-    accountStacks,
-    accounts,
-    outputs,
-  } = props;
+  const { acceleratorExecutionRoleName, config, accountStacks, accounts, outputs, defaultRegion } = props;
   const awsConfigConf = config['global-options']['aws-config'];
   if (!awsConfigConf) {
     return;
   }
+
   const configRules = awsConfigConf['managed-rules'].rules;
   const configRuleDefaults = awsConfigConf['managed-rules'].defaults;
 
@@ -82,6 +74,8 @@ export async function createRule(props: CreateRuleProps) {
               ruleParams: awsConfigRule.parameters,
               config,
               outputs,
+              accountKey,
+              defaultRegion,
             });
             const configRule = new awsConfig.ManagedRule(accountStack, `ConfigRule-${ruleName}`, {
               identifier: ruleName,
@@ -126,8 +120,12 @@ export async function createRule(props: CreateRuleProps) {
                     accounts,
                     ssmDocInOu.account,
                   )}:document/${remediationActionName}`;
+                } else if (config['global-options']['default-ssm-documents'].includes(remediationAction)) {
+                  targetId = remediationAction;
                 } else {
-                  console.warn(`No Remediation is Created in account "${accountKey}" and region "${region}"`);
+                  console.warn(
+                    `No Remediation "${remediationAction}"is Created in account "${accountKey}" and region "${region}"`,
+                  );
                   continue;
                 }
               }
@@ -147,6 +145,8 @@ export async function createRule(props: CreateRuleProps) {
               remediationParams: awsConfigRule['remediation-params'],
               roleName: acceleratorExecutionRoleName,
               config,
+              accountKey,
+              defaultRegion,
             });
 
             new awsConfig.CfnRemediationConfiguration(accountStack, `ConfigRuleRemediation-${ruleName}`, {
@@ -181,19 +181,18 @@ export function getRemediationParameters(params: {
   roleName: string;
   outputs: StackOutput[];
   config: c.AcceleratorConfig;
+  accountKey: string;
+  defaultRegion: string;
 }): RemediationParameters {
   const reutrnParams: RemediationParameters = {};
-  const { outputs, remediationParams, roleName, config } = params;
-  if (!remediationParams.AutomationAssumeRole) {
-    reutrnParams.AutomationAssumeRole = {
-      StaticValue: {
-        Values: [`arn:aws:iam::${cdk.Aws.ACCOUNT_ID}:role/${roleName}`],
-      },
-    };
-  }
+  const { outputs, remediationParams, roleName, config, accountKey, defaultRegion } = params;
+  reutrnParams.AutomationAssumeRole = {
+    StaticValue: {
+      Values: [`arn:aws:iam::${cdk.Aws.ACCOUNT_ID}:role/${remediationParams.AutomationAssumeRole || roleName}`],
+    },
+  };
 
   Object.keys(remediationParams).map(key => {
-    console.log(remediationParams[key], remediationParams[key].startsWith('${SEA::'));
     if (remediationParams[key] === 'RESOURCE_ID') {
       reutrnParams[key] = {
         ResourceValue: {
@@ -212,11 +211,19 @@ export function getRemediationParameters(params: {
           const replaceKey = remediationParams[key].match('{SEA::(.*)}')?.[1]!;
           reutrnParams[key] = {
             StaticValue: {
-              Values: [getParameterValue(replaceKey, outputs, config)],
+              Values: [
+                getParameterValue({
+                  paramKey: replaceKey,
+                  outputs,
+                  config,
+                  accountKey,
+                  defaultRegion,
+                }),
+              ],
             },
           };
         } else {
-          reutrnParams.AutomationAssumeRole = {
+          reutrnParams[key] = {
             StaticValue: {
               Values: [remediationParams[key]],
             },
@@ -232,23 +239,46 @@ export function getConfigRuleParameters(params: {
   ruleParams: { [key: string]: string };
   outputs: StackOutput[];
   config: c.AcceleratorConfig;
+  accountKey: string;
+  defaultRegion: string;
 }): { [key: string]: string } {
-  const { config, outputs, ruleParams } = params;
+  const { config, outputs, ruleParams, accountKey, defaultRegion } = params;
   Object.keys(ruleParams).map(key => {
     if (ruleParams[key].startsWith('${SEA::')) {
       const replaceKey = ruleParams[key].match('{SEA::(.*)}')?.[1]!;
-      ruleParams[key] = getParameterValue(replaceKey, outputs, config);
+      ruleParams[key] = getParameterValue({
+        paramKey: replaceKey,
+        outputs,
+        config,
+        accountKey,
+        defaultRegion,
+      });
     }
   });
   return ruleParams;
 }
 
-export function getParameterValue(input: string, outputs: StackOutput[], config: c.AcceleratorConfig): string {
-  if (input === 'LogArchiveAesBucket') {
+export function getParameterValue(props: {
+  paramKey: string;
+  outputs: StackOutput[];
+  config: c.AcceleratorConfig;
+  accountKey: string;
+  defaultRegion: string;
+}): string {
+  const { accountKey, config, outputs, paramKey, defaultRegion } = props;
+  if (paramKey === 'LogArchiveAesBucket') {
     return LogBucketOutput.getBucketDetails({
       config,
       outputs,
     }).name;
   }
+  if (paramKey === 'S3BucketEncryptionKey') {
+    const accountBucket = AccountBucketOutputFinder.tryFindOne({
+      outputs,
+      accountKey,
+      region: defaultRegion,
+    });
+    return `arn:aws:kms:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:alias/${accountBucket?.encryptionKeyName}`;
+  }
   return '';
 }