AWS security hub findings

codebundles/aws-c7n-security-hub/.runwhen/generation-rules/aws-c7n-security-hub.yaml

@@ -0,0 +1,22 @@
+apiVersion: runwhen.com/v1
+kind: GenerationRules
+spec:
+  platform: aws
+  generationRules:
+    - resourceTypes:
+        - aws_securityhub_hubs
+      matchRules:
+        - type: pattern
+          pattern: ".+"
+          properties: [name]
+          mode: substring
+      slxs:
+        - baseName: aws-c7n-security-hub
+          qualifiers: ["account_id"]
+          baseTemplateName: aws-c7n-security-hub
+          levelOfDetail: basic
+          outputItems:
+            - type: slx
+            - type: sli
+            - type: runbook
+              templateName: aws-c7n-security-hub-taskset.yaml

codebundles/aws-c7n-security-hub/.runwhen/templates/aws-c7n-security-hub-sli.yaml

@@ -0,0 +1,51 @@
+apiVersion: runwhen.com/v1
+kind: ServiceLevelIndicator
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  displayUnitsLong: OK
+  displayUnitsShort: ok
+  locations: 
+      - {{default_location}}
+  description: Check for AWS Security Hub findings in AWS account {{match_resource.resource.account_id}}
+  codeBundle:
+    {% if repo_url %}
+    repoUrl: {{repo_url}}
+    {% else %}
+    repoUrl: https://github.com/runwhen-contrib/rw-c7n-codecollection.git
+    {% endif %}
+    {% if ref %}
+    ref: {{ref}}
+    {% else %}
+    ref: main
+    {% endif %}
+    pathToRobot: codebundles/aws-c7n-security-hub/sli.robot
+  intervalStrategy: intermezzo
+  intervalSeconds: 600
+  configProvided:
+    - name: AWS_REGION
+      value: "{{match_resource.resource.region}}"
+    - name: AWS_ACCOUNT_ID
+      value: "{{match_resource.resource.account_id}}"
+  secretsProvided:
+    - name: AWS_ACCESS_KEY_ID
+      workspaceKey: {{custom.aws_access_key_id}}
+    - name: AWS_SECRET_ACCESS_KEY
+      workspaceKey: {{custom.aws_secret_access_key}}
+  alerts:
+    warning:
+      operator: '>'
+      threshold: '1'
+      for: '20m'
+    ticket:
+      operator: '>'
+      threshold: '1'
+      for: '40m'
+    page:
+      operator: '=='
+      threshold: '0'
+      for: ''

codebundles/aws-c7n-security-hub/.runwhen/templates/aws-c7n-security-hub-slx.yaml

@@ -0,0 +1,21 @@
+apiVersion: runwhen.com/v1
+kind: ServiceLevelX
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  imageURL: https://storage.googleapis.com/runwhen-nonprod-shared-images/icons/aws/Resource-Icons_06072024/Res_Security-Identity-Compliance/Res_AWS-Security-Hub_Finding_48.svg
+  alias: AWS Security Hub findings in AWS Account {{match_resource.resource.account_id}}
+  asMeasuredBy: The number of AWS Security Hub findings in AWS account {{match_resource.resource.account_id}}
+  configProvided:
+  - name: SLX_PLACEHOLDER
+    value: SLX_PLACEHOLDER
+  owners:
+  - {{workspace.owner_email}}
+  statement: List AWS Security Hub findings in the AWS account {{match_resource.resource.account_id}}
+  additionalContext:
+    region: "{{match_resource.resource.region}}"
+    account_id: "{{match_resource.resource.account_id}}"

codebundles/aws-c7n-security-hub/.runwhen/templates/aws-c7n-security-hub-taskset.yaml

@@ -0,0 +1,33 @@
+apiVersion: runwhen.com/v1
+kind: Runbook
+metadata:
+  name: {{slx_name}}
+  labels:
+    {% include "common-labels.yaml" %}
+  annotations:
+    {% include "common-annotations.yaml" %}
+spec:
+  location: {{default_location}}
+  description: List Security Hub findings in the AWS account {{match_resource.resource.account_id}}
+  codeBundle:
+    {% if repo_url %}
+    repoUrl: {{repo_url}}
+    {% else %}
+    repoUrl: https://github.com/runwhen-contrib/rw-c7n-codecollection.git
+    {% endif %}
+    {% if ref %}
+    ref: {{ref}}
+    {% else %}
+    ref: main
+    {% endif %}
+    pathToRobot: codebundles/aws-c7n-security-hub/runbook.robot
+  configProvided:
+    - name: AWS_REGION
+      value: "{{match_resource.resource.region}}"
+    - name: AWS_ACCOUNT_ID
+      value: "{{match_resource.resource.account_id}}"
+  secretsProvided:
+    - name: AWS_ACCESS_KEY_ID
+      workspaceKey: {{custom.aws_access_key_id}}
+    - name: AWS_SECRET_ACCESS_KEY
+      workspaceKey: {{custom.aws_secret_access_key}}

codebundles/aws-c7n-security-hub/.test/README.md

@@ -0,0 +1,102 @@
+### How to test this codebundle? 
+
+#### IAM User Configuration
+
+We create two distinct AWS IAM users with carefully scoped access:
+
+**CloudCustodian IAM User**
+
+Purpose: Service Level Indicator (SLI) monitoring and runbook automation and configured with least privilege access principles
+
+With the following policy:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+				"tag:GetResources",
+				"securityhub:GetFindings",
+				"s3:List*",
+				"s3:Get*",
+				"ec2:Describe*",
+				"iam:List*",
+				"iam:Get*",
+				"rds:Describe*",
+				"cloudwatch:Get*",
+				"cloudformation:Describe*",
+				"dynamodb:Scan",
+				"dynamodb:Describe*",
+				"lambda:List*",
+				"lambda:Get*",
+				"sns:List*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+**Note** Please ensure to update the policy whenever new resources are added to the `AWS_RESOURCE_PROVIDERS` list in the `sli.robot` and `runbook.robot`
+
+**Infrastructure Deployment User**
+
+Purpose: Cloud infrastructure provisioning and management using Terraform
+
+#### Credential Setup
+
+Navigate to the `.test/terraform` directory and configure two secret files for authentication:
+
+`cb.secret` - CloudCustodian and RunWhen Credentials
+
+Create this file with the following environment variables:
+
+	```sh
+	export RW_PAT=""
+	export RW_WORKSPACE=""
+	export RW_API_URL="papi.beta.runwhen.com"
+
+	export AWS_DEFAULT_REGION="us-west-2"
+	export AWS_ACCESS_KEY_ID=""
+	export AWS_SECRET_ACCESS_KEY=""
+	export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+	```
+
+
+`tf.secret` - Terraform Deployment Credentials
+
+Create this file with the following environment variables:
+
+	```sh
+	export AWS_DEFAULT_REGION=""
+	export AWS_ACCESS_KEY_ID=""
+	export AWS_SECRET_ACCESS_KEY=""
+	export AWS_SESSION_TOKEN="" # Optional: Include if using temporary credentials
+	```
+
+####  Testing Workflow
+
+1. Build test infra:
+	```sh
+		task build-infra
+	```	
+
+2. Generate RunWhen Configurations
+	```sh
+		tasks
+	```
+
+3. Upload generated SLx to RunWhen Platform
+
+	```sh
+		task upload-slxs
+	```
+
+4. At last, after testing, clean up the test infrastructure.
+
+    ```sh
+        task clean
+    ```
+