feat gsn-10597: wip 2024-05-24-02

schubergphilis · May 24, 2024 · 6b70502 · 6b70502
1 parent 1b57354
commit 6b70502
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/files/lambda-artifacts/securityhub-suppressor/requirements.txt b/files/lambda-artifacts/securityhub-suppressor/requirements.txt
@@ -1,4 +1,5 @@
 aws-lambda-powertools
+awsfindingsmanagerlib
 pylint-gitlab
 pyyaml
 jmespath

diff --git a/files/lambda-artifacts/securityhub-suppressor/securityhub_trigger.py b/files/lambda-artifacts/securityhub-suppressor/securityhub_trigger.py
@@ -1,13 +1,30 @@
+from aws_lambda_powertools import Logger
+from awsfindingsmanagerlib.backends import Backend
+from awsfindingsmanagerlib.awsfindingsmanagerlib import FindingsManager
 from os import environ
 from typing import Any
 from typing import Dict
 
 import boto3
-from aws_lambda_powertools import Logger
+import yaml
 
 LOGGER = Logger()
 S3_BUCKET_NAME = environ.get('S3_BUCKET_NAME')
-BOTO_S3 = boto3.resource('s3')
+
+
+class S3(Backend):
+
+    def __init__(self, bucket_name, file_name):
+        self._file_contents = self._get_file_contents(bucket_name, file_name)
+
+    @staticmethod
+    def _get_file_contents(bucket_name, file_name):
+        s3 = boto3.resource('s3')
+        return s3.Object(bucket_name, file_name).get()['Body'].read()
+
+    def _get_rules(self):
+        data = yaml.safe_load(self._file_contents)
+        return data.get('Rules')
 
 
 @LOGGER.inject_lambda_context(log_event=True)
@@ -16,5 +33,9 @@ def lambda_handler(event: Dict[str, Any], context):
     LOGGER.info(most_recent_event)
     s3_object_key = most_recent_event['s3']['object']['key']
     LOGGER.info(s3_object_key)
-    s3_object = BOTO_S3.Object(S3_BUCKET_NAME, s3_object_key).get()
-    LOGGER.info(s3_object['Body'].read())
+    s3_backend = S3(S3_BUCKET_NAME, s3_object_key)
+    rules = s3_backend.get_rules()
+    LOGGER.info(rules)
+    findings_manager = FindingsManager()
+    findings_manager.register_rules(rules)
+    findings_manager.suppress_matching_findings()
diff --git a/suppressor.tf b/suppressor.tf
@@ -96,6 +96,12 @@ data "aws_iam_policy_document" "lambda_security_hub_suppressor" {
     resources = ["${module.suppressions_bucket.arn}/*"]
   }
 
+  statement {
+    sid       = "EC2DescribeRegionsAccess"
+    actions   = ["ec2:DescribeRegions"]
+    resources = ["*"]
+  }
+
   statement {
     sid = "SecurityHubAccess"
     actions = [