Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat/use security hub severity levels #41

Merged
merged 17 commits into from
May 30, 2024
Merged

Feat/use security hub severity levels #41

merged 17 commits into from
May 30, 2024

Conversation

bensonce
Copy link
Contributor

@bensonce bensonce commented May 23, 2024
edited
Loading

Currently, new Config Rules are added with a Medium severity by default because AWS doesn't set severity levels for the rules themselves. However, AWS Security Hub does maintain a list of security controls and standards that reference Config Rules, and that list does include severity levels for the corresponding rules. It's possible that setting a rule severity to Medium by default masks the suggested severity set by the Security Hub controls.

This PR scrapes the Security Hub controls references and matches the severities to the appropriate rules. A new list of rules and severities is generated when the automation is run so any severities set manually are overwritten. The changes here are a result of running the updated scripts.

@bensonce bensonce self-assigned this May 23, 2024
@bensonce bensonce added the enhancement New feature or request label May 23, 2024
@bensonce bensonce marked this pull request as ready for review May 24, 2024 10:30
@bensonce bensonce requested review from duraikkannuv2 and yangx17 May 24, 2024 10:30
bensonce added 15 commits May 24, 2024 07:47
@bensonce
Get changes, run tflint and terraform fmt, and only commit if changes…
db0fcdc 
… are detected
@bensonce
Changes to update-rules workflow
28ec90b
@bensonce
Changes to the updates-rules workflow
4d2ff5e
@bensonce
Changes to update-rules workflow
44ed66d
@bensonce
More workflow changes
ef337c0
@bensonce
Revert changes for testing
682e599
@bensonce
Fixed an issue where the incorrect rule identifier was returned when …
5575958 
…the config rule name and its identifier didn't match. This is necessary because the Security Hub controls use the rule name, not its identifier, in the documentation.
@bensonce
Fixed an issue where the severity levels were being set incorrectly f…
5390b4c 
…or some rules
@bensonce
Pass output file path as argument when generating config rule data
79d279e
@bensonce
Add functionality for loading both YAML and JSON source files
d6a0653
@bensonce
Pass path as argument when running 'terraform fmt', add logging
56e6c70
@bensonce
Add functionality for setting severity level overrides per rule. Thes…
f40ef4b 
…e overrides replace severities set by Security Hub and are maintained manually.
@bensonce
Set custom severity levels for rules based on research and suggestion…
51258c1 
…gs from internal teams
@bensonce
Merge branch 'main' into feat/use-security-hub-severity-levels
b028f38
@bensonce
Apply severity overrides to the latest list of Config Rules
d8ba8ea
yangx17
yangx17 approved these changes May 30, 2024
View reviewed changes
Copy link
Contributor

@yangx17 yangx17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks a lot for your great work!

@bensonce bensonce merged commit 13c7ed6 into main May 30, 2024
5 checks passed
@bensonce bensonce deleted the feat/use-security-hub-severity-levels branch May 30, 2024 18:21
@bensonce bensonce mentioned this pull request May 30, 2024
Closed
@bensonce bensonce added the ci Improvement or fix for CI label May 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yangx17 yangx17 yangx17 approved these changes

@duraikkannuv2 duraikkannuv2 Awaiting requested review from duraikkannuv2

Assignees

@bensonce bensonce

Labels
ci Improvement or fix for CI enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bensonce @yangx17