Skip to content

fix: Improve the SHARR notification messages to include more relevant info for administrators receiving the events #185 #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: Improve the SHARR notification messages to include more relevant info for administrators receiving the events #185 #186

wants to merge 1 commit into from

Conversation

@thesuavehog
Copy link

*Issue #185 *

Description of changes:

Added additional properties to the Notification that is sent by SHARR on the SNS Topic when a Remediation is initiated and it's state changes.

re: Testing ...This patch was pulled from a custom branch that I have been running in production for months now.

Added Properties:

  • account_alias - the alias of the account_id as returned from the organizations.list_accounts API
  • link - and http link in the form https://console.aws.amazon.com/securityhub/home?region={finding.region}#/findings?search={finding.id}' that provides a quick link to the full finding details.
    • Clicking the link takes you to whatever AWS Account you are logged in with but if you login first to the right Account and then click the link it's still much faster than copy-pasting and searching the Finding ID/ARN
  • note - the Note field from the Finding. This is found by looking up the Finding by it's ARN in Security Hub (securityhub.get_findings) and then reading the Note.Text value from it.
  • resource - either the AffectedObject from the the Notification payload, or the Resource Id from the Finding. This is very helpful when a batch of remediations are run to identify quickly which resource the remediation was for.

Permissions Changes

  • securityhub:GetFindings: required to lookup the Findings in Security Hub to get the Note off of it.
    • There is a graceful fallback if the permission is not enabled which will log an INFO level message and leave the note = '' if there is any error in reading the finding.
    • The permission is added in the SolutionDeployStack specifically for the SHARR_Orchestrator_Notifier policy.
  • organizations:ListAccounts: required to look up the Account Alias for the Account Id which is the target of the remediation.
    • There is a graceful fallback if the permission is not enabled which will log a WARN level message and set the account_alias to the account_id value so it is never empty.
    • The permission is added in the SolutionDeployStack specifically for the SHARR_Orchestrator_Notifier policy.

Example Notifications:
Account Id changed to a dummy value for this comment

{
  "severity": "INFO",
  "message": "Remediation queued for SC control EC2.7 in account 123456789001",
  "finding": {
    "finding_id": "04f78bbd-e10f-4a3e-b473-63a561c7b002",
    "finding_description": "This control checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default. The control fails if EBS default encryption is not enabled.",
    "standard_name": "security-control",
    "standard_version": "2.0.0",
    "standard_control": "EC2.7",
    "title": "EBS default encryption should be enabled",
    "region": "us-east-1",
    "account": "123456789001",
    "finding_arn": "arn:aws:securityhub:us-east-1:123456789001:security-control/EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002",
    "account_alias": "qcex-cloudformation-admin",
    "link": "https://console.aws.amazon.com/securityhub/home?region=us-east-1#/findings?search=Id%3D%255Coperator%255C%253AEQUALS%255C%253Aarn%253Aaws%253Asecurityhub%253Aus-east-1%253A123456789001%253Asecurity-control%252FEC2.7%252Ffinding%252F04f78bbd-e10f-4a3e-b473-63a561c7b002",
    "note": "",
    "resource": "123456789001"
  },
  "state": "QUEUED",
  "execution_id": "836c1d27-d8ca-44b2-8af0-11481cc2695c"
}
{
  "severity": "INFO",
  "message": "Remediation succeeded for SC control EC2.7 in account 123456789001: Remediation status: Success - please verify remediation (AwsAccount AWS::::Account:123456789001)",
  "finding": {
    "finding_id": "04f78bbd-e10f-4a3e-b473-63a561c7b002",
    "finding_description": "This control checks whether Amazon Elastic Block Store (EBS) encryption is enabled by default. The control fails if EBS default encryption is not enabled.",
    "standard_name": "security-control",
    "standard_version": "2.0.0",
    "standard_control": "EC2.7",
    "title": "EBS default encryption should be enabled",
    "region": "us-east-1",
    "account": "123456789001",
    "finding_arn": "arn:aws:securityhub:us-east-1:123456789001:security-control/EC2.7/finding/04f78bbd-e10f-4a3e-b473-63a561c7b002",
    "account_alias": "qcex-cloudformation-admin",
    "link": "https://console.aws.amazon.com/securityhub/home?region=us-east-1#/findings?search=Id%3D%255Coperator%255C%253AEQUALS%255C%253Aarn%253Aaws%253Asecurityhub%253Aus-east-1%253A123456789001%253Asecurity-control%252FEC2.7%252Ffinding%252F04f78bbd-e10f-4a3e-b473-63a561c7b002",
    "note": "",
    "resource": "AWS::::Account:123456789001"
  },
  "state": "SUCCESS",
  "execution_id": "836c1d27-d8ca-44b2-8af0-11481cc2695c"
}

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@thesuavehog
Copy link
Author

Closes #185

@tmekari tmekari added the triaged Has been triaged by solutions team label Dec 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

triaged Has been triaged by solutions team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thesuavehog @tmekari