Giter VIP home page Giter VIP logo

security-hub-controls's Introduction

Security Hub Controls Reference

A JSONL-formatted scrape of the AWS Security Hub controls reference, along with a Python program to update it.

Use this repo to compliment the official Change log for Security Hub controls. The official change log also describes planned breaking changes to controls such as removals and renames.

Version 1 scrapes the table from the main reference page. See dump-controls for the implementation. Execute the script to try it.

Version 2 will scrape the controls page for each service to include all the available data. See the tutorial folder for an attempt to do this by adapting the Scrapy tutorial. To try it, run poetry install, enter the folder, and run scrapy crawl quotes.

Security Hub has a public API called ListSecurityControlDefinitions provides something similar to version 1 of this data. You need to enabled Security Hub in your AWS account before you can call the API. In any case, the documentation is still the most complete source for the data.

I was inspired by fluggo's AWS service authorization reference and z0ph's Monitor for AWS Managed IAM Policies.

Data structure

Each line in security-hub-controls.jsonl looks like this when pretty-printed:

{
  "Id": "Account.1",
  "Title": "Security contact information should be provided for an AWS account",
  "ApplicableStandards": [
    "AWS Foundational Security Best Practices v1.0.0",
    "Service-Managed Standard: AWS Control Tower",
    "NIST SP 800-53 Rev. 5"
  ],
  "Severity": "MEDIUM",
  "SupportsCustomParameters": "No",
  "ScheduleType": "Periodic"
}

Use cases

Fetch the dump for querying locally.

curl \
--url "https://raw.githubusercontent.com/iainelder/security-hub-controls/main/security-hub-controls.jsonl" \
--output controls.jsonl \
--silent \
--show-error

Which controls are rated critical by Security Hub?

cat controls.jsonl \
| jq -c 'select(.Severity == "CRITICAL") | {Id, Title}'
{"Id":"CloudFront.1","Title":"CloudFront distributions should have a default root object configured"}
{"Id":"CloudTrail.6","Title":"Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible"}
{"Id":"CodeBuild.1","Title":"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth"}
...

How many controls does each linked standard have?

cat controls.jsonl \
| jq -c '.ApplicableStandards[]' \
| jq -sc '
  group_by(.)
  | map({ApplicableStandard: .[0], ControlCount: length})
  | sort_by(.ControlCount)
  | reverse
  | .[]
'
{"ApplicableStandard":"NIST SP 800-53 Rev. 5","ControlCount":227}
{"ApplicableStandard":"AWS Foundational Security Best Practices v1.0.0","ControlCount":211}
{"ApplicableStandard":"Service-Managed Standard: AWS Control Tower","ControlCount":172}
...

Which controls are linked to standard Service-Managed Standard: AWS Control Tower?

cat controls.jsonl \
| jq -c '
  select(.ApplicableStandards | contains(["Service-Managed Standard: AWS Control Tower"]))
  | {Id, Title}
'
{"Id":"Account.1","Title":"Security contact information should be provided for an AWS account"}
{"Id":"ACM.1","Title":"Imported and ACM-issued certificates should be renewed after a specified time period"}
{"Id":"APIGateway.1","Title":"API Gateway REST and WebSocket API execution logging should be enabled"}
...

How does Security Hub check backups? (This example also shows how to format results as prose.)

cat controls.jsonl \
| jq -r 'select(tostring | test("BACKUP"; "i")) | "\(.Id): \(.Title)"'
  • DynamoDB.4: DynamoDB tables should be present in a backup plan
  • EC2.28: EBS volumes should be in a backup plan
  • EFS.2: Amazon EFS volumes should be in backup plans
  • ElastiCache.1: ElastiCache Redis clusters should have automatic backup enabled
  • RDS.11: RDS instances should have automatic backups enabled
  • RDS.26: RDS DB instances should be protected by a backup plan

security-hub-controls's People

Contributors

actions-user avatar iainelder avatar

Stargazers

avatar

Watchers

avatar

security-hub-controls's Issues

Complete version 2

Version 2 is still an unfinished prototype.

Complete it to enrich the controls database with extra details.

Extract field for custom parameters

The main table added a column called "Supports custom parameters".

The latest dump failed because of it.

Use the Python debugger to reproduce it locally.

python3 -m pdb ./dump-controls 
> /tmp/dir.NAz/security-hub-controls/dump-controls(3)<module>()
-> """
(Pdb) c

Traceback (most recent call last):
  File "/usr/lib/python3.8/pdb.py", line 1705, in main
    pdb._runscript(mainpyfile)
  File "/usr/lib/python3.8/pdb.py", line 1573, in _runscript
    self.run(statement)
  File "/usr/lib/python3.8/bdb.py", line 580, in run
    exec(cmd, globals, locals)
  File "<string>", line 1, in <module>
  File "/tmp/dir.NAz/security-hub-controls/dump-controls", line 3, in <module>
    """
  File "/tmp/dir.NAz/security-hub-controls/dump-controls", line 32, in main
    controls = get_available_controls()
  File "/tmp/dir.NAz/security-hub-controls/dump-controls", line 40, in get_available_controls
    return parse_controls(markup)
  File "/tmp/dir.NAz/security-hub-controls/dump-controls", line 48, in parse_controls
    check_header(document)
  File "/tmp/dir.NAz/security-hub-controls/dump-controls", line 64, in check_header
    assert header_texts == expected
AssertionError
Uncaught exception. Entering post mortem debugging
Running 'cont' or 'step' will restart the program
> /tmp/dir.NAz/security-hub-controls/dump-controls(64)check_header()
-> assert header_texts == expected

(Pdb) expected
['Security control ID', 'Security control title', 'Applicable standards', 'Severity', 'Schedule type']
(Pdb) header_texts
['Security control ID', 'Security control title', 'Applicable standards', 'Severity', 'Supports custom parameters', 'Schedule type']

Fix dump format

The source table has changed structure. The dumper successfully extracted something, but it doesn't look right.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.