Merge pull request #316 from awslabs/master

RELEASE 0.8.1

README.rst

@@ -160,6 +160,29 @@ Once you have completed your compliance validation code and set your Rule's conf
 
 The exact output will vary depending on Lambda runtime.  You can use the --all flag to deploy all of the rules in your working directory.
 
+Deploy Organization Rule
+------------------------
+You can also deploy the Rule to your AWS Orgnization using the ``deploy-organization`` command.
+For successful evaluation of custom rules in child accounts, please make sure you do one of the following: 
+
+1. Set ASSUME_ROLE_MODE in Lambda code to True, to get the lambda to assume the Role attached on the Config Service and confirm that the role trusts the master account where the Lambda function is going to be deployed.
+2. Set ASSUME_ROLE_MODE in Lambda code to True, to get the lambda to assume a custom role and define an optional parameter with key as ExecutionRoleName and set the value to your custom role name; confirm that the role trusts the master account of the organization where the Lambda function will be deployed.
+
+::
+
+  $ rdk deploy-organization MyRule
+  Running deploy!
+  Zipping MyRule
+  Uploading MyRule
+  Creating CloudFormation Stack for MyRule
+  Waiting for CloudFormation stack operation to complete...
+  ...
+  Waiting for CloudFormation stack operation to complete...
+  Config deploy complete.
+  
+The exact output will vary depending on Lambda runtime.  You can use the --all flag to deploy all of the rules in your working directory.
+This command uses 'PutOrganizationConfigRule' API for the rule deployment. If a new account joins an organization, the rule is deployed to that account. When an account leaves an organization, the rule is removed. Deployment of existing organizational AWS Config Rules will only be retried for 7 hours after an account is added to your organization if a recorder is not available. You are expected to create a recorder if one doesn't exist within 7 hours of adding an account to your organization.
+
 View Logs For Deployed Rule
 ---------------------------
 Once the Rule has been deployed to AWS you can get the CloudWatch logs associated with your lambda function using the ``logs`` command.

integration/config-opscenter-integration-example/AWS_Config_and_OpsCenter.xml

@@ -0,0 +1 @@
+<mxfile host="drawio.corp.amazon.com" modified="2021-07-07T20:39:15.069Z" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" etag="W84RUIU1xn6_EfwDyDGi" version="12.4.8" type="device"><diagram id="0hZAyJKCxBIlR_5_V_cb" name="Page-1">7Vptc6I8FP01flwnhBfxo1q32+nL9qnddfeTEyEiUyBMCL7sr38SCAqEbq2LrdNpnbHkJsTknMO9N1c7+ijcXFIUL2+Ji4MOBO6mo190IOxrPf4uDNvcYBYGj/pubtL2hon/B0sjkNbUd3FSGcgICZgfV40OiSLssIoNUUrW1WELElQ/NUYeVgwTBwWqdeq7bJlbbRPs7d+w7y2LT9aA7AlRMVgakiVyybpk0scdfUQJYflVuBnhQGBX4JLf9/WZ3t3CKI7YITeA/4Lpj+uHX3Q2C4ez+6fNzU/ni5HPskJBKjcsF8u2BQKUpJGLxSSgow/XS5/hSYwc0bvmlHPbkoUBb2n8Ul2UXOcKU4Y3JZNc5CUmIWZ0y4fIXqMn17AtlCABXO/x10w7ty1L2Ot9ORBJzr3d3HtY+IVE5hUomeeHErTByyjpQEUJAngilKzzQ6l/diD1FJAG0wk3TLYJw2HCr25RxJ0KVbAjKQv8CI92jk5AuCARG5GA0GyMzl9fxWKGHkWuj/d9EYn4NMOEUfKESzcssj8xkR8ETRO5KFnuCBPA+9w33qA5Du5J4jOfRLwv9F1XLHM3YBD4nuiYE8ZIyDuQNAR4waosN4lA7EqGAq3Y5UQiIe5J+HA/8nhLF60likVPuPFECOqidWJ0Y0rc1GFXjljgMKb5RXVMkmM+CyXib+a+jAbJ2adSnP2M4riQFr73MWXm8DVlhJ6H0Jwc6nZcmnaUvHqnio19VV4h+sMx4AoLSOpOEXOWH1NlZ+XMHAH2OgO7pQTjSKGdyo8VJ4KS0r7HySh/0k+hr5qKhiNNNy1Fd3LwQdLaKaguLUbiF7xXWUWwpiLxkSiJ840u/I1YxzAmvphlvOKTJYXUmsRVi4IzEie7BbSgI1Or6agIdCUd9Rqy+cLWvo40RUdYgPSpoeM1lAE4y9/nKMlubkE7Oqzl77bxztqBinZGJIwDH0Xc5UNA0wAnn0I6XkgCwBlsRz27k91rPY91KvXoinoShlgqTn3OEkUeVqSDI3cgqliCiAAlie8ceEZmiHqY/W0xciB2KwUwFc0SWmZDvC9sFAeI+atq2awJQvkJ90ISpXRDr4YJWFQPiikSklIHy7vKZa76RLZdZb2ekOTIKBNljO62/Q8kqyU1h2LEhHvg+coVj7VvyTI4K5b1vl1jWTuOZV0HXQABAKYG+yYEenVaHXatXs/mnTYEVl1Kp1bAAeXCEuN1n60dyP2ZUGoYVS+rVGEPpVSZCLwta2r58uHHzVhUSm4Hd4PL8e347lHhkYei2hGwMSCXo7c0KfG1HoZ359CmQ2W1kNpCsOz1K+CbTTV3qIoInqqsoKmF0gdOwcXV4PHq+93H5cHQe2dGhFo/5GGMGx4xUiPZM4le/sUXqKemL9EV1FJWhaN/zWlrWbUJxKshNw0TB+Eu31oa4W6a8FOyx5mP23jurKrXg0DrmgrlTf67EEr7jKslPbzBTpqlMCjlAKMMbgge0mhOyNOr8xm88dkvoYEuMGXzd9YsWhcbqZCssS017jH1+TYFe39/5I5NjfhGsoD14iPxXgG3B2GhkCJSGqCwvDboWmZNftbb5kpQLcaUFfZ5kD72IF1CsZ0yHqgmCLqlBia76WutFuLS9PftlHkrO0onP7889K8naXrd8J08xQkJVpVzlhWIrGBO+ZXHMiAsFApSonki/s3FDnfO7ahTmeI+jvFF75vCm0aVW3hsCm/2axPxU5qhGz0bWsC2+qalt+RceHP/w5l8+P7XR/r4fw==</diagram></mxfile>

integration/config-opscenter-integration-example/README.md

@@ -0,0 +1,36 @@
+### AWS Config and OpsCenter integration ###
+
+This is an example showing how we can create a CloudWatch event to monitoring
+a change of compliance status and create an OpsItem in OpsCenter.
+
+# Scenario
+
+User wants to leverage OpsCenter to have a central location where operations engineers and IT professionals
+can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. User also wants
+to create OpsItem automatically on non-compliant resouces found by AWS Config. In addition, OpsCenter provides
+action action to trigger a runbook. Engineers/professionals can easily trigger the remediation process with this
+feature.
+
+
+# Example Walkthrough
+
+pre-requisite:
+    aws account,
+    awscli,
+    IAM role permission to create config rules, cloudwatch event and opsitem with cloudformation
+
+1. execute "sh build.sh"
+    - create an IAM role and a managed config rule that checks if server side encryption enabled for a S3 bucket
+
+2. [Optional] Create a non-encrypted S3 bucket if you do not have one
+
+3. Go to AWS Config > Rules > my-config-rule-S3BucketServerSideEncryptionEnabled in Console
+    - click action button and select re-evaluate
+
+4. Once the evaluation is done, go to AWS Systems Manager > OpsCenter in the console and user will see OpsItems created
+    - User can get the details for the non-compliant resources, suggested runbook for remediation
+    - User can execute the runbook to resolve the issue.
+    - Please check the doc for more information on OpsCenter
+        https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html
+
+5. execute "sh cleanup.sh"

integration/config-opscenter-integration-example/build.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+
+aws cloudformation deploy --stack-name my-opsitem-role \
+--template-file opsitem-role.yaml \
+--capabilities CAPABILITY_IAM
+
+aws cloudformation deploy --stack-name my-config-rule \
+--template-file s3EncryptedConfigRule.yaml

integration/config-opscenter-integration-example/cleanup.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+
+aws cloudformation delete-stack --stack-name my-opsitem-role
+aws cloudformation delete-stack --stack-name my-config-rule

integration/config-opscenter-integration-example/opsitem-role.yaml

@@ -0,0 +1,43 @@
+#  Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
+#  the License. A copy of the License is located at
+#      http://aws.amazon.com/apache2.0/
+#  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+#  CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
+#  limitations under the License.
+
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Role to create OpsItem with CloudWatch event
+
+Resources:
+
+  OpsItemEventRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - events.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: create-opsitem-event
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+            - Effect: Allow
+              Action:
+                - ssm:CreateOpsItem
+              Resource: "*"
+
+
+Outputs:
+  OpsItemEventRoleArn:
+    Value: !GetAtt OpsItemEventRole.Arn
+    Description: 'Role to create OpsItem with CloudWatch event'
+    Export:
+      Name: "OpsItemEventRoleArn"

integration/config-opscenter-integration-example/s3EncryptedConfigRule.yaml

@@ -0,0 +1,70 @@
+#  Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
+#  the License. A copy of the License is located at
+#      http://aws.amazon.com/apache2.0/
+#  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+#  CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
+#  limitations under the License.
+
+AWSTemplateFormatVersion: 2010-09-09
+
+Parameters:
+   CloudWatchEventIAMRole:
+     Type: String
+     Description: The IAM role that grants CloudWatchEvent access to create OpsItems
+     Default: opscenter-role
+
+Resources:
+  S3BucketServerSideEncryptionEnabled:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      Scope:
+        ComplianceResourceTypes:
+          - "AWS::S3::Bucket"
+      Source:
+        Owner: AWS
+        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
+
+  OpsItemGenForS3BucketServerSideEncryptionEnabled:
+     Type: 'AWS::Events::Rule'
+     Properties:
+       Description: "CloudWatch Rule which creates Ops Items for CloudTrail Compliance Events"
+       EventPattern:
+         source:
+           - aws.config
+         detail-type:
+           - 'Config Rules Compliance Change'
+         detail:
+           configRuleName:
+             - !Ref S3BucketServerSideEncryptionEnabled
+           newEvaluationResult:
+             complianceType:
+               - NON_COMPLIANT
+       State: "ENABLED"
+       Targets:
+         - Arn: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitem
+           Id: SSM-OpsItem
+           RoleArn: !ImportValue OpsItemEventRoleArn
+           InputTransformer:
+             InputTemplate:
+               Fn::Sub:
+                   '{ "title": "CloudTrail CloudWatch Logs Compliance Failure",
+                     "description": "CloudWatch Event Rule was triggered for Config Compliance Rule Failure.",
+                     "source": "Config Compliance",
+                     "priority": "2",
+                     "severity": "1",
+                     "notifications": [{ "arn": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:OpsCenterEventNotificationTopic"}],
+                     "operationalData": {
+                       "/aws/dedup": {"type": "SearchableString","value": "{\"dedupString\":\"SSMOpsItems-S3-Encrypted-enabled-failed\"}"}, 
+                       "/aws/automations": { "value": "[ { \"automationType\": \"AWS:SSM:Automation\", \"automationId\": \"AWS-EnableS3BucketEncryption\" } ]" },
+                       "/aws/resources": {"value": "[{\"arn\":\"arn:aws:s3:::<resourceId>\"}]","type": "SearchableString"},
+                       "configRuleName": {"type": "SearchableString","value": <configRuleName>},
+                       "resourceType": {"type": "SearchableString","value": <resourceType>},
+                       "resourceId": {"type": "SearchableString","value": <resourceId>}
+                     }
+                   }'
+             InputPathsMap:
+               resourceType: "$.detail.resourceType"
+               resourceId: "$.detail.resourceId"
+               configRuleName: "$.detail.configRuleName"
+

rdk/__init__.py

@@ -6,4 +6,4 @@
 #
 #    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 
-MY_VERSION = "0.8.0"
+MY_VERSION = "0.8.1"