A CLI tool to disable and enable security standards controls in AWS Security Hub

Related tags

Command-line Toolsaws-security-hub-controls-cli
Overview

Security Hub Controls CLI

A CLI tool to disable and enable security standards controls in AWS Security Hub. It is designed to work together with AWS Security Hub Cross-Account Controls Disabler.

Purpose

The goal of this tool is to provide a possibility to maintain the status (DISABLED or ENABLED) of standards controls in AWS Security Hub within a file. That way, the status can be configured by using a code repository and a CICD pipeline.

Install

This tool can be install using pip:

git clone https://github.com/aws-samples/aws-security-hub-controls-cli/
pip install ./aws-security-hub-controls-cli

Usage

usage: shc_cli [-h] [-d] [-u UPLOAD] [--json] [--profile PROFILE]
               [--dynamodb DYNAMODB] [--max-retries MAX_RETRIES] [-v]

Disable or Enable security standards controls in AWS Security Hub.

optional arguments:
  -h, --help            show this help message and exit
  -d, --download        Get current controls configurations from Security Hub.
  -u UPLOAD, --upload UPLOAD
                        Upload Security Hub controls configurations as defined
                        in UPLOAD file.
  --json                Use json as file format (instead of yaml) when
                        downloading current controls configurations from
                        Security Hub. Only effective when used in conjunction
                        with -d/--download
  --profile PROFILE     Use a specific profile from your credential file.
  --dynamodb DYNAMODB   Optional - Specify DynamoDB table name storing exceptions.
  --max-retries MAX_RETRIES
                        Maximal amount of retries in case of a
                        TooManyRequestsException when updating Security Hub
                        controls. (default: infinity)
  -v, --verbosity       Debugging information

Prerequisites

AWS Security Hub and security standards must be enabled.

You need following permissions to use this tool to update controls and security standards in Security Hub:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "securityhub:GetEnabledStandards",
                "securityhub:DescribeStandardsControls",
                "securityhub:UpdateStandardsControl"
            ],
            "Resource": "*"
        }
    ]
}

To use the --dynamodb option for storing exceptions in AWS DynamoDB, you need a DynamoDB table in the same AWS account as the Security Hub instance updated by the tool. A template which generates the needed DynamoDB table can be found here. Additionally to that, the following permissions are needed:

} ] } "> 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:PutItem"
            ],
            "Resource": 
   
    
        }
    ]
}

Workflow and examples

This section describes some basic use-cases and workflows

Getting current controls and initializing the local file

To get the current control statuses from Security Hub, use the following command:

$ shd_cli -d
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: ENABLED
    DisabledReason: ''
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: ''
...

If you prefer JSON over yaml, use the --json option:

$ shd_cli -d --json
{
    "cis-aws-foundations-benchmark": {
        "CIS.1.1": {
            "Title": "Avoid the use of the \"root\" account",
            "ControlStatus": "ENABLED",
            "DisabledReason": ""
        },
        "CIS.1.2": {
            "Title": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
            "ControlStatus": "ENABLED",
            "DisabledReason": ""
        },
...

You can write the output into a local file:

$ shd_cli -d > controls.yaml
$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: ENABLED
    DisabledReason: ''
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: ''
...

Update Security Hub controls as defined in local file

The local file can be used to edit the ControlStatus of single controls.
If you do not provide a DisabledReason, the default Updated via CLI is used.
Let's disable controls CIS.1.1 and CIS.1.2. We provide a DisabledReason for CIS.1.1:

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: 'Risk accepted by Security Department'
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: ''
...

Now, let's update the controls in Security Hub:

$ shc_cli -u controls.yaml
Start updating security standard controls...
CIS.1.1 : Update to DISABLED
CIS.1.1 : Done
CIS.1.2 : Update to DISABLED
CIS.1.2 : Done
Security standard controls updated.
Start updating security standard controls...
Security standard controls updated.

These are the new statuses of the security standard controls:

$ shc_cli -d
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: Risk accepted by Security Department
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: Updated via CLI
...

New security standard or control added to Security Hub

In the case of activating a new security standard or AWS adding a new control to an existing standard, this tool will update the local file accordingly.
Let's simulate this situation by removing the CIS.1.1 control from the local file:

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: Updated via CLI
  CIS.1.3:
    Title: Ensure credentials unused for 90 days or greater are disabled
    ControlStatus: ENABLED
    DisabledReason: ''
...

When the controls are now updated with this tool, you receive an information that a new control was discovered and the local file has been updated:

$ shc_cli -u controls.yaml
Start updating security standard controls...
[WARNING] Control cis-aws-foundations-benchmark:CIS.1.1 does not exist in local file. Local file is being updated ...
Security standard controls updated.
Start updating security standard controls...
Security standard controls updated.

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: 'Risk accepted by Security Department'
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: DISABLED
    DisabledReason: ''
...

Adding an exception for individual accounts

If you specify a DynamoDB table with the --dynamodb option, you can define exceptional disable/enable actions for individual accounts. This will save the information in the DynamoDB table. The needed action of actually processing the information and enabling/disabling the controls for the specified accounts needs to implemented seperatly.
As a prerequisite, an according DynamoDB table must be present in the same AWS account as the Security Hub instance updated by the tool. A template which generates the needed DynamoDB table can be found here.

Exceptions are defined as a list of account IDs in the optional Enabled and Disabled fields per control, as seen in the following example.

$ cat controls.yaml
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: 'Risk accepted by Security Department'
    Enabled:
      - 111111111111
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: ''
    Disabled:
      - 222222222222
...

If no DisabledReason is specified, as for CIS.1.2 above, Exception will be used as a default DisabledReason in the DynamoDB table.
When the controls are now updated with this tool, you receive an information that the exceptions will be created (or updated) in the DynamoDB table.

$ shc_cli -u controls.yaml --dynamodb DYNAMODB_TABLENAME
Start updating security standard controls...
CIS.1.1 : Update to DISABLED
CIS.1.1 : Done
CIS.1.2 : Update to ENABLED
CIS.1.2 : Done
Security standard controls updated.
Start updating exceptions in DynamoDB table...
CIS.1.1: Create exceptions in DynamoDB table.
CIS.1.2: Create exceptions in DynamoDB table.
Exceptions in DynamoDB table updated.

When you now download the control statuses by providing the DynamoDB table name, you will receive the exceptions as well:

$ shc_cli -d --dynamodb DYNAMODB_TABLENAME
cis-aws-foundations-benchmark:
  CIS.1.1:
    Title: Avoid the use of the "root" account
    ControlStatus: DISABLED
    DisabledReason: Risk accepted by Security Department
    Enabled:
    - '111111111111'
  CIS.1.2:
    Title: Ensure multi-factor authentication (MFA) is enabled for all IAM users that
      have a console password
    ControlStatus: ENABLED
    DisabledReason: Exception
    Disabled:
    - '22222222222'
...
Owner
AWS Samples
AWS Samples
GitHub Repository
🐍The nx-python plugin allows users to create a basic python application using nx commands.

🐍 NxPy: Nx Python plugin This project was generated using Nx. The nx-python plugin allows users to create a basic python application using nx command

StandUP Communications 74 Aug 31, 2022
A set of libraries and functions for simplifying automating Cisco devices through SecureCRT.

This is a set of libraries for automating Cisco devices (and to a lesser extent, bash prompts) over ssh/telnet in SecureCRT.

Matthew Spangler 7 Mar 30, 2022
spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line.

spid-sp-test spid-sp-test is a SAML2 SPID/CIE Service Provider validation tool that can be executed from the command line. This tool was born by separ

Developers Italia 30 Nov 08, 2022
πŸ•° The command line tool for scheduling Python scripts

hickory is a simple command line tool for scheduling Python scripts.

Max Humber 146 Dec 07, 2022
Plumbum: Shell Combinators

Plumbum: Shell Combinators Ever wished the compactness of shell scripts be put into a real programming language? Say hello to Plumbum Shell Combinator

Tomer Filiba 2.5k Dec 28, 2022
This is an app for creating your own color scheme for Termux!

Termux Terminal Theme Creator [WIP] If you need help on how to use the program, you can either create a GitHub issue or join this temporary Discord se

asxlvm 3 Dec 31, 2022
Ntfy - πŸ–₯οΈπŸ“±πŸ”” A utility for sending notifications, on demand and when commands finish.

About ntfy ntfy brings notification to your shell. It can automatically provide desktop notifications when long running commands finish or it can send

Daniel Schep 4.5k Jan 01, 2023
Simple CLI for managing Postgres databases in Flask.

Overview Simple CLI that provides the following commands: flask psql create flask psql init flask psql drop flask psql setup: create β†’ init flask psql

Daniel Reeves 21 Oct 03, 2022
jrnl is a simple journal application for the command line.

jrnl To get help, submit an issue on Github. jrnl is a simple journal application for the command line. You can use it to easily create, search, and v

jrnl 5.7k Dec 31, 2022
inklayers is a command line program that exports layers from an SVG file.

inklayers is a command line program that exports layers from an SVG file. It can be used to create slide shows by editing a single SVG file.

11 Mar 29, 2022
A CLI messenger for the Signum community.

A CLI messenger for the Signum community. Built for people who like using terminal for their work and want to communicate with other users in the Signum community.

Jush 5 Mar 18, 2022
Low-Cost Open Source Ventilator or PAPR

Last updated 2020/04/19 Low-Cost Open-Source Ventilator-ish Device or PAPR NOTE: This is currently an independent project not affiliated with any comm

Johnny Lee 1.7k Dec 21, 2022
ddgr is a cmdline utility to search DuckDuckGo (html version) from the terminal

ddgr is a cmdline utility to search DuckDuckGo (html version) from the terminal. While googler is extremely popular among cmdline users, in many forums the need of a similar utility for privacy-aware

PiΓ±a Colada 2.5k Dec 25, 2022
PyArmor is a command line tool used to obfuscate python scripts

PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

Dashingsoft 2k Jan 07, 2023
Double Pendulum visualised with fetching system information in Python.

Show off your terminal, in style. A nice relaxing double pendulum simulation using ASCII, able to simulate multiple pendulums at once, and provide tra

Nekurone 62 Dec 14, 2022
pwy - A simple weather tool.

A simple weather tool. I made this as a way for me to learn Python, API, and PyPi packaging. Name changed from wwy to pwy.

Clint 105 Dec 31, 2022
A simple CLI tool for getting region-specific status of Logz.io components.

About A simple CLI tool for checking the current status of Logz.io components per region. Built With Python 3 The following packeges (see requirements

Yotam Bernaz 1 Dec 11, 2021
AutoSub is a CLI application to generate subtitle files (.srt, .vtt, and .txt transcript) for any video file using Mozilla DeepSpeech.

AutoSub About Motivation Installation Docker How-to example How it works TO-DO Contributing References About AutoSub is a CLI application to generate

Abhiroop Talasila 414 Jan 06, 2023
Wik is use to get information about anything on the shell using Wikipedia.

WIK wik is a tool to view wikipedia pages from your terminal. It also let you search for any wikipedia up to date article on one query from your termi

Yash Singh 340 Dec 18, 2022
Python remote shell.

Python remote shell.

Steven 9 Oct 17, 2022