Merge pull request #214 from aws-solutions/release/v2.1.4

release/v2.1.4

Author: tbelmega

CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.4] - 2024-11-18
+### Changed
+- Upgraded python runtimes in all control runbooks from python3.8 to python3.11.
+  - Upgrade is done at build-time temporarily, until the `cdklabs/cdk-ssm-documents` package adds support for newer python runtimes. 
+### Security
+- Upgraded cross-spawn to mitigate [CVE-2024-21538](https://avd.aquasec.com/nvd/cve-2024-21538)
+
 ## [2.1.3] - 2024-09-18
 
 ### Fixed

deployment/build-s3-dist.sh

@@ -181,6 +181,8 @@ main() {
     mv "$template_dist_dir"/MemberRoleStack.template "$template_dist_dir"/aws-sharr-member-roles.template
 
     rm "$template_dist_dir"/*.nested.template
+
+    python3 $template_dir/upgrade_python_runtimes.py $template_dist_dir/playbooks
 }
 
 main "$@"

deployment/upgrade_python_runtimes.py

@@ -0,0 +1,48 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# !/usr/bin/env python3
+
+import json
+import os
+import re
+import sys
+
+
+def update_python_runtimes(directory):
+    """
+    The @cdklabs/cdk-ssm-documents package used to create some of the solution's control runbooks (SSM Documents)
+    does not support python runtimes newer than python3.8 as of 11/14/2024. This function updates all member runbook templates
+    to use python3.11 instead of python3.8 after they are synthesized.
+    :param directory: directory where synthesized templates are located.
+    """
+    for template_filename in os.listdir(directory):
+        if re.search(r"MemberStack(\d*).template$", template_filename):
+            file_path = os.path.join(directory, template_filename)
+
+            with open(file_path, "r") as file:
+                try:
+                    data = json.load(file)
+                except json.JSONDecodeError:
+                    print(f"Skipping {template_filename}: not a valid JSON file.")
+                    continue
+            # Convert template JSON to string and replace "python3.8" with "python3.11"
+            template_str = json.dumps(data)
+            updated_template_str = template_str.replace("python3.8", "python3.11")
+            updated_template = json.loads(updated_template_str)
+            # Write the updated template back to the .template file
+            with open(file_path, "w") as file:
+                json.dump(updated_template, file, indent=1)
+            print(
+                f"Successfully updated python runtimes in {template_filename} from python3.8 --> python3.11"
+            )
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print(
+            "Invalid invocation. Script should be invoked like: python upgrade_python_runtimes.py <directory_path>"
+        )
+        sys.exit(1)
+    directory_path = sys.argv[1]
+    update_python_runtimes(directory_path)

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "automated_security_response_on_aws"
-version = "2.1.3"
+version = "2.1.4"
 
 [tool.setuptools]
 package-dir = {"" = "source"}

solution-manifest.yaml

@@ -1,6 +1,6 @@
 id: SO0111
 name: security-hub-automated-response-and-remediation
-version: 2.1.3
+version: 2.1.4
 cloudformation_templates:
   - template: aws-sharr-deploy.template
     main_template: true

source/lib/__snapshots__/member-stack.test.ts.snap

@@ -1265,6 +1265,14 @@ exports[`member stack snapshot matches 1`] = `
       "DependsOn": [
         "WaitProviderRole83B0295F",
       ],
+      "Metadata": {
+        "guard": {
+          "SuppressedRules": [
+            "LAMBDA_CONCURRENCY_CHECK",
+            "LAMBDA_INSIDE_VPC",
+          ],
+        },
+      },
       "Properties": {
         "Code": {
           "S3Bucket": {
@@ -1307,6 +1315,12 @@ exports[`member stack snapshot matches 1`] = `
             },
           ],
         },
+        "guard": {
+          "SuppressedRules": [
+            "IAM_NO_INLINE_POLICY_CHECK",
+            "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE",
+          ],
+        },
       },
       "Properties": {
         "AssumeRolePolicyDocument": {

source/lib/cdk-helper/add-cfn-nag-suppression.ts

@@ -24,3 +24,24 @@ export function addCfnNagSuppression(resource: IConstruct, suppression: CfnNagSu
     };
   }
 }
+
+export function addCfnGuardSuppression(resource: IConstruct, suppression: string): void {
+  const cfnResource = resource.node.defaultChild as CfnResource;
+  if (!cfnResource?.cfnOptions) {
+    throw new Error(`Resource ${cfnResource?.logicalId} has no cfnOptions, unable to add CfnGuard suppression`);
+  }
+  const existingSuppressions: string[] = cfnResource.cfnOptions.metadata?.guard?.SuppressedRules;
+  if (existingSuppressions) {
+    existingSuppressions.push(suppression);
+  } else if (cfnResource.cfnOptions.metadata) {
+    cfnResource.cfnOptions.metadata.guard = {
+      SuppressedRules: [suppression],
+    };
+  } else {
+    cfnResource.cfnOptions.metadata = {
+      guard: {
+        SuppressedRules: [suppression],
+      },
+    };
+  }
+}

source/lib/cloudwatch_metrics.ts

@@ -19,6 +19,7 @@ import { Topic } from 'aws-cdk-lib/aws-sns';
 import { Key } from 'aws-cdk-lib/aws-kms';
 import { SnsAction } from 'aws-cdk-lib/aws-cloudwatch-actions';
 import { ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import { addCfnGuardSuppression } from './cdk-helper/add-cfn-nag-suppression';
 
 export interface CloudWatchMetricsProps {
   solutionId: string;
@@ -195,6 +196,7 @@ export class CloudWatchMetrics {
     });
     setCondition(noRemediationErrorAlarm, isUsingCloudWatchMetricsAlarms);
     noRemediationErrorAlarm.addAlarmAction(new SnsAction(snsAlarmTopic));
+    addCfnGuardSuppression(noRemediationErrorAlarm, 'CFN_NO_EXPLICIT_RESOURCE_NAMES');
 
     const failedAssumeRoleAlarm = failedAssumeRoleMetric.createAlarm(scope, 'FailedAssumeRoleAlarm', {
       alarmName: 'ASR-RunbookAssumeRoleFailure',
@@ -210,6 +212,8 @@ export class CloudWatchMetrics {
     setCondition(failedAssumeRoleAlarm, isUsingCloudWatchMetricsAlarms);
     failedAssumeRoleAlarm.addAlarmAction(new SnsAction(snsAlarmTopic));
 
+    addCfnGuardSuppression(failedAssumeRoleAlarm, 'CFN_NO_EXPLICIT_RESOURCE_NAMES');
+
     const stateMachineExecutionsAlarm = stateMachineExecutionsMetric.createAlarm(scope, 'StateMachineExecutions', {
       alarmName: 'ASR-StateMachineExecutions',
       evaluationPeriods: 1,
@@ -222,6 +226,7 @@ export class CloudWatchMetrics {
 
     setCondition(stateMachineExecutionsAlarm, isUsingCloudWatchMetricsAlarms);
     stateMachineExecutionsAlarm.addAlarmAction(new SnsAction(snsAlarmTopic));
+    addCfnGuardSuppression(stateMachineExecutionsAlarm, 'CFN_NO_EXPLICIT_RESOURCE_NAMES');
 
     /// CloudWatch Dashboard
     const remediationDashboard = new Dashboard(scope, 'RemediationDashboard', {

source/lib/common-orchestrator-construct.ts

@@ -10,6 +10,7 @@ import { Construct } from 'constructs';
 import * as cdk_nag from 'cdk-nag';
 import { Timeout } from 'aws-cdk-lib/aws-stepfunctions';
 import { IQueue } from 'aws-cdk-lib/aws-sqs';
+import { addCfnGuardSuppression } from './cdk-helper/add-cfn-nag-suppression';
 
 export interface ConstructProps {
   roleArn: string;
@@ -494,6 +495,7 @@ export class OrchestratorConstruct extends Construct {
           'CloudWatch Logs permissions require resource * except for DescribeLogGroups, except for GovCloud, which only works with resource *',
       },
     ]);
+    addCfnGuardSuppression(orchestratorRole, 'IAM_NO_INLINE_POLICY_CHECK');
 
     const orchestratorStateMachine = new sfn.StateMachine(this, 'StateMachine', {
       definitionBody: sfn.DefinitionBody.fromChainable(extractFindings),

source/lib/orchestrator_roles-construct.ts

@@ -12,6 +12,7 @@ import {
   CfnRole,
 } from 'aws-cdk-lib/aws-iam';
 import { Construct } from 'constructs';
+import { addCfnGuardSuppression } from './cdk-helper/add-cfn-nag-suppression';
 
 export interface OrchRoleProps {
   solutionId: string;
@@ -142,5 +143,6 @@ export class OrchestratorMemberRole extends Construct {
         ],
       },
     };
+    addCfnGuardSuppression(memberRole, 'IAM_NO_INLINE_POLICY_CHECK');
   }
 }