A CLI tool to disable and enable security standards controls in AWS Security Hub

Related tags

Command-line Toolsaws-security-hub-controls-cli
Overview

Security Hub Controls CLI

A CLI tool to disable and enable security standards controls in AWS Security Hub. It is designed to work together with AWS Security Hub Cross-Account Controls Disabler.

Purpose

The goal of this tool is to provide a possibility to maintain the status (DISABLED or ENABLED) of standards controls in AWS Security Hub within a file. That way, the status can be configured by using a code repository and a CICD pipeline.

Install

This tool can be install using pip:

git clone https://github.com/aws-samples/aws-security-hub-controls-cli/
pip install ./aws-security-hub-controls-cli

Usage

usage: shc_cli [-h] [-d] [-u UPLOAD] [--json] [--profile PROFILE]
               [--dynamodb DYNAMODB] [--max-retries MAX_RETRIES] [-v]

Disable or Enable security standards controls in AWS Security Hub.

optional arguments:
  -h, --help            show this help message and exit
  -d, --download        Get current controls configurations from Security Hub.
  -u UPLOAD, --upload UPLOAD
                        Upload Security Hub controls configurations as defined
                        in UPLOAD file.
  --json                Use json as file format (instead of yaml) when
                        downloading current controls configurations from
                        Security Hub. Only effective when used in conjunction
                        with -d/--download
  --profile PROFILE     Use a specific profile from your credential file.
  --dynamodb DYNAMODB   Optional - Specify DynamoDB table name storing exceptions.
  --max-retries MAX_RETRIES
                        Maximal amount of retries in case of a
                        TooManyRequestsException when updating Security Hub
                        controls. (default: infinity)
  -v, --verbosity       Debugging information

Prerequisites

AWS Security Hub and security standards must be enabled.

You need following permissions to use this tool to update controls and security standards in Security Hub:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "securityhub:GetEnabledStandards",
                "securityhub:DescribeStandardsControls",
                "securityhub:UpdateStandardsControl"
            ],
            "Resource": "*"
        }
    ]
}

To use the --dynamodb option for storing exceptions in AWS DynamoDB, you need a DynamoDB table in the same AWS account as the Security Hub instance updated by the tool. A template which generates the needed DynamoDB table can be found here. Additionally to that, the following permissions are needed:

} ] } "> 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:PutItem"
            ],
            "Resource": 
   
    
        }
    ]
}

Workflow and examples

This section describes some basic use-cases and workflows

Getting current controls and initializing the local file

To get the current control statuses from Security Hub, use the following command:

$ shd_cli -d
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: ENABLED
    DisabledReason: ''
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: ''
...

If you prefer JSON over yaml, use the --json option:

$ shd_cli -d --json
{
    "cis-aws-foundations-benchmark": {
        "CIS.1.1": {
            "Title": "Avoid the use of the \"root\" account",
            "ControlStatus": "ENABLED",
            "DisabledReason": ""
        },
        "CIS.1.2": {
            "Title": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
            "ControlStatus": "ENABLED",
            "DisabledReason": ""
        },
...

You can write the output into a local file:

$ shd_cli -d > controls.yaml
$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: ENABLED
    DisabledReason: ''
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: ''
...

Update Security Hub controls as defined in local file

The local file can be used to edit the ControlStatus of single controls.
If you do not provide a DisabledReason, the default Updated via CLI is used.
Let's disable controls CIS.1.1 and CIS.1.2. We provide a DisabledReason for CIS.1.1:

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: 'Risk accepted by Security Department'
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: ''
...

Now, let's update the controls in Security Hub:

$ shc_cli -u controls.yaml
Start updating security standard controls...
CIS.1.1 : Update to DISABLED
CIS.1.1 : Done
CIS.1.2 : Update to DISABLED
CIS.1.2 : Done
Security standard controls updated.
Start updating security standard controls...
Security standard controls updated.

These are the new statuses of the security standard controls:

$ shc_cli -d
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: Risk accepted by Security Department
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: Updated via CLI
...

New security standard or control added to Security Hub

In the case of activating a new security standard or AWS adding a new control to an existing standard, this tool will update the local file accordingly.
Let's simulate this situation by removing the CIS.1.1 control from the local file:

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: Updated via CLI
  CIS.1.3:
    Title: Ensure credentials unused for 90 days or greater are disabled
    ControlStatus: ENABLED
    DisabledReason: ''
...

When the controls are now updated with this tool, you receive an information that a new control was discovered and the local file has been updated:

$ shc_cli -u controls.yaml
Start updating security standard controls...
[WARNING] Control cis-aws-foundations-benchmark:CIS.1.1 does not exist in local file. Local file is being updated ...
Security standard controls updated.
Start updating security standard controls...
Security standard controls updated.

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: 'Risk accepted by Security Department'
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: ''
...

Adding an exception for individual accounts

If you specify a DynamoDB table with the --dynamodb option, you can define exceptional disable/enable actions for individual accounts. This will save the information in the DynamoDB table. The needed action of actually processing the information and enabling/disabling the controls for the specified accounts needs to implemented seperatly.
As a prerequisite, an according DynamoDB table must be present in the same AWS account as the Security Hub instance updated by the tool. A template which generates the needed DynamoDB table can be found here.

Exceptions are defined as a list of account IDs in the optional Enabled and Disabled fields per control, as seen in the following example.

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: 'Risk accepted by Security Department'
    Enabled:
      - 111111111111
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: ''
    Disabled:
      - 222222222222
...

If no DisabledReason is specified, as for CIS.1.2 above, Exception will be used as a default DisabledReason in the DynamoDB table.
When the controls are now updated with this tool, you receive an information that the exceptions will be created (or updated) in the DynamoDB table.

$ shc_cli -u controls.yaml --dynamodb DYNAMODB_TABLENAME
Start updating security standard controls...
CIS.1.1 : Update to DISABLED
CIS.1.1 : Done
CIS.1.2 : Update to ENABLED
CIS.1.2 : Done
Security standard controls updated.
Start updating exceptions in DynamoDB table...
CIS.1.1: Create exceptions in DynamoDB table.
CIS.1.2: Create exceptions in DynamoDB table.
Exceptions in DynamoDB table updated.

When you now download the control statuses by providing the DynamoDB table name, you will receive the exceptions as well:

$ shc_cli -d --dynamodb DYNAMODB_TABLENAME
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: Risk accepted by Security Department
    Enabled:
    - '111111111111'
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: Exception
    Disabled:
    - '22222222222'
...
Owner
AWS Samples
AWS Samples
GitHub Repository
Quickly open any path on your terminal window in your $EDITOR of choice!

Tmux fpp Plugin wrapper around Facebook PathPicker. Quickly open any path on your terminal window in your $EDITOR of choice! Demo Dependencies fpp - F

257 Dec 28, 2022
A simple terminal-based localhost chat application written in python

Chat House A simple terminal-based localhost chat application written in python How to Use? Clone the repo git clone https://github.com/heksadecimal/c

Heks 10 Nov 09, 2021
Easily handle day to day CLI operation via Python instead of regular Bash programs.

pz Ever wished to use Python in Bash? Would you choose the Python syntax over sed, awk, ...? Should you exactly know what command would you use in Pyt

CZ.NIC 697 Jan 03, 2023
šŸƒ Python3 Solutions of All Problems in GCJ 2022 (In Progress)

GoogleCodeJam 2022 Python3 solutions of Google Code Jam 2022. Solution begins with * means it will get TLE in the largest data set. Total computation

kamyu 12 Dec 20, 2022
A dashboard for your Terminal written in the Python 3 language,

termDash is a handy little program, written in the Python 3 language, and is a small little dashboard for your terminal, designed to be a utility to help people, as well as helping new users get used

Rebecca White 2 Dec 03, 2021
A minimalist Vim plugin manager.

A minimalist Vim plugin manager. Pros. Easy to set up: Single file. No boilerplate code required. Easy to use: Concise, intuitive syntax Super-fast pa

Junegunn Choi 30.2k Jan 08, 2023
A cli tool , which shows you all the next possible words you can guess from in the game of Wordle.

wordle-helper A cli tool , which shows you all the next possible words you can guess from the Game Wordle. This repo has the code discussed in the You

1 Jan 17, 2022
dbt-subdocs is a python CLI you can used to generate a dbt-docs for a subset of your dbt project

dbt-subdocs dbt-subdocs is a python CLI you can used to generate a dbt-docs for a subset of your dbt project šŸ¤” Description This project is useful if

Jambe 6 Jan 03, 2023
CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM

AWS SAM The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to e

Amazon Web Services 6.2k Jan 08, 2023
This CLI give the possibility to do a queries in Star Wars API and returns a JSON in a terminal.

Star Wars CLI (swcli) This CLI give the possibility to do a queries in Star Wars API and returns a JSON in a terminal. Install $ pip install swcli Qu

Pery Lemke 5 Nov 05, 2021
Shellmon is a tool used to create and control a webshell remotely, created using the Python3

An Simple PHP Webshell Manager Description Shellmon is a tool used to create and control a webshell remotely, created using the Python3 programming la

22XploiterCrew 12 Dec 30, 2022
A simple file transfer tools, similar to rz / sz but compatible with tmux (control mode), which works with iTerm2 and has a nice progress bar

trzsz A simple file transfer tools, similar to rz/sz but compatible with tmux (control mode), which works with iTerm2 and has a nice progress bar. Why

561 Jan 05, 2023
Command line interface for unasync

CLI for unasync Command line interface for unasync Getting started Install Run the following command to install the package with pip: pip install unas

Leynier GutiƩrrez GonzƔlez 3 Apr 04, 2022
Dark powered asynchronous completion framework for neovim/Vim8

deoplete.nvim Dark powered asynchronous completion framework for neovim/Vim8 Note: The development of this plugin is finished. Accepts minor patches a

Shougo 5.9k Dec 30, 2022
A project designed to make taking notes easier than ever - by doing it all on command line

A project designed to make taking notes easier than ever - by doing it all on command line! Yes, all of your files are easily accessible through one command interface, and can be written to at any ti

1 Dec 10, 2021
CLI based diff viewer

Rich Diff CLI based diff viewer

Suresh Kumar 24 Nov 15, 2022
This is my fetch, with ascii arts from neofetch and internet

deadfetch This is my fetch, with ascii arts from neofetch and internet Installation First what you need its python Fedora sudo dnf install python3 sud

DedSec 8 Jan 20, 2022
Simple Terminal Styling for Python

escape Escape is a very simple terminal styling library largely inspired by the excellent javascript chalk library. There are other terminal styling l

Syed Abbas 8 Sep 03, 2019
Dart Version Manager CLI implemented with Python and Typer.

Dart Version Manager Dart Version Manager CLI implemented with Python and Typer Usage: $ dvm [OPTIONS] COMMAND [ARGS]... Options: --install-completion

EducUp 6 Jun 26, 2022
Container images for portable development environments

Docker Dev Spin up a container to develop from anywhere! To run, just: docker run -ti aghost7/nodejs-dev:boron tmux new Alternatively, if on Linux: p

Jonathan Boudreau 163 Dec 22, 2022