Merge pull request #200 from aws-solutions/release/v2.1.3

Upgrade to v2.1.3

Author: tbelmega

.viperlightignore

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.3] - 2024-09-18
+
+### Fixed
+- Resolved an issue in the remediation scripts for EC2.18 and EC2.19 where security group rules with IpProtocol set to "-1" were being incorrectly ignored.
+
+### Changed
+- Upgraded all Python runtimes in remediation SSM documents from Python 3.8 to Python 3.11.
+
+### Security
+- Upgraded micromatch package to mitigate [CVE-2024-4067](https://avd.aquasec.com/nvd/2024/cve-2024-4067/)
+
 ## [2.1.2] - 2024-06-20
 
 ### Fixed

.viperlightrc

@@ -5,4 +5,4 @@ subsequently address any potential vulnerabilities as quickly as possible. If yo
 security issue in this project, please notify AWS/Amazon Security via
 our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or
 directly via email to [AWS Security](mailto:aws-security@amazon.com). Please do not create a public GitHub issue in this
-project.
+project.

.viperlightrc_global

@@ -13,9 +13,9 @@ export overrideWarningsEnabled=false
     echo "UPDATE MODE: CDK Snapshots will be updated. CDK UNIT TESTS WILL BE SKIPPED"
 } || update="false"
 
-[[ ! -d .venv ]] && python3 -m venv .venv
+[[ ! -d .venv ]] && python3.11 -m venv .venv
 source ./.venv/bin/activate
-python3 -m pip install -U pip setuptools
+python3.11 -m pip install -U pip setuptools
 
 echo 'Installing required Python testing modules'
 pip install -r ./requirements_dev.txt
@@ -39,7 +39,7 @@ run_pytest() {
     echo "coverage report path set to ${report_file}"
 
     # Use -vv for debugging
-    python3 -m pytest --cov --cov-report=term-missing --cov-report "xml:$report_file"
+    python3.11 -m pytest --cov --cov-report=term-missing --cov-report "xml:$report_file"
     rc=$?
 
     if [ "$rc" -ne "0" ]; then

CHANGELOG.md

@@ -1,6 +1,6 @@
 [project]
 name = "automated_security_response_on_aws"
-version = "2.1.2"
+version = "2.1.3"
 
 [tool.setuptools]
 package-dir = {"" = "source"}

SECURITY.md

@@ -1,6 +1,6 @@
 id: SO0111
 name: security-hub-automated-response-and-remediation
-version: 2.1.2
+version: 2.1.3
 cloudformation_templates:
   - template: aws-sharr-deploy.template
     main_template: true

deployment/run-unit-tests.sh

@@ -1,6 +1,6 @@
 {
     "name": "aws-security-hub-automated-response-and-remediation",
-    "version": "2.1.2",
+    "version": "2.1.3",
     "description": "Automated remediation for AWS Security Hub (SO0111)",
     "bin": {
         "solution_deploy": "bin/solution_deploy.js"

pyproject.toml

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):autoscaling:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:autoScalingGroup:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}):autoScalingGroupName/(.{1,255})$'
         expected_control_id:
         - 'AutoScaling.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

solution-manifest.yaml

@@ -57,7 +57,7 @@ mainSteps:
       parse_id_pattern: '^(arn:(?:aws|aws-us-gov|aws-cn):cloudformation:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:stack/[a-zA-Z][a-zA-Z0-9-]{0,127}/[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12})$'
       expected_control_id:
       - 'CloudFormation.1'
-    Runtime: 'python3.8'
+    Runtime: 'python3.11'
     Handler: 'parse_event'
     Script: |-
       %%SCRIPT=common/parse_input.py%%

source/package-lock.json

@@ -57,7 +57,7 @@ mainSteps:
       parse_id_pattern: '^(arn:(?:aws|aws-us-gov|aws-cn):cloudfront::\d{12}:distribution\/([A-Z0-9]+))$'
       expected_control_id:
       - 'CloudFront.1'
-    Runtime: 'python3.8'
+    Runtime: 'python3.11'
     Handler: 'parse_event'
     Script: |-
       %%SCRIPT=common/parse_input.py%%

source/package.json

@@ -57,7 +57,7 @@ mainSteps:
       parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):cloudfront::[0-9]{12}:distribution\/([A-Z0-9]*)$'
       expected_control_id:
       - 'CloudFront.12'
-    Runtime: 'python3.8'
+    Runtime: 'python3.11'
     Handler: 'parse_event'
     Script: |-
       %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_AutoScaling.1.yaml

@@ -54,7 +54,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id:
         - 'CloudTrail.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudFormation.1.yaml

@@ -69,7 +69,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id:
         - 'CloudTrail.2'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudFront.1.yaml

@@ -64,7 +64,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):cloudtrail:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:trail/([A-Za-z0-9._-]{3,128})$'
         expected_control_id:
         - 'CloudTrail.4'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudFront.12.yaml

@@ -63,7 +63,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):cloudtrail:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:trail/([A-Za-z0-9._-]{3,128})$'
         expected_control_id:
         - 'CloudTrail.5'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudTrail.1.yaml

@@ -50,7 +50,7 @@ mainSteps:
         Finding: '{{Finding}}'
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):codebuild:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:project/([A-Za-z0-9][A-Za-z0-9\-_]{1,254})$'
         expected_control_id: [ 'CodeBuild.2' ]
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudTrail.2.yaml

@@ -60,7 +60,7 @@ mainSteps:
         Finding: '{{Finding}}'
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):codebuild:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:project/([A-Za-z0-9][A-Za-z0-9\-_]{1,254})$'
         expected_control_id: [ 'CodeBuild.5' ]
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudTrail.4.yaml

@@ -58,7 +58,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id:
         - 'Config.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudTrail.5.yaml

@@ -55,7 +55,7 @@ mainSteps:
         resource_index: 2
         expected_control_id:
         - 'EC2.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CodeBuild.2.yaml

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id: 
           - 'EC2.15'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CodeBuild.5.yaml

@@ -68,7 +68,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ec2:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:security-group/(sg-[0-9a-f]*)$'
         expected_control_id: 
           - 'EC2.18'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%
@@ -90,7 +90,7 @@ mainSteps:
           "authorizedUdpPorts": [],
         }
         expected_control_id: [ 'EC2.18' ]
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: get_input_params
       Script: |-
         %%SCRIPT=common/get_input_params.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_Config.1.yaml

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ec2:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:security-group/(sg-[0-9a-f]*)$'
         expected_control_id: 
           - 'EC2.19'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.1.yaml

@@ -64,7 +64,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ec2:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:security-group/(sg-[0-9a-f]*)$'
         expected_control_id:
         - 'EC2.2'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.15.yaml

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ec2:[a-z]{2}-[a-z]+-\d{1}:\d{12}:transit-gateway\/(tgw-[a-z0-9\-]+)$'
         expected_control_id: 
           - 'EC2.23'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.18.yaml

@@ -60,7 +60,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ec2:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:instance\/(i-[0-9a-f]*)$'
         expected_control_id: 
           - 'EC2.4'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.19.yaml

@@ -63,7 +63,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ec2:.*:\d{12}:vpc/(vpc-[0-9a-f]{8,17})$'
         expected_control_id:
         - 'EC2.6'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.2.yaml

@@ -51,7 +51,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id:
         - 'EC2.7'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.23.yaml

@@ -60,7 +60,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id:
         - 'EC2.8'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.4.yaml

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):ecr:[a-z]{2}-[a-z]+-\d{1}:\d{12}:repository\/([a-z0-9._\/\-]+)$'
         expected_control_id: 
           - 'ECR.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.6.yaml

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id: 
           - 'GuardDuty.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.7.yaml

@@ -64,7 +64,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):iam::\d{12}:user(?:(?:\u002F)|(?:\u002F[\u0021-\u007F]{1,510}\u002F))([\w+=,.@-]{1,64})$'
         expected_control_id:
         - 'IAM.3'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_EC2.8.yaml

@@ -54,7 +54,7 @@ mainSteps:
         Finding: '{{Finding}}'
         parse_id_pattern: ''
         expected_control_id: [ 'IAM.7' ]
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%
@@ -104,7 +104,7 @@ mainSteps:
         "PasswordReusePrevention": 24 
         }
         expected_control_id: [ 'IAM.7' ]
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: get_input_params
       Script: |-
         %%SCRIPT=common/get_input_params.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_ECR.1.yaml

@@ -56,7 +56,7 @@ mainSteps:
         parse_id_pattern: ''
         expected_control_id:
         - 'IAM.8'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%