Patch: Merge pull request #49 from reflexivesecurity/automated-multia…

…ccount-refactor Automated - Multi Account Update
reflexivesecurity · Oct 4, 2020 · 48b79f7 · 48b79f7
2 parents b9818ed + 177b3ca
commit 48b79f7
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ A Reflex rule to detect when CloudFront logging is disabled.
 To learn more about CloudFront logging, see [the AWS Documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/reports-and-monitoring.html).
 
 ## Getting Started
-To get started using Reflex, check out [the Reflex Documentation](https://docs.cloudmitigator.com/).
+To get started using Reflex, check out [the Reflex Documentation](https://docs.reflexivesecurity.com/).
 
 ## Usage
 To use this rule either add it to your `reflex.yaml` configuration file: 
@@ -18,7 +18,7 @@ rules:
 or add it directly to your Terraform: 
 ```
 module "cloudfront-logging-disabled" {
- source = "git::https://github.com/cloudmitigator/reflex-aws-cloudfront-logging-disabled.git?ref=latest"
+ source = "git::https://github.com/reflexivesecurity/reflex-aws-cloudfront-logging-disabled.git?ref=latest"
  sns_topic_arn = module.central-sns-topic.arn
  reflex_kms_key_id = module.reflex-kms-key.key_id
 }
@@ -30,7 +30,7 @@ Note: The `sns_topic_arn` and `reflex_kms_key_id` example values shown here assu
 This rule has no configuration options.
 
 ## Contributing
-If you are interested in contributing, please review [our contribution guide](https://docs.cloudmitigator.com/about/contributing.html).
+If you are interested in contributing, please review [our contribution guide](https://docs.reflexivesecurity.com/about/contributing.html).
 
 ## License
-This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/cloudmitigator/reflex-aws-cloudfront-logging-disabled/blob/master/LICENSE) 
+This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/reflexivesecurity/reflex-aws-cloudfront-logging-disabled/blob/master/LICENSE) 
diff --git a/source/reflex_aws_cloudfront_logging_disabled.py b/source/reflex_aws_cloudfront_logging_disabled.py
@@ -2,7 +2,7 @@
 
 import json
 
-from reflex_core import AWSRule
+from reflex_core import AWSRule, subscription_confirmation
 
 
 class CloudfrontLoggingDisabled(AWSRule):
@@ -14,7 +14,9 @@ def __init__(self, event):
  def extract_event_data(self, event):
  """ Extract required event data """
  self.distribution_id = event["detail"]["responseElements"]["distribution"]["id"]
- self.logging_enabled = event["detail"]["responseElements"]["distribution"]["distributionConfig"]["logging"]["enabled"]
+ self.logging_enabled = event["detail"]["responseElements"]["distribution"][
+ "distributionConfig"
+ ]["logging"]["enabled"]
 
  def resource_compliant(self):
  """
@@ -31,5 +33,10 @@ def get_remediation_message(self):
 
 def lambda_handler(event, _):
  """ Handles the incoming event """
- rule = CloudfrontLoggingDisabled(json.loads(event["Records"][0]["body"]))
+ print(event)
+ event_payload = json.loads(event["Records"][0]["body"])
+ if subscription_confirmation.is_subscription_confirmation(event_payload):
+ subscription_confirmation.confirm_subscription(event_payload)
+ return
+ rule = CloudfrontLoggingDisabled(event_payload)
  rule.run_compliance_rule()
diff --git a/terraform/assume_role/assume_role.tf b/terraform/assume_role/assume_role.tf
@@ -0,0 +1,9 @@
+data "aws_caller_identity" "current" {}
+module "assume_role" {
+ source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda/modules/iam_assume_role?ref=v2.1.0"
+
+ function_name = "CloudfrontLoggingDisabled"
+
+ lambda_execution_role_arn = "arn:aws:iam::${var.parent_account}:role/ReflexCloudfrontLoggingDisabledLambdaExecution"
+
+}
diff --git a/terraform/assume_role/variables.tf b/terraform/assume_role/variables.tf
@@ -0,0 +1,5 @@
+variable "parent_account" {
+ description = "Account id of parent forwarded account."
+ type = string
+}
+
diff --git a/terraform/cwe/main.tf b/terraform/cwe/main.tf
@@ -1,5 +1,5 @@
 module "cwe" {
- source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/cwe?ref=v2.0.1"
+ source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/cwe?ref=v2.1.0"
  name = "CloudfrontLoggingDisabled"
  description = "A reflex rule to detect when CloudFront logging is disabled."
 

diff --git a/terraform/sqs_lambda/sqs_lambda.tf b/terraform/sqs_lambda/sqs_lambda.tf
@@ -1,5 +1,5 @@
 module "sqs_lambda" {
- source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/sqs_lambda?ref=v2.0.1"
+ source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda?ref=v2.1.0"
  cloudwatch_event_rule_id = var.cloudwatch_event_rule_id
  cloudwatch_event_rule_arn = var.cloudwatch_event_rule_arn
  function_name = "CloudfrontLoggingDisabled"