feat(CG-1311): add AWS security hub

james-zhou-inspire11 · james-zhou-inspire11 · commit 067bf70678fd · 2022-12-13T11:21:33.000-06:00
diff --git a/src/enums/resources.ts b/src/enums/resources.ts
@@ -44,6 +44,7 @@ export default {
   dynamoDbTable: 'aws_dynamodb_table',
   kinesisStream: 'aws_kinesis_stream',
   securityGroup: 'aws_security_group',
+  securityHub: 'aws_security_hub',
   iamRolePolicy: 'aws_iam_role_policy',
   efsMountTarget: 'aws_efs_mount_target',
   route53ZRecord: 'aws_route53_record',
diff --git a/src/enums/schemasMap.ts b/src/enums/schemasMap.ts
@@ -78,6 +78,7 @@ export default {
   [services.nat]: 'awsNatGateway',
   [services.networkInterface]: 'awsNetworkInterface',
   [services.sg]: 'awsSecurityGroup',
+  [services.securityHub]: 'awsSecurityHub',
   [services.subnet]: 'awsSubnet',
   [services.vpc]: 'awsVpc',
   [services.vpcEndpoint]: 'awsVpcEndpoint',
diff --git a/src/enums/serviceAliases.ts b/src/enums/serviceAliases.ts
@@ -67,6 +67,7 @@ export default {
   [services.sageMakerProject]: 'sageMakerProjects',
   [services.secretsManager]: 'secretsManager',
   [services.sg]: 'securityGroups',
+  [services.securityHub]: 'securityHubs',
   [services.subnet]: 'subnets',
   [services.systemsManagerDocument]: 'systemsManagerDocuments',
   [services.systemsManagerInstance]: 'systemsManagerInstances',
diff --git a/src/enums/serviceMap.ts b/src/enums/serviceMap.ts
@@ -53,6 +53,7 @@ import Route53HostedZone from '../services/route53HostedZone'
 import Route53Record from '../services/route53Record'
 import RouteTable from '../services/routeTable'
 import SecretsManager from '../services/secretsManager'
+import SecurityHub from '../services/securityHub'
 import S3 from '../services/s3'
 import SES from '../services/ses'
 import SQS from '../services/sqs'
@@ -182,6 +183,7 @@ export default {
   [services.sageMakerProject]: SageMakerProject,
   [services.s3]: S3,
   [services.secretsManager]: SecretsManager,
+  [services.securityHub]: SecurityHub,
   [services.ses]: SES,
   [services.iamAccessAnalyzer]: IamAccessAnalyzer,
   [services.iamUser]: IamUser,
diff --git a/src/enums/services.ts b/src/enums/services.ts
@@ -84,6 +84,7 @@ export default {
   sageMakerProject: 'sageMakerProject',
   s3: 's3',
   secretsManager: 'secretsManager',
+  securityHub: 'securityHub',
   ses: 'ses',
   sg: 'sg',
   sns: 'sns',
diff --git a/src/properties/logger.ts b/src/properties/logger.ts
@@ -689,4 +689,10 @@ export default {
    * Vpc Peering Connections
    */
   fetchedVpcPeeringConnections: (num: number): string => `Found ${num} Vpc Peering Connections`,
+  /**
+   * Security Hub
+   */
+  securityHubNotFound: (region: string): string => `Security Hub not found/disabled for region: ${region}`,
+  fetchedSecurityHub: (region: string): string => `Security Hub found/enabled for region: ${region}`,
+  fetchingSecurityHub: 'Fetching Security Hub data for this AWS account via the AWS SDK...',
 }
diff --git a/src/services/account/schema.graphql b/src/services/account/schema.graphql
@@ -86,6 +86,7 @@ type awsAccount implements awsOptionalService @key(fields: "id") {
   sageMakerProjects: [awsSageMakerProject]
   secretsManager: [awsSecretsManager]
   securityGroups: [awsSecurityGroup]
+  securityHub: [awsSecurityHub]
   systemsManagerDocuments: [awsSystemsManagerDocument]
   systemsManagerInstances: [awsSystemsManagerInstance]
   ses: [awsSes]
diff --git a/src/services/securityHub/data.ts b/src/services/securityHub/data.ts
@@ -0,0 +1,70 @@
+import CloudGraph from '@cloudgraph/sdk'
+import SecurityHub, { DescribeHubResponse } from 'aws-sdk/clients/securityhub'
+import { AWSError } from 'aws-sdk/lib/error'
+import groupBy from 'lodash/groupBy'
+import isEmpty from 'lodash/isEmpty'
+import { Config } from 'aws-sdk/lib/config'
+import { initTestEndpoint } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+import awsLoggerText from '../../properties/logger'
+
+const { logger } = CloudGraph
+const lt = { ...awsLoggerText }
+const serviceName = 'SecurityHub'
+const errorLog = new AwsErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+
+export interface RawAwsSecurityHub {
+  HubArn: string;
+  SubscribedAt: string;
+  AutoEnableControls?: boolean;
+  region: string;
+}
+
+export default async ({
+  regions,
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{ [property: string]: RawAwsSecurityHub[] }> =>
+  new Promise(async resolve => {
+    const hubData: RawAwsSecurityHub[] = []
+
+    const regionPromises = regions.split(',').map(region => {
+      const securityHub = new SecurityHub({ ...config, region, endpoint })
+      return new Promise<void>(resolveRegion =>
+        securityHub.describeHub(
+          {},
+          (err: AWSError, data: DescribeHubResponse) => {
+            if (err) {
+              errorLog.generateAwsErrorLog({
+                functionName: 'securityHub:describeHub',
+                err,
+              })
+            }
+
+            if (isEmpty(data) || !data) {
+              logger.debug(lt.securityHubNotFound(region))
+              return resolveRegion()
+            }
+
+            logger.debug(lt.fetchedSecurityHub(region))
+            hubData.push({
+              HubArn: data.HubArn,
+              SubscribedAt: data.SubscribedAt,
+              AutoEnableControls: data.AutoEnableControls,
+              region,
+            })
+            resolveRegion()
+          }
+        )
+      )
+    })
+
+    logger.debug(lt.fetchingSecurityHub)
+    await Promise.all(regionPromises)
+    errorLog.reset()
+
+    resolve(groupBy(hubData, 'region'))
+  })
diff --git a/src/services/securityHub/format.ts b/src/services/securityHub/format.ts
@@ -0,0 +1,34 @@
+import { RawAwsSecurityHub } from './data'
+import {
+  AwsSecurityHub
+} from '../../types/generated'
+
+
+/**
+ * Security Hub
+ */
+
+export default ({
+  service,
+  account,
+  region,
+}: {
+  service: RawAwsSecurityHub
+  account: string
+  region: string
+}): AwsSecurityHub => {
+  const {
+    HubArn: arn,
+    SubscribedAt: subscribedAt,
+    AutoEnableControls: autoEnableControls,
+  } = service
+
+  return {
+    id: arn,
+    accountId: account,
+    arn,
+    region,
+    subscribedAt,
+    autoEnableControls,
+  }
+}
diff --git a/src/services/securityHub/index.ts b/src/services/securityHub/index.ts
@@ -0,0 +1,13 @@
+import { Service } from '@cloudgraph/sdk'
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import mutation from './mutation'
+
+export default class SecurityHub extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}
diff --git a/src/services/securityHub/mutation.ts b/src/services/securityHub/mutation.ts
@@ -0,0 +1,5 @@
+export default `mutation($input: [AddawsSecurityHubInput!]!) {
+  addawsSecurityHub(input: $input, upsert: true) {
+    numUids
+  }
+}`
diff --git a/src/services/securityHub/schema.graphql b/src/services/securityHub/schema.graphql
@@ -0,0 +1,4 @@
+type awsSecurityHub implements awsBaseService @key(fields: "arn") {
+  subscribedAt: String @search(by: [hash, regexp])
+  autoEnableControls: Boolean @search 
+}
diff --git a/src/types/generated.ts b/src/types/generated.ts
@@ -221,6 +221,7 @@ export type AwsAccount = AwsOptionalService & {
   sageMakerProjects?: Maybe<Array<Maybe<AwsSageMakerProject>>>;
   secretsManager?: Maybe<Array<Maybe<AwsSecretsManager>>>;
   securityGroups?: Maybe<Array<Maybe<AwsSecurityGroup>>>;
+  securityHub?: Maybe<Array<Maybe<AwsSecurityHub>>>;
   ses?: Maybe<Array<Maybe<AwsSes>>>;
   sns?: Maybe<Array<Maybe<AwsSns>>>;
   sqs?: Maybe<Array<Maybe<AwsSqs>>>;
@@ -4063,6 +4064,11 @@ export type AwsSecurityGroup = AwsBaseService & {
   vpcId?: Maybe<Scalars['String']>;
 };
 
+export type AwsSecurityHub = AwsBaseService & {
+  autoEnableControls?: Maybe<Scalars['Boolean']>;
+  subscribedAt?: Maybe<Scalars['String']>;
+};
+
 export type AwsServiceBillingInfo = {
   cost?: Maybe<Scalars['Float']>;
   currency?: Maybe<Scalars['String']>;
