Merge pull request #155 from cloudgraphdev/feat/EP-3207

feat: add securityHub missing services

Author: dezky

README.md

@@ -85,6 +85,9 @@ export default {
   [services.secretsManager]: 'secretsManager',
   [services.sg]: 'securityGroups',
   [services.securityHub]: 'securityHubs',
+  [services.securityHubMember]: 'securityHubMembers',
+  [services.securityHubStandardSubscription]:
+    'securityHubStandardSubscriptions',
   [services.subnet]: 'subnets',
   [services.systemsManagerDocument]: 'systemsManagerDocuments',
   [services.systemsManagerInstance]: 'systemsManagerInstances',

src/enums/serviceAliases.ts

@@ -104,6 +104,8 @@ import SageMakerProject from '../services/sageMakerProject'
 import SecretsManager from '../services/secretsManager'
 import AwsSecurityGroup from '../services/securityGroup'
 import SecurityHub from '../services/securityHub'
+import SecurityHubMember from '../services/securityHubMember'
+import SecurityHubStandardSubscription from '../services/securityHubStandardSubscription'
 import SES from '../services/ses'
 import SESReceiptRuleSet from '../services/sesReceiptRuleSet'
 import SESEmail from '../services/sesEmail'
@@ -230,6 +232,8 @@ export default {
   [services.s3]: S3,
   [services.secretsManager]: SecretsManager,
   [services.securityHub]: SecurityHub,
+  [services.securityHubMember]: SecurityHubMember,
+  [services.securityHubStandardSubscription]: SecurityHubStandardSubscription,
   [services.ses]: SES,
   [services.sesReceiptRuleSet]: SESReceiptRuleSet,
   [services.sesEmail]: SESEmail,

src/enums/serviceMap.ts

@@ -106,6 +106,8 @@ export default {
   s3: 's3',
   secretsManager: 'secretsManager',
   securityHub: 'securityHub',
+  securityHubMember: 'securityHubMember',
+  securityHubStandardSubscription: 'securityHubStandardSubscription',
   ses: 'ses',
   sesReceiptRuleSet: 'sesReceiptRuleSet',
   sesEmail: 'sesEmail',

src/enums/services.ts

@@ -762,6 +762,10 @@ export default {
     `Security Hub found/enabled for region: ${region}`,
   fetchingSecurityHub:
     'Fetching Security Hub data for this AWS account via the AWS SDK...',
+  fetchedSecurityHubMembers: (num: number): string =>
+    `Found ${num} Security Hub Members`,
+  fetchedSecurityHubStandardSubscriptions: (num: number): string =>
+    `Found ${num} Security Hub Standard Subscription`,
   /**
    * Msk
    */

src/properties/logger.ts

@@ -104,6 +104,8 @@ type awsAccount implements awsOptionalService @key(fields: "id") {
   secretsManager: [awsSecretsManager]
   securityGroups: [awsSecurityGroup]
   securityHub: [awsSecurityHub]
+  securityHubMember: [awsSecurityHubMember]
+  securityHubStandardSubscription: [awsSecurityHubStandardSubscription]
   systemsManagerDocuments: [awsSystemsManagerDocument]
   systemsManagerInstances: [awsSystemsManagerInstance]
   systemsManagerParameters: [awsSystemsManagerParameter]

src/services/account/schema.graphql

@@ -0,0 +1,100 @@
+import CloudGraph from '@cloudgraph/sdk'
+import SecurityHub, {
+  ListMembersRequest,
+  ListMembersResponse,
+  Member,
+  MemberList,
+} from 'aws-sdk/clients/securityhub'
+import { AWSError } from 'aws-sdk/lib/error'
+import groupBy from 'lodash/groupBy'
+import isEmpty from 'lodash/isEmpty'
+import { Config } from 'aws-sdk/lib/config'
+import { initTestEndpoint } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+import awsLoggerText from '../../properties/logger'
+
+const { logger } = CloudGraph
+const lt = { ...awsLoggerText }
+const serviceName = 'SecurityHub Member'
+const errorLog = new AwsErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+
+export interface RawAwsSecurityHubMember extends Member {
+  region: string
+}
+
+const getMembersForRegion = async ({
+  securityHub,
+}: {
+  securityHub: SecurityHub
+}): Promise<MemberList> =>
+  new Promise<MemberList>(resolve => {
+    const memberList: MemberList = []
+    const listMemberOpts: ListMembersRequest = {}
+    const listAllMembers = (token?: string): void => {
+      if (token) {
+        listMemberOpts.NextToken = token
+      }
+      try {
+        securityHub.listMembers(
+          listMemberOpts,
+          (err: AWSError, data: ListMembersResponse) => {
+            const { NextToken: nextToken, Members = [] } = data || {}
+            if (err) {
+              errorLog.generateAwsErrorLog({
+                functionName: 'securityHub:listMembers',
+                err,
+              })
+            }
+
+            memberList.push(...Members)
+
+            if (nextToken) {
+              listAllMembers(nextToken)
+            } else {
+              resolve(memberList)
+            }
+          }
+        )
+      } catch (err) {
+        resolve([])
+      }
+    }
+    listAllMembers()
+  })
+
+export default async ({
+  regions,
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{ [property: string]: RawAwsSecurityHubMember[] }> =>
+  new Promise(async resolve => {
+    const memberData: RawAwsSecurityHubMember[] = []
+    const regionPromises = []
+
+    regions.split(',').forEach(region => {
+      const securityHub = new SecurityHub({ ...config, region, endpoint })
+
+      const regionPromise = new Promise<void>(async resolveRegion => {
+        const members = await getMembersForRegion({ securityHub })
+        if (!isEmpty(members)) {
+          memberData.push(
+            ...members.map(member => ({
+              ...member,
+              region,
+            }))
+          )
+        }
+        resolveRegion()
+      })
+      regionPromises.push(regionPromise)
+    })
+
+    await Promise.all(regionPromises)
+    logger.debug(lt.fetchedSecurityHubMembers(memberData.length))
+    errorLog.reset()
+
+    resolve(groupBy(memberData, 'region'))
+  })

src/services/securityHubMember/data.ts

@@ -0,0 +1,25 @@
+import { RawAwsSecurityHubMember } from './data'
+import { AwsSecurityHubMember } from '../../types/generated'
+
+/**
+ * Security Hub Member
+ */
+
+export default ({
+  service,
+  account,
+  region,
+}: {
+  service: RawAwsSecurityHubMember
+  account: string
+  region: string
+}): AwsSecurityHubMember => {
+  const { AccountId: accountId } = service
+
+  return {
+    id: accountId,
+    accountId: account,
+    arn: accountId,
+    region,
+  }
+}

src/services/securityHubMember/format.ts

@@ -0,0 +1,13 @@
+import { Service } from '@cloudgraph/sdk'
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import mutation from './mutation'
+
+export default class SecurityHubMember extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}

src/services/securityHubMember/index.ts

@@ -0,0 +1,5 @@
+export default `mutation($input: [AddawsSecurityHubMemberInput!]!) {
+  addawsSecurityHubMember(input: $input, upsert: true) {
+    numUids
+  }
+}`