SEMPER Extension Policy Documentation

This is the documentation of the SEMPER Extension Policy-Types.

Extension policies allow a policy-based extension of the finding JSON for post-processing stages.

Required Semper Version: >=1.18.0

Extension Section in the Policy Repository

The SEMPER Extension Policies are stored in the "30_extension" folder of the Policy-Repository:

SEMPER Extension Policies in the Repository
└───30_extension/
    │   extension_policy1.json
    │   extension_policy2.json
    │   ...

Sample policies:

Folder: /30_extension

SEMPER Extension Policy Elements

The generic structure of a SEMPER Extension Policy looks like this:

{
  ...
  "extension": {
    "policyScope": <policyScopePattern>,
    "findingPattern":<findingPattern>,
    "extensionBlock": {
      <extensionIdentifier>: [{extensionPolicy}]
    }
  }
  ...
}
Key | Value-Type | Comment
extension | object | Determines the SEMPER Extension Policy.
.policyScope | object (optional) | Each Security Finding has an originating account and an AWS region of the emitting resource. As described in the policyScope section, you can limit the application of a SEMPER policy to a specific account and region context.
.findingPattern | object | Pattern according to the ACAI JSON-Pattern Engine; the policy applies to the Security Findings that match it.
.extensionBlock | object | Security Findings that match the findingPattern will be extended by the extensionBlock JSON.
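The matching and extension step described above, as an added example that is not part of the SEMPER project: a simplified matcher stands in for the ACAI JSON-Pattern Engine (nested objects recurse, a list means "any of these values", a scalar must be equal), and the extensionBlock is merged under a top-level "extension" key of the finding (both are assumptions). Sample 2 from this page is used as the policy; the findings are constructed sample data.

```python
import copy

def matches_pattern(finding: dict, pattern: dict) -> bool:
    """Simplified matcher standing in for the ACAI JSON-Pattern Engine (assumption): every
    pattern key must exist; nested objects recurse, a list means 'any of', a scalar must equal."""
    for key, expected in pattern.items():
        if key not in finding:
            return False
        actual = finding[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches_pattern(actual, expected)):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True

def apply_extension_policy(finding: dict, policy: dict) -> dict:
    """Return a copy of the finding extended by the policy's extensionBlock when the findingPattern
    matches; non-matching findings come back untouched. Assumption: merged under "extension"."""
    ext = policy["extension"]
    if not matches_pattern(finding, ext["findingPattern"]):
        return finding
    extended = copy.deepcopy(finding)
    extended.setdefault("extension", {}).update(copy.deepcopy(ext["extensionBlock"]))
    return extended

# Sample 2 from this page, reduced to the parts the matcher needs.
ROOT_USER_POLICY = {
    "extension": {
        "findingPattern": {
            "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
            "detail": {"userIdentity": {"type": "Root"}},
        },
        "extensionBlock": {"sqsFanOut": [{"sqsName": "instant-alarm-trigger"}]},
    }
}

# Constructed CloudTrail-style findings (sample data, not real events).
ROOT_LOGIN_FINDING = {"detail-type": "AWS Console Sign In via CloudTrail",
                      "detail": {"userIdentity": {"type": "Root"}, "eventName": "ConsoleLogin"}}
IAM_USER_FINDING = {"detail-type": "AWS API Call via CloudTrail",
                    "detail": {"userIdentity": {"type": "IAMUser"}, "eventName": "CreateUser"}}
```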

Use-Case SQS Fan-Out

The concept of this use-case is that SQS URLs can be specified to which the processed Security Finding will be sent. The SQS consumer (a Lambda function) receives the full JSON of the processed Security Finding and can use that full context to determine further steps. Examples are:

  • Auto Remediation
  • Notification of Workload-Owners
  • Notification of Security-Team

JSON-Key: "sqsFanOut"

{
  ...
  "extension": {
    ...
    "extensionBlock": {
      "sqsFanOut": [
        {
          "sqsName": "ar-close-sg-ports-trigger"
          ...
        },
        {
          "sqsUrl": "https://sqs.eu-central-1.amazonaws.com/*accountId*/notify-technical-account-owner-trigger"
          ...
        }        
      ]
    }
  }
  ...
}
Key | Value-Type | Comment
extension | object |
.extensionBlock | object | Security Findings that match the findingPattern will be extended by the extensionBlock JSON.
..sqsFanOut | list | The list of SQS Fan-Out specifications; they are executed in parallel.
...sqsUrl | string (conflicts with sqsName) | The Security Finding will be sent to the specified SQS URL.
...sqsName | string (conflicts with sqsUrl) | The Security Finding will be sent to the SQS queue with this name in the SEMPER region of the Core Security account.
...Dynamic Key | string (optional) | Further context information for the processor (the SQS consumer) can be provided as additional keys.
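Validation and resolution of an sqsFanOut list, as an added example that is not SEMPER's own code: each entry must carry exactly one of sqsUrl or sqsName, a name is resolved in the SEMPER region of the Core Security account using the standard SQS URL form, and the remaining dynamic keys are passed through as context for the consumer. The fan-out list is modelled on the page's example; the account ids are placeholders.

```python
RESERVED_KEYS = {"sqsUrl", "sqsName"}

def resolve_fan_out_targets(fan_out: list, core_account_id: str, semper_region: str) -> list:
    """Validate the sqsFanOut list and resolve every entry to a queue URL.

    sqsUrl and sqsName conflict, so exactly one must be present. A sqsName is resolved
    in the SEMPER region of the Core Security account via the standard URL form
    https://sqs.<region>.amazonaws.com/<accountId>/<queueName>. Every other key is a
    dynamic key and is handed to the consumer as context.
    Returns one {"url": ..., "context": {...}} dict per entry.
    """
    targets = []
    for index, entry in enumerate(fan_out):
        has_url, has_name = "sqsUrl" in entry, "sqsName" in entry
        if has_url == has_name:  # both present or both missing
            raise ValueError(f"sqsFanOut[{index}]: specify exactly one of sqsUrl or sqsName")
        if has_name:
            url = f"https://sqs.{semper_region}.amazonaws.com/{core_account_id}/{entry['sqsName']}"
        else:
            url = entry["sqsUrl"]
        context = {key: value for key, value in entry.items() if key not in RESERVED_KEYS}
        targets.append({"url": url, "context": context})
    return targets

# Constructed sqsFanOut block modelled on the page's example (placeholder account id).
SAMPLE_FAN_OUT = [
    {"sqsName": "ar-close-sg-ports-trigger", "remediation": "close-ports"},
    {"sqsUrl": "https://sqs.eu-central-1.amazonaws.com/111111111111/notify-technical-account-owner-trigger",
     "channel": "email"},
]
```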

Use-Case Send to AWS Security Hub

By specifying this extension block, you can create a Security Hub Finding based on the processed SEMPER Security Finding.

JSON-Key: "sendToSecurityHub"

{
  ...
  "extension": {
    ...
    "extensionBlock": {
      "sendToSecurityHub": {
        "findingTitle": "SEMPER Finding Title",
        "findingSevertiy": 20,
        "findingComplianceStatus" : "FAILED",
        "findingResource" : {
          "id": "raw.detail.requestParameters.groupId",
          "type": "AwsEc2SecurityGroup"
        }
      }        
    }
  }
  ...
}
Key | Value-Type | Comment
extension | object |
.extensionBlock | object | Security Findings that match the findingPattern will be extended by the extensionBlock JSON.
..sendToSecurityHub | object | Creates a Security Hub Finding from the processed Security Finding.
...findingTitle | string (optional, default = 'SEMPER Finding') |
...findingDescription | string (optional) |
...findingSevertiy | number (optional, default = 20) | Severity value according to the AWS Security Hub documentation.
...findingComplianceStatus | string (optional, default = FAILED) | Compliance status according to the AWS Security Hub documentation.
...findingResource | object (optional) |
....id | string (optional, default = '') | Self-reference into the JSON of the processed Security Finding, e.g. 'raw.detail.requestParameters.keyId'.
....type | string (optional, default = 'AwsAccount') | Resource type according to the AWS Security Hub documentation.
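Resolving the findingResource self-reference and applying the documented defaults, as an added example that is not SEMPER's own code. The key names are used exactly as documented above; the flat output dict is an assumed simplification, not the full Security Hub finding format, and the processed finding is constructed sample data.

```python
DEFAULTS = {
    "findingTitle": "SEMPER Finding",
    "findingSevertiy": 20,  # key spelled as in the documented schema above
    "findingComplianceStatus": "FAILED",
}
RESOURCE_DEFAULTS = {"id": "", "type": "AwsAccount"}

def resolve_self_reference(finding: dict, path: str):
    """Follow a dotted path such as 'raw.detail.requestParameters.groupId' through the
    processed finding; returns None as soon as a segment is missing."""
    node = finding
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node

def build_security_hub_finding(finding: dict, spec: dict) -> dict:
    """Build a flat finding dict (assumed simplification of the Security Hub fields) from a
    sendToSecurityHub block, filling the documented defaults. findingResource.id is a
    self-reference path; an unresolvable path falls back to the default ''."""
    merged = {**DEFAULTS, **spec}
    resource = {**RESOURCE_DEFAULTS, **spec.get("findingResource", {})}
    resource_id = resolve_self_reference(finding, resource["id"]) if resource["id"] else ""
    return {
        "Title": merged["findingTitle"],
        "Description": merged.get("findingDescription", ""),
        "Severity": merged["findingSevertiy"],
        "ComplianceStatus": merged["findingComplianceStatus"],
        "ResourceType": resource["type"],
        "ResourceId": resource_id if resource_id is not None else "",
    }

# Constructed processed finding (sample data) in the shape the self-reference expects.
SG_FINDING = {"raw": {"detail": {"requestParameters": {"groupId": "sg-0123456789abcdef0"}}}}
# The sendToSecurityHub block from this page's example.
SG_SPEC = {
    "findingTitle": "SEMPER Finding Title",
    "findingSevertiy": 20,
    "findingComplianceStatus": "FAILED",
    "findingResource": {"id": "raw.detail.requestParameters.groupId", "type": "AwsEc2SecurityGroup"},
}
```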

Samples of Extension Policies

Sample 1

{
  "metaData": {
    "domain": "extension",
    "title": "Auto-Remediation of TCP-Ports 22 & 3389 for CIDR range /24",
    ...
  },
  "extension": {
    "policyScope": {
      ...
    },
    "findingPattern": {
      ...
    },
    "extensionBlock": {
      "sqsFanOut": [
        {
          "sqsName": "ar-detect-sg-ports-trigger"
        }
      ]
    }
  }
}

Sample 2

{
  "metaData": {
    "domain": "extension",
    "title": "AWS Account root-user was used",
    ...
  },
  "extension": {
    "findingPattern": {
      "detail-type": [
        "AWS API Call via CloudTrail",
        "AWS Console Sign In via CloudTrail"
      ],
      "detail": {
        "userIdentity": {
          "type": "Root"
        }
      }
    },
    "extensionBlock": {
      "sqsFanOut": [
        {
          "sqsName": "instant-alarm-trigger"
        }
      ],
      "sendToSecurityHub": {
        "findingTitle": "Usage of root-user",
        "findingSevertiy": 95,
        "findingComplianceStatus" : "FAILED",
      }        
    }
  }
}