fix(core): Updating Security Hub Standards based on Configuration file (#526)

* fix(core): enables disabling security hub frameworks and re-enabling individual controls within the frameworks
* fix(core): Disable/Enable SecurityHub Controls based on Config

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

Author: naveenkoppula

src/deployments/cdk/src/apps/phase-2.ts

@@ -219,7 +219,8 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     }
   }
 
-  // Deploy Security Hub Step-1
+  // Deploy Security Hub in Security Account
+  // Enables Security Hub, Standards and send invites to member accounts
   await securityHub.step1({
     accountStacks,
     accounts,

src/lib/custom-resources/cdk-security-hub-disable-controls/runtime/src/index.ts

@@ -1,13 +1,18 @@
 import * as AWS from 'aws-sdk';
 AWS.config.logger = console;
-import { CloudFormationCustomResourceEvent } from 'aws-lambda';
+import { CloudFormationCustomResourceEvent, CloudFormationCustomResourceUpdateEvent } from 'aws-lambda';
 import { throttlingBackOff } from '@aws-accelerator/custom-resource-cfn-utils';
 import { errorHandler } from '@aws-accelerator/custom-resource-runtime-cfn-response';
 
 const hub = new AWS.SecurityHub();
 
 export const handler = errorHandler(onEvent);
 
+interface SecurityHubStandard {
+  name: string;
+  'controls-to-disable': string[] | undefined;
+}
+
 async function onEvent(event: CloudFormationCustomResourceEvent) {
   console.log(`Disable Security Hub Standards specific controls...`);
   console.log(JSON.stringify(event, null, 2));
@@ -62,10 +67,77 @@ async function onCreate(event: CloudFormationCustomResourceEvent) {
       );
     }
   }
+
+  return {
+    physicalResourceId: `SecurityHubEnableControls`,
+  };
 }
 
-async function onUpdate(event: CloudFormationCustomResourceEvent) {
-  return onCreate(event);
+async function onUpdate(event: CloudFormationCustomResourceUpdateEvent) {
+  const standards = event.ResourceProperties.standards as SecurityHubStandard[];
+  const oldStandards = event.OldResourceProperties.standards as SecurityHubStandard[];
+  const standardNames = standards.map(st => st.name);
+
+  const standardsResponse = await throttlingBackOff(() => hub.describeStandards().promise());
+  const enabledStandardsResponse = await throttlingBackOff(() => hub.getEnabledStandards().promise());
+  // Getting standards and disabling specific Controls for each standard
+  for (const standard of standards) {
+    const standardArn = standardsResponse.Standards?.find(x => x.Name === standard.name)?.StandardsArn;
+    const standardSubscriptionArn = enabledStandardsResponse.StandardsSubscriptions?.find(
+      s => s.StandardsArn === standardArn,
+    )?.StandardsSubscriptionArn;
+
+    const standardControls = await throttlingBackOff(() =>
+      hub
+        .describeStandardsControls({
+          StandardsSubscriptionArn: standardSubscriptionArn!,
+          MaxResults: 100,
+        })
+        .promise(),
+    );
+    for (const disableControl of standard['controls-to-disable'] || []) {
+      const standardControl = standardControls.Controls?.find(x => x.ControlId === disableControl);
+      if (!standardControl) {
+        console.log(`Control "${disableControl}" not found for Standard "${standard.name}"`);
+        continue;
+      }
+
+      console.log(`Disabling Control "${disableControl}" for Standard "${standard.name}"`);
+      await throttlingBackOff(() =>
+        hub
+          .updateStandardsControl({
+            StandardsControlArn: standardControl.StandardsControlArn!,
+            ControlStatus: 'DISABLED',
+            DisabledReason: 'Control disabled by Accelerator',
+          })
+          .promise(),
+      );
+    }
+    const oldStandard = oldStandards.find(st => st.name === standard.name);
+    if (oldStandard) {
+      const enableControls = oldStandard['controls-to-disable']?.filter(
+        c => !standard['controls-to-disable']?.includes(c),
+      );
+      for (const enableControl of enableControls || []) {
+        const standardControl = standardControls.Controls?.find(x => x.ControlId === enableControl);
+        if (!standardControl) {
+          console.log(`Control "${enableControl}" not found for Standard "${standard.name}"`);
+          continue;
+        }
+        await throttlingBackOff(() =>
+          hub
+            .updateStandardsControl({
+              StandardsControlArn: standardControl.StandardsControlArn!,
+              ControlStatus: 'ENABLED',
+            })
+            .promise(),
+        );
+      }
+    }
+  }
+  return {
+    physicalResourceId: `SecurityHubEnableControls`,
+  };
 }
 
 async function onDelete(_: CloudFormationCustomResourceEvent) {

src/lib/custom-resources/cdk-security-hub-enable/runtime/src/index.ts

@@ -1,13 +1,23 @@
 import * as AWS from 'aws-sdk';
 AWS.config.logger = console;
-import { CloudFormationCustomResourceEvent } from 'aws-lambda';
+import {
+  CloudFormationCustomResourceDeleteEvent,
+  CloudFormationCustomResourceEvent,
+  CloudFormationCustomResourceUpdateEvent,
+} from 'aws-lambda';
 import { throttlingBackOff } from '@aws-accelerator/custom-resource-cfn-utils';
 import { errorHandler } from '@aws-accelerator/custom-resource-runtime-cfn-response';
+import { StandardsSubscriptionRequests } from 'aws-sdk/clients/securityhub';
 
 const hub = new AWS.SecurityHub();
 
 export const handler = errorHandler(onEvent);
 
+interface SecurityHubStandard {
+  name: string;
+  'controls-to-disable': string[] | undefined;
+}
+
 async function onEvent(event: CloudFormationCustomResourceEvent) {
   console.log(`Enabling Security Hub and Security Hub Standards...`);
   console.log(JSON.stringify(event, null, 2));
@@ -34,30 +44,108 @@ async function onCreate(event: CloudFormationCustomResourceEvent) {
     }
   }
 
-  const standards = event.ResourceProperties.standards;
+  const standards = event.ResourceProperties.standards as SecurityHubStandard[];
   const standardsResponse = await throttlingBackOff(() => hub.describeStandards().promise());
 
-  // Enable standards based on input
+  const standardRequests: StandardsSubscriptionRequests = [];
   for (const standard of standards) {
-    const standardArn = standardsResponse.Standards?.find(x => x.Name === standard.name)?.StandardsArn;
+    standardRequests.push({
+      StandardsArn: standardsResponse.Standards?.find(x => x.Name === standard.name)?.StandardsArn!,
+    });
+  }
+
+  await throttlingBackOff(() =>
+    hub
+      .batchEnableStandards({
+        StandardsSubscriptionRequests: standardRequests,
+      })
+      .promise(),
+  );
+
+  return {
+    physicalResourceId: `SecurityHubEnable`,
+  };
+}
+
+async function onUpdate(event: CloudFormationCustomResourceUpdateEvent) {
+  try {
+    await throttlingBackOff(() => hub.enableSecurityHub().promise());
+  } catch (error) {
+    if (error.code === 'ResourceConflictException') {
+      console.log('Account is already subscribed to Security Hub');
+    } else {
+      throw new Error(error);
+    }
+  }
+
+  const standardNames = (event.ResourceProperties.standards as SecurityHubStandard[]).map(st => st.name);
+  const standardsResponse = await throttlingBackOff(() => hub.describeStandards().promise());
+
+  const oldStandardNames = (event.OldResourceProperties.standards as SecurityHubStandard[]).map(st => st.name);
+
+  const removedStandards = oldStandardNames.filter(st => !standardNames.includes(st));
+
+  const standardRequests: StandardsSubscriptionRequests = [];
+  for (const standard of standardNames) {
+    standardRequests.push({
+      StandardsArn: standardsResponse.Standards?.find(x => x.Name === standard)?.StandardsArn!,
+    });
+  }
+
+  await throttlingBackOff(() =>
+    hub
+      .batchEnableStandards({
+        StandardsSubscriptionRequests: standardRequests,
+      })
+      .promise(),
+  );
+
+  // Disable standards based on change
+  if (removedStandards.length > 0) {
+    const getEnabledStandards = await throttlingBackOff(() => hub.getEnabledStandards().promise());
+    const enabledStandardArns = standardsResponse.Standards?.filter(st => removedStandards.includes(st.Name!)).map(
+      x => x.StandardsArn,
+    );
+    const enabledStandardSubscriptionsArns = getEnabledStandards.StandardsSubscriptions?.filter(st =>
+      enabledStandardArns?.includes(st.StandardsArn),
+    ).map(x => x.StandardsSubscriptionArn);
     await throttlingBackOff(() =>
       hub
-        .batchEnableStandards({
-          StandardsSubscriptionRequests: [
-            {
-              StandardsArn: standardArn!,
-            },
-          ],
+        .batchDisableStandards({
+          StandardsSubscriptionArns: enabledStandardSubscriptionsArns!,
         })
         .promise(),
     );
   }
-}
 
-async function onUpdate(event: CloudFormationCustomResourceEvent) {
-  return onCreate(event);
+  return {
+    physicalResourceId: `SecurityHubEnable`,
+  };
 }
 
-async function onDelete(_: CloudFormationCustomResourceEvent) {
-  console.log(`Nothing to do for delete...`);
+async function onDelete(event: CloudFormationCustomResourceDeleteEvent) {
+  if (event.PhysicalResourceId !== 'SecurityHubEnable') {
+    return;
+  }
+  const standardNames = (event.ResourceProperties.standards as SecurityHubStandard[]).map(st => st.name);
+
+  const allStandardsResponse = await throttlingBackOff(() => hub.describeStandards().promise());
+  // Disable standards based on change
+  if (standardNames.length > 0) {
+    const getEnabledStandards = await throttlingBackOff(() => hub.getEnabledStandards().promise());
+    const enabledStandardArns = allStandardsResponse.Standards?.filter(st => standardNames.includes(st.Name!)).map(
+      x => x.StandardsArn,
+    );
+    const enabledStandardSubscriptionsArns = getEnabledStandards.StandardsSubscriptions?.filter(st =>
+      enabledStandardArns?.includes(st.StandardsArn),
+    ).map(x => x.StandardsSubscriptionArn);
+
+    await throttlingBackOff(() =>
+      hub
+        .batchDisableStandards({
+          StandardsSubscriptionArns: enabledStandardSubscriptionsArns!,
+        })
+        .promise(),
+    );
+  }
 }