Security Hub Collector

Description

This tool pulls findings from AWS Security Hub and outputs them for consumption by visualization tools. The mapping of teams to AWS accounts can be supplied either from an Athena table or from a JSON team map, and the prerequisites differ accordingly:

To configure with an Athena table:

  • an Athena table mapping teams to accounts that follows the format expected by the Athena library
  • an S3 bucket for Athena query outputs
  • a single IAM role that the collector can assume in every account listed in the Athena table

To configure with a JSON team map:

  • one or more IAM roles that the collector can assume in each account listed in the map of accounts to teams provided to the tool

Installation

    go get -u github.com/Enterprise-CMCS/mac-fc-security-hub-collector

With Go 1.18 or later, go get no longer builds or installs binaries; use go install with an explicit version (for example @latest) on the same module path instead.

Usage

security-hub-collector is a CLI for retrieving Security Hub findings for visualization.

To display a full list of CLI options, build the application and run security-hub-collector -h.

Run Docker Image Locally

To run the Docker image locally for testing, do the following:

  1. Create a file at the top level called docker-gitconfig with the following content, which rewrites GitHub URLs so that private Enterprise-CMCS modules can be fetched during the build:

    [url "https://<username>:<personal access token>@github.com/Enterprise-CMCS/"]
      insteadOf = https://github.com/Enterprise-CMCS/

     This file holds a personal access token in clear text: keep it out of version control, use a token scoped to read-only repository access, and revoke it when you are done testing.

  2. Build the image:

    docker build . -t local-collector-test

  3. Set AWS credentials in the environment (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN). Prefer short-lived credentials from an assumed role over long-lived access keys. The docker run commands below use -e without a value, which passes each variable through from your environment without putting the secret on the command line.

  4. Run the image:

     • using an Athena table:

    docker run \
      -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID \
      -e ATHENA_TEAMS_TABLE=athenacurcfn_cms_cloud_cur_monthly.teams \
      -e QUERY_OUTPUT_LOCATION=s3://cms-macbis-cost-analysis/professor-mac/teams-query/ \
      -e COLLECTOR_ROLE_PATH=delegatedadmin/developer/security-hub-collector \
      -e AWS_REGION=us-east-1 \
      -e S3_BUCKET=my-bucket \
      local-collector-test

     • using a team map:

    export BASE64_TEAM_MAP=$(cat team_map.json | base64)
    docker run \
      -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID \
      -e BASE64_TEAM_MAP \
      -e AWS_REGION=us-east-1 \
      -e S3_BUCKET=my-bucket \
      local-collector-test
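The team-map run mode above depends on BASE64_TEAM_MAP being a clean base64 string. GNU base64 wraps its output at 76 columns by default, so on Linux a team map longer than about 57 bytes picks up embedded newlines when encoded with a bare `base64`. The script below is an added example, not the project's own code: it encodes the file as a single line, decodes it back and compares it with the original before the container is started. The functions encode_team_map and verify_team_map are names chosen here, and the JSON team map is a constructed placeholder (the collector's real schema is not shown on this page).

```shell
#!/bin/sh
# Added example (not part of the security-hub-collector project): prepare
# BASE64_TEAM_MAP for the team-map run mode. The JSON below is a constructed
# placeholder used only to exercise the encoding; use your real team_map.json.

# Encode a file as a single line of base64. GNU base64 wraps at 76 columns by
# default, which would carry newlines into the environment variable; stripping
# them makes the result identical on GNU and BSD/macOS implementations.
encode_team_map() {
    base64 < "$1" | tr -d '\n'
}

# Decode the value back and compare it with the file so that a mangled or
# truncated variable is caught before docker run. Returns 0 on an exact match.
# (base64 -d is accepted by GNU coreutils and current macOS.)
verify_team_map() {
    file="$1"
    encoded="$2"
    [ "$(printf '%s' "$encoded" | base64 -d)" = "$(cat "$file")" ]
}

# Constructed sample: three placeholder account IDs mapped to team names.
# It is 73 bytes (100 base64 characters), long enough to trigger GNU wrapping.
sample_team_map='{"111111111111":"team-a","222222222222":"team-b","333333333333":"team-c"}'
tmp_map="$(mktemp)"
printf '%s' "$sample_team_map" > "$tmp_map"

BASE64_TEAM_MAP="$(encode_team_map "$tmp_map")"
if verify_team_map "$tmp_map" "$BASE64_TEAM_MAP"; then
    echo "BASE64_TEAM_MAP ready (${#BASE64_TEAM_MAP} chars, no newlines)"
    # Now export BASE64_TEAM_MAP and run the container as in step 4 above:
    # docker run -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID \
    #   -e BASE64_TEAM_MAP -e AWS_REGION=us-east-1 -e S3_BUCKET=my-bucket local-collector-test
else
    echo "team map round-trip failed" >&2
fi
rm -f "$tmp_map"
```

Run it with `sh prepare_team_map.sh` (any file name works) and then `export BASE64_TEAM_MAP` before the docker run from step 4; the round-trip check is cheap and avoids debugging a decode error inside the container.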

Terraform

The repo contains Terraform for:

  • an ECR repo that hosts the Collector image, deployed in the MACBIS Shared DSO Dev account. A team's AWS account ID must be on the access list to have permission to pull the Collector image; the access list is maintained via the ecr_read_account_ids variable in terraform/dev/account/terraform.tfvars. To request access, open a Jira ticket in the CMCS-MACBIS-DSO project.
  • the IAM resources needed for the build-and-push-dev workflow

GitHub Actions Workflows

build-and-push

This workflow builds the Collector image and pushes it to a private ECR registry in MACBIS Shared DSO dev, tagging the image with the commit SHA. The latest tag is deprecated and consumers should pin the SHA tag instead, but the image carrying the latest tag must not be removed from the ECR registry because it is still in use.

validate

This workflow runs pre-commit, the Go tests, and a Docker build on every pull request.