Merge pull request #89 from SumoLogic/sechub_timestamp_fix

Security Hub Timestamp fixed

.travis.yml

@@ -7,23 +7,22 @@ jobs:
   include:
   - stage: Node 8
     node_js: '8.10'
-    env: FUNCTION_DIR=cloudwatchlogs-with-dlq TEST_FILE=test_cwl_lambda.py NODE_VERSION="8.10"
+    env: FUNCTION_DIR=cloudwatchlogs-with-dlq TEST_DIR=cloudwatchlogs-with-dlq TEST_FILE=test_cwl_lambda.py NODE_VERSION="8.10"
   - stage: Node 8
     node_js: '8.10'
-    env: FUNCTION_DIR=loggroup-lambda-connector/test TEST_FILE=test_loggroup_lambda_connector.py NODE_VERSION="8.10"
+    env: FUNCTION_DIR=loggroup-lambda-connector TEST_DIR=loggroup-lambda-connector/test TEST_FILE=test_loggroup_lambda_connector.py NODE_VERSION="8.10"
   - stage: Node 6
     node_js: '6.10'
-    env: FUNCTION_DIR=cloudwatchlogs-with-dlq TEST_FILE=test_cwl_lambda.py NODE_VERSION="6.10"
+    env: FUNCTION_DIR=cloudwatchlogs-with-dlq TEST_DIR=cloudwatchlogs-with-dlq TEST_FILE=test_cwl_lambda.py NODE_VERSION="6.10"
   - stage: Node 6
     node_js: '6.10'
-    env: FUNCTION_DIR=loggroup-lambda-connector/test TEST_FILE=test_loggroup_lambda_connector.py NODE_VERSION="6.10"
+    env: FUNCTION_DIR=loggroup-lambda-connector TEST_DIR=loggroup-lambda-connector/test TEST_FILE=test_loggroup_lambda_connector.py NODE_VERSION="6.10"
 before_install:
 - sudo apt-get install python-pip
-- cd $FUNCTION_DIR
-- sudo pip install -r requirements.txt
+- cd $TEST_DIR && sudo pip install -r requirements.txt && cd -
 script:
-- npm run build
-- python $TEST_FILE
+- cd $FUNCTION_DIR && npm run build && cd -
+- cd $TEST_DIR && python $TEST_FILE && cd -
 env:
   global:
   - secure: iGATK/X1PfH8FCJlUpBbJ//mQ57QBQT0jETyDDH2r+GxZxXPnFS46ugPGsWTX0IDDEGjXE+/P6wnm0ORo7aa3yp7DZnfWFDyrgFchgUo1p3unt5sQcHg/9mitkQF7lHFlnAqM1D69AEGP5WU63m/9xQoj0BVYCVb2eUEqatV1AU8lpvRAkFc2juumy1ba4skoDFLOtrsaO2k+SCCBfMKq2SOJkcPnfMZGTOT7niaNnNAZSDYDovAlMYaLDOR10EMUAyklnmmAADyDxNRwSSAG8JKJMmfxSqIe4+s7xjqztjtkApWmEAjevDLpc62v1TWe0O2zCxnb4E4EBN6A31R1XJha4i/IKSeVL99J9X8aV1wIb9feV85qmZmlxVL2EU7/CcFGTdKeAak3qQWHZ1C6X32TBB6x5C0qASSC/x5pwDDJIOyeZr0Z93+dDhnBLNmzz8sA3h7AyzQZfhTqG/f4/SOgxTf7aF13X8BKuoM8BaGfXjy0keaVb0xbTjtDvi9F21EymWPdwNlQHsKca+EcTT2KE3mwFNrHAsTeNhGzMbrzmbZzvNHlmIwjB1C5l9h4GpUkxNb/mqi9SBTx9YfDIgz0bDOds1T92tGIAcBaHfJLTjc2JIgxwgdL13X3cL8GJBiFFwiJqiKJCSz4SxhWqsrrbsGSQBUqN5UoSsyKco=

cloudwatchevents/guardduty/cloudwatchevents.json

@@ -0,0 +1,139 @@
+{
+
+        "AWSTemplateFormatVersion": "2010-09-09",
+        "Outputs": {
+            "CloudWatchEventFunction": {
+                "Description": "CloudWatchEvent Processor Function ARN",
+                "Value": {
+                    "Fn::GetAtt": [
+                        "CloudWatchEventFunction",
+                        "Arn"
+                    ]
+                },
+                "Export" : {
+                    "Name" : { "Fn::Join": [ "-", [ "CloudWatchEventFunctionArn", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] }
+                }
+            }
+        },
+        "Mappings" : {
+            "RegionMap" : {
+                "us-east-1": {"bucketname": "appdevzipfiles-us-east-1"},
+                "us-east-2": {"bucketname": "appdevzipfiles-us-east-2"},
+                "us-west-1": {"bucketname": "appdevzipfiles-us-west-1"},
+                "us-west-2": {"bucketname": "appdevzipfiles-us-west-2"},
+                "ap-south-1": {"bucketname": "appdevzipfiles-ap-south-1"},
+                "ap-northeast-2": {"bucketname": "appdevzipfiles-ap-northeast-2"},
+                "ap-southeast-1": {"bucketname": "appdevzipfiles-ap-southeast-1"},
+                "ap-southeast-2": {"bucketname": "appdevzipfiles-ap-southeast-2"},
+                "ap-northeast-1": {"bucketname": "appdevzipfiles-ap-northeast-1"},
+                "ca-central-1": {"bucketname": "appdevzipfiles-ca-central-1"},
+                "eu-central-1": {"bucketname": "appdevzipfiles-eu-central-1"},
+                "eu-west-1": {"bucketname": "appdevzipfiles-eu-west-1"},
+                "eu-west-2": {"bucketname": "appdevzipfiles-eu-west-2"},
+                "eu-west-3": {"bucketname": "appdevzipfiles-eu-west-3"},
+                "eu-north-1": {"bucketname": "appdevzipfiles-eu-north-1s"},
+                "sa-east-1": {"bucketname": "appdevzipfiles-sa-east-1"}
+            }
+        },
+        "Resources": {
+            "CloudWatchEventFunctionCloudWatchEventTrigger": {
+                "Type": "AWS::Events::Rule",
+                "Properties": {
+                    "EventPattern": {
+                        "source": [
+                            "aws.guardduty"
+                        ]
+                    },
+                    "Targets": [
+                        {
+                            "Id": "CloudWatchEventFunctionCloudWatchEventTriggerLambdaTarget",
+                            "Arn": {
+                                "Fn::GetAtt": [
+                                    "CloudWatchEventFunction",
+                                    "Arn"
+                                ]
+                            }
+                        }
+                    ]
+                }
+            },
+            "CloudWatchEventFunction": {
+                "Type": "AWS::Lambda::Function",
+                "Properties": {
+                    "Code": {
+                        "S3Bucket": { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "bucketname"]},
+                        "S3Key": "guardduty.zip"
+                    },
+                    "Tags": [
+                        {
+                            "Value": "SAM",
+                            "Key": "lambda:createdBy"
+                        }
+                    ],
+                    "Environment": {
+                        "Variables": {
+                            "SUMO_ENDPOINT": {
+                                "Ref": "SumoEndpointUrl"
+                            }
+                        }
+                    },
+                    "Handler": "cloudwatchevents.handler",
+                    "Role": {
+                        "Fn::GetAtt": [
+                            "CloudWatchEventFunctionRole",
+                            "Arn"
+                        ]
+                    },
+                    "Timeout": 300,
+                    "Runtime": "nodejs8.10"
+                }
+            },
+            "CloudWatchEventFunctionCloudWatchEventTriggerPermission": {
+                "Type": "AWS::Lambda::Permission",
+                "Properties": {
+                    "Action": "lambda:invokeFunction",
+                    "Principal": "events.amazonaws.com",
+                    "FunctionName": {
+                        "Ref": "CloudWatchEventFunction"
+                    },
+                    "SourceArn": {
+                        "Fn::GetAtt": [
+                            "CloudWatchEventFunctionCloudWatchEventTrigger",
+                            "Arn"
+                        ]
+                    }
+                }
+            },
+            "CloudWatchEventFunctionRole": {
+                "Type": "AWS::IAM::Role",
+                "Properties": {
+                    "ManagedPolicyArns": [
+                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+                    ],
+                    "AssumeRolePolicyDocument": {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Action": [
+                                    "sts:AssumeRole"
+                                ],
+                                "Effect": "Allow",
+                                "Principal": {
+                                    "Service": [
+                                        "lambda.amazonaws.com"
+                                    ]
+                                }
+                            }
+                        ]
+                    }
+                }
+            }
+        },
+        "Description": "This function is invoked by AWS CloudWatch events in response to state change in your AWS resources which matches a event target definition. The event payload received is then forwarded to Sumo Logic HTTP source endpoint.\n",
+        "Parameters": {
+            "SumoEndpointUrl": {
+                "Type": "String"
+            }
+        }
+
+}

cloudwatchevents/package.json

@@ -11,10 +11,14 @@
     "test": "cd guardduty && sam local invoke CloudWatchEventFunction -e event.json",
     "build_guardduty": "cd guardduty && sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET  --output-template-file packaged.yaml",
     "deploy_guardduty": "cd guardduty && sam deploy --template-file packaged.yaml --stack-name testingguarddutylambda --capabilities CAPABILITY_IAM --parameter-overrides SumoEndpointUrl=$SUMO_ENDPOINT",
-    "view_deploy_logs": "aws cloudformation describe-stack-events --stack-name testingguarddutylambda"
+    "view_deploy_logs": "aws cloudformation describe-stack-events --stack-name testingguarddutylambda",
+    "build_zip": "rm -f guardduty.zip && cd src && zip ../guardduty.zip cloudwatchevents.js && cd ..",
+    "build_temp": "aws cloudformation get-template --stack-name testingguarddutylambda  --region $AWS_REGION"
   },
   "keywords": [
     "lambda",
     "cloudwatch-events"
   ]
 }
+
+

cloudwatchlogs-with-dlq/DLQLambdaCloudFormation.json

@@ -46,6 +46,7 @@
             "eu-west-1": {"bucketname": "appdevzipfiles-eu-west-1"},
             "eu-west-2": {"bucketname": "appdevzipfiles-eu-west-2"},
             "eu-west-3": {"bucketname": "appdevzipfiles-eu-west-3"},
+            "eu-north-1": {"bucketname": "appdevzipfiles-eu-north-1s"},
             "sa-east-1": {"bucketname": "appdevzipfiles-sa-east-1"}
         }
     },

cloudwatchlogs-with-dlq/package.json

@@ -10,7 +10,7 @@
   "devDependencies": {},
   "scripts": {
     "test": "node -e 'require('./test').test()'",
-    "build": "rm -f cloudwatchlogs-with-dlq.zip && zip -r cloudwatchlogs-with-dlq.zip DLQProcessor.js cloudwatchlogs_lambda.js vpcutils.js package.json sumo-dlq-function-utils/ node_modules/",
+    "build": "rm -f cloudwatchlogs-with-dlq.zip && npm install && zip -r cloudwatchlogs-with-dlq.zip DLQProcessor.js cloudwatchlogs_lambda.js vpcutils.js package.json sumo-dlq-function-utils/ node_modules/",
     "prod_deploy": "python -c 'from test_cwl_lambda import prod_deploy;prod_deploy()'"
   },
   "author": "Himanshu Pal",

deploy_function.py

@@ -0,0 +1,99 @@
+import boto3
+import os
+from argparse import ArgumentParser
+
+regions = [
+        "us-east-2",
+        "us-east-1",
+        "us-west-1",
+        "us-west-2",
+        "ap-south-1",
+        "ap-northeast-2",
+        "ap-southeast-1",
+        "ap-southeast-2",
+        "ap-northeast-1",
+        "ca-central-1",
+        # "cn-north-1",
+        "eu-central-1",
+        "eu-west-1",
+        "eu-west-2",
+        "eu-west-3",
+        "eu-north-1",
+        "sa-east-1"
+    ]
+
+
+def get_bucket_name(bucket_prefix, region):
+    if region == "eu-north-1":
+        return '%s-%ss' % (bucket_prefix, region)
+    return '%s-%s' % (bucket_prefix, region)
+
+
+def upload_code_in_multiple_regions(filepath, bucket_prefix):
+
+    for region in regions:
+        upload_code_in_S3(filepath, get_bucket_name(bucket_prefix, region), region)
+
+
+def create_buckets(bucket_prefix):
+    for region in regions:
+        s3 = boto3.client('s3', region)
+        bucket_name = get_bucket_name(bucket_prefix, region)
+        try:
+            if region == "us-east-1":
+                response = s3.create_bucket(Bucket=bucket_name) # the operation is idempotent
+            else:
+                response = s3.create_bucket(Bucket=bucket_name,
+                                            CreateBucketConfiguration={
+                                                'LocationConstraint': region
+                                            })
+            print("Creating bucket", region, response)
+        except:
+            pass
+
+
+def upload_code_in_S3(filepath, bucket_name, region):
+    print("Uploading zip file in S3", region)
+    s3 = boto3.client('s3', region)
+    filename = os.path.basename(filepath)
+    s3.upload_file(filepath, bucket_name, filename,
+                   ExtraArgs={'ACL': 'public-read'})
+
+
+def upload_cftemplate(templatepath, bucket_name, region='us-east-1'):
+    print("Uploading template file in S3")
+    s3 = boto3.client('s3', region)
+    filename = os.path.basename(templatepath)
+    s3.upload_file(templatepath, bucket_name, filename,
+                   ExtraArgs={'ACL': 'public-read'})
+
+
+if __name__ == '__main__':
+
+    parser = ArgumentParser()
+    parser.add_argument("-t", "--templatefile", dest="templatefile",
+                        help="CF template")
+
+    parser.add_argument("-z", "--zipfile", dest="zipfile",
+                        help="deployment package")
+
+    parser.add_argument("-d", "--deployment", dest="deployment", default="dev",
+                        help="aws account type")
+
+    args = parser.parse_args()
+    if args.deployment == "prod":
+        zip_bucket_prefix = "appdevzipfiles"
+        template_bucket = "appdev-cloudformation-templates"
+    else:
+        zip_bucket_prefix = "appdevstore"
+        template_bucket = "cf-templates-5d0x5unchag-us-east-1"
+
+    if not os.path.isfile(args.templatefile):
+        raise Exception("templatefile does not exists")
+    if not os.path.isfile(args.zipfile):
+        raise Exception("zipfile does not exists")
+
+    create_buckets(zip_bucket_prefix)
+    upload_code_in_multiple_regions(args.zipfile, zip_bucket_prefix)
+    upload_cftemplate(args.templatefile, template_bucket)
+    print("Deployment Successfull: ALL files copied to %s" % args.deployment)

loggroup-lambda-connector/test/test_loggroup_lambda_connector.py

@@ -220,7 +220,8 @@ def upload_code_in_S3(region):
     s3 = boto3.client('s3', region)
     bucket_name = get_bucket_name(region)
     filename = TestLambda.ZIP_FILE
-    s3.upload_file(filename, bucket_name, filename,
+    key = os.path.basename(filename)
+    s3.upload_file(filename, bucket_name, key,
                    ExtraArgs={'ACL': 'public-read'})
 
 
@@ -230,9 +231,10 @@ def prod_deploy():
     upload_code_in_multiple_regions()
     print("Uploading template file in S3")
     s3 = boto3.client('s3', "us-east-1")
-    filename = 'loggroup-lambda-cft.json'
+    filename = os.path.join('test', 'loggroup-lambda-cft.json')
     bucket_name = "appdev-cloudformation-templates"
-    s3.upload_file(filename, bucket_name, filename,
+    key = os.path.basename(filename)
+    s3.upload_file(filename, bucket_name, key,
                    ExtraArgs={'ACL': 'public-read'})
     print("Deployment Successfull: ALL files copied to Sumocontent")
 

securityhub-collector/sam/create_layer.sh

@@ -1,10 +1,26 @@
-mkdir python
-cd python
-pip install -r ../requirements.txt -t ./
-zip -r ../securityhub_deps.zip .
-cd ..
-aws s3 cp securityhub_deps.zip s3://appdevstore/ --region us-east-1
+#!bash/bin
 
-aws lambda publish-layer-version --layer-name securityhub_deps --description "contains securityhub solution dependencies" --license-info "MIT" --content S3Bucket=appdevstore,S3Key=securityhub_deps.zip --compatible-runtimes python3.7 python3.6 --region us-east-1
+if [ ! -f securityhub_deps.zip ]; then
+    echo "creating zip file"
+    mkdir python
+    cd python
+    pip install -r ../requirements.txt -t ./
+    zip -r ../securityhub_deps.zip .
+    cd ..
+fi
 
-aws lambda add-layer-version-permission --layer-name securityhub_deps  --statement-id securityhub-deps --version-number 3 --principal '*' --action lambda:GetLayerVersion --region us-east-1
+declare -a regions=("us-east-2" "us-east-1" "us-west-1" "us-west-2" "ap-south-1" "ap-northeast-2" "ap-southeast-1" "ap-southeast-2" "ap-northeast-1" "ca-central-1" "eu-central-1" "eu-west-1" "eu-west-2" "eu-west-3" "sa-east-1")
+
+for i in "${regions[@]}"
+do
+    echo "Deploying layer in $i"
+    bucket_name="appdevzipfiles-$i"
+    aws s3 cp securityhub_deps.zip s3://$bucket_name/ --region $i
+
+    aws lambda publish-layer-version --layer-name securityhub_deps --description "contains securityhub solution dependencies" --license-info "MIT" --content S3Bucket=$bucket_name,S3Key=securityhub_deps.zip --compatible-runtimes python3.7 python3.6 --region $i
+
+    aws lambda add-layer-version-permission --layer-name securityhub_deps  --statement-id securityhub-deps --version-number 1 --principal '*' --action lambda:GetLayerVersion --region $i
+done
+
+# aws lambda remove-layer-version-permission --layer-name securityhub_deps --version-number 1 --statement-id securityhub-deps --region us-east-1
+# aws lambda get-layer-version-policy --layer-name securityhub_deps --region us-east-1

securityhub-collector/sam/packaged.yaml

@@ -22,7 +22,7 @@ Parameters:
 Resources:
   SecurityHubCollectorFunction:
     Properties:
-      CodeUri: s3://appdevstore/d6d324a075082bfb9446aa118eeb64c6
+      CodeUri: s3://appdevstore/cc901e7163326ccceb15877d3cc3fe9a
       Environment:
         Variables:
           LOCK_TABLE:
@@ -31,7 +31,7 @@ Resources:
             Ref: S3SourceBucketName
       Handler: securityhub_collector.lambda_handler
       Layers:
-      - arn:aws:lambda:us-east-1:956882708938:layer:securityhub_deps:1
+      - Fn::Sub: arn:aws:lambda:${AWS::Region}:956882708938:layer:securityhub_deps:1
       MemorySize: 128
       Policies:
       - Statement:
@@ -86,7 +86,7 @@ Resources:
     Type: AWS::DynamoDB::Table
   SecurityHubSchedulerFunction:
     Properties:
-      CodeUri: s3://appdevstore/d6d324a075082bfb9446aa118eeb64c6
+      CodeUri: s3://appdevstore/cc901e7163326ccceb15877d3cc3fe9a
       Environment:
         Variables:
           LOCK_TABLE:
@@ -100,7 +100,7 @@ Resources:
           Type: Schedule
       Handler: securityhub_scheduler.lambda_handler
       Layers:
-      - arn:aws:lambda:us-east-1:956882708938:layer:securityhub_deps:3
+      - Fn::Sub: arn:aws:lambda:${AWS::Region}:956882708938:layer:securityhub_deps:1
       MemorySize: 128
       Policies:
       - Statement: