AWS Security Hub analytic pipeline Cloud formation
Whilst I am able to run and complete a sample app in AWS CDK, when trying to follow the blog post on the Security Hub pipeline I consistently get module errors for aws_cdk.
Is there any way to be provided the CloudFormation for what the CDK script is trying to establish?
Hi User! I'm the author of this blog post and I'm happy to help.
Can you provide more information as to the issues/errors you are experiencing? You can provide more details either here or in an issue via GitHub. While we've had multiple customers deploy this successfully across multiple regions, I'd love to learn how I can improve your experience.
Unfortunately, in this case, because the CDK code deploys both containers and Lambda functions as part of the cdk deploy, I cannot simply turn over generated CloudFormation.
Thanks for the prompt reply. Appreciate you taking the time to reach out regarding this issue. Thank you for the information regarding containers and Lambdas; I understand how a CloudFormation template would not suffice in this case.
I thought that the problem was on my side. I first followed an example, checking my installation of CDK with sample-app, as this was my first time using it. I confirmed that I was able to bootstrap the CDK and deploy it to ap-southeast-2, my default region, and that I had the required permissions.
I then moved on to the blog post after I had finished with sample-app, but after setting up the .venv, activating it, and installing the requirements I am only able to get a traceback error.
"Traceback (most recent call last): File "app.py", line 3, in <module> from aws_cdk import core as cdk ModuleNotFoundError: No module named 'aws_cdk'"
I'm on Windows, so I have removed Python and reinstalled, downgraded Python to 3.8, tried to run the venv from both the command prompt and PowerShell, and have tried to include system site packages in my pyvenv.cfg, but nothing so far has worked the way it worked for me in the sample app.
Hi there, AWS Support Engineer here. Another way to quickly test out the blog solution is to spin up a Cloud9 environment; this way you can have a clean CDK IDE with all requirements installed in just a few minutes.
Thanks Zhiyuan, this suggestion fixed my initial problem!
Based upon your traceback, it appears as though your pip install -r requirements.txt command is not installing the dependencies correctly. You can troubleshoot this using the pip freeze command. The result of a pip freeze should look something like the following.
attrs==21.4.0
aws-cdk.assets==1.149.0
aws-cdk.aws-acmpca==1.149.0
aws-cdk.aws-apigateway==1.149.0
aws-cdk.aws-applicationautoscaling==1.149.0
aws-cdk.aws-autoscaling==1.149.0
aws-cdk.aws-autoscaling-common==1.149.0
aws-cdk.aws-autoscaling-hooktargets==1.149.0
aws-cdk.aws-certificatemanager==1.149.0
aws-cdk.aws-cloudformation==1.149.0
aws-cdk.aws-cloudfront==1.149.0
aws-cdk.aws-cloudwatch==1.149.0
aws-cdk.aws-codebuild==1.149.0
aws-cdk.aws-codecommit==1.149.0
aws-cdk.aws-codeguruprofiler==1.149.0
aws-cdk.aws-codepipeline==1.149.0
aws-cdk.aws-codestarnotifications==1.149.0
aws-cdk.aws-cognito==1.149.0
aws-cdk.aws-ec2==1.149.0
aws-cdk.aws-ecr==1.149.0
aws-cdk.aws-ecr-assets==1.149.0
aws-cdk.aws-ecs==1.149.0
aws-cdk.aws-efs==1.149.0
aws-cdk.aws-elasticloadbalancing==1.149.0
aws-cdk.aws-elasticloadbalancingv2==1.149.0
aws-cdk.aws-events==1.149.0
aws-cdk.aws-events-targets==1.149.0
aws-cdk.aws-globalaccelerator==1.149.0
aws-cdk.aws-glue==1.149.0
aws-cdk.aws-iam==1.149.0
aws-cdk.aws-kinesis==1.149.0
aws-cdk.aws-kinesisfirehose==1.149.0
aws-cdk.aws-kms==1.149.0
aws-cdk.aws-lambda==1.149.0
aws-cdk.aws-lambda-python==1.149.0
aws-cdk.aws-logs==1.149.0
aws-cdk.aws-route53==1.149.0
aws-cdk.aws-route53-targets==1.149.0
aws-cdk.aws-s3==1.149.0
aws-cdk.aws-s3-assets==1.149.0
aws-cdk.aws-s3-notifications==1.149.0
aws-cdk.aws-sam==1.149.0
aws-cdk.aws-secretsmanager==1.149.0
aws-cdk.aws-securityhub==1.149.0
aws-cdk.aws-servicediscovery==1.149.0
aws-cdk.aws-signer==1.149.0
aws-cdk.aws-sns==1.149.0
aws-cdk.aws-sns-subscriptions==1.149.0
aws-cdk.aws-sqs==1.149.0
aws-cdk.aws-ssm==1.149.0
aws-cdk.aws-stepfunctions==1.149.0
aws-cdk.cloud-assembly-schema==1.149.0
aws-cdk.core==1.149.0
aws-cdk.custom-resources==1.149.0
aws-cdk.cx-api==1.149.0
aws-cdk.region-info==1.149.0
boto3==1.21.21
botocore==1.24.21
cattrs==1.10.0
constructs==3.3.245
jmespath==1.0.0
jsii==1.55.1
publication==0.0.3
python-dateutil==2.8.2
s3transfer==0.5.2
six==1.16.0
typing_extensions==4.1.1
urllib3==1.26.9
You mentioned you are on Windows. Are you running via the PowerShell command line or cmd? The virtual env command (% .venv/Scripts/activate.bat) is a bat file which runs via the cmd prompt. It looks like PowerShell users can use .venv/bin/Activate.ps1 to activate the virtual environment.
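The two checks in the answer above (is the interpreter that runs app.py actually the one inside .venv, and does pip freeze contain every pinned line of requirements.txt at the pinned version) can be automated. The script below is an added example, not code from the blog post, its repository, or any participant in this thread; the function names, the PEP 503-style name normalisation, and the sample requirements.txt and pip freeze text are constructed for illustration, and the sample freeze output is deliberately incomplete so the report has something to show.

```python
"""Diagnose "ModuleNotFoundError: No module named 'aws_cdk'" after
`pip install -r requirements.txt` by checking the two usual causes:
  1. app.py is run by an interpreter that is not the venv's (venv not
     activated, or `python` resolving to a global install);
  2. `pip freeze` inside the venv lacks (or has another version of) a
     package pinned in requirements.txt.
"""
import importlib.util
import re
import sys

# Matches the `name==version` lines that `pip freeze` and a pinned
# requirements.txt both produce; comments, -e lines and >= ranges are skipped.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: aws_cdk.core, aws-cdk.core and AWS-CDK.CORE are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict:
    """Return {normalised_name: version} for every `name==version` line in `text`."""
    pins = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def compare_freeze(freeze_text: str, requirements_text: str) -> dict:
    """Report pinned requirements that are absent from, or at another version in, pip freeze."""
    installed = parse_pins(freeze_text)
    required = parse_pins(requirements_text)
    missing = sorted(n for n in required if n not in installed)
    mismatched = {n: (required[n], installed[n]) for n in required
                  if n in installed and installed[n] != required[n]}
    return {"missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def interpreter_report(module: str = "aws_cdk") -> dict:
    """Which python is running, whether it is a venv, and whether `module` resolves from it."""
    return {
        "executable": sys.executable,
        # inside a venv sys.prefix points at .venv while base_prefix is the base install
        "in_venv": sys.prefix != sys.base_prefix,
        "prefix": sys.prefix,
        # find_spec returns None (no exception) for an uninstalled top-level package
        "module_found": importlib.util.find_spec(module) is not None,
    }


# Constructed sample input (not the blog post's real files): a short requirements.txt
# and a pip freeze that is missing aws-cdk.core and has an older aws-cdk.aws-lambda.
SAMPLE_REQUIREMENTS = """\
aws-cdk.core==1.149.0
aws-cdk.aws-lambda==1.149.0
aws-cdk.aws-securityhub==1.149.0
boto3==1.21.21
"""
SAMPLE_FREEZE = """\
aws-cdk.aws-lambda==1.148.0
aws-cdk.aws-securityhub==1.149.0
boto3==1.21.21
botocore==1.24.21
"""

if __name__ == "__main__":
    rep = interpreter_report()
    print(f"python: {rep['executable']}  in venv: {rep['in_venv']}  "
          f"aws_cdk importable: {rep['module_found']}")
    # On a real machine feed the output of `pip freeze` (run with the same
    # interpreter, e.g. `python -m pip freeze`) instead of SAMPLE_FREEZE.
    diff = compare_freeze(SAMPLE_FREEZE, SAMPLE_REQUIREMENTS)
    for name in diff["missing"]:
        print(f"MISSING   {name}")
    for name, (want, have) in diff["mismatched"].items():
        print(f"MISMATCH  {name}: required {want}, installed {have}")
    print("requirements satisfied" if diff["ok"] else "requirements NOT satisfied")
```

Run it with the same command you use for app.py (for example python app_check.py from the activated venv): if in_venv is False or executable points outside .venv, the activation step is the problem rather than pip; if the interpreter is right but packages are missing or mismatched, rerun the install as python -m pip install -r requirements.txt so pip and the interpreter are guaranteed to be the same one.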
Although I was getting the correct pip freeze and was utilising the correct activate script, I was still unable to get my local environment working.
I did take Zhiyuan_L's suggestion though and was able to get much further using Cloud9.
I changed the app.py to only include ap-southeast-2, as that is the primary region and where we already monitor the organization's Security Hub findings from. I have been able to get 2/3 stacks deployed; however, the aggregator stack failed as we were already using ap-southeast-2 as our aggregation point for all other regions. The following image is what I ran into - https://i.postimg.cc/tTSXtP9z/stackfail.png
Is there a way to remove this step and use our existing aggregation setup? I presume this stack contains other important components that are required, and not just the configuration of the Security Hub aggregator.
Any insight would be much appreciated.