
Commit 73e7c6b

Merge pull request #1 from PaloAltoNetworks/initial_setup
Initial setup
2 parents 72eed14 + 691f3de commit 73e7c6b

50 files changed

Lines changed: 5945 additions & 0 deletions


AWS/README.md

Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
# Prisma Cloud AWS Remediation
2+
3+
![Diagram](images/prisma_lambda_diagram.jpg)
4+
5+
## Setup
6+
Please see the [Setup Guide](docs/setup.md).
7+
8+
## How it works
9+
The Prisma Cloud platform sends alert messages to an AWS SQS Queue. SQS invokes a lambda function (index.py). The function then calls the appropriate runbook script to remediate the alert(s).
10+
11+
The `lambda_package` consists of two main components: `index.py` and `runbook`.
12+
13+
### index.py
14+
This is the lambda function handler. It does the following:
15+
- Parse/simplify the raw alert message.
16+
- Generate boto3 session based on the account ID and region. If the resource is located in another AWS account, lambda function will do `sts.assumeRole` and build the session to handle the remediation.
17+
- Trigger corresponding runbook.
18+
19+
The `parsed_alert` message has the following structure:
20+
21+
```
22+
- resource_id : AWS resource ID.
23+
- alert_id : Prisma Cloud alert ID.
24+
- account
25+
+ name : Account name.
26+
+ account_number : AWS account number ID.
27+
- region : AWS region code. (Example: us-east-1)
28+
- runbook_id : Converted Prisma Cloud policy ID to runbook ID. (Example: AWS-EC2-001)
29+
- metadata : Alert metadata object.
30+
```
31+
32+
### Runbook
33+
All remediation scripts/runbooks will be in this folder. Each runbook corresponds to a particular policy ID.
34+
35+
The runbook itself looks like:
36+
37+
```
38+
"""
39+
Remediate Prisma Cloud Policy:
40+
41+
AWS:SVC-000 Policy Title
42+
43+
Description:
44+
45+
Remediation description..
46+
47+
Required Permissions:
48+
49+
- ec2:Describe..
50+
- ec2:Modify..
51+
52+
Sample IAM Policy:
53+
54+
{
55+
"Version": "2012-10-17",
56+
"Statement": [
57+
{
58+
"Sid": "EC2Permissions",
59+
"Action": [
60+
"ec2:Describe..,"
61+
"ec2:Modify.."
62+
],
63+
"Effect": "Allow",
64+
"Resource": "*"
65+
}
66+
]
67+
}
68+
"""
69+
70+
import boto3
71+
from botocore.exceptions import ClientError
72+
73+
74+
def remediate(session, alert, lambda_context):
75+
"""
76+
Main Function invoked by index.py
77+
"""
78+
79+
# Data from the alert
80+
resource_id = alert['resource_id']
81+
region = alert['region']
82+
83+
# Create EC2 client session
84+
ec2 = session.client('ec2', region_name=region)
85+
86+
# Remediation check
87+
try:
88+
response = ec2.describe..
89+
except ClientError as e:
90+
print(e.response['Error']['Message'])
91+
return
92+
93+
# Remediate
94+
if response == None:
95+
result = ec2_fix_it(ec2, resource_id)
96+
97+
return
98+
99+
100+
def ec2_fix_it(ec2, resource_id):
101+
"""
102+
EC2 Fix it!
103+
"""
104+
105+
try:
106+
result = ec2.modify..
107+
except ClientError as e:
108+
print(e.response['Error']['Message'])
109+
110+
else:
111+
print('EC2 fixed resource {}.'.format(resource_id))
112+
113+
return
114+
115+
```
116+
117+
Notice the following:
118+
- **remediate**: is the function that will be invoked by `index.py`.
119+
- **session**: boto3 session, already tied to a region where the resource in the alert resides.
120+
- **alert**: See `parsed_alert` message.
121+
- **lambda_context**: The context object contains useful info about the lambda function. More info can be found in the following [AWS Documentation](https://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html)
122+
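Review bot: in the runbook template's `remediate()`, the check `if response == None:` never fires for a boto3 describe call, which returns a dict (or raises), and the comparison should be `is None` in any case; replace the placeholder with an explicit test of the returned attribute so the template shows how the "already compliant" case is decided. Related: both `except ClientError` blocks print the error message and return `None`, so `index.py` cannot tell a failed remediation from a successful one; have `remediate()` return a status or re-raise so a failed run is not treated as handled. The sample IAM policy also has the comma inside the string (`"ec2:Describe..,"`), which makes the JSON invalid if copied, and grants `"Resource": "*"`; the text should say that runbooks scope `Resource` wherever the EC2 action supports resource-level permissions.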

AWS/docs/setup.md

Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
# Setup Guide
2+
3+
## Overview
4+
- Build the Lambda remediation infrastructure using a CloudFormation template in your Parent AWS account.
5+
- (Optional) Create an IAM Role and Policy in target (Child) AWS accounts using a CloudFormation template.
6+
- Integrate Prisma Cloud to send alerts to the Lambda remediation infrastructure.
7+
8+
---
9+
10+
## Step 1 - Create Prisma Cloud Remediation Stack
11+
[![Launch Button](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=PrismaRemediation&templateURL=https://prisma-remediation-us-west-2.s3-us-west-2.amazonaws.com/templates/cloudformation_prisma_template.json)
12+
13+
This CloudFormation stack creates the following resources in the Oregon (us-west-2) region:
14+
- AWS SQS Queue
15+
- AWS IAM Role and Policy to be used by Lambda (See [iam_role_permission.json](../templates/iam_role_permission.json))
16+
- AWS Lambda package containing the runbook scripts to remediate Prisma Cloud alerts.
17+
18+
19+
## Step 2 - Setup IAM Permissions
20+
21+
### Single Account Setup
22+
To remediate a single AWS account, you're done. You can skip this step and move on to step 3, Prisma Cloud Integration.
23+
24+
### Multi Account Setup
25+
The account where the stack is launched (in step 1) can be considered the **Parent** account. All other accounts are called **Child** or **Target** accounts.
26+
27+
The Parent account will need permission to change/modify AWS resources in your Child account(s). Next, we'll create a Role that allows the lambda function to perform the remediation.
28+
29+
When you created the CloudFormation stack in step 1, one of the parameters was called `CrossAccountRoleName` (The default name is **CrossAccountRemediationRole**). Use the same name when using the CloudFormation template below to create the IAM Role in your Chlid account(s).
30+
31+
For Multi Account Setup, you will need to create this IAM Role in each Child/Target AWS account.
32+
33+
[![Launch Button](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=PrismaChlidRemediationRole&templateURL=https://prisma-remediation-us-west-2.s3-us-west-2.amazonaws.com/templates/cloudformation_role_template.json)
34+
35+
This CloudFormation stack creates the following resources in the Oregon (us-west-2) region:
36+
- AWS IAM Role and Policy to be used by Lambda (See [iam_role_permission.json](../templates/iam_role_permission.json))
37+
38+
39+
## Step 3 - Prisma Cloud Integration
40+
You will need to get the **PrismaRemediationSQSQueue** URL from the Output section of the CloudFormation stack created in step 1.
41+
- Go to the AWS CloudFormation Dashboard. https://us-west-2.console.aws.amazon.com/cloudformation
42+
- Click on the Prisma Remediation stack name.
43+
- Select the **Outputs** tab.
44+
- Take note of the **PrismaRemediationSQSQueue** URL.
45+
46+
Create a new Prisma Cloud Integration:
47+
48+
- Login to the Prisma Cloud console.
49+
- From the left-side window pane, slect **Settings**.
50+
- Choose **Integrations**.
51+
- Near the top of the window, click **Add new**.
52+
- Fill out the **Integration name** and **Queue URL** fields, then click Next. Use the SQS Queue URL from the Output of your CloudFormation stack.
53+
- Click **Test**, then Save.
54+
55+
Create a new Prisma Cloud Alert rule:
56+
57+
- Login to the Prisma Cloud console.
58+
- From the left-side window pane, slect **Alerts**.
59+
- Choose **Alert rules**.
60+
- Near the top of the window, click **Add new**.
61+
- Fill out the **Alert name** field, then click Next.
62+
- Select the account group(s), and Next. These are the AWS accounts you're setting up for remediation.
63+
- Choose the Policies you'd like to remediate, then Next.
64+
- Enable **Amazon SQS** queue and select the integration you created above.
65+
- Save your new Alert rule.
66+
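Review bot: the Multi Account Setup section says the Child role "allows the lambda function to perform the remediation" but never states the role's trust relationship, so a reader cannot check that the role trusts only the Parent account's Lambda execution role (or whether the template sets an ExternalId); add a sentence describing the trust policy that `cloudformation_role_template.json` creates. Also, both stacks are described as creating an "AWS IAM Role and Policy ... in the Oregon (us-west-2) region", but IAM roles are global, so the region qualifier is misleading for the role. Typos in the hunk: "Chlid" (twice, including the stack name in the launch URL, `stackName=PrismaChlidRemediationRole`) and "slect" (twice).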

AWS/lambda_package/README.md

Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
## Runbooks
2+
3+
Runbook | Description | CIS | Prisma Cloud Id
4+
:-----------:|:------------|-----|:-----------------------:
5+
**CloudFormation**
6+
AWS-CFM-003 | Enable CloudFormation Stack termination protection. | | n/a
7+
**CloudTrail**
8+
AWS-CLT-002 | Encrypt CloudTrail S3 logs with a KMS Customer Managed Key (CMK). | 2.7 | c2b84f89-7ec8-473e-a6af-404feeeb96c5
9+
AWS-CLT-004 | Integrate CloudTrail with CloudWatch Logs. Creates (if needed) the necessary IAM Policy and CloudWatch Logs group. | 2.4 | 962e0daa-3c2d-4d79-9a5f-e0bf8fd4bb3b
10+
AWS-CLT-005 | Enable CloudTrail log file validation. | 2.2 | 38e3d3cf-b694-46ec-8bd2-8f02194b5040
11+
AWS-CLT-006 | Remove CloudTrail S3 bucket ACL Public policy. | 2.3 | a5fe47e1-54f3-47e1-a2a3-deedfb2f70b2
12+
**Config**
13+
AWS-CONFIG-001 | Enable Config. Creates (if needed) the necessary IAM Role and S3 Bucket/ Policy. | 2.5 | n/a
14+
**ELB**
15+
AWS-ELB-009 | Enable ELB (Classic) Connection Draining. | | 7eb7f61e-df59-42d4-8236-7d012f278fa6
16+
AWS-ELB-012 | Enable ELB (Classic) Cross-Zone Load Balancing. | | 551ee7ba-edb6-468e-a018-8774da9b1e85
17+
AWS-ELB-013 | Enable ELB (Classic) Access Logs. Creates (if needed) an ELB logs S3 bucket for the region. | | b675c604-e886-43aa-a60f-a9ad1f3742d3
18+
AWS-ELB-015 | Enable Application ELB (elbv2) Access Logs. Creates (if needed) an ELB logs S3 bucket for the region. | | f2a2bcf1-2966-4cb5-9230-bd39c9903a02
19+
**EC2**
20+
AWS-EC2-001 | Create an EBS snapshot if a snapshot doesn't exist, or is older than 15 days. | | n/a
21+
AWS-EC2-002 | Remove EC2 security group rules containing global access to TCP port 22 (SSH). | 4.1 | 617b9138-584b-4e8e-ad15-7fbabafbed1a
22+
AWS-EC2-003 | Remove EC2 security group rules containing global access to TCP port 23 (Telnet). | | 519456f2-f9eb-407b-b32d-064f1ac7f0ca
23+
AWS-EC2-004 | Remove EC2 security group rules containing global access to TCP port 3389 (RDP). | 4.2 | b82f90ce-ed8b-4b49-970c-2268b0a6c2e5
24+
AWS-EC2-009 | Remove EC2 security group rules containing global access to TCP port 3306 (MySQL). | | 65daa6a0-e040-434e-aca3-9d5765c96e7c
25+
AWS-EC2-010 | Remove EC2 security group rules containing global access to TCP port 5432 (PostgreSQL). | | 3b642d25-4534-487a-9399-c2622754ecb5
26+
AWS-EC2-011 | Remove EC2 security group rules containing global access to TCP port 1433 (SQLServer). | | 760f2823-997e-495f-a538-5fb073c0ee78
27+
AWS-EC2-013 | Remove EC2 security group rules containing global access to TCP port 4333 (MYSQL). | | ab7f8eda-18ab-457c-b5d3-fd4f53c722bc
28+
AWS-EC2-014 | Remove EC2 security group rules containing global access to TCP port 5500 (VNC Listener). | | 8dd9e369-0c09-4477-97a2-ff0d50507fe2
29+
AWS-EC2-015 | Remove EC2 security group rules containing global access to TCP port 5900 (VNC Server). | | 89cbc2f1-fcb0-48b9-be71-4cbe2d18a5f7
30+
AWS-EC2-019 | Remove EC2 security group rules containing global access to TCP port 21 (FTP). | | 14d10ad2-51df-4b07-be69-e94951cc7067
31+
AWS-EC2-020 | Remove EC2 security group rules containing global access to TCP port 20 (FTP-Data). | | cdcd663c-e9c9-4472-9779-e5f38751524a
32+
AWS-EC2-021 | Remove EC2 security group rules containing global access to TCP port 25 (SMTP). | | c2074d5a-aa28-4dde-90c1-82f528cec55e
33+
AWS-EC2-024 | Remove EC2 security group rules containing global access to TCP port 53 (DNS). | | 6eaf6455-1659-4c4b-bff5-c8c7b0fda201
34+
AWS-EC2-031 | Delete unused EC2 security groups. | | n/a
35+
AWS-EC2-036 | Set Public AMI to Private. | | 81a2200a-c63e-4860-85a0-b54eaa581135
36+
AWS-EC2-038 | Remove All rules from the **default** EC2 security group. | 4.3 | 2378dbf4-b104-4bda-9b05-7417affbba3f
37+
AWS-EC2-039 | Remove EC2 security group rules with Global access on all ports. | | 566686e8-0581-4df5-ae22-5a901ed37b58
38+
AWS-EC2-042 | Set Public EBS snapshot to Private. | | 7c714cb4-3d47-4c32-98d4-c13f92ce4ec5
39+
**IAM**
40+
AWS-IAM-002 | Enforce AWS account best practices password policy. | 1.5 - 1.11
41+
AWS-IAM-015 | Deactivate unused IAM access keys. | 1.3 | 7ca5af2c-d18d-4004-9ad4-9c1fbfcab218
42+
AWS-IAM-016 | Remove IAM policies that allow full administrative privileges. | 1.22 | d9b86448-11a2-f9d4-74a5-f6fc590caeef
43+
AWS-IAM-018 | Create an IAM Support Role to manage incidents with AWS Support. | 1.20 | n/a
44+
**KMS**
45+
AWS-KMS-001 | Enable KMS rotation of a Customer Master Key. | 2.8 | 497f7e2c-b702-47c7-9a07-f0f6404ac896
46+
**RDS**
47+
AWS-RDS-005 | Set Public RDS DB instance to Private. | | 1bb6005a-dca6-40e2-b0a6-24da968c0808
48+
AWS-RDS-007 | Set Public RDS snapshot to Private. | | a707de6a-11b7-478a-b636-5e21ee1f6162
49+
AWS-RDS-010 | Enable RDS DB instance Multi-AZ. | | c5305272-a732-4e8e-8427-6a9701cd2a6f
50+
AWS-RDS-011 | Enable RDS DB instance Auto Minor Version Upgrade. | | 9dd6cc35-1855-48c8-86ba-0e1818ce11e2
51+
**Redshift**
52+
AWS-REDSHIFT-001 | Set Public Redshift cluster to Private. | | d65fd313-1c5c-42a1-98b2-a73bdeda19a6
53+
**S3**
54+
AWS-SSS-001 | Enable S3 bucket Object versioning. | | 89ea62c1-3845-4134-b337-cc82203b8ff9
55+
AWS-SSS-008 | Remove S3 bucket ACL Global policy. | | 43c42760-5283-4bc4-ac43-a80e58c4139f
56+
AWS-SSS-009 | Enable S3 bucket logging. Creates (if needed) a target logging bucket for the region. | 2.6 | 4daa435b-fa46-457a-9359-6a4b4a43a442
57+
AWS-SSS-014 | Enable S3 Server Side Encryption. | | 7913fcbf-b679-5aac-d979-1b6817becb22
58+
**VPC**
59+
AWS-VPC-013 | Release unassociated (unused) Elastic IP addresses. | | n/a
60+
AWS-VPC-020 | Enable VPC flow logs. Creates (if needed) the necessary IAM Policy and CloudWatch Logs group. | 2.9 | 49f4760d-c951-40e4-bfe1-08acaa17672a
61+
AWS-VPC-Default | Delete the AWS default VPC. | | n/a
62+
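Review bot: the AWS-IAM-002 row is missing its fourth column (`AWS-IAM-002 | Enforce AWS account best practices password policy. | 1.5 - 1.11` has no Prisma Cloud Id cell), so it renders misaligned; add `| n/a` or the policy ID to match the other rows. The service group rows (`**CloudFormation**`, `**CloudTrail**`, ...) are single-cell rows in a four-column table and will render as one populated cell beside three empty ones; either pad them with `| | |` or fold the grouping into the Runbook column. Minor: "MYSQL" in AWS-EC2-013 versus "MySQL" in AWS-EC2-009.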
