Upgrade to v2.1.3

Author: jrgaray27

.viperlightignore

@@ -1,5 +1,11 @@
 node_modules/
 .venv/
 
+# AWS Acccount IDs expected in .nightswatch/
+.nightswatch/deployment/govcloud-member-roles-stack.ym
+.nightswatch/deployment/govcloud-member-stack.yml
+.nightswatch/deployment/member-roles-stack.yml
+.nightswatch/deployment/member-stack.yml
+
 [python-pipoutdated]
 boto3=1.20.32 # Should match Lambda runtime: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html

CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.3] - 2024-09-18
+
+### Fixed
+- Resolved an issue in the remediation scripts for EC2.18 and EC2.19 where security group rules with IpProtocol set to "-1" were being incorrectly ignored.
+
+### Changed
+- Upgraded all Python runtimes in remediation SSM documents from Python 3.8 to Python 3.11.
+
 ## [2.1.2] - 2024-06-20
 
 ### Fixed

SECURITY.md

@@ -13,9 +13,9 @@ export overrideWarningsEnabled=false
     echo "UPDATE MODE: CDK Snapshots will be updated. CDK UNIT TESTS WILL BE SKIPPED"
 } || update="false"
 
-[[ ! -d .venv ]] && python3 -m venv .venv
+[[ ! -d .venv ]] && python3.11 -m venv .venv
 source ./.venv/bin/activate
-python3 -m pip install -U pip setuptools
+python3.11 -m pip install -U pip setuptools
 
 echo 'Installing required Python testing modules'
 pip install -r ./requirements_dev.txt
@@ -39,7 +39,7 @@ run_pytest() {
     echo "coverage report path set to ${report_file}"
 
     # Use -vv for debugging
-    python3 -m pytest --cov --cov-report=term-missing --cov-report "xml:$report_file"
+    python3.11 -m pytest --cov --cov-report=term-missing --cov-report "xml:$report_file"
     rc=$?
 
     if [ "$rc" -ne "0" ]; then

deployment/run-unit-tests.sh

@@ -1,6 +1,6 @@
 [project]
 name = "automated_security_response_on_aws"
-version = "2.1.2"
+version = "2.1.3"
 
 [tool.setuptools]
 package-dir = {"" = "source"}

pyproject.toml

@@ -1,6 +1,6 @@
 id: SO0111
 name: security-hub-automated-response-and-remediation
-version: 2.1.2
+version: 2.1.3
 cloudformation_templates:
   - template: aws-sharr-deploy.template
     main_template: true

solution-manifest.yaml

@@ -1,6 +1,6 @@
 {
     "name": "aws-security-hub-automated-response-and-remediation",
-    "version": "2.1.2",
+    "version": "2.1.3",
     "description": "Automated remediation for AWS Security Hub (SO0111)",
     "bin": {
         "solution_deploy": "bin/solution_deploy.js"

source/package.json

@@ -65,7 +65,7 @@ mainSteps:
         parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):autoscaling:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:autoScalingGroup:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}):autoScalingGroupName/(.{1,255})$'
         expected_control_id:
         - 'AutoScaling.1'
-      Runtime: python3.8
+      Runtime: python3.11
       Handler: parse_event
       Script: |-
         %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_AutoScaling.1.yaml

@@ -57,7 +57,7 @@ mainSteps:
       parse_id_pattern: '^(arn:(?:aws|aws-us-gov|aws-cn):cloudformation:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:stack/[a-zA-Z][a-zA-Z0-9-]{0,127}/[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12})$'
       expected_control_id:
       - 'CloudFormation.1'
-    Runtime: 'python3.8'
+    Runtime: 'python3.11'
     Handler: 'parse_event'
     Script: |-
       %%SCRIPT=common/parse_input.py%%

source/playbooks/AFSBP/ssmdocs/AFSBP_CloudFormation.1.yaml

@@ -57,7 +57,7 @@ mainSteps:
       parse_id_pattern: '^(arn:(?:aws|aws-us-gov|aws-cn):cloudfront::\d{12}:distribution\/([A-Z0-9]+))$'
       expected_control_id:
       - 'CloudFront.1'
-    Runtime: 'python3.8'
+    Runtime: 'python3.11'
     Handler: 'parse_event'
     Script: |-
       %%SCRIPT=common/parse_input.py%%