fix: Improve the SHARR notification messages to include more relevant info for administrators receiving the events #185 #186
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
*Issue #185 *
Description of changes:
Added additional properties to the Notification that is sent by SHARR on the SNS Topic when a Remediation is initiated and it's state changes.
re: Testing ...This patch was pulled from a custom branch that I have been running in production for months now.
Added Properties:
account_alias- the alias of theaccount_idas returned from theorganizations.list_accountsAPIlink- andhttplink in the formhttps://console.aws.amazon.com/securityhub/home?region={finding.region}#/findings?search={finding.id}'that provides a quick link to the full finding details.note- theNotefield from the Finding. This is found by looking up the Finding by it's ARN in Security Hub (securityhub.get_findings) and then reading theNote.Textvalue from it.resource- either theAffectedObjectfrom the the Notification payload, or the Resource Id from the Finding. This is very helpful when a batch of remediations are run to identify quickly which resource the remediation was for.Permissions Changes
securityhub:GetFindings: required to lookup the Findings in Security Hub to get the Note off of it.note = ''if there is any error in reading the finding.SolutionDeployStackspecifically for theSHARR_Orchestrator_Notifierpolicy.organizations:ListAccounts: required to look up the Account Alias for the Account Id which is the target of the remediation.account_aliasto theaccount_idvalue so it is never empty.SolutionDeployStackspecifically for theSHARR_Orchestrator_Notifierpolicy.Example Notifications:
Account Id changed to a dummy value for this comment
{ "severity": "INFO", "message": "Remediation queued for SC control EC2.7 in account 123456789001", "finding": { "finding_id": "04f78bbd-e10f-4a3e-b473-63a561c7b002", "finding_description": "This control checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default. The control fails if EBS default encryption is not enabled.", "standard_name": "security-control", "standard_version": "2.0.0", "standard_control": "EC2.7", "title": "EBS default encryption should be enabled", "region": "us-east-1", "account": "123456789001", "finding_arn": "arn:aws:securityhub:us-east-1:123456789001:security-control/EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002", "account_alias": "qcex-cloudformation-admin", "link": "https://console.aws.amazon.com/securityhub/home?region=us-east-1#/findings?search=Id%3D%255Coperator%255C%253AEQUALS%255C%253Aarn%253Aaws%253Asecurityhub%253Aus-east-1%253A123456789001%253Asecurity-control%252FEC2.7%252Ffinding%252F04f78bbd-e10f-4a3e-b473-63a561c7b002", "note": "", "resource": "123456789001" }, "state": "QUEUED", "execution_id": "836c1d27-d8ca-44b2-8af0-11481cc2695c" }{ "severity": "INFO", "message": "Remediation succeeded for SC control EC2.7 in account 123456789001: Remediation status: Success - please verify remediation (AwsAccount AWS::::Account:123456789001)", "finding": { "finding_id": "04f78bbd-e10f-4a3e-b473-63a561c7b002", "finding_description": "This control checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default. The control fails if EBS default encryption is not enabled.", "standard_name": "security-control", "standard_version": "2.0.0", "standard_control": "EC2.7", "title": "EBS default encryption should be enabled", "region": "us-east-1", "account": "123456789001", "finding_arn": "arn:aws:securityhub:us-east-1:123456789001:security-control/EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002", "account_alias": "qcex-cloudformation-admin", "link": "https://console.aws.amazon.com/securityhub/home?region=us-east-1#/findings?search=Id%3D%255Coperator%255C%253AEQUALS%255C%253Aarn%253Aaws%253Asecurityhub%253Aus-east-1%253A123456789001%253Asecurity-control%252FEC2.7%252Ffinding%252F04f78bbd-e10f-4a3e-b473-63a561c7b002", "note": "", "resource": "AWS::::Account:123456789001" }, "state": "SUCCESS", "execution_id": "836c1d27-d8ca-44b2-8af0-11481cc2695c" }By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.