Merge pull request #197 from aws-solutions/release/v2.1.2

Updated to version v2.1.2

Author: tbelmega

.github/ISSUE_TEMPLATE/bug_report.md

@@ -22,13 +22,13 @@ assignees: ""
 
 - [ ] Version: [e.g. v1.0.0]
 
-To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, *"(SO0111) AWS Security Hub Automated Response & Remediation Administrator Stack, v1.4.0"*. You can also find the version from [releases](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/releases)
+To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, *"(SO0111) AWS Security Hub Automated Response & Remediation Administrator Stack, v1.4.0"*. You can also find the version from [releases](https://github.com/aws-solutions/automated-security-response-on-aws/releases)
 
 - [ ] Region: [e.g. us-east-1]
 - [ ] Was the solution modified from the version published on this repository?
 - [ ] If the answer to the previous question was yes, are the changes available on GitHub?
 - [ ] Have you checked your [service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) for the sevices this solution uses?
-- [ ] Were there any errors in the CloudWatch Logs? [Troubleshooting](https://docs.aws.amazon.com/solutions/latest/aws-security-hub-automated-response-and-remediation/troubleshooting.html)
+- [ ] Were there any errors in the CloudWatch Logs? [Troubleshooting](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/troubleshooting.html)
 
 **Screenshots**
 If applicable, add screenshots to help explain your problem (please **DO NOT include sensitive information**).

CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.2] - 2024-06-20
+
+### Fixed
+
+- Disabled AppRegistry for certain playbooks to avoid errors when updating solution
+- Created list of playbooks instead of creating stacks dynamically to avoid this in the future
+
+### Security
+
+- Updated braces package version for CVE-2024-4068 - https://avd.aquasec.com/nvd/cve-2024-4068
+
 ## [2.1.1] - 2024-04-10
 
 ### Changed
@@ -32,7 +43,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-- Disabled AppRegistry functionality in China regions. AppRegistry is not available in those regions.
+- Disabled AppRegistry functionality in China regions. AppRegistry is not available in those regions
 - Added missing EventBridge rules for CloudFormation.1, EC2.15, SNS.1, SNS.2, and SQS.1
 - Fixed SC_SNS.2 Not executing due to wrong automation document
 - Fixed RDS.4 remediation failing to remediate due to incorrect regex
@@ -114,8 +125,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- Bug Fix for issue [47](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/47)
-- Bug Fix for issue [48](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/48)
+- Bug Fix for issue [47](https://github.com/aws-solutions/automated-security-response-on-aws/issues/47)
+- Bug Fix for issue [48](https://github.com/aws-solutions/automated-security-response-on-aws/issues/48)
 
 ## [1.4.0] - 2021-12-13
 

CONTRIBUTING.md

@@ -11,7 +11,7 @@ information to effectively respond to your bug report or contribution.
 
 We welcome you to use the GitHub issue tracker to report bugs or suggest features.
 
-When filing an issue, please check [existing open](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues), or [recently closed](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
+When filing an issue, please check [existing open](https://github.com/aws-solutions/automated-security-response-on-aws/issues), or [recently closed](https://github.com/aws-solutions/automated-security-response-on-aws/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
 reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
 
 * A reproducible test case or series of steps
@@ -41,7 +41,7 @@ GitHub provides additional document on [forking a repository](https://help.githu
 
 
 ## Finding contributions to work on
-Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/labels/help%20wanted) issues is a great place to start.
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws-solutions/automated-security-response-on-aws/labels/help%20wanted) issues is a great place to start.
 
 
 ## Code of Conduct
@@ -56,6 +56,6 @@ If you discover a potential security issue in this project we ask that you notif
 
 ## Licensing
 
-See the [LICENSE](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/blob/main/LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
+See the [LICENSE](https://github.com/aws-solutions/automated-security-response-on-aws/blob/main/LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
 
 We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

README.md

@@ -2,9 +2,9 @@
 
 [🚀 Solution Landing Page](https://aws.amazon.com/solutions/implementations/automated-security-response-on-aws/) \| [🚧
 Feature
-request](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)
+request](https://github.com/aws-solutions/automated-security-response-on-aws/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)
 \| [🐛 Bug
-Report](https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
+Report](https://github.com/aws-solutions/automated-security-response-on-aws/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)
 
 Automated Security Response (ASR) on AWS is a solution that enables AWS Security Hub customers to remediate findings
 with a single click using sets of predefined response and remediation actions called Playbooks. The remediations are
@@ -63,13 +63,13 @@ make to your private copy of the solution.
 **Git Clone example:**
 
 ```bash
-git clone https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation.git
+git clone https://github.com/aws-solutions/automated-security-response-on-aws.git
 ```
 
 **Download Zip example:**
 
 ```bash
-wget https://github.com/aws-solutions/aws-security-hub-automated-response-and-remediation/archive/main.zip
+wget https://github.com/aws-solutions/automated-security-response-on-aws/archive/main.zip
 ```
 
 ### Custom Playbooks
@@ -127,6 +127,26 @@ from the StandardsControlArn:
 const remediations: IControl[] = [{ control: "RDS.6" }];
 ```
 
+#### Add your playbook as a new nested stack in the solution template
+
+Edit **playbooks/playbook-index.ts** to include the new playbook.
+
+Add the new playbook to the end of the `standardPlaybookProps` array.
+
+**Important** Do not change the order of the items in this array. Doing so will change the App Registry logical IDs for the nested stacks. 
+This will cause an error when updating the solution.
+
+Interface:
+
+```typescript
+export interface PlaybookProps {
+  name: string; // Playbook short name
+  useAppRegistry: boolean; // Add this playbook's nested stack to app registry for the solution
+  defaultParameterValue?: 'yes' | 'no'; // Default value for enabling this playbook in CloudFormation. Will default to 'no' if not provided.
+  description?: string; // Description for the CloudFormation parameter. Solution will provide a generated description if left blank.
+}
+```
+
 #### Create the Remediations
 
 Remediations are executed using SSM Automation Runbooks. Each control has a specific runbook. ASR Runbooks must follow
@@ -187,7 +207,7 @@ Confirm that all unit tests pass.
 **Note**: Verify bucket ownership before uploading.
 
 By default, the templates created by build-s3-dist.sh expect the software to be stored in
-**aws-security-hub-automated-response-and-remediation/v\<version\>**. If in doubt, view the template.
+**automated-security-response-on-aws/v\<version\>**. If in doubt, view the template.
 
 Use a tool such as the AWS S3 CLI "sync" command to upload your templates to the reference bucket and code to the
 regional bucket.
@@ -198,7 +218,7 @@ See the [Automated Security Response on AWS Implementation
 Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/solution-overview.html) for
 deployment instructions, using the link to the SolutionDeployStack.template from your bucket, rather than the one for
 AWS Solutions. Ex.
-https://mybucket-reference.s3.amazonaws.com/aws-security-hub-automated-response-and-remediation/v1.3.0.mybuild/aws-sharr-deploy.template
+https://mybucket-reference.s3.amazonaws.com/automated-security-response-on-aws/v1.3.0.mybuild/aws-sharr-deploy.template
 
 ## Directory structure
 

deployment/build-s3-dist.sh

@@ -148,7 +148,7 @@ main() {
     header "[Create] Playbooks"
 
     for playbook in $(ls "$source_dir"/playbooks); do
-        if [ $playbook == 'NEWPLAYBOOK' ] || [ $playbook == '.coverage' ] || [ $playbook == 'common' ]; then
+        if [ $playbook == 'NEWPLAYBOOK' ] || [ $playbook == '.coverage' ] || [ $playbook == 'common' ] || [ $playbook == 'playbook-index.ts' ]; then
             continue
         fi
         echo Create $playbook playbook

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "automated_security_response_on_aws"
-version = "2.1.1"
+version = "2.1.2"
 
 [tool.setuptools]
 package-dir = {"" = "source"}

solution-manifest.yaml

@@ -1,6 +1,6 @@
 id: SO0111
 name: security-hub-automated-response-and-remediation
-version: 2.1.1
+version: 2.1.2
 cloudformation_templates:
   - template: aws-sharr-deploy.template
     main_template: true

source/lib/__snapshots__/member-stack.test.ts.snap

@@ -31,6 +31,16 @@ exports[`member stack snapshot matches 1`] = `
         "yes",
       ],
     },
+    "loadAFSBPCondAndShouldDeployAppReg": {
+      "Fn::And": [
+        {
+          "Condition": "ShouldDeployAppReg",
+        },
+        {
+          "Condition": "loadAFSBPCond",
+        },
+      ],
+    },
     "loadCIS120Cond": {
       "Fn::Equals": [
         {
@@ -39,6 +49,16 @@ exports[`member stack snapshot matches 1`] = `
         "yes",
       ],
     },
+    "loadCIS120CondAndShouldDeployAppReg": {
+      "Fn::And": [
+        {
+          "Condition": "ShouldDeployAppReg",
+        },
+        {
+          "Condition": "loadCIS120Cond",
+        },
+      ],
+    },
     "loadCIS140Cond": {
       "Fn::Equals": [
         {
@@ -47,6 +67,16 @@ exports[`member stack snapshot matches 1`] = `
         "yes",
       ],
     },
+    "loadCIS140CondAndShouldDeployAppReg": {
+      "Fn::And": [
+        {
+          "Condition": "ShouldDeployAppReg",
+        },
+        {
+          "Condition": "loadCIS140Cond",
+        },
+      ],
+    },
     "loadNIST80053Cond": {
       "Fn::Equals": [
         {
@@ -55,6 +85,16 @@ exports[`member stack snapshot matches 1`] = `
         "yes",
       ],
     },
+    "loadNIST80053CondAndShouldDeployAppReg": {
+      "Fn::And": [
+        {
+          "Condition": "ShouldDeployAppReg",
+        },
+        {
+          "Condition": "loadNIST80053Cond",
+        },
+      ],
+    },
     "loadPCI321Cond": {
       "Fn::Equals": [
         {
@@ -307,6 +347,101 @@ exports[`member stack snapshot matches 1`] = `
       },
       "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation",
     },
+    "AppRegistryResourceAssociation142839FB0": {
+      "Condition": "ShouldDeployAppReg",
+      "DependsOn": [
+        "RunbookStackNoRoles",
+      ],
+      "Properties": {
+        "Application": {
+          "Fn::GetAtt": [
+            "AppRegistry968496A3",
+            "Id",
+          ],
+        },
+        "Resource": {
+          "Ref": "RunbookStackNoRoles",
+        },
+        "ResourceType": "CFN_STACK",
+      },
+      "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation",
+    },
+    "AppRegistryResourceAssociation2BB1A3300": {
+      "Condition": "loadAFSBPCondAndShouldDeployAppReg",
+      "DependsOn": [
+        "PlaybookMemberStackAFSBP",
+      ],
+      "Properties": {
+        "Application": {
+          "Fn::GetAtt": [
+            "AppRegistry968496A3",
+            "Id",
+          ],
+        },
+        "Resource": {
+          "Ref": "PlaybookMemberStackAFSBP",
+        },
+        "ResourceType": "CFN_STACK",
+      },
+      "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation",
+    },
+    "AppRegistryResourceAssociation3BEAC7BB7": {
+      "Condition": "loadCIS120CondAndShouldDeployAppReg",
+      "DependsOn": [
+        "PlaybookMemberStackCIS120",
+      ],
+      "Properties": {
+        "Application": {
+          "Fn::GetAtt": [
+            "AppRegistry968496A3",
+            "Id",
+          ],
+        },
+        "Resource": {
+          "Ref": "PlaybookMemberStackCIS120",
+        },
+        "ResourceType": "CFN_STACK",
+      },
+      "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation",
+    },
+    "AppRegistryResourceAssociation46F7B9873": {
+      "Condition": "loadCIS140CondAndShouldDeployAppReg",
+      "DependsOn": [
+        "PlaybookMemberStackCIS140",
+      ],
+      "Properties": {
+        "Application": {
+          "Fn::GetAtt": [
+            "AppRegistry968496A3",
+            "Id",
+          ],
+        },
+        "Resource": {
+          "Ref": "PlaybookMemberStackCIS140",
+        },
+        "ResourceType": "CFN_STACK",
+      },
+      "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation",
+    },
+    "AppRegistryResourceAssociation5FAA30631": {
+      "Condition": "loadNIST80053CondAndShouldDeployAppReg",
+      "DependsOn": [
+        "PlaybookMemberStackNIST80053",
+      ],
+      "Properties": {
+        "Application": {
+          "Fn::GetAtt": [
+            "AppRegistry968496A3",
+            "Id",
+          ],
+        },
+        "Resource": {
+          "Ref": "PlaybookMemberStackNIST80053",
+        },
+        "ResourceType": "CFN_STACK",
+      },
+      "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation",
+    },
     "DefaultApplicationAttributesFC1CC26B": {
       "Condition": "ShouldDeployAppReg",
       "Properties": {

source/lib/member-stack.test.ts

@@ -5,7 +5,7 @@ import { Runtime } from 'aws-cdk-lib/aws-lambda';
 import { Template } from 'aws-cdk-lib/assertions';
 import { AwsSolutionsChecks } from 'cdk-nag';
 import { MemberStack } from './member-stack';
-import { AppRegister } from '../lib/appregistry/applyAppRegistry';
+import { AppRegister } from './appregistry/applyAppRegistry';
 
 const description = 'ASR Member Stack';
 const solutionId = 'SO9999';
@@ -33,7 +33,7 @@ function getMemberStack(): Stack {
     solutionDistBucket,
     runtimePython: Runtime.PYTHON_3_9,
   });
-  appregistry.applyAppRegistryToStacks(stack, []);
+  appregistry.applyAppRegistryToStacks(stack, stack.nestedStacksWithAppRegistry);
   Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
   return stack;
 }