From 1840778ae12634196f84d91fd5d123150ec7bbde Mon Sep 17 00:00:00 2001
From: Arya Subramanyam <55098383+arya23065@users.noreply.github.com>
Date: Wed, 6 Dec 2023 11:54:10 -0500
Subject: [PATCH] Fixed default control standards autoenable on enable sechub (#195)
* Fixed default control standards autoenabled on enable sechub
* Fixed linting
---
 .../securityhub_org/lambda/src/app.py | 17 +++----
 .../securityhub_org/lambda/src/securityhub.py | 48 +++++++++++++++++--
 ...ra-securityhub-org-configuration-role.yaml | 1 +
 3 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py
index f43a80c3..07d21520 100644
--- a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py
@@ -199,15 +199,14 @@ def process_add_update_event(params: dict) -> str:
 create_sns_messages(accounts, regions, params["SNS_TOPIC_ARN"], "disable")
 return "DISABLE_COMPLETE"
- if params["action"] == "Add":
- LOGGER.info("...Enable Security Hub")
+ LOGGER.info("...Enable Security Hub")
- # Configure Security Hub in the Management Account
- securityhub.enable_account_securityhub(
- params["MANAGEMENT_ACCOUNT_ID"], regions, params["CONFIGURATION_ROLE_NAME"], params["AWS_PARTITION"], get_standards_dictionary(params)
- )
- LOGGER.info("Waiting 20 seconds before configuring the delegated admin account.")
- sleep(20)
+ # Configure Security Hub in the Management Account first, or else the default standards are automatically enabled for member accounts
+ securityhub.enable_account_securityhub(
+ params["MANAGEMENT_ACCOUNT_ID"], regions, params["CONFIGURATION_ROLE_NAME"], params["AWS_PARTITION"], get_standards_dictionary(params)
+ )
+ LOGGER.info("Waiting 20 seconds before configuring the delegated admin account.")
+ sleep(20)
 # Configure Security Hub Delegated Admin and Organizations
 securityhub.configure_delegated_admin_securityhub(
@@ -217,6 +216,8 @@ def process_add_update_event(params: dict) -> str:
 params["CONFIGURATION_ROLE_NAME"],
 params["REGION_LINKING_MODE"],
 params["HOME_REGION"],
+ params["AWS_PARTITION"],
+ get_standards_dictionary(params),
 )
 # Configure Security Hub in the Delegated Admin Account
 securityhub.enable_account_securityhub(
diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
index 1d10db6f..42b2b9a9 100644
--- a/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
+++ b/aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/securityhub.py
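Review bot: Removing `if params["action"] == "Add":` makes the management-account `enable_account_securityhub` call run on Update events as well as Add, and neither the new comment nor the commit message says that is deliberate; if it is, the comment should say so, e.g. `# Runs on Add and Update: configure the Management Account before the delegated admin, or the default standards are automatically enabled for member accounts`. Also, `get_standards_dictionary(params)` is now evaluated twice in this function (here and in the second hunk at -217); binding it once, `standards = get_standards_dictionary(params)`, ahead of the management-account call and passing `standards` in both places avoids the duplicate work and keeps the two calls using the same value. process_add_update_event starts before the first hunk and continues after the second.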
@@ -35,6 +35,8 @@ MAX_RETRY = 5
 SECURITY_HUB_THROTTLE_PERIOD = 0.2
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
+AWS_DEFAULT_SBP_VERSION = "1.0.0"
+AWS_DEFAULT_CIS_VERSION = "1.2.0"
 try:
 MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
@@ -276,7 +278,14 @@ def enable_account_securityhub(account_id: str, regions: list, configuration_rol
 def configure_delegated_admin_securityhub(
- accounts: list, regions: list, delegated_admin_account_id: str, configuration_role_name: str, region_linking_mode: str, home_region: str
+ accounts: list,
+ regions: list,
+ delegated_admin_account_id: str,
+ configuration_role_name: str,
+ region_linking_mode: str,
+ home_region: str,
+ aws_partition: str,
+ standards_user_input: dict,
 ) -> None:
 """Configure delegated admin security hub.
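Review bot: `AWS_DEFAULT_SBP_VERSION` and `AWS_DEFAULT_CIS_VERSION` are the versions the delegated-admin code later disables as the service defaults, but nothing records where the values come from or that they have to track whatever Security Hub enables on its own; add a comment above them such as `# Standard versions Security Hub enables by default in a new account; the disable step below targets exactly these, so update them if the service default changes`. In the second hunk, `standards_user_input: dict` is documented only as a dictionary of standards, while the body reads `standards_user_input["PCIVersion"]` and `standards_user_input["NISTVersion"]`; the Args entry should name those required keys so callers know the contract. The body of configure_delegated_admin_securityhub continues outside this hunk.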
@@ -287,13 +296,46 @@ def configure_delegated_admin_securityhub(
 configuration_role_name: Configuration Role Name
 region_linking_mode: Region Linking Mode
 home_region: Home Region
+ aws_partition: AWS Partition
+ standards_user_input: Dictionary of standards
 """
 process_organization_admin_account(delegated_admin_account_id, regions)
- delegated_admin_session = common.assume_role(configuration_role_name, "sra-enable-security-hub", delegated_admin_account_id)
+ delegated_admin_session: boto3.Session = common.assume_role(configuration_role_name, "sra-enable-security-hub", delegated_admin_account_id)
 for region in regions:
 securityhub_delegated_admin_region_client: SecurityHubClient = delegated_admin_session.client("securityhub", region, config=BOTO3_CONFIG)
- update_organization_configuration_response = securityhub_delegated_admin_region_client.update_organization_configuration(AutoEnable=True)
+
+ standard_dict = get_standard_dictionary(
+ delegated_admin_account_id,
+ region,
+ aws_partition,
+ AWS_DEFAULT_SBP_VERSION,
+ AWS_DEFAULT_CIS_VERSION,
+ standards_user_input["PCIVersion"],
+ standards_user_input["NISTVersion"],
+ )
+
+ for i in range(10):
+ standards_subscriptions = get_enabled_standards(securityhub_delegated_admin_region_client)
+ if (
+ all_standards_in_status(standards_subscriptions, "READY", securityhub_delegated_admin_region_client)
+ and len(standards_subscriptions) != 0
+ ):
+ break
+ LOGGER.info(f"Waiting 20 seconds before checking if delegated admin default standards are in READY status. 
{i} of 10")
+ sleep(20)
+
+ # Manually disable Security Hub default standards in Admin Account
+ batch_disable_standards_response = securityhub_delegated_admin_region_client.batch_disable_standards(
+ StandardsSubscriptionArns=[standard_dict["sbp"]["subscription_arn"], standard_dict["cis"]["subscription_arn"]]
+ )
+ api_call_details = {"API_Call": "securityhub:BatchDisableStandards", "API_Response": batch_disable_standards_response}
+ LOGGER.info(api_call_details)
+ LOGGER.info(f"SecurityHub default standards disabled in {region}")
+
+ update_organization_configuration_response = securityhub_delegated_admin_region_client.update_organization_configuration(
+ AutoEnable=True, AutoEnableStandards="NONE"
+ )
 api_call_details = {"API_Call": "securityhub:UpdateOrganizationConfiguration", "API_Response": update_organization_configuration_response}
 LOGGER.info(api_call_details)
 LOGGER.info(f"SecurityHub organization configuration updated in {region}")
diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml
index 505d3413..407ed52b 100644
--- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml
+++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml
@@ -169,6 +169,7 @@ Resources:
 - securityhub:DeleteMembers
 - securityhub:GetMembers
 - securityhub:UpdateOrganizationConfiguration
+ - securityhub:BatchDisableStandards
 Resource:
 - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:hub/default
 - !Sub arn:${AWS::Partition}:securityhub:*:${AWS::AccountId}:/accounts
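Review bot: The `for i in range(10)` polling loop falls through silently after ten attempts and the code then calls `batch_disable_standards` regardless of whether the subscriptions ever reached READY; a `for`/`else` branch, `else: LOGGER.info(f"Delegated admin default standards in {region} not READY after 10 checks; attempting disable anyway")`, or a raise, would make a stuck region visible in the logs. The disable targets the locally computed ARNs for SBP 1.0.0 and CIS 1.2.0 and only logs the response, so a subscription that is missing or ends in a failed status is not surfaced; checking the per-subscription status returned in `batch_disable_standards_response` before logging success would catch that. Because app.py now runs this path on Update as well as Add, every re-run appears to disable these two standards in the delegated admin before the later `enable_account_securityhub` call re-applies the user selection, a transient gap worth stating in the `# Manually disable` comment. The wait message prints `{i} of 10` with `i` starting at 0; `{i + 1} of 10` matches the wording. The `for region in regions` body continues past the hunk.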