From 4dac3aab5537f3c1699c9aa36cd6efb3f5491be5 Mon Sep 17 00:00:00 2001 From: Marc Jay Date: Fri, 5 Jun 2020 12:55:53 +0100 Subject: [PATCH] Import Security Hub finding into the same region as the related resource Force the batch-import-findings AWS CLI call to be directed at the region the currently reporting resource is located in, as Security Hub enforces this requirement When checking that Security Hub is enabled, check for all regions that are in scope, e.g. all regions, unless '-f ' is used Fixes #618 --- include/outputs | 10 +++++----- include/securityhub_integration | 19 ++++++++++++------- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/include/outputs b/include/outputs index fd64fd8c..97f8c29b 100644 --- a/include/outputs +++ b/include/outputs @@ -27,13 +27,13 @@ TIMESTAMP=$(get_iso8601_timestamp) PROWLER_PARAMETERS=$@ # Ensure that output directory always exists when -M is used -if [[ $MODE ]];then +if [[ $MODE ]];then mkdir -p "${OUTPUT_DIR}" if [[ "${MODES[@]}" =~ "html" ]]; then addHtmlHeader > ${OUTPUT_FILE_NAME}.$EXTENSION_HTML HTML_REPORT_INIT="1" fi -fi +fi if [[ $PROFILE == "" ]];then PROFILE="ENV" @@ -60,7 +60,7 @@ textPass(){ JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "INFORMATIONAL") echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then - sendToSecurityHub "${JSON_ASFF_OUTPUT}" + sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}" fi fi if is_junit_output_enabled; then @@ -147,7 +147,7 @@ textFail(){ JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}" "HIGH") echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF} if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then - sendToSecurityHub "${JSON_ASFF_OUTPUT}" + sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}" fi fi if is_junit_output_enabled; then 
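Review bot: The region handed to the new `sendToSecurityHub` call in textPass (and the matching call in textFail) is the global `REPREGION`, which is not assigned anywhere in this diff; if a check reports a global resource without setting it, or a stale value from a previous check is still in place, the finding goes to an empty or wrong region and the import is rejected. A call-site fallback such as `sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION:-$REGION}"` keeps the pre-patch behaviour for those cases. Where REPREGION is assigned is not visible here, so confirm it is always set before textPass/textFail run. textPass's body starts and ends outside the hunk.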
@@ -318,7 +318,7 @@ generateHtmlOutput(){ echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML - fi + fi if [[ $status == "PASS" ]];then echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML diff --git a/include/securityhub_integration b/include/securityhub_integration index b08f5277..9c36264b 100644 --- a/include/securityhub_integration +++ b/include/securityhub_integration 
@@ -14,21 +14,26 @@
 # Checks that the correct mode (json-asff) has been specified if wanting to send check output to AWS Security Hub
 # and that Security Hub is enabled in the chosen region
 checkSecurityHubCompatibility(){
+  local regx
   if [[ "${MODE}" != "json-asff" ]]; then
     echo -e "\n$RED ERROR!$NORMAL Output can only be sent to Security Hub when the output mode is json-asff, i.e. -M json-asff -S\n"
     EXITCODE=1
     exit $EXITCODE
   fi
-  SECURITY_HUB_ENABLED=$($AWSCLI securityhub --region $REGION $PROFILE_OPT describe-hub)
-  if [[ -z "${SECURITY_HUB_ENABLED}" ]]; then
-    echo -e "\n$RED ERROR!$NORMAL Security Hub is not enabled in $REGION. Enable it by calling '$AWSCLI securityhub --region $REGION $PROFILE_OPT enable-security-hub'\n"
-    EXITCODE=1
-    exit $EXITCODE
-  fi
+  for regx in $REGIONS; do
+    SECURITY_HUB_ENABLED=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT describe-hub)
+    if [[ -z "${SECURITY_HUB_ENABLED}" ]]; then
+      echo -e "\n$RED ERROR!$NORMAL Security Hub is not enabled in $regx. Enable it by calling '$AWSCLI securityhub --region $regx $PROFILE_OPT enable-security-hub'\n"
+      EXITCODE=1
+      exit $EXITCODE
+    fi
+  done
 }
 
 sendToSecurityHub(){
-  BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region $REGION $PROFILE_OPT batch-import-findings --findings "$1")
+  local findings="$1"
+  local region="$2"
+  BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}")
   # A successful CLI response is: {"SuccessCount": 1,"FailedFindings": [],"FailedCount": 0}
   # Therefore, check that SuccessCount is indeed 1
   if [[ -z "${BATCH_IMPORT_RESULT}" ]] || ! jq -e '.SuccessCount == 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then
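Review bot: `sendToSecurityHub` now requires a second positional argument with no fallback, so any caller not updated in this patch (only textPass and textFail are) passes an empty value and the quoted `--region "$region"` becomes `--region ""`, which the CLI rejects; `local region="${2:-$REGION}"` keeps the pre-patch behaviour for such callers and for checks that leave REPREGION unset. In checkSecurityHubCompatibility the new loop treats any empty describe-hub output — AccessDenied on `securityhub:DescribeHub`, an opted-out or unreachable region — the same as "not enabled" and tells the operator to run enable-security-hub, so consider capturing the command's exit status (or its stderr) and reporting that instead of the generic message. Security Hub also expects, as far as I recall, the finding's ProductArn/Region to match the region it is imported into, so if generateJsonAsffOutput (not in this diff) still derives those from `$REGION` the same rejection this commit fixes will persist — worth confirming. sendToSecurityHub's body continues past the end of the hunk.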