A set of AWS Config Rules to help ensure that your AWS deployments are leveraging the protection of Deep Security. These rules help centralize your compliance information in one place, AWS Config.
During execution, the AWS Lambda functions will query the Deep Security API. To do this, they require a Deep Security login with permissions.
You should set up a dedicated user account for API access. To configure the account with the minimum privileges required by this integration (which limits the damage if the credentials are exposed), follow the steps below.
- In Deep Security, go to Administration > User Manager > Roles.
- Click New. Create a new role with a unique, meaningful name.
- Under Access Type, select Allow Access to web services API.
- Under Access Type, deselect Allow Access to Deep Security Manager User Interface.
- On the Computer Rights tab, select either All Computers or Selected Computers, ensuring that only the greyed-out View right (under Allow Users to) is selected.
- On the Policy Rights tab, select Selected Policies. Verify that no policies are selected. (The role does not grant rights for any policies.)
- On the User Rights tab, select Change own password and contact information only.
- On the Other Rights tab, verify that the default options remain, with only View-Only and Hide permissions.
- Go to Administration > User Manager > Users.
- Click New. Create a new user with a unique, meaningful name.
- Select the role that you created in the previous section.
Configuration settings - deploy.config
Important: These settings must be updated accordingly before deploy
- STACK_NAME: CloudFormation stack name for all Lambda and Config rule resources
- LAMBDA_BUCKET: S3 bucket name where the Lambda source code is uploaded
- LAMBDA_PREFIX: S3 object prefix within LAMBDA_BUCKET
- CONFIG_BUCKET: S3 bucket name where AWS Config stores its history and snapshot files
- CONFIG_PREFIX: S3 object prefix within CONFIG_BUCKET
- DS_HOSTNAME: Deep Security Manager host name
- DS_PORT: Deep Security Manager port
- DS_TENANT: Deep Security tenant name, if there is one
- DS_IGNORE_SSL_VALIDATION: Whether to skip validation of the Deep Security Manager's SSL certificate (leave disabled unless the manager uses a self-signed certificate)
- DS_USERNAME_PARAM_STORE_KEY: SSM Parameter Store key from which to retrieve the Deep Security username
- DS_PASSWORD_PARAM_STORE_KEY: SSM Parameter Store key from which to retrieve the Deep Security password
- DS_POLICY: Policy name to check, used by the DoesInstanceHavePolicy Lambda
- DS_CONTROL: Control name to check, used by the IsInstanceProtectedBy Lambda
Prerequisite
- AWS SAM CLI command line tools (instructions)
- Properly configured AWS credentials locally for executing AWS CLI
- Python 2.7
Steps
- Run ./deploy.sh
Unit Tests
- Run pytest -s -vv tests/unit
Publish to AWS Serverless Application Repository
- Run ./publish.sh
With circleci
Configuration settings - circleci project
- Add the variables from deploy.config as Environment Variables in the circleci project
- Add AWS credentials and region information as Environment Variables in the circleci project
Checks to see if the current instance is protected by Deep Security Anti-Malware controls. Anti-malware must be "on" and in "real-time" mode for the rule to be considered compliant.
Lambda handler: dsIsInstanceProtectedByAntiMalware.aws_config_rule_handler
Rule Parameter | Expected Value Type | Description |
---|---|---|
dsUsernameKey | string | SSM Parameter Store key to retrieve the username of the Deep Security account used to query anti-malware status |
dsPasswordKey | string | SSM Parameter Store key to retrieve the password of the Deep Security account used to query anti-malware status |
dsPasswordEncryptionContext | string or URI | The encryption context used to encrypt the dsPassword. If this parameter is given, the rule includes the encryption context when decrypting the dsPassword value. Requires dsPasswordKey to be useful. See [Protecting Your Deep Security Manager API Password](#protecting-your-deep-security-manager-api-password) below for more details. |
dsTenant | string | Optional as long as dsHostname is specified. Indicates which tenant to sign in to within Deep Security |
dsHostname | string | Optional as long as dsTenant is specified. Defaults to Deep Security as a Service. Indicates which Deep Security manager the rule should sign in to |
dsPort | int | Optional. Defaults to 443. Indicates the port to connect to the Deep Security manager on |
dsIgnoreSslValidation | boolean (true or false) | Optional. Use only when connecting to a Deep Security manager that is using a self-signed SSL certificate |
During execution, this rule signs in to the Deep Security API. You should set up a dedicated API access account for this. Deep Security contains a robust role-based access control (RBAC) framework which you can use to ensure that this set of credentials has the least privilege needed to succeed.
This rule requires view access to one or more computers within Deep Security.
Checks to see if the current instance is protected by any of Deep Security's controls. Controls must be "on" and set to their strongest setting (a/k/a "real-time" or "prevention") in order for the rule to be considered compliant.
This is the generic version of IsInstanceProtectedByAntiMalware.
Lambda handler: dsIsInstanceProtectedBy.aws_config_rule_handler
Rule Parameter | Expected Value Type | Description |
---|---|---|
dsUsernameKey | string | SSM Parameter Store key to retrieve the username of the Deep Security account used to query control status |
dsPasswordKey | string | SSM Parameter Store key to retrieve the password of the Deep Security account used to query control status |
dsPasswordEncryptionContext | string or URI | The encryption context used to encrypt the dsPassword. If this parameter is given, the rule includes the encryption context when decrypting the dsPassword value. Requires dsPasswordKey to be useful. See [Protecting Your Deep Security Manager API Password](#protecting-your-deep-security-manager-api-password) below for more details. |
dsTenant | string | Optional as long as dsHostname is specified. Indicates which tenant to sign in to within Deep Security |
dsHostname | string | Optional as long as dsTenant is specified. Defaults to Deep Security as a Service. Indicates which Deep Security manager the rule should sign in to |
dsPort | int | Optional. Defaults to 443. Indicates the port to connect to the Deep Security manager on |
dsIgnoreSslValidation | boolean (true or false) | Optional. Use only when connecting to a Deep Security manager that is using a self-signed SSL certificate |
dsControl | string | The name of the control to verify. Must be one of [ anti_malware, web_reputation, firewall, intrusion_prevention, integrity_monitoring, log_inspection ] |
During execution, this rule signs in to the Deep Security API. You should set up a dedicated API access account for this. Deep Security contains a robust role-based access control (RBAC) framework which you can use to ensure that this set of credentials has the least privilege needed to succeed.
This rule requires view access to one or more computers within Deep Security.
Checks to see if the current instance is protected by a specific Deep Security policy.
Lambda handler: dsDoesInstanceHavePolicy.aws_config_rule_handler
Rule Parameter | Expected Value Type | Description |
---|---|---|
dsUsernameKey | string | SSM Parameter Store key to retrieve the username of the Deep Security account used to query the instance's policy assignment |
dsPasswordKey | string | SSM Parameter Store key to retrieve the password of the Deep Security account used to query the instance's policy assignment |
dsPasswordEncryptionContext | string or URI | The encryption context used to encrypt the dsPassword. If this parameter is given, the rule includes the encryption context when decrypting the dsPassword value. Requires dsPasswordKey to be useful. See [Protecting Your Deep Security Manager API Password](#protecting-your-deep-security-manager-api-password) below for more details. |
dsTenant | string | Optional as long as dsHostname is specified. Indicates which tenant to sign in to within Deep Security |
dsHostname | string | Optional as long as dsTenant is specified. Defaults to Deep Security as a Service. Indicates which Deep Security manager the rule should sign in to |
dsPort | int | Optional. Defaults to 443. Indicates the port to connect to the Deep Security manager on |
dsIgnoreSslValidation | boolean (true or false) | Optional. Use only when connecting to a Deep Security manager that is using a self-signed SSL certificate |
dsPolicy | string | The name of the policy to verify |
During execution, this rule signs in to the Deep Security API. You should set up a dedicated API access account for this. Deep Security contains a robust role-based access control (RBAC) framework which you can use to ensure that this set of credentials has the least privilege needed to succeed.
This rule requires view access to one or more computers within Deep Security.
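The two IsInstanceProtectedBy rules and the DoesInstanceHavePolicy rule above all follow the same shape: parse the AWS Config custom-rule event, look the EC2 instance up in Deep Security, decide COMPLIANT or NON_COMPLIANT, and report the result with put_evaluations. The following is an added example written for this page, not the project's own Lambda code. It assumes the Deep Security lookup returns per-control status strings of the form "On, Real Time" / "On, Prevent, 12 rules" / "Off, Not Installed" and a policy name (the SAMPLE_COMPUTERS inventory, the lookup_computer callback and the REQUIRED_MODE table are constructed for the example); the AWS Config event fields (invokingEvent, ruleParameters, resultToken, eventLeftScope) and the evaluation payload fields are the real ones. It also covers two edge cases the rule text implies but does not spell out: a resource that is not an EC2 instance (NOT_APPLICABLE) and an instance Deep Security has never seen (NON_COMPLIANT).

```python
import json

# Mode a control must report to count as its "strongest setting" (the page's
# "real-time" / "prevention"). The modes and the "On, <mode>, ..." status string
# format are assumptions for this example; compare them against the status
# strings your Deep Security Manager actually returns.
REQUIRED_MODE = {
    "anti_malware": "real time",
    "web_reputation": None,           # on/off only
    "firewall": None,
    "intrusion_prevention": "prevent",
    "integrity_monitoring": "real time",
    "log_inspection": None,
}


def control_is_protecting(status, control):
    """True when a status string shows `control` on and at its strongest mode."""
    if control not in REQUIRED_MODE:
        raise ValueError("unknown control: {}".format(control))
    parts = [p.strip().lower() for p in (status or "").split(",")]
    if parts[0] != "on":              # "Off", "Not Installed", empty -> not protected
        return False
    required = REQUIRED_MODE[control]
    if required is None:              # on/off controls are compliant once on
        return True
    return any(p.startswith(required) for p in parts[1:])


def policy_matches(assigned_policy, wanted_policy):
    """True when the assigned policy name equals the one the rule checks for."""
    return bool(assigned_policy) and assigned_policy.strip().lower() == wanted_policy.strip().lower()


def build_evaluation(item, compliance, annotation):
    """Shape one entry of the Evaluations list accepted by config:PutEvaluations."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # AWS Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def evaluate(event, lookup_computer):
    """Evaluate one AWS Config custom-rule event.

    lookup_computer(instance_id) stands in for the Deep Security API call and
    returns {"policy": str, "controls": {control: status_string}} or None when
    Deep Security does not know the instance (assumed shape, see lead-in).
    """
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]

    if event.get("eventLeftScope") or item["resourceType"] != "AWS::EC2::Instance":
        return build_evaluation(item, "NOT_APPLICABLE", "Rule only evaluates in-scope EC2 instances")

    computer = lookup_computer(item["resourceId"])
    if computer is None:
        # An instance Deep Security has never seen cannot be protected by it.
        return build_evaluation(item, "NON_COMPLIANT", "Instance not found in Deep Security")

    if "dsControl" in params:
        control = params["dsControl"]
        status = computer.get("controls", {}).get(control, "")
        ok = control_is_protecting(status, control)
        note = "{}: {!r}".format(control, status)
    elif "dsPolicy" in params:
        ok = policy_matches(computer.get("policy"), params["dsPolicy"])
        note = "policy: {!r}, wanted: {!r}".format(computer.get("policy"), params["dsPolicy"])
    else:
        raise ValueError("rule parameters must include dsControl or dsPolicy")

    return build_evaluation(item, "COMPLIANT" if ok else "NON_COMPLIANT", note)


def aws_config_rule_handler(event, context, lookup_computer, config_client=None):
    """Lambda-style entry point; pass boto3.client("config") to actually report."""
    evaluation = evaluate(event, lookup_computer)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed inventory standing in for Deep Security API results.
SAMPLE_COMPUTERS = {
    "i-0aaa": {"policy": "Linux Web Server",
               "controls": {"anti_malware": "On, Real Time", "intrusion_prevention": "On, Prevent, 12 rules"}},
    "i-0bbb": {"policy": "Base Policy",
               "controls": {"anti_malware": "On, Manual", "intrusion_prevention": "On, Detect, 12 rules"}},
}


def sample_event(instance_id, rule_params, resource_type="AWS::EC2::Instance"):
    """Constructed AWS Config event for a configuration-change triggered rule."""
    item = {"resourceType": resource_type, "resourceId": instance_id,
            "configurationItemCaptureTime": "2019-01-01T00:00:00.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps(rule_params),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    for iid, params in [("i-0aaa", {"dsControl": "anti_malware"}),
                        ("i-0bbb", {"dsControl": "intrusion_prevention"}),
                        ("i-0ccc", {"dsPolicy": "Linux Web Server"})]:
        print(iid, params, aws_config_rule_handler(sample_event(iid, params), None, SAMPLE_COMPUTERS.get))
```

Inside the real Lambda the lookup callback would wrap the Deep Security API sign-in using the credentials fetched from SSM Parameter Store, and the handler would be called with a config client so the evaluation reaches AWS Config; keeping the decision logic free of network calls is what makes it unit-testable the way the tests/unit directory expects.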
Checks to see if the current instance has any warnings, alerts, or errors in Deep Security. An instance is compliant if it has none, meaning everything is working as expected with no active security alerts.
Lambda handler: dsIsInstanceClear.aws_config_rule_handler
Rule Parameter | Expected Value Type | Description |
---|---|---|
dsUsernameKey | string | SSM Parameter Store key to retrieve the username of the Deep Security account used to query the instance's alert status |
dsPasswordKey | string | SSM Parameter Store key to retrieve the password of the Deep Security account used to query the instance's alert status |
dsPasswordEncryptionContext | string or URI | The encryption context used to encrypt the dsPassword. If this parameter is given, the rule includes the encryption context when decrypting the dsPassword value. Requires dsPasswordKey to be useful. See [Protecting Your Deep Security Manager API Password](#protecting-your-deep-security-manager-api-password) below for more details. |
dsTenant | string | Optional as long as dsHostname is specified. Indicates which tenant to sign in to within Deep Security |
dsHostname | string | Optional as long as dsTenant is specified. Defaults to Deep Security as a Service. Indicates which Deep Security manager the rule should sign in to |
dsPort | int | Optional. Defaults to 443. Indicates the port to connect to the Deep Security manager on |
dsIgnoreSslValidation | boolean (true or false) | Optional. Use only when connecting to a Deep Security manager that is using a self-signed SSL certificate |
During execution, this rule signs in to the Deep Security API. You should set up a dedicated API access account for this. Deep Security contains a robust role-based access control (RBAC) framework which you can use to ensure that this set of credentials has the least privilege needed to succeed.
This rule requires view access to one or more computers within Deep Security.
This is an Open Source community project. Project contributors may be able to help, depending on their time and availability. Please be specific about what you're trying to do, your system, and steps to reproduce the problem.
For bug reports or feature requests, please open an issue. You are welcome to contribute.
Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.
We accept contributions from the community. To submit changes:
- Fork this repository.
- Create a new feature branch.
- Make your changes.
- Submit a pull request with an explanation of your changes or additions.
We will review and work with you to release the code.