jonrau1 / electriceye Goto Github PK

Story
As a user of ElectricEye I want all Terraform config files writen in v0.12.x so that I can ensure I can use the latest AWS Provider and potentially scan my the files in CI/CD with some awesome SAST tool

Definition of Done

• All Terraform is upgraded to 0.12.x

Nice to Have
N/A

Additional Information
N/A

Story
As a user of ElectricEye, I want to be able to run security scans against my AWS Glue data catalog and crawlers so that I can know their security posture and/or fulfill regulatory or compliance requirements

Definition of Done

• New Auditor created for Firehose
  • Crawler Sec Policy: S3 Encryption, Metadata Encryption, CWL Encryption
  • Data Catalog Encryption
  • Database access
• IAM Policies update in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have
N/A

Additional Information

• Data Protection: https://docs.aws.amazon.com/glue/latest/dg/data-protection.html
• Glue RBP: https://docs.aws.amazon.com/glue/latest/dg/glue-resource-policies.html
• Boto3 DCE: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/glue.html#Glue.Client.get_data_catalog_encryption_settings
• Boto3 Sec Conf: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/glue.html#Glue.Client.get_security_configuration

Unable to run task
Unable to assume the service linked role. Please verify that the ECS service linked role exists.

Launch type
FARGATE
EC2
Switch to capacity provider strategy
Task Definition
electric-eye
Platform version
Cluster
electric-eye-vpc-ecs-cluster
Cluster VPC*
Subnets*
subnet-02e5aceba8a1f7d68
(10.66.3.0/24) | electric-eye-vpc-PUB-Subnet-us-east-1b - us-east-1b
assign ipv6 on creation: Disabled
Security groups*
sg-0728cc3d60b15da21, sg-07a3c2dfc94dbae7c Edit
Auto-assign public IP
Configure security groups
A security group is a set of firewall rules that control the traffic for your task. On this page, you can add rules to allow specific traffic to reach your task, or you can choose to use an existing security group. Learn more.

Assigned security groups
Create new security group
Select existing security group
Existing security groups
All existing security groups for the VPC of this cluster are listed below.

2 selected 0-0
sg-005bdee0a84bbb955
FMManagedSecurityGroup5befee08-2c79-4d5d-b0fd-4f420365cd0c-sg-0b4b3d5c102e4bb86-vpc-097cb6ba8ff70ee6b
FMS managed security group.
Copy to new
sg-0728cc3d60b15da21
electric-eye-vpc-sec-group
ElectricEye Security Group - Managed by Terraform
Copy to new
sg-07a3c2dfc94dbae7c
electr-9670
2020-03-13T16:28:40.210Z
Copy to new
sg-0fc88a2daec557391
default
default VPC security group
Copy to new
Inbound rules for selected security groups
sg-0728cc3d60b15da21
HTTPS
TCP
443
0.0.0.0/0
sg-07a3c2dfc94dbae7c
HTTP
TCP
80
0.0.0.0/0
Cancel Save
Advanced Options
Task Overrides
Task Role - currentelectriceye-task-role
Task Role - override
Optional IAM role that tasks can use to make API requests to authorized AWS services. Create an Amazon Elastic Container Service Task Role in the IAM Console

Task Execution Role - currentelectriceye-exec-role
Task Execution Role - override
electriceye

Story
As the Author of ElectricEye, I want to complete an integration into Microsoft Sentinel (FKA Azure Sentinel) by using Log Analytics along with providing Analytics rules so that I can support users who use Microsoft Sentinel as their SIEM / SOAR / UEBA platform

Definition of Done

• New Output for Microsoft Sentinel
• Flatten ASFF / EE findings for better indexing and not to exceed 500 unique columns within Log Analytics Workspaces
• Provided Analytics rules for creating Incidents / Alerts within Microsoft Sentinel
• Document changes and new output required Parameters / Environment Variables
• Updated CFN & TF Templates with new Fargate ENV VARs and TF Vars/CFN Params

Nice to Have
Workbook / Notebook? Complex Analytics Rules?

Additional Information
Will be using LAWS Custom code for connector

Story
As the Author of ElectricEye, I want to onboard additional Auditors to increase service coverage and checks so that users can identify potential misconfigurations within more services, specifically IOT and AI/ML offerings.

Definition of Done

• Onboard the following Checks (Variable)
  • OpenSearch Service: Mirror all supported ES checks (Masters, Cognito/SAML, TLS, at-Rest Encryption, public access, etc.)
  • Backup: DocDB coverage, Neptune coverage, Regional Opt-In Checks, Global Cross-Account Opt-In
  • Neptune: Snapshot exists
  • DocDB: Snapshot exists
  • Comprehend: Endpoint State not Failed/Degraded, 4x Classifier-related Encryption (KMS) Checks
  • Resilience Hub: Apps Exist (Account level), App Assessment in Compliance
  • IOT Core (Device Defender): Integration (per Finding mapping), Policy exists, Policy violations, CA/X509 Checks (??)
  • SES: DKIM, User Validation
  • Route 53: Domain Expiration, Domain Logging
  • Route 53 Resolver: DNSFW Association, Query Log Forwarding Check
  • Batch: Build Env Degradation, Job Def Container Def EFS (IAM/TLS), Job Def Node Def EFS (IAM/TLS)
  • AppFlow: Customer-managed KMS, PrivateLink enabled flows, non degraded Connections
  • Cloud9: SSM Env Checks, Shared Env Checks
  • CodePipeline: Encrypted Artifacts, third-party providers
  • Greengrass V2: Healthy Device check, Failed Deployment
  • WAT: Integration? Answers/Lens? "If Exists" Check?
  • RDS: Per-DB type TLS checks (parameters - e.g., PostgreSQL, MySQL, MSSQL, etc.)
  • ELBv1: SG Risk (Allow ports not in Listeners) check
  • ELBv2: SG Risk (Allow ports not in Listeners) check
  • Secrets Manager: Secret Policy in use
  • SSM: Parameter Policies, Update SSM Agent Check, Patch State Check, Inv Collection Check
• Table of Checks & total Services/Component/Check support updated
• Update all 3 IAM Policies: Standalone, TF, CFN

Nice to Have

• Add tests

Additional Information
Lack of IOT Device Defender integration w/ Security Hub is the main driver here, also want to bring in newly released services and SaaS/PaaS-stack type offerings within the ML space (Comprehend, Rekognition, etc.)

Describe the bug
[Firehose.1] AWS Kinesis Firehose delivery streams should be encrypted not getting assessed due to key error.
In code, it is firehoseArn = str(response["DeliveryStreamARN"]), which should be firehoseArn = str(response["DeliveryStreamDescription"]["DeliveryStreamARN"]), because of which it is going in exception block.
To Reproduce
Steps to reproduce the behavior:

1. Run the assessment and view the findings for [Firehose.1] AWS Kinesis Firehose delivery streams should be encrypted

Expected behavior
[Firehose.1] AWS Kinesis Firehose delivery streams should be encrypted should have findings

Screenshots
If applicable, add screenshots to help explain your problem.

Logs
Any stack traces, error reports, CloudTrail logs, etc.

Additional context
Add any other context about the problem here.

Story
As a user of ElectricEye I want to have new checks for other AWS services onboarded into ElectricEye v2.0 so that I can use the new framework for checking the compliance on services such as Global Accelerator so that I can assess my cloud security posture and take action. note some of these are the deferred checks from #23

Definition of Done

• All 3 IAM permissions (CFN, TF, Standalone) are updated to include new required permissions
• Readme updated for total count of auditors/checks and the new checks are added
• All new checks mapped to Compliance.RelatedRequirements checks
• The following checks are added:
  • Global Accelerator: Check the healthiness of Endpoint Groups by Endpoint ID using DescribeEndpointGroup API - if HealthState = UNHEALTHY it fails the check. The ASFF Resource.Type should be AwsGlobalAcceleratorEndpoint
  • Global Aceelerator: Check if GA has access logging enabled by using the DescribeAcceleratorAttributes - if FlowLogsEnabled = False it fails the check. The ASFF Resource.Type should be AwsGlobalAcceleratorAccelerator (yes, it's annoying, yes it's a req)
  • Security Shared Services: Check if Maciev2 is enabled by querying the GetMacieSession API. If it fails there is likely not a session enabled in that region. The ASFF Resource.Type should be scoped to AwsAccount and added to the Security/SSVC Auditor
  • EC2 Image Builder: Check if tests for image builder pipelines are enabled using the GetImagePipeline API - if they are disabled the check fails. The ASFF Resource.Type should be AwsEc2ImageBuilderPipeline.
  • EC2 Image Builder: Check if the image recipes encrypt EBS volumes by default - if ebs.encrypted = False it fails the check. The ASFF Resource.Type should be AwsEc2ImageBuilderRecipe.
  • Resource Access Manager: Check if any RAM shares are Failed by using the GetResourceShares API. The ASFF Resource.Type should be AwsResourceAccessManagerShare
  • Resource Access Manager: Check if any RAM shares share to external principals by using the GetResourceShares API. The ASFF Resource.Type should be AwsResourceAccessManagerShare
  • Kinesis Data Analytics: Check if KDA Applications log to CloudWatch using the DescribeApplication API, if CloudWatchLoggingOptionDescriptions returns an empty list then the check fails. The ASFF Resource.Type should be AwsKinesisDataAnalyticsApplication
  • Multiple CloudFront: Check the distros for multiple types of configurations (ActiveTrustedSigners, Origin HTTPS only, TLS 1.2 Only support for Origins, Viewer Protocol HTTPS/Redirect HTTPS, Logging, GeoRestrictions, WAF Assocation, TLS 1.2 ViewerCert). All checks use the GetDistrobution API.

Nice to Have
N/A

Additional Information
N/A

Describe the bug
While running a check called ec2_instance_ssm_managed_check belonging to an Auditor called Amazon_EC2_SSM_Auditor , the result of this check was not appearing at search result of findings tab of SecurityHub console

Further looking into status code of the API call for batch_import_findings revealed the error message

To Reproduce
Steps to reproduce the behavior:

1. Go to file 'sechub.py'

2. Add a variable status to capture the resposne of API call 'sechub_client.batch_import_findings' is made.

3. Log the variable 'status '

4. Run the python3 controller.py --auditor-name Amazon_APIGW_Auditor,Amazon_S3_Auditor --check-name ec2_instance_ssm_managed_check,bucket_encryption_check from your console

5. Inspect the keys FailedCount, FailedFindings, ErrorCode and ErrorMessage

Expected behavior
These fields FailedCount, FailedFindings, ErrorCode and ErrorMessage at the status of API call should be empty
Finding has to get successfully written to SecurityHub

Screenshots

Logs

{'ResponseMetadata': {'RequestId': '7137df0c-1ba2-4f4f-af61-e8904834f2a0', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Sat, 21 Nov 2020 07:33:12 GMT', 'content-type': 'application/json', 'content-length
': '460', 'connection': 'keep-alive', 'x-amzn-requestid': '7137df0c-1ba2-4f4f-af61-e8904834f2a0', 'x-amz-apigw-id': 'WWNczFByCYcFmWQ=', 'x-amzn-trace-id': 'Root=1-5fb8c2b8-08f382c14640d1e447d71879;Sampled=0
'}, 'RetryAttempts': 0}, 'FailedCount': 1, 'SuccessCount': 0, 'FailedFindings': [{'Id': 'arn:aws:ec2:us-east-2:******5:instance/i-******/ec2-managed-by-ssm-check', 'ErrorCode': 'InvalidInput
', 'ErrorMessage': 'Finding does not adhere to Amazon Finding Format. data.Resources[0].Details.AwsEc2Instance.LaunchedAt should match pattern "(\\d\\d\\d\\d)-[0-1](\\d)-[0-3](\\d)[Tt](?:[0-2](\\d):[0-5](\\
d):[0-5](\\d)|23:59:60)(?:\\.(\\d)+)?(?:[Zz]|[+-](\\d\\d)(?::?(\\d\\d))?)$".'}]}

Additional context
Ran the command python3 controller.py --auditor-name Amazon_APIGW_Auditor,Amazon_S3_Auditor --check-name ec2_instance_ssm_managed_check,bucket_encryption_check
through console

Right after this started drilling at SecurityHub console for this Finding for check ec2_instance_ssm_managed_check
No matter the amount of search queries tried , findings did not appear at search results.
Found that this findings was not even written to SecurityHub
Problem is with the Regex for key 'LaunchedAt': '2020-07-15 12:21:17+00:00' does not adhere to SecurityHub format.

Story
As a user of ElectricEye, I want to indicate scope in a configurable manner so that I can limit/selectively target resources via tags and/or resource type.

Currently the Python Auditors are separate files uploaded to S3 and to change scope ElectricEye users are instructed to modify the Python Auditor files directly.

Definition of Done

• Default configuration provided
• Documented configuration (examples, etc)
• Support existing ElectricEye deployments (generate default config file if it does not exist?)
• Python Auditors updated to use configuration file
• Configuration is not AWS specific (as it appears ElectricEye plans to expand to non-AWS cloud auditing)
• Configuration file could be stored in same S3 bucket as Auditors, but suggest a different folder to prevent accidental overwrites when updating Auditor files.

Nice to Have
Taking this idea further, the proposed configuration file could also determine if individual Python Auditor files (and their multiple checks) are to be active/deactive (run/not run). Currently this is achieved by removing those files from the S3 bucket.

Additional Information
As originally suggested here: https://github.com/jonrau1/ElectricEye#7-can-i-scope-these-checks-by-tag-or-by-a-certain-resource

Story
As a user of ElectricEye, I want to be able to receive findings in Security Hub regarding services that are indexed by Shodan.io so that I can take additional steps to harden their security posture and/or fulfill regulatory or compliance requirements.

Definition of Done
The Shodan.io Auditor / integration should be expanded to add the following AWS Services which may have internet-facing resources:

• ELBv1 (Classic Load Balancer) (added 16 MAR 2020)
• ECS Services
• EKS Clusters (Ingress, Public Accessible Endpoints?)
• Redshift Clusters (publicly accessible)
• EMR Clusters??
• LightSail?

Nice to Have

• ElectricEye-Response playbooks, these can be to generate new EIPs, reboot a resource (to force a new public IP) or similar
• A way to acknowledge findings or mark them as false positive depending if the Shodan.io index is reflective of the resource or if it was an old index from someone else's stuff

Additional Information
N/A - expand the existing Shodan auditor

Story
As the maintainer of ElectricEye, I want to add Attack Surface Management (ASM) capabilities to ElectricEye to expand its capabilities and prevent application-level misconfigurations running on AWS infrastructure so that users of ElectricEye can receive high-risk configurations and remediate them accordingly.

Definition of Done

• Update Dockerfile to be able to install nmap using apk
• Update requirements.txt to include python3-nmap
• Ensure Dockerfile builds and runs correctly
• Create a Minimal Viable Auditor (MVA, lol) for ASM for EC2
  • Banner checks for HTTP/HTTPS
  • Top 10 Ports + DB/Caching Ports
• Create a Minimal Viable Auditor (MVA, lol) for ASM for ELB
  • Banner checks for HTTP/HTTPS
  • Top 10 Ports + DB/Caching Ports

Nice to Have
Adding limited scripts to check for wide-open DBs and caching without access such as MySQL, PostgreSQL or Redis and similar.
Ideally will add unauthorized access checks to MySQL, PostgreSQL, MSSQL and Redis

Additional Information
With two Auditors each checking Top 10 and MySQL, PostgreSQL, MSSQL, Redis, RabbitMQ, Docker, K8s that will come out to 34 Checks just for the ports.

Adding 4 to each auditor for HTTP and HTTPS Banners and Page Names is another 8 checks then an additional 2 per the "nice to have" checks I want to add will take this entire buildout to 50 checks

Naming conventions will need to be selected....either [ASM.EC2.1], [AttackSurface.EC2.1] or [NMAP.EC2.1]

Using this to share, if we would like the same elsewhere lmk.

Side note: I'm open to writing the code for instance profile suggested with policy if we would like.

Need to digest why I'm getting the below when running tf apply. All else works fine prior and we verified https://docs.aws.amazon.com/cloud9/latest/user-guide/auth-and-access-control.html#auth-and-access-control-temporary-managed-credentials. As well the CLI works otherwise we could not have made ECS. Will look into this when I get a chance.

AWSReservedSSO_AWSAdministratorAccess_a63741ec6f766dc5:~/environment/ElectricEye/terraform-config-files (master) $ terraform apply -auto-approve
aws_cloudwatch_event_rule.Electric_Eye_Task_Scheduling_CW_Event_Rule: Refreshing state... (ID: electriceye-scheduler)
aws_vpc.Electric_Eye_VPC: Refreshing state... (ID: vpc-01abc8cddf44f7fe9)
aws_cloudwatch_log_group.Electric_Eye_ECS_Task_Definition_CW_Logs_Group: Refreshing state... (ID: /ecs/electriceye)
data.aws_caller_identity.current: Refreshing state...
aws_cloudwatch_log_group.Electric_Eye_FlowLogs_CWL_Group: Refreshing state... (ID: FlowLogs/electric-eye-vpc)
aws_ecs_cluster.Electric_Eye_ECS_Cluster: Refreshing state... (ID: arn:aws:ecs:us-east-1:162650249536:cluster/electric-eye-vpc-ecs-cluster)
data.aws_iam_policy.AWS_Managed_ECS_Events_Role: Refreshing state...
data.aws_availability_zones.Available_AZ: Refreshing state...
aws_s3_bucket.Electric_Eye_Security_Artifact_Bucket: Refreshing state... (ID: electriceye-artifact-bucket-us-east-1-162650249536)
aws_ssm_parameter.Electric_Eye_Bucket_Parameter: Refreshing state... (ID: electriceye-bucket)
aws_default_security_group.Default_Security_Group: Refreshing state... (ID: sg-0fcca8a97d731e1b6)
aws_subnet.Electric_Eye_Public_Subnets[1]: Refreshing state... (ID: subnet-0bd38eaf9530fe5cf)
aws_security_group.Electric_Eye_Sec_Group: Refreshing state... (ID: sg-046f662f39750d737)
aws_internet_gateway.Electric_Eye_IGW: Refreshing state... (ID: igw-076263f3fb9e1f7e0)
aws_subnet.Electric_Eye_Public_Subnets[0]: Refreshing state... (ID: subnet-06f28221aa7933ba9)
aws_route_table.Electric_Eye_Public_RTB[1]: Refreshing state... (ID: rtb-0718c9334c5045749)
aws_route_table.Electric_Eye_Public_RTB[0]: Refreshing state... (ID: rtb-06f019e345c048e82)
aws_route_table_association.Public_Subnet_Association[0]: Refreshing state... (ID: rtbassoc-0286e3233e5f44545)
aws_route_table_association.Public_Subnet_Association[1]: Refreshing state... (ID: rtbassoc-0ffb251239a5158e6)
aws_iam_role.Electric_Eye_ECS_Task_Execution_Role: Creating...
arn: "" => ""
assume_role_policy: "" => "{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "",\n "Effect": "Allow",\n "Principal": {\n "Service": "ecs-tasks.amazonaws.com"\n },\n "Action": "sts:AssumeRole"\n }\n ]\n}\n"
create_date: "" => ""
force_detach_policies: "" => "false"
max_session_duration: "" => "3600"
name: "" => "electriceye-exec-role"
path: "" => "/"
unique_id: "" => ""
aws_iam_role.Electric_Eye_ECS_Task_Role: Creating...
arn: "" => ""
assume_role_policy: "" => "{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "",\n "Effect": "Allow",\n "Principal": {\n "Service": "ecs-tasks.amazonaws.com"\n },\n "Action": "sts:AssumeRole"\n }\n ]\n}\n"
create_date: "" => ""
force_detach_policies: "" => "false"
max_session_duration: "" => "3600"
name: "" => "electriceye-task-role"
path: "" => "/"
unique_id: "" => ""
aws_iam_role.Electric_Eye_Scheduled_Task_Event_Role: Creating...
arn: "" => ""
assume_role_policy: "" => "{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "",\n "Effect": "Allow",\n "Principal": {\n "Service": "events.amazonaws.com"\n },\n "Action": "sts:AssumeRole"\n }\n ]\n}\n"
create_date: "" => ""
force_detach_policies: "" => "false"
max_session_duration: "" => "3600"
name: "" => "electriceye-event-role"
path: "" => "/"
unique_id: "" => ""
aws_iam_role.Electric_Eye_FlowLogs_to_CWL_Role: Creating...
arn: "" => ""
assume_role_policy: "" => "{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "",\n "Effect": "Allow",\n "Principal": {\n "Service": "vpc-flow-logs.amazonaws.com"\n },\n "Action": "sts:AssumeRole"\n }\n ]\n}\n"
create_date: "" => ""
force_detach_policies: "" => "false"
max_session_duration: "" => "3600"
name: "" => "electric-eye-vpc-flowlog-role"
path: "" => "/"
unique_id: "" => ""

Error: Error applying plan:

4 errors occurred:
* aws_iam_role.Electric_Eye_ECS_Task_Execution_Role: 1 error occurred:
* aws_iam_role.Electric_Eye_ECS_Task_Execution_Role: Error creating IAM Role electriceye-exec-role: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: 6d99ab49-839d-4bd2-a050-1450c41d6ef7

    * aws_iam_role.Electric_Eye_Scheduled_Task_Event_Role: 1 error occurred:
    * aws_iam_role.Electric_Eye_Scheduled_Task_Event_Role: Error creating IAM Role electriceye-event-role: InvalidClientTokenId: The security token included in the request is invalid
    status code: 403, request id: 595dd7b1-bcda-4f7b-ba3c-e297cfc347f1


    * aws_iam_role.Electric_Eye_ECS_Task_Role: 1 error occurred:
    * aws_iam_role.Electric_Eye_ECS_Task_Role: Error creating IAM Role electriceye-task-role: InvalidClientTokenId: The security token included in the request is invalid
    status code: 403, request id: f00bf274-f582-4997-bc25-4b352dc1c789


    * aws_iam_role.Electric_Eye_FlowLogs_to_CWL_Role: 1 error occurred:
    * aws_iam_role.Electric_Eye_FlowLogs_to_CWL_Role: Error creating IAM Role electric-eye-vpc-flowlog-role: InvalidClientTokenId: The security token included in the request is invalid
    status code: 403, request id: cbfee016-6805-47c1-9bc2-0f9a04cce970

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Story
As a maintainer of ElectricEye, I want to onboard additional Auditors and expand current Auditors so that I can increase coverage and win the arms race of open source AWS CSPM tools

Definition of Done

• Documentation & IAM Updates in TF, CFN, Standalone, and Markdown Table
• Mapping into NIST and other checks for new Checks & Auditors

New Checks

• FSx-Windows: Multi-AZ, Self-mng AD, Automated Backups
• CloudFront: Georestrictions, Origin Shield, Field Level Encryption, WAF, Default Viewer, Default TLS, Custom Origin TLS
• Elasticsearch: Publicly reachable
• SQS: Publicly reachable, Encrypted
• Shodan: Cloudfront
• DataSync: Public Agents, Task Logging
• ELBv2: ALB Desync Protection
• ECS: Priv, Security Labels,
• Cloud9: No SSM Connection
• Lambda: Tracing, code signing, public layer
• Xray: Default Encryption
• CloudSearch: TLS 1.2, Https enforcement

Some other ones I thought of

• Amplify: Basic Auth on App, Auto-delete disabled
• CloudHSMv2: Degraded HSM, Backup check
• CodeArtifact: Domain IAM policy check, Repo IAM Policy check
• EC2: Serial port check
• EFS: Policy check
• SecGroups: NFS, Docker API, Rsync, VNC, TFTP, DNS
• Health: Active Risk Events, Active Sec Events, Active Abuse Events
• TA: ELB SG Mirror, IAM Key Mirror
• Shield: GAX, Attacks in last week
• Airflow: Encryption, Logs 5x (DAG, Workers, WebServer, etc.)
• Backup: FSX
• SecSvc: DNS Firewall, NFW, WAF (Removed DNS FW and NFW)
• WAFv2: Metrics enabled, sampling enabled, KDS logging (2x - Regional & Global)
• ECR: Repo Policy, Registry Policy, X-Region Backups

Nice to Have
Research NMAP, or spin-off

Additional Information
So I don't forget...
https://github.com/bytesizedalex/nmap/blob/master/Dockerfile

Story
As a user of ElectricEye I want to be able to monitor my Google Cloud Platform infrastructure using ElectricEye and AWS Security Hub so that I can have a similar toolset and framework of which to detect and respond to security misconfigurations in GCP.

Some extra context
With both the rich taxonomy that the AWS Security Finding Format (ASFF) gives and changes to ElectricEye coming in 2.0, it makes a lot of sense to bring in GCP data, especially if it is a secondary cloud. Google Cloud Security Center only has Alpha API/SDK support and doesn't natively integrate with something like Pub/Sub to be able to funnel data around, so it is easier to make (a very dangerous) Service Account in a GCP Org and loop through all Projects and Zones to identify basic misconfigurations from GCP and send it to Security Hub.

Response capabilities will likely be relegate to ChatOps / Issue Management until the future - cross-platform remediation is not something I have foreseen doing yet.

Definition of Done

• New instructions added to ElectricEye Classic and 2.0 for onboarding a Service Account to an GCP Organization
• New Auditors developed for GCP: GCE, VPC, GCS
• Updated requirements.txt & Dockerfile
• Excerpt explaining the ASFF schema for GCP
• Updated list of total checks & compliance mappings. (Breakout?)

Nice to Have

• Stretch goals for GCP Auditors: GKE, GAE, CloudSQL, BigQuery

Additional Information
N/A

Describe the bug
When AWS account is scanned, AWS managed appstream images are only present in the report and the ones which are user created i.e, custom appstream images are ignored during the scan.

To Reproduce
Steps to reproduce the behavior:

1. Create sample Appstream images in the AWS account.
2. Scan the account using electric eye.
3. Check EE report, only AWS managed Appstream images can be found and not the created appstream image.

Expected behavior
EE scans and there should be findings for all appstream images and not only for AWS managed ones.

Story
As a user of ElectricEye, I want to run ElectricEye from a single home region and have the checks run in every other region so that I can use my home region Security Hub as a single pane of glass for all ElectricEye checks from other regions and collect them there and take action on them accordingly.

The AWS Security Finding Format (ASFF) allows you to set a region and resource ID in the Resources list and does not check them to match against your own region. This would allow collection of Health, Trusted Advisor and Shield Advanced information, but also allows you to bring in other checks from other regions.

With this functionality, your "home region" is whatever region you decide to build and run ElectricEye from, and every other region would be looped through.

Definition of Done

• ElectricEye can run from a single region only and collect results from all other regions automatically
• Home Region is dynamically set by where ElectricEye runs
• The Security Hub Default ARN is populated by the home region
• Finding ID's are reviewed to ensure uniqueness (this should be built in, technically)
• Documentation is updated

Nice to Have
N/A

Additional Information
N/A

Story
if looking at tools in thee other section, I think custodian (oss / apache 2.0) is worth a mention here as it supports deep integration with security hub (including actions / processing other sources findings), and supports custom detection/policies on most (160+) aws resources
https://cloudcustodian.io/docs/aws/topics/securityhub.html

Story
As a user of ElectricEye, I want to migrate my finding Severity from Severity.Normalized to Severity.Label so that I can have the latest ASFF changes reflected in my changes and have an easy to read and parse finding severity that is based on strings and not integers.

Definition of Done

• All instances of Severity.Normalized translated to Severity.Label
• Updated documentation

Nice to Have
We should consider changing the CloudWatch Event / EventBridge Rules that look at the ProductFields.aws/securityhub/SeverityLabel to Severity.Label instead as that namespace is populated on the backend

Additional Information
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-severity

Describe the bug
[KinesisAnalytics.1] Applications should log to CloudWatch is not getting assessed with the error message showing AWS region us-east-1 not supported for kinesisanalyticsv2, because supported regions is returning an empty list. AWS Kinesis Analytics is supported in this region and also if logging is not configured then "CloudWatchLoggingOptionDescriptions" key is not present which gives keyError. It should be handle in try exception. In the exception block, we can pass the finding.

To Reproduce
Steps to reproduce the behavior:

1. Run the assessment and check for [KinesisAnalytics.1]

Expected behavior
[KinesisAnalytics.1] Applications should log to CloudWatch control should have a finding.

Screenshots
If applicable, add screenshots to help explain your problem.

Logs
Any stack traces, error reports, CloudTrail logs, etc.

Additional context
Add any other context about the problem here.

Describe the bug
It has been observed that findings for all the assets don't show up in the report. The issue is related to pagination and cache handling. For the first control within an auditor, all the assets get enumerated but for other controls in the same auditor, only a few assets are getting enumerated resulting in not getting findings for the assets in that service.
e.g. In Amazon_DynamoDB_Auditor.py for the control ddb_kms_cmk_check all the assets gets enumerated (say, 335) but for the other two controls ddb_pitr_check and ddb_ttl_check only last few assets are coming in cache (say, 35).

To Reproduce
Steps to reproduce the behaviour:

1. Run the assessment and view the findings for the service which more than 200 or 300 assets for all the controls within that auditor.

Expected behavior
Every asset within a service should get enumerated for every control in the cache as well and findings for the same should come in the report.

Screenshots
NA

Logs
NA

Additional context
NA

Story
As a user of ElectricEye, I want to be able to run security scans against a multitude of AWS services and components so that I can know their security posture and/or fulfill regulatory or compliance requirements.

Definition of Done

• New Auditors and Checks added:
  • QLDB: Ledger deletion protection & journal xfer encryption
  • Comprehend: completed built-in job output encryption, input encryption and VPC config (15 checks in total for each of the 5 built-in jobs [i.e. entity, sentiment, etc]
  • Management Service: Config recorder, Config SNS, Budgets, Compute Optimizer, RAM External Principals check, Xray KMS check
  • Forecast: Dataset encryption, Forecast export job encryption
  • Image Builder: EBS encryption, deletion on fail, test enabled
• Expand the Security Services auditor:
  • Macie protection on Bucket (for supported regions)
  • Inspector assessment check (just looking if it exists)
  • Detective graph check (for supported regions)
  • KMS Rotation
• IAM Policies update in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have

• Response Playbooks where it makes sense
  • Pagerduty
  • Glue Data Catalog encryption
  • Macie protection
• AMB Fabric Auditor (when AWS fixes the API / feature)

Additional Information
Will be adding 5 new auditors for 28 net-new checks and updating the Security Services auditor for 4 net-new checks.

If AMB is fixed, this will be 6 new auditors and 35 checks in total

Story
As a user of ElectricEye I want it to be faster so that I don't have to give all of my money to the AWS Fargate team or run a marathon while waiting for my checks to complete.

Definition of Done

• Parallelization added to ElectricEye either to run every Check per Auditor at the same time or run multiple Checks at the same time
• Documentation updates, as needed

Nice to Have

• Preferably Multiprocessing
• Option via CLI?

Additional Information
Unsure if the decerators for each Function will take a crap if you add a new main() function to start, join and terminate all of the checks. Will also have to check for the use of a Resource versus a Client in some places

Story
As the author of ElectricEye, I want to add more MITRE ATT&CK mappings so that I can do what I was supposed to in the last PR...additionally, continue improvements so morale improves.

Definition of Done

• MITRE ATT&CK mappings to things that make sense
  • IAM
  • AppStream 2.0
  • Cognito
• Further performance upgrades
• RDS Checks that are missing

Nice to Have
N/A

Additional Information
https://attack.mitre.org/

Story
The current format of markdown at Slack and Teams make it harder to read a message. As a Security / DevOps / Infra Engineer of ElectricEye, I want to see a failed finding to be neatly formatted with an header containing sections.

Definition of Done

• Use of Slacks' rich message layouts consisting of block kit layout blocks and block elements a failed findings has been revamped.

• Use of Teams message cards consisting of facts and sections

• A screenshot of a failed finding at Slack
  

• A screenshot of a failed finding at Teams
  

• An updated working python code that pushes findings to Slack and Teams Source Code

Nice to Have
For each of the failed finding I would like to either remediate or suppress with a click of a button followed by an instant feedback at the same Slack message to know the status of remediation or suppression. Given that there is a one-2-one mapping between a failed findings and its remediation. As a part of my college project, I have built the feature using Slack's outgoing webhooks, SNS , API Gateway, Lambda, SSM Automation Documents and RDS MySQL. Then tested it through clicking the remediate and suppress buttons at Slack. Check the screenshots below to know more.


I would also like to built the same for the Teams message

Additional Information
Slack : Creating rich message layouts - https://api.slack.com/messaging/composing/layouts
MSFT Teams : https://docs.microsoft.com/en-us/outlook/actionable-messages/message-card-reference

Story
As the maintainer of ElectricEye I want to continue to improve Auditors, add Checks, have more "Pythonic" code so that ElectricEye continues to kickass and is prepared to go "Pro"...Also I'll forget if I don't write this down.

Definition of Done

• Revise the following Auditors, since their cache implementation/usage sucks
  • Backup DONE
  • Shodan
  • Shield (also us-east-1 override)
  • WAF (also us-east-1 override)
  • DocumentDB DONE
  • Neptune DONE
• Add new Auditors/Checks to existing Auditors
  • (NEW) Elastic Beanstalk: Enhanced health, managed platform updates, IMDSv2, more??
  • Backup: FSx, Aurora, DocDB, Neptune, SGW, Audit reports
  • DynamoDB: DAX Encryption
  • RDS: Auto-updates, auto-snapshotting, Cluster checks, SSL enforcement for certain engines...
• MITRE ATT&CK Compliance mappings added where it makes sense
  • Shodan checks
  • Public accessible checks
  • SG checks?
  • Default user checks
  • Cross-account/shared checks?

Nice to Have
New Auditor R&D / "Is this shit even possible?"

• Storage Gateway
• Athena THIS IS POSSIBLE
  • Metrics
  • Encryption for query results (vary levels on CSE/KMS/SSE)
• EMR-on-EKS
• Well-Architected Tool

Additional Information

• FSBP Controls: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
• ASFF: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-attributes.html

Describe the bug
While running a check called ec2_imdsv2_check belonging to an Auditor called Amazon_EC2_Auditor , the result of this check was not appearing at search result of findings tab of SecurityHub console

Further looking into status code of the API call for batch_import_findings revealed the error message

To Reproduce
Steps to reproduce the behavior:

1. Go to file 'sechub.py'

2. Add a variable status to capture the resposne of API call 'sechub_client.batch_import_findings' is made.

3. Log the variable 'status '

4. Run the python3 controller.py -a Amazon_EC2_Auditor -c ec2_imdsv2_check from your console

5. Inspect the keys FailedCount, FailedFindings, ErrorCode and ErrorMessage

Expected behavior
These fields FailedCount, FailedFindings, ErrorCode and ErrorMessage at the status of API call should be empty
Finding has to get successfully written to SecurityHub

Screenshots

Actual status of writing to SecurityHub

Expected status of writing to SecurityHub

Logs
Failed Count
1
Success Count
99
Failed Findings
[{'Id': 'arn:aws:ec2:us-east-2:***:instance/i-/ec2-imdsv2-check', 'ErrorCode': 'InvalidInput', 'ErrorMessage': 'Finding does not adhere to Amazon Finding Format. data.Resources[0].

Details.AwsEc2Instance.LaunchedAt should match pattern "(\d\d\d\d)-0-1-0-3Tt(?:\.(\d)+)?(?:[Zz]|+-(?::?(\d\d))?)$".'}]

Additional context
Ran the command python3 controller.py -a Amazon_EC2_Auditor -c ec2_imdsv2_check
through console

Right after this started drilling at SecurityHub console for this Finding for check ec2_imdsv2_check
No matter the amount of search queries tried , findings did not appear at search results.
Found that this findings was not even written to SecurityHub

Problem is with the Regex for key 'LaunchedAt': '2020-07-15 12:21:17+00:00' does not adhere to SecurityHub format.

Story
As the maintainer of ElectricEye, I want to convert all files and repo license to Apache-2.0 so that users and integrators have a more permissive license to use.

Definition of Done

• Main GitHub License file swapped to Apache-2.0
• Apache-2.0 heading added to: TF, CFN, Python, Dockerfile, etc.

Nice to Have
N/A

Additional Information
N/A

Story
As a user of ElectricEye, I want to be able to run security scans against my IAM principals so that I can have a detailed report on access keys, permissions boundaries, IAM users and MFA posture to fulfill regulatory or compliance requirements

Definition of Done

• New Auditor created for IAM for attached Security Policies
  • Access Keys over 60 days old
  • Consolidated CIS PW policy
  • Users without Perm Boundaries
  • Roles without Perm Boundaries
  • Signing Certificates
  • IAM Users w/ MFA
  • Check Users for direct-attached policies
• IAM Policies updated in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have
N/A

Additional Information
N/A

Story
As a user of ElectricEye, I want to be able to send alerts from Security Hub via ElectricEye-ChatOps to my Microsoft Teams channels so that I can use it for my incident response workflow and take action on them.

Definition of Done

• Dynamic way to change which Microsoft Teams channel receives the alerts via Systems Manager Parameters and Lambda environmental variables
• Updated ReadMe to breakout Slack and Teams
• Terraform and CloudFormation Support
• Updated architecture diagram and instructions for generating Teams Apps, Redirect URIs and other technical details

Nice to Have
Microsoft's documentation gets less horrible...

Additional Information

• Teams Overview: https://docs.microsoft.com/en-us/graph/teams-concept-overview
• Webhook App Overview: https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/what-are-webhooks-and-connectors
• Graph API AuthN: https://docs.microsoft.com/en-us/graph/auth/

Story
As a user of ElectricEye I want to utilize Amazon QuickSight to create visualizations of my ElectricEye posture and provide executive dashboards to stakeholders to be able to quantify AWS risks relative to the severity and amount of misconfigurations in my AWS environment.

Definition of Done

• Improved architecture to integration with QuickSight that does not rely on DDB Streams or Kinesis
• Stateful records in QuickSight - using some questionable S3 object hacks probably
• Deployable as IAC (at least one kind - scripted/TF/CFN)
• New readme & architecture
• Sample dashboards / visualizations

Nice to Have
Full IAC support

Additional Information

• https://docs.aws.amazon.com/quicksight/latest/user/supported-data-sources.html

Describe the bug
When the scan is completed the issues are pushed to Security Hub but recently there are errors thrown around parameters validation failure which leads to none of the issues sent to Security Hub.

To Reproduce
Steps to reproduce the behavior:

1. Setup ECS task (Fargate) or run via Cloudshell - python3 eeauditor/controller.py
2. When the scan finishes the writing of results to Security Hub initiates
3. Error is thrown with parameter validation failed

Expected behavior
Successfull scan results pushed to Security Hub

Logs
Writing 376 results to SecurityHub
Error writing output: Parameter validation failed:
Unknown parameter in Findings[9].Resources[0].Details.AwsEc2Instance: "AmiAge", must be one of: Type, ImageId, IpV4Addresses, IpV6Addresses, KeyName, IamInstanceProfileArn, VpcId, SubnetId, LaunchedAt, NetworkInterfaces
Unknown parameter in Findings[10].Resources[0].Details.AwsEc2Instance: "AmiStatus", must be one of: Type, ImageId, IpV4Addresses, IpV6Addresses, KeyName, IamInstanceProfileArn, VpcId, SubnetId, LaunchedAt, NetworkInterfaces
Done.

Additional context
For testing purpose I removed Amazon_EC2_Auditor but again error is thrown for "Other" parameter (must be oneof:aws Type, Id, Partition, Region, ResourceRole, Tags, DataClassification, Details) which is present in almost all auditors.
Errors are thrown in the console when running via Cloud Shell or can be found in Cloudwatch when using ECS task.
The scan outputs are successfull for csv and json but error occurs only for Security Hub

Story
As a user of ElectricEye, I want to view information about why the failed checks are important in the finding description so that I can assess my risk from them.

Definition of Done

• Add informational blurb about why failing a check / having a certain configuration is bad
• Copy from AWS documentation as much as you can
• Descriptions should be no longer than 1024 characters

Nice to Have
N/A

Additional Information
Look at the newest auditors (AMB, AMQ, Glue) for context samples

Very nice feature,
Can it work with mattermost?
best regards

Story
As a user of ElectricEye, I want to be able to run security scans against my Amazon Kinesis Data Firehose delivery streams so that I can know their security posture and/or fulfill regulatory or compliance requirements

Definition of Done

• New Auditor created for Firehose
  • Delivery Stream Encryption Check
  • S3 destination encryption
  • CloudWatch Error Logging
• IAM Policies update in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have
N/A

Additional Information

• https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/firehose.html#Firehose.Client.describe_delivery_stream
• https://docs.aws.amazon.com/firehose/latest/dev/security-best-practices.html

Story
As a user of ElectricEye I want to have the new ASFF Workflow included in all of my checks so that I can take advantage of new and upcoming Security Hub workflow features

Definition of Done

• The new Workflow object added to the ASFF of all Auditors
  • "NEW" for failed checks
  • "RESOLVED" for passing checks
• Documentation updated where appropriate

Nice to Have
N/A

Additional Information
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-workflow

Story
As a user of ElectricEye, I want to output my findings to MongoDB (or Amazon DocumentDb) so that I can interact or process findings within my preferred database technology.

Definition of Done

• Test with Amazon DocDB (and maybe a MongoDB Container?)
• New Output plugin is fully functional
• Support for TLS Authentication / Username+Password into MongoDB
• Update CFN & TF variables / parameters for any new variables
• Updated Dockerfile & requirements for PyMongo and other dependencies
• Updated documentation & architecture - add EXPORT command examples to running local

Nice to Have
N/A

Additional Information
N/A

Story
As a user of ElectricEye I want a CLI command to be able to optionally run ElectricEye in multiple regions, defaulting to my current Region if not specified so I do not need to manually run / deploy ElectricEye everywhere.

Definition of Done

• Click CLI Option added to specify some (comma separated), all, or single Region. Defaults to Single Region
• Updated documentation and Dockerfile to show the new flag option

Nice to Have
N/A

Additional Information
Will likely live in the controller, will need find a smarter way to loop through all Regions and create Boto3 Sessions. The painful way would be to write options to a list using Click and add for loops everywhere in each Auditor and swap all clients to Session() bound clients with the override Region.

Story
As a user of ElectricEye, I want to run the auditors in GovCloud so that I can have the same experience with ElectricEye in the commercial AWS regions.

Definition of Done

• A new set of gov-cloud-auditors
• TF and CFN tested in GovCloud Regions
• the Resources.Partition field changed to aws-gov for all Auditors

Nice to Have
N/A

Additional Information
https://aws.amazon.com/about-aws/whats-new/2020/04/aws-security-hub-launches-in-aws-govcloud-us-regions/

Problem
As a result of executing AWS_CloudFormation_Auditor, the values o Id, GeneratorId, and Resource[Id] cannot be parsed in Arn format.

To Reproduce

Execute the following command

$ python3 eeauditor/controller.py -a AWS_CloudFormation_Auditor -o stdout

Running ElectricEye in AWS Region ap-northeast-1.
 Located in Partition aws.
 Profile AWS Account is ■■■■■■■■.
 Profile current IAM principal ARN is arn:aws:sts::■■■■■■■■:assumed-role/■■■■■■■■/■■■■■■■■
Executing Check: cfn_drift_check
Executing Check: cfn_monitoring_check
{"SchemaVersion": "2018-10-08", "Id": "arn:aws:cloudformation:ap-northeast-1:■■■■■■■■:stack/■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■/arn:aws:cloudformation:ap-northeast-1:■■■■■■■■:stack/■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■/■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■/cloudformation-drift-check", "ProductArn": "arn:aws:securityhub:ap-northeast-1:■■■■■■■■:product/■■■■■■■■/default"
...

An arn-formatted string is output twice for the value of Id.

Expected behavior

The stackArn variable is used for Id, GeneratorId, and Resource[Id] in AWS_CloudFormation_Auditor.py, respectively.
The stackArn variable uses stackId, and since stackId is an Arn format string, the Arn format string is repeated in the output.

Assign the stackId to the stackArn variable. Alternatively, it is preferable not to include stackId in stackArn.

Depshield will be deprecated on Monday December 12th

Please install our new product, Sonatype Lift with advanced features

Story
As a user of ElectricEye, I want to be able to run security scans against my EMR Clusters so that I can know their security posture and/or fulfill regulatory or compliance requirements

Definition of Done

• New Auditor created for EMR for attached Security Policies
  • Encryption at Rest (S3)
  • Encryption at Rest (EBS)
  • Encryption in Transit
  • Kerberos AuthN
  • IAM Hidden
  • Logging
  • Debugging
  • Deletion Protection
• IAM Policies updated in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have
N/A

Additional Information
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security.html

Story
As a user of ElectricEye, I want to be able to send incidents from Security Hub via ElectricEye to PagerDuty so that I can use the findings for my incident response workflows and take action on them.

Definition of Done

• New add-on module for PagerDuty
• Terraform and CloudFormation Support
• Updated architecture diagram and instructions for generating PagerDuty API needed information
• Add a targeted playbook for ElectricEye-Response

Nice to Have
N/A

Additional Information

• PagerDuty Incident API: https://v2.developer.pagerduty.com/docs/incident-creation-api
• PagerDuty API Tokens: https://support.pagerduty.com/docs/generating-api-keys#section-generating-a-general-access-rest-api-key

Story
As the maintainer of ElectricEye, I want to add JUnit outputs to ElectricEye so that users can have new ways to ingest security findings into downstream systems, such as within testing apparatuses as part of post-deployment/continual runs of tools such as Jenkins or AWS CodeBuild

Definition of Done

• Add JUnit Output to ElectricEye
• Create mechanism to run ElectricEye within CodeBuild utilizing the JUnit output
• Update FAQs, README, and permissions as required

Nice to Have
CFN or bash script for CB with JUnit

Additional Information

• https://code-maven.com/python-parse-junit-xml
• https://github.com/prowler-cloud/prowler/pull/671/files
• prowler-cloud/prowler#673
• https://github.com/lightspin-tech/eks-creation-engine/blob/main/plugins/ECESecurity.py#L30

Story
As a user of ElectricEye I find that there are several auditors that do not produce checks upon a failure state and several other checks that emit errors that are not useful (endpoints, regional issues, non-active services) and I want to fix these so that troubleshooting ElectricEye and getting value is improved.

Definition of Done
Fix these Check-Error pairs...

Executing Check: ssm_instance_patch_state_state
'InstancePatchStates'
Executing Check: s3_logging_encryption_check
Failed to execute check s3_logging_encryption_check with exception 's3Logs'
Executing Check: kms_key_rotation_check
Failed to execute check kms_key_rotation_check with exception An error occurred (AccessDeniedException) when calling the GetKeyRotationStatus operation: User: arn:aws:sts::REDACTED is not authorized to perform: kms:GetKeyRotationStatus on resource: arn:aws:kms:REDACTED because no resource-based policy allows the kms:GetKeyRotationStatus action
**I think this is for AppStream?**
Executing Check: default_internet_access_check
Failed to execute check default_internet_access_check with exception An error occurred (AccessDeniedException) when calling the DescribeFleets operation: 
Executing Check: public_image_check
Failed to execute check public_image_check with exception An error occurred (AccessDeniedException) when calling the DescribeImages operation: 
Executing Check: compromise_appstream_user_check
Failed to execute check compromise_appstream_user_check with exception An error occurred (AccessDeniedException) when calling the DescribeUsers operation: 
Executing Check: userpool_auth_check
Failed to execute check userpool_auth_check with exception An error occurred (AccessDeniedException) when calling the DescribeUsers operation: 
Executing Check: cloudsearch_https_enforcement_check
Failed to execute check cloudsearch_https_enforcement_check with exception Could not connect to the endpoint URL: "https://cloudsearch.us-east-2.amazonaws.com/"
Executing Check: sns_cross_account_check
Failed to execute check sns_cross_account_check with exception list index out of range
Executing Check: eks_secrets_envelope_encryption_check
Issue with EKS Envelope Encryption check 'cluster'
Executing Check: amb_fabric_node_chaincode_logging_check
Failed to execute check amb_fabric_node_chaincode_logging_check with exception Could not connect to the endpoint URL: "https://managedblockchain.us-east-2.amazonaws.com/networks?framework=HYPERLEDGER_FABRIC"
Executing Check: s3_account_level_block
Failed to execute check s3_account_level_block with exception An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the GetPublicAccessBlock operation: The public access block configuration was not found
Executing Check: shield_advanced_drt_s3_bucket_check
Failed to execute check shield_advanced_drt_s3_bucket_check with exception An error occurred (ResourceNotFoundException) when calling the DescribeDRTAccess operation: The subscription does not exist.
Executing Check: workspaces_user_volume_encryption_check
Failed to execute check workspaces_user_volume_encryption_check with exception Could not connect to the endpoint URL: "https://workspaces.us-east-2.amazonaws.com/"
Executing Check: cloudfront_shodan_check
'Items'

Nice to Have

• Stop running Shodan checks when "placeholder" or non env var is provided

Additional Information
N/A

For example, each auditor has compliance violations pre-populated for every violation.
"RelatedRequirements": [
"NIST CSF DE.AE-3",
"NIST SP 800-53 AU-6",
"NIST SP 800-53 CA-7",
"NIST SP 800-53 IR-4",
"NIST SP 800-53 IR-5",
"NIST SP 800-53 IR-8",
"NIST SP 800-53 SI-4",
"AICPA TSC CC7.2",
"ISO 27001:2013 A.12.4.1",
"ISO 27001:2013 A.16.1.7",
]

How is this decided or mapped?

Story
As a user of ElectricEye, I want to be able to run security scans against my Amazon LightSail Virtual Private Servers (VPS) so that I can know their security posture and/or fulfill regulatory or compliance requirements

Definition of Done

• New Auditor created for LightSail
• IAM Policies update in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have

• ElectricEye-Response playbooks for LightSail

Additional Information

• https://lightsail.aws.amazon.com/ls/docs/en_us/all
• https://lightsail.aws.amazon.com/ls/docs/en_us/articles/security
• https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lightsail.html

Story
As the maintainer of ElectricEye I want to advance the parent image of the ElectricEye Dockerfile to use the latest, stable version of a 3.15.2 Alpine Linux container and further reduce to lower the attack surface, remediate vulnerabilities, and decrease the container size.

Definition of Done

• Update Dockerfile Parent image to the latest, stable Hash referencing Alpine 3.15.2
• All libraries work
• Eliminate APK build cache and PIP/Python build caches
• Optimize Dockerfile syntax (ENV, LABEL, RUN)

Nice to Have
N/A

Additional Information
N/A

Story
As a user of ElectricEye, I want to connect my ECS Cluster within my VPC to ECR over AWS PrivateLink which help me satisfy regulatory or compliance requirements and isolate my network traffic when I download the ElectricEye Docker Image.

Definition of Done

• VPC Interface Endpoint created for ECR using com.amazonaws.region.ecr.dkr
• VPC Gateway Endpoint created for S3
• ElectricEye ECS Task is able to successfully download the Docker Image

Nice to Have

• Least-privileged VPC endpoint policy allowing only the ElectricEye task role to interact with it

Additional Information
Amazon ECR Interface VPC Endpoints (AWS PrivateLink)

Story
As a user of ElectricEye and someone who needs to align to the NIST CSF for corporate requirements (or otherwise), I want to be able to have a subset of the Auditor scripts available to me that map to NIST CSF Subcategories so that I can prove alignment to them to my Board, or otherwise.

Defintion of Done

• Alignment with NIST CSF Subcategories, AICPA TSC "points of focus", ISO 27001:2013 and NIST SP 800-53 r4
• Use NIST's and AICPA's mappings to map CSF into TSC, ISO 27001 and 800-53
• A new sub-directory in the core module titled auditors-nist-csf
• All Auditors have relevant compliance controls mapped to Compliance.RelatedRequirements in the ASFF
• No more than 32 requirements should be in the Compliance.RelatedRequirements array

Nice to Have

• Separate Readme with a mapping of Auditor Checks to NIST
• ServiceNow GRC integration
• Canned QuickSight dashboards in ElectricEye-Reports
• Canned Kibana dashboards

Additional Information

• NIST CSF: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
• AICPA TSC to NIST CSF https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-nist-csf.xlsx

The AWS Security Finding Format (ASFF) supports an array of up to 32 strings in the Compliance object named Compliance.RelatedRequirements.

This is used for the current PCI-DSS security standard in Security Hub, and can also be used to provide the requirements for other frameworks such as the NIST CSF. The NIST CSF is a very high-level and industry / country agnostic framework that a lot of the ElectricEye controls can map into. NIST CSF also provides mapping into ISA 62443, ISO 27001, NIST SP 800-53r4 and others.

As I noted in FAQs in the core module, checkbox compliance for the sake of doing it can be dangerous, but a lot of organizations have decided to index heavily on NIST CSF. The other good thing is that NIST doesn't recognize any certifying bodies, so you can self-assess against it versus needing something like a PCI QSA to attest to the mappings.

Story
As a user of ElectricEye, I want to I want to be able to run security scans against my AWS App Mesh meshes, virtual nodes and virtual routers so that I can know their security posture and/or fulfill regulatory or compliance requirements.

Definition of Done

• New Auditor created for AppMesh
• IAM Policies updated in CFN, TF and standalone
• Readme list updated with new Auditor checks
• Total counts update in the Readme
• Complete mapping to the ASFF

Nice to Have

• New ElectricEye-Response Playbooks

Additional Information

• https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/appmesh.html#AppMesh.Client.describe_virtual_node
• https://docs.aws.amazon.com/app-mesh/latest/userguide/security.html