
Module 5: Missing s3 Configuration

In this module, as part of security governance, all S3 buckets must have S3 versioning enabled. This policy helps organizations recover from deletion or alteration of data by keeping copies of previous object versions. As a security engineer, you want the pipeline to enforce that every S3 bucket in a template has a versioning configuration with versioning enabled.
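As an added illustration, not the workshop's own cfn_s3_versioning.py, this is the core check such a Lambda performs: walk the template's Resources, find every AWS::S3::Bucket, and flag any whose VersioningConfiguration.Status is not Enabled. It is written in Python 3 against a constructed JSON template (the workshop's function targets Python 2.7 and would additionally report the result back to CodePipeline).

```python
import json

# Constructed sample template (not from the workshop): one compliant bucket,
# one with versioning suspended, one with no VersioningConfiguration at all,
# plus a non-bucket resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Enabled"}},
        },
        "ScratchBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"VersioningConfiguration": {"Status": "Suspended"}},
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Queue": {"Type": "AWS::SQS::Queue"},
    },
})


def find_unversioned_buckets(template_text):
    """Return the logical IDs of AWS::S3::Bucket resources whose
    VersioningConfiguration.Status is anything other than 'Enabled'
    (missing, Suspended, or malformed all count as findings)."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        versioning = props.get("VersioningConfiguration") or {}
        if versioning.get("Status") != "Enabled":
            findings.append(logical_id)
    return findings


def evaluate_template(template_text):
    """Summarise the verdict the pipeline action would act on: the stage
    should fail when any bucket is non-compliant."""
    findings = find_unversioned_buckets(template_text)
    return {"compliant": not findings, "unversioned_buckets": findings}


if __name__ == "__main__":
    print(json.dumps(evaluate_template(SAMPLE_TEMPLATE), indent=2))
```

In the real Lambda the verdict would be passed to CodePipeline with the codepipeline client's put_job_success_result or put_job_failure_result, which is what blocks a non-compliant template from progressing.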

Setting up Lambda to scan AWS CloudFormation templates for S3 configuration settings

  1. Browse to the Lambda console, and create a new function from scratch.
  2. Be sure to select the Python 2.7 runtime, and the module*PipelineLambdaRole- IAM Role.
  3. Name the function to your choosing. Create function.
  4. Set the Lambda time out to 1 minute.
  5. cfn_s3_versioning.py is provided in the workshop. Open this in your favorite editor.
  6. Paste the contents of cfn_s3_versioning.py into the source editor (the one in the Lambda console), overwriting the initial placeholder function.
  7. Browse back to the CodePipeline Console, and open your DevSecOps Pipeline again.
  8. Edit the pipeline, using the button at the top right.


  1. Use the Edit Stage button for the StaticCodeAnalysis stage.
  2. Select the Edit icon for the CFNParsing function.
  3. Copy the contents of “User Parameters (optional)” to your paste buffer. Close the Edit action pop-up.


  1. Add a new action group.
    1. Select “Add action group”.
    2. Create a name for your key-scanning action, choose AWS Lambda from the Action provider drop-down.
    3. In “Function name”, select the name you gave your Lambda function in Step 2 above.
    4. Select TemplateSource in the “Input artifacts” drop-down.
    5. Paste the contents of your paste buffer from above into “User Parameters (optional)”.
    6. Select Save to store the newly-edited pipeline. You must check the “No resource updates needed for this source action change” option on the pipeline save pop-up window.
  2. Your new Lambda function is now integrated into your pipeline.

Proceed to the next module to test your Lambda function.

What other things can you look for in an AWS CloudFormation template for which you could create a security automation?