From e8f6f84a406cfd1e6f315ff2b2e983dd73223775 Mon Sep 17 00:00:00 2001 From: Ajay-sops Date: Mon, 31 Jul 2023 20:14:43 +0530 Subject: [PATCH] soc2 checks --- examples/complete/main.tf | 5 +- guard-duty.tf | 107 ++++++++++++++++++ lambda.tf | 50 ++++++++ .../cc_6_7_acm_cert_expiration_check.py | 43 +++++++ variable.tf | 11 +- 5 files changed, 212 insertions(+), 4 deletions(-) create mode 100644 guard-duty.tf create mode 100644 lambda_code/cc_6_7_acm_cert_expiration_check.py diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 6a8cb82..a5f5a01 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,7 +1,7 @@ locals { region = "us-east-2" environment = "prod" - name = "skaf" + name = "skaf-hello" additional_tags = { Owner = "organization_name" Expires = "Never" @@ -18,7 +18,7 @@ module "cis" { email = "skaf-demo@squareops.com" cron_expression = "cron(0 22 1,10,20,28 * ? 2023)" s3_enabled = true - config_enabled = true + config_enabled = false include_global_resource_types = true cw_log_enabled = true alerting_enabled = true @@ -29,4 +29,5 @@ module "cis" { notify_unused_cred_45_days = true disable_unused_cred_45_days = false remove_ssl_tls_iam = false + enable_guard_duty = true } diff --git a/guard-duty.tf b/guard-duty.tf new file mode 100644 index 0000000..2fce17e --- /dev/null +++ b/guard-duty.tf 
@@ -0,0 +1,107 @@ +data "aws_region" "current" {} + +data "aws_iam_policy_document" "bucket_pol" { + count = var.enable_guard_duty ? 1 : 0 + statement { + sid = "Allow PutObject" + actions = [ + "s3:PutObject" + ] + + resources = [ + "${aws_s3_bucket.gd_bucket[0].arn}/*" + ] + + principals { + type = "Service" + identifiers = ["guardduty.amazonaws.com"] + } + } + + statement { + sid = "Allow GetBucketLocation" + actions = [ + "s3:GetBucketLocation" + ] + + resources = [ + aws_s3_bucket.gd_bucket[0].arn + ] + + principals { + type = "Service" + identifiers = ["guardduty.amazonaws.com"] + } + } +} + +data "aws_iam_policy_document" "kms_pol" { + count = var.enable_guard_duty ? 1 : 0 + statement { + sid = "Allow GuardDuty to encrypt findings" + actions = [ + "kms:GenerateDataKey" + ] + + resources = [ + "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*" + ] + + principals { + type = "Service" + identifiers = ["guardduty.amazonaws.com"] + } + } + + statement { + sid = "Allow all users to modify/delete key (test only)" + actions = [ + "kms:*" + ] + + resources = [ + "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*" + ] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } + +} + +resource "aws_guardduty_detector" "gd" { + count = var.enable_guard_duty ? 1 : 0 + enable = true +} + +resource "aws_s3_bucket" "gd_bucket" { + count = var.enable_guard_duty ? 1 : 0 + bucket = format("%s-gd-findingd-%s", var.name, data.aws_caller_identity.current.account_id) + force_destroy = true +} + +resource "aws_s3_bucket_policy" "gd_bucket_policy" { + count = var.enable_guard_duty ? 1 : 0 + bucket = aws_s3_bucket.gd_bucket[0].id + policy = data.aws_iam_policy_document.bucket_pol[0].json +} + +resource "aws_kms_key" "gd_key" { + count = var.enable_guard_duty ? 
1 : 0 + description = "Temporary key for AccTest of TF" + deletion_window_in_days = 7 + policy = data.aws_iam_policy_document.kms_pol[0].json +} + +resource "aws_guardduty_publishing_destination" "gd_destination" { + count = var.enable_guard_duty ? 1 : 0 + detector_id = aws_guardduty_detector.gd[0].id + destination_arn = aws_s3_bucket.gd_bucket[0].arn + kms_key_arn = aws_kms_key.gd_key[0].arn + + depends_on = [ + aws_s3_bucket_policy.gd_bucket_policy, + ] +} \ No newline at end of file diff --git a/lambda.tf b/lambda.tf index 7890bfc..f1dd9d3 100644 --- a/lambda.tf +++ b/lambda.tf 
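Review bot: Both statements of `bucket_pol` trust the `guardduty.amazonaws.com` service principal with no `aws:SourceAccount`/`aws:SourceArn` condition, so a detector in any other account can be pointed at this bucket and write findings into it; the rewrite below pins the PutObject statement to this account and this detector, and the GetBucketLocation statement (and the `kms:GenerateDataKey` statement in `kms_pol`) should carry the same two conditions. The key policy's second statement and the key description still read `sid = "Allow all users to modify/delete key (test only)"` and `description = "Temporary key for AccTest of TF"`; the root grant is the normal key-administrator statement, so label it for what it is, e.g. `sid = "Allow account root to administer the key"` and `description = "GuardDuty findings encryption key"`. `force_destroy = true` on `gd_bucket` lets a `terraform destroy` erase the findings this control exists to retain, and nothing in this file adds an `aws_s3_bucket_public_access_block`, versioning or default encryption for the bucket. The name format `%s-gd-findingd-%s` has a typo that becomes a bucket replacement if corrected later. `data.aws_caller_identity.current` is referenced but not declared in this file, so it presumably comes from another file of the module.
```hcl
data "aws_iam_policy_document" "bucket_pol" {
  count = var.enable_guard_duty ? 1 : 0
  statement {
    sid       = "Allow PutObject"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.gd_bucket[0].arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["guardduty.amazonaws.com"]
    }

    # Confused-deputy guard: only this account's own detector may write here.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_guardduty_detector.gd[0].arn]
    }
  }
  # … unchanged: GetBucketLocation statement (add the same two condition blocks) …
}
```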
@@ -917,4 +917,54 @@ resource "aws_cloudwatch_event_target" "lambda_target_expire_ssl_tls" { rule = aws_cloudwatch_event_rule.lambda_trigger_expire_ssl_tls[0].name arn = aws_lambda_function.lambda_function_expire_ssl_tls[0].arn target_id = "lambda_target_expire_ssl_tls" +} + +# acm certificate expiration check + +data "template_file" "lambda_function_script_acm_cert_expire" { + template = file("${path.module}/lambda_code/cc_6_7_acm_cert_expiration_check.py") + vars = { + sns_topic_arn = aws_sns_topic.trail-unauthorised.arn, + } +} +resource "local_file" "lambda_code_acm_cert_expire" { + content = data.template_file.lambda_function_script_acm_cert_expire.rendered + filename = "${path.module}/rendered/acm_cert_expire.py" +} + +data "archive_file" "lambda_zip_acm_cert_expire" { + depends_on = [local_file.lambda_code_acm_cert_expire] + type = "zip" + source_dir = "${path.module}/rendered/" + output_path = "${path.module}/lambda_acm_cert_expire.zip" +} + +resource "aws_lambda_function" "lambda_function_acm_cert_expire" { + filename = data.archive_file.lambda_zip_acm_cert_expire.output_path + function_name = "acm_cert_expire" + role = aws_iam_role.lambda_role.arn + handler = "acm_cert_expire.lambda_handler" + source_code_hash = data.archive_file.lambda_zip_acm_cert_expire.output_base64sha256 + runtime = "python3.9" + timeout = 300 + memory_size = 256 +} + +resource "aws_lambda_permission" "lambda_permission_acm_cert_expire" { + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.lambda_function_acm_cert_expire.arn + principal = "events.amazonaws.com" + source_arn = aws_cloudwatch_event_rule.lambda_trigger_acm_cert_expire.arn +} + +resource "aws_cloudwatch_event_rule" "lambda_trigger_acm_cert_expire" { + name = "lambda_trigger_acm_cert_expire" + description = "Trigger for lambda function" + schedule_expression = var.cron_expression +} + +resource "aws_cloudwatch_event_target" "lambda_target_acm_cert_expire" { + rule = 
aws_cloudwatch_event_rule.lambda_trigger_acm_cert_expire.name + arn = aws_lambda_function.lambda_function_acm_cert_expire.arn + target_id = "lambda_target_acm_cert_expire" } \ No newline at end of file diff --git a/lambda_code/cc_6_7_acm_cert_expiration_check.py b/lambda_code/cc_6_7_acm_cert_expiration_check.py new file mode 100644 index 0000000..0f983bb --- /dev/null +++ b/lambda_code/cc_6_7_acm_cert_expiration_check.py 
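Review bot: `data.template_file.lambda_function_script_acm_cert_expire` passes `sns_topic_arn` into the template, but the Python source in `lambda_code/cc_6_7_acm_cert_expiration_check.py` never references `${sns_topic_arn}` and publishes to a hard-coded topic instead, so the rendered variable is dead and the alert leaves this module's SNS topic unused. `data.archive_file.lambda_zip_acm_cert_expire` zips the whole `${path.module}/rendered/` directory rather than the one rendered file, so if the other checks render into the same directory this package bundles all of them and `source_code_hash` changes whenever any sibling script does; `source_file = local_file.lambda_code_acm_cert_expire.filename` would scope it correctly. `function_name = "acm_cert_expire"` and the event rule `name` are not prefixed with `var.name`, unlike the bucket in guard-duty.tf, so two instances of the module in one account will collide. The shared `aws_iam_role.lambda_role` is defined outside this hunk; confirm it grants `ec2:DescribeRegions`, `acm:ListCertificates`, `acm:DescribeCertificate` and `sns:Publish`, which the new function needs. The hunk opens inside `lambda_target_expire_ssl_tls`, whose header is outside the view.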
@@ -0,0 +1,43 @@ +import boto3 + +def lambda_handler(event, context): + # Initialize the SNS client + sns_client = boto3.client('sns') + + # Get the list of active AWS regions + ec2_client = boto3.client('ec2') + regions = [region['RegionName'] for region in ec2_client.describe_regions()['Regions']] + + # Iterate through each region + for region in regions: + # Initialize the ACM client for the current region + acm_client = boto3.client('acm', region_name=region) + + try: + # List the ACM certificates in the current region + response = acm_client.list_certificates() + + # Process each certificate in the region + for certificate in response['CertificateSummaryList']: + certificate_arn = certificate['CertificateArn'] + + # Get the details of the ACM certificate + certificate_details = acm_client.describe_certificate(CertificateArn=certificate_arn) + certificate_name = certificate_details['Certificate']['DomainName'] + expiration_date = certificate_details['Certificate']['NotAfter'] + + # Compose the email message + subject = f'ACM Certificate Expiration Alert' + message = f'The ACM certificate "{certificate_name}" with ARN {certificate_arn} ' \ + f'in region {region} will expire on {expiration_date}.' + + # Replace 'your-topic-arn' with the ARN of your SNS topic + topic_arn = 'arn:aws:sns:us-east-1:309017165673:acm-sns-alert' + + # Publish the message to the SNS topic + sns_client.publish(TopicArn=topic_arn, Subject=subject, Message=message) + + except Exception as e: + print(f'Error in region {region}: {e}') + # Handle any errors that occur during the process + # You can choose to log the error or take appropriate actions based on your use case. diff --git a/variable.tf b/variable.tf index 6432c12..5fdd984 100644 --- a/variable.tf +++ b/variable.tf @@ -37,7 +37,7 @@ variable "audit_log_bucket_custom_policy_json" { # AWS Config variable "config_enabled" { type = bool - default = true + default = false description = "Set it to true to enable AWS Config" } 
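Review bot: `topic_arn` is hard-coded to `arn:aws:sns:us-east-1:309017165673:acm-sns-alert`, which embeds an account id in source and ignores the `sns_topic_arn` value that lambda.tf renders into this template; it should read `topic_arn = '${sns_topic_arn}'` so the alert reaches the module's own topic. The handler also never compares `NotAfter` with the current time, so every certificate in every region is reported as expiring on each scheduled run, and a certificate still pending validation has no `NotAfter` key, which raises into the broad `except` and silently skips the rest of that region. `list_certificates()` is called without pagination, so only the first page of certificates is ever checked. The rewrite below adds an expiry threshold, a paginator and the templated topic ARN, keeps the subject/message composition unchanged, and needs `import datetime` added next to `import boto3` at the top of the file.
```python
# Rendered by the template_file data source in lambda.tf; keeps the account id out of source.
TOPIC_ARN = '${sns_topic_arn}'
# Certificates whose NotAfter falls within this many days are reported.
EXPIRY_WARNING_DAYS = 30


def lambda_handler(event, context):
    sns_client = boto3.client('sns')
    ec2_client = boto3.client('ec2')
    regions = [region['RegionName'] for region in ec2_client.describe_regions()['Regions']]
    threshold = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=EXPIRY_WARNING_DAYS)

    for region in regions:
        acm_client = boto3.client('acm', region_name=region)
        try:
            # Paginate so accounts with many certificates are fully covered.
            for page in acm_client.get_paginator('list_certificates').paginate():
                for certificate in page['CertificateSummaryList']:
                    certificate_arn = certificate['CertificateArn']
                    details = acm_client.describe_certificate(CertificateArn=certificate_arn)['Certificate']
                    expiration_date = details.get('NotAfter')
                    # Pending or failed certificates carry no NotAfter; skip instead of raising.
                    if expiration_date is None or expiration_date > threshold:
                        continue
                    certificate_name = details['DomainName']
                    # … unchanged: subject/message composition …
                    sns_client.publish(TopicArn=TOPIC_ARN, Subject=subject, Message=message)
        except Exception as e:
            print(f'Error in region {region}: {e}')
```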
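Review bot: The default of `config_enabled` flips from `true` to `false` with no explanation in the commit message or in the variable's `description`, and AWS Config recording is itself one of the controls this module enforces, so every existing consumer that relied on the default silently loses it on the next apply. If the flip is intentional, state the reason in the description and call it out as a breaking change; otherwise keep `default = true` here and set `config_enabled = false` only in the example, as the main.tf hunk already does.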
@@ -196,4 +196,11 @@ variable "remove_ssl_tls_iam" { type = bool default = false description = "Remove expire ssl tls cert from IAM" -} \ No newline at end of file +} + +variable "enable_guard_duty" { + type = bool + default = true + description = "This will enable guard duty" +} +
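Review bot: `enable_guard_duty` defaults to `true`, so on upgrade every existing consumer creates a detector, an S3 bucket and a KMS key, and because AWS allows only one GuardDuty detector per account and region, `aws_guardduty_detector.gd` fails to create in any account where GuardDuty is already enabled. Safer is `default = false` with a description that says what gets provisioned, e.g. `description = "Create a GuardDuty detector plus the S3 bucket and KMS key that receive its findings"`, so opting in is a deliberate choice.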