[PRMP 862] Implement an AWS Transfer Family kill switch (#512)

Co-authored-by: Robert Gaskin <[email protected]>

Author: PedroSoaresNHS

infrastructure/lambda-transfer-kill-switch.tf

@@ -0,0 +1,32 @@
+module "transfer_family_kill_switch_lambda" {
+  source  = "./modules/lambda"
+  name    = "TransferFamilyKillSwitch"
+  handler = "handlers.transfer_family_kill_switch_handler.lambda_handler"
+
+  iam_role_policy_documents = [
+    aws_iam_policy.transfer_family_kill_switch.policy,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+  ]
+
+  kms_deletion_window = var.kms_deletion_window
+
+  lambda_environment_variables = {
+    WORKSPACE                 = terraform.workspace
+    STAGING_STORE_BUCKET_NAME = "${terraform.workspace}-${var.staging_store_bucket_name}"
+  }
+
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+
+  vpc_subnet_ids         = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? module.ndr-vpc-ui.private_subnets : []
+  vpc_security_group_ids = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? [data.aws_security_groups.virus_scanner_api.ids[0]] : []
+
+  depends_on = [
+    aws_iam_policy.transfer_family_kill_switch,
+    # aws_transfer_server.your_transfer_server,  # if transfer family is ever defined in terraform
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    module.ndr-bulk-staging-store,
+    module.ndr-lloyd-george-store,
+    module.lloyd_george_reference_dynamodb_table,
+  ]
+}

infrastructure/policies.tf

@@ -67,3 +67,45 @@ resource "aws_iam_policy" "administrator_permission_restrictions" {
     Workspace = "core"
   }
 }
+
+resource "aws_iam_policy" "transfer_family_kill_switch" {
+  name        = "${terraform.workspace}-transfer-family-kill-switch"
+  description = "Permissions for Transfer kill switch Lambda"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "DescribeAndStopTransferServers",
+        Effect = "Allow",
+        Action = [
+          "transfer:DescribeServer",
+          "transfer:StopServer",
+        ],
+        Resource = [
+          "arn:aws:transfer:${var.region}:${data.aws_caller_identity.current.account_id}:server/*",
+        ]
+      },
+      {
+        Sid    = "ListTransferServers",
+        Effect = "Allow",
+        Action = [
+          "transfer:ListServers",
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "PublishTransferFamilyKillSwitchMetrics",
+        Effect = "Allow",
+        Action = [
+          "cloudwatch:PutMetricData",
+        ],
+        Resource = "*",
+        Condition = {
+          StringEquals = {
+            "cloudwatch:namespace" = "Custom/TransferFamilyKillSwitch"
+          }
+        }
+      }
+    ]
+  })
+}

infrastructure/transfer_alarms.tf

@@ -0,0 +1,28 @@
+resource "aws_cloudwatch_metric_alarm" "transfer_family_kill_switch_stopped_server" {
+  alarm_name          = "${terraform.workspace}_transfer_family_kill_switch_stopped"
+  namespace           = "Custom/TransferFamilyKillSwitch"
+  metric_name         = "ServerStopped"
+  statistic           = "Sum"
+  period              = 60 #check every 10 mins
+  evaluation_periods  = 1
+  comparison_operator = "GreaterThanThreshold"
+  threshold           = 0
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    Workspace = terraform.workspace
+  }
+
+  alarm_description = "Alarm when the Transfer Family kill switch stops a server in workspace ${terraform.workspace}."
+
+  alarm_actions = [module.sqs_alarm_lambda_topic.arn]
+  ok_actions    = [module.sqs_alarm_lambda_topic.arn]
+
+  tags = {
+    Name         = "${terraform.workspace}_transfer_family_kill_switch_stopped"
+    severity     = "high"
+    alarm_group  = "${terraform.workspace}-transfer-family-kill-switch"
+    alarm_metric = "ServerStopped"
+    is_kpi       = "false"
+  }
+}

infrastructure/virusscanner.tf

@@ -103,3 +103,24 @@ resource "aws_sns_topic_subscription" "proactive_virus_scanning_notifications" {
     "scanResult" : ["Infected", "Error", "Unscannable", "Suspicious"]
   })
 }
+
+resource "aws_sns_topic_subscription" "proactive_virus_scanning_kill_switch" {
+  count     = local.is_production ? 1 : 0
+  topic_arn = module.cloud_storage_security[0].proactive_notifications_topic_arn
+  protocol  = "lambda"
+  endpoint  = module.transfer_family_kill_switch_lambda.lambda_arn
+
+  filter_policy = jsonencode({
+    "notificationType" : ["scanResult"],
+    "scanResult" : ["Infected", "Error", "Unscannable", "Suspicious"]
+  })
+}
+
+resource "aws_lambda_permission" "allow_sns_invoke_transfer_family_kill_switch" {
+  count         = local.is_production ? 1 : 0
+  statement_id  = "AllowExecutionFromVirusScanSNS"
+  action        = "lambda:InvokeFunction"
+  function_name = module.transfer_family_kill_switch_lambda.lambda_arn
+  principal     = "sns.amazonaws.com"
+  source_arn    = module.cloud_storage_security[0].proactive_notifications_topic_arn
+}