A configuration package that enables compliance monitoring for a subset of the PCI DSS 3.2.1 controls using AWS Security Hub in an AWS account. The package also enables the service prerequisites and configures notifications for Security Hub findings. AWS Security Hub also turns on the CIS AWS Foundations compliance standard by default. This package includes:
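AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Enables AWS Security Hub and subscribes the account to the PCI DSS v3.2.1
  standard through a custom resource, and forwards imported Security Hub
  findings to an email-subscribed SNS topic via a CloudWatch Events rule.
Parameters:
  # Recipient of finding notifications. The default is a placeholder that keeps
  # existing deployments unchanged; override it at deploy time. The subscription
  # only becomes active after the recipient confirms it.
  NotificationEmail:
    Type: String
    Default: email@example.com
    Description: Email address that receives Security Hub finding notifications.
Resources:
  # Enables Security Hub in this account and region. Security Hub turns on the
  # CIS AWS Foundations standard by default when the hub is created.
  SecurityHub:
    Type: 'AWS::SecurityHub::Hub'
    Properties: {}
  # Custom resource backed by the Lambda below: enables the PCI DSS v3.2.1
  # standard on Create/Update and disables it on Delete. DependsOn makes the hub
  # exist first and, on stack deletion, disables the standard before the hub
  # itself is removed.
  SecurityHubStandards:
    Type: 'Custom::SecurityHubStandards'
    Properties:
      ServiceToken:
        'Fn::GetAtt':
          - SecurityHubStandardsResourceLambda
          - Arn
    DependsOn: SecurityHub
  # Execution role for the custom-resource Lambda: CloudWatch Logs through the
  # managed basic execution policy, plus only the Security Hub standards calls
  # the handler needs.
  SecurityHubStandardsResourceLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: scp-access
          PolicyDocument:
            # Explicit policy language version; without it IAM falls back to
            # the legacy 2008-10-17 grammar.
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'securityhub:GetEnabledStandards'
                  - 'securityhub:BatchDisableStandards'
                  - 'securityhub:BatchEnableStandards'
                # NOTE(review): kept as '*' from the original; check whether
                # these standards actions accept a narrower resource ARN before
                # tightening.
                Resource: '*'
  # Inline Node.js handler for the Custom::SecurityHubStandards resource.
  SecurityHubStandardsResourceLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          'use strict';
          const AWS = require('aws-sdk');
          // cfn-response is the helper CloudFormation provides for inline (ZipFile) code.
          // NOTE(review): AWS docs show require('cfn-response'); confirm the relative
          // path resolves in this runtime before relying on it.
          const response = require('./cfn-response');
          const securityhub = new AWS.SecurityHub();

          // Path portion shared by the standard ARN and the subscription ARN.
          const STANDARD_PATH = 'pci-dss/v/3.2.1';

          /**
           * Custom-resource handler.
           * Create/Update: enable PCI DSS v3.2.1; Delete: disable it.
           * Every branch ends with a cfn-response so the stack never waits on a
           * missing reply.
           * @param {object} event   CloudFormation custom resource event
           * @param {object} context Lambda context (used for the function ARN)
           */
          exports.handler = (event, context) => {
            const region = process.env.AWS_REGION;
            // invokedFunctionArn: arn:<partition>:lambda:<region>:<account>:function:<name>
            const arnParts = context.invokedFunctionArn.split(':');
            const partition = arnParts[1];
            const accountId = arnParts[4];
            // NOTE(review): the event carries the pre-signed ResponseURL; trim it
            // before logging if log readers should not see it.
            console.log('Invoke:', JSON.stringify(event));

            // Reports the outcome to CloudFormation with a fixed physical id.
            const done = (err, data) => {
              if (err) {
                console.log('Error: ', err);
                response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');
              } else {
                console.log('Data: ', data);
                response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');
              }
            };

            switch (event.RequestType) {
              case 'Create':
              case 'Update':
                // Standard ARNs carry no account id (empty field before "standards").
                securityhub.batchEnableStandards({
                  StandardsSubscriptionRequests: [
                    { StandardsArn: `arn:${partition}:securityhub:${region}::standards/${STANDARD_PATH}` },
                  ],
                }, done);
                break;
              case 'Delete':
                // NOTE(review): if the subscription no longer exists this call may
                // fail and take the stack deletion with it; decide whether Delete
                // should be tolerant of that case.
                securityhub.batchDisableStandards({
                  StandardsSubscriptionArns: [
                    `arn:${partition}:securityhub:${region}:${accountId}:subscription/${STANDARD_PATH}`,
                  ],
                }, done);
                break;
              default:
                // Failing only the invocation would leave CloudFormation waiting
                // for a response until its own timeout; report FAILED instead.
                done(new Error(`unsupported RequestType: ${event.RequestType}`));
            }
          };
      Handler: index.handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - SecurityHubStandardsResourceLambdaRole
          - Arn
      # nodejs16.x is the last runtime that bundles aws-sdk v2; moving to a newer
      # runtime requires porting the handler to SDK v3.
      Runtime: nodejs16.x
      Timeout: 120
  # Notification topic. The fixed TopicName means only one instance of this
  # stack can exist per account and region.
  SnsTopic1:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint:
            Ref: NotificationEmail
          Protocol: email
      TopicName: sns-topic
  # Forwards every imported Security Hub finding to the topic. The pattern has
  # no severity or compliance filter, so it also fires for informational
  # findings; narrow `detail` if the volume is too high.
  CwEvent1:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-securityhub-finding
      Description: A CloudWatch Event Rule that triggers on AWS Security Hub findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic1
          Id: target-id1
      EventPattern:
        detail-type:
          - Security Hub Findings - Imported
        source:
          - aws.securityhub
  # Topic access policy: the first statement is the SNS default policy, limited
  # to principals of this account by the SourceOwner condition; the second lets
  # the events service publish rule matches.
  SnsTopicPolicyCwEvent1:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic1
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          # NOTE(review): this grant is for the whole events service; consider
          # a source-scoping condition so only this account's rules can publish.
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic1
      Topics:
        - Ref: SnsTopic1
Metadata: {}
Conditions: {}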