Azure
AWS security hub auth upgrade
Required items, please complete
Change(s):
- Added new template for setting up IdP in AWS
- Updated python-script to use Managed Identity of the function and use "AssumeRoleWithWebIdentity"
- Updated ZIP-package with new script, packages
- Updated readme.md with new guidance
- Updated deployment-template to account for the changes
Reason for Change(s):
- Authentication with access keys is not secure or robust - this changes allows for best practice authentication without having to rotate or store keys.
Version Updated:
- Required only for Detections/Analytic Rule templates
- See guidance below
Testing Completed:
- Tested in multiple environments and works - fixed multiple bugs with authentication timing out etc.
Checked that the validations are passing and have addressed any issues that are present:
- See guidance below
Guidance <- remove section before submitting
Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:
Thank you for your contribution to the Microsoft Sentinel Github repo.
Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.
Change(s):
- Updated syntax for XYZ.yaml
Reason for Change(s):
- New schema used for XYZ.yaml
- Resolves ISSUE #1234
Version updated:
- Yes
- Detections/Analytic Rule templates are required to have the version updated
The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.
Testing Completed:
- Yes/No/Need Help
Note: If updating a detection, you must update the version field.
Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally. https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally
Checked that the validations are passing and have addressed any issues that are present:
- Yes/No/Need Help
Note: Let us know if you have tried fixing the validation error and need help.
References:
@infernuxmonster : We wanted to check on the status of PR #5255 . PR is pending from more than 60 days. Let us know if any assistance is required for this PR. As Per our standard operating procedures if no response is received in the next 7 business days we will close this PR. Thank you for your cooperation.
@v-spadarthi - I've updated everything now, the errors reported by the bot should not be an actual issue.
@infernuxmonster checks is falling please take a look. thanks!!!
Not sure what you want me to do here @v-marimanda - I've commented on both checks.
- https://github.com/Azure/Azure-Sentinel/pull/5255#discussion_r968142686
assumed_role_object is set to the output of sts_client.assume_role_with_web_identity:
assumed_role_object=sts_client.assume_role_with_web_identity(
RoleArn=self.role_arn,
RoleSessionName=self.role_session_name,
WebIdentityToken=self.web_identity_token
)
After that we call the variable:
credentials=assumed_role_object['Credentials']
- https://github.com/Azure/Azure-Sentinel/pull/5255#discussion_r968143821
Here as well, we set token in the following code:
try:
managed_identity = ManagedIdentityCredential()
azure_cli = AzureCliCredential()
default_azure_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)
credential_chain = ChainedTokenCredential(managed_identity, azure_cli, default_azure_credential)
token_meta = credential_chain.get_token(client_id)
token = token_meta.token
except azure.core.exceptions.ClientAuthenticationError as error:
logging.info ("Authenticating to Azure AD: %s" % error)
Then we call it a few lines later:
securityHubSession = SecurityHubClient(aws_role_arn, aws_role_session_name, aws_region_name, token)
In both of these instances the variables are defined and set inside a try-catch (except), maybe that is the issue, but the idea is that the script should throw errors if it fails to set the token or the assumed_role_object because they are vital to the running of the script.
Hey, sorry, missed this. Will fix ASAP.
tor. 8. sep. 2022, 22:05 skrev NikTripathi @.***>:
@v-spadarthi https://github.com/v-spadarthi Please do the needful
— Reply to this email directly, view it on GitHub https://github.com/Azure/Azure-Sentinel/pull/5255#issuecomment-1241177433, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJFE7JARQFGI2EHHB7KG2YDV5JBJ3ANCNFSM5YJSOKZA . You are receiving this because you were mentioned.Message ID: @.***>