Create Cloud formation templates for CSPM Agent and SIEM service
lootag committed Feb 22, 2024
1 parent b25633f commit b862542
Showing 12 changed files with 291 additions and 0 deletions.
4 changes: 4 additions & 0 deletions security/cspm/execution/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
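Review bot: the entry's "cloud formation" is the product name and reads better as "CloudFormation" (the README hunks have the same spelling); the same one-line changelog is repeated in the three other CHANGELOG.md files in this commit, so fixing it once here and copying is enough. The entry is dated 2024-02-21 while the commit lands on Feb 22; confirm which date the changelog is meant to carry.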
15 changes: 15 additions & 0 deletions security/cspm/execution/README.md
@@ -0,0 +1,15 @@
# CSPM Agent Integration
This cloud formation template creates a role with the permissions that the CSPM agent needs in order to function. It only has one parameter, that is the principal that can assume the created role.

There are two possible ways of using this template:
1. You do not have an AWS organization. In this case you need to run this template against all the accounts that you wish to scan with the CSPM agent, specifying the account id from which the CSPM agent is running as the principal. You're then going to have to provide the agent with the ARNs of the created roles.

2. You have an AWS organization. In this case you're going to have to run the management template against your organization, setting the account from which the CSPM agent is running as the principal. This will create an organization-wide role that the CSPM agent will be able to assume. You're then going to have to run the execution template against all the accounts in the organization, specifying the management role that you creted in the previous step as the principal (you can also use StackSets to accomplish this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html).


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID/Role ARN of the principal | | :heavy_check_mark: |

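Review bot: step 2 tells the reader to "run the management template against your organization", but a CloudFormation stack is deployed into a single account; name that account (the one the CSPM agent runs from, per the management README, or the organization's management account) so nobody looks for an organization-level deployment. Also "creted" should be "created" in step 2, the StackSets URL would read better as a markdown link, and the "Parameters:" heading should drop the trailing colon.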
143 changes: 143 additions & 0 deletions security/cspm/execution/template.yml
@@ -0,0 +1,143 @@
Parameters:
Principal:
Type: String
Description: The AWS account ID or Role ARN of the principal who will assume the role
ConstraintDescription: "Must be a valid AWS account ID or a valid Role ARN"

Resources:
CoralogixCSPMExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-CSPM-Execution-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
Policies:
- PolicyName: CoralogixCSPMPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: CSPM
Resource: ["*"]
Effect: Allow
Action:
- access-analyzer:Get*
- access-analyzer:List*
- acm:Describe*
- apigateway:Get*
- application-autoscaling:Describe*
- autoscaling-plans:Describe*
- autoscaling-plans:GetScalingPlanResourceForecastData
- autoscaling:Describe*
- autoscaling:GetPredictiveScalingForecast
- backup:List*
- backup:Get*
- cloudformation:BatchDescribeTypeConfigurations
- cloudformation:Describe*
- cloudformation:DetectStack*
- cloudformation:EstimateTemplateCost
- cloudformation:Get*
- cloudformation:List*
- cloudformation:ValidateTemplate
- cloudfront:DescribeFunction
- cloudfront:Get*
- cloudfront:List*
- cloudtrail:Describe*
- cloudtrail:Get*
- cloudtrail:List*
- cloudtrail:LookupEvents
- cloudwatch:Describe*
- cloudwatch:Get*
- cloudwatch:List*
- dms:Describe*
- dax:DescribeClusters
- dynamodb:ListTables
- ec2:Describe*
- ec2:ExportClientVpn*
- ec2:Get*
- ec2:List*
- ec2:Search*
- ec2messages:Get*
- ecr:Describe*
- ecr:GetRepositoryPolicy
- ecs:Describe*
- ecs:List*
- efs:Describe*
- eks:Describe*
- eks:List*
- elasticache:Describe*
- elasticache:List*
- elasticloadbalancing:Describe*
- elasticfilesystem:List*
- elasticfilesystem:Get*
- elasticfilesystem:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:Get*
- elasticmapreduce:List*
- elasticmapreduce:ViewEventsFromAllClustersInConsole
- emr-containers:Describe*
- emr-containers:List*
- emr-serverless:Get*
- emr-serverless:List*
- es:Describe*
- es:Get*
- es:List*
- fsx:DescribeFileSystems
- guardduty:ListDetectors
- iam:Generate*
- iam:Get*
- iam:List*
- iam:Simulate*
- imagebuilder:Get*
- imagebuilder:List*
- kms:Describe*
- kms:Get*
- kms:List*
- lambda:Get*
- lambda:List*
- network-firewall:Describe*
- network-firewall:List*
- organizations:Describe*
- organizations:List*
- opensearch:Describe*
- rds:Describe*
- redshift:Describe*
- redshift:List*
- redshift:ViewQueries*
- rolesanywhere:Get*
- rolesanywhere:list*
- route53:Get*
- route53:List*
- route53:TestDNSAnswer
- route53domains:CheckDomain*
- route53domains:Get*
- route53domains:List*
- route53domains:ViewBilling
- s3:Describe*
- s3:List*
- s3:Get*
- securityhub:Describe*
- servicequotas:Get*
- servicequotas:List*
- ses:Describe*
- ses:Get*
- ses:List*
- sqs:Get*
- sqs:List*
- ssm:Describe*
- ssm:Get*
- ssm:List*
- sts:Get*
- tag:Get*
- waf-regional:Get*
- waf-regional:List*
- waf:Get*
- waf:List*
- wafv2:Describe*
- wafv2:Get*
- wafv2:List*,
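Review bot: the last action is written as `- wafv2:List*,` with a trailing comma, so YAML yields the string `wafv2:List*,`, which is not a valid IAM action and will make the stack fail policy validation; drop the comma. Two further points on the same hunk: `ConstraintDescription` has no effect unless the parameter also has an `AllowedPattern` (for "account ID or role ARN" something like `^([0-9]{12}|arn:aws:iam::[0-9]{12}:role/.+)$`), and several wildcards in this otherwise read-only policy reach into data rather than configuration, notably `s3:Get*` (covers `s3:GetObject` on every bucket), `ssm:Get*` (covers `GetParameter`/`GetParameters`, i.e. Parameter Store contents) and `lambda:Get*` (`GetFunction` returns a download URL for the function code). For a posture scanner, listing the bucket-, parameter- and function-level `Get` actions it actually needs keeps `Resource: ["*"]` defensible.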
4 changes: 4 additions & 0 deletions security/cspm/management/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
11 changes: 11 additions & 0 deletions security/cspm/management/README.md
@@ -0,0 +1,11 @@
# SIEM service Integration - AWS Management Role
This cloud formation template creates an organization-wide role that the CSPM agent can assume in order to scan all the accounts in your organization. It only has one parameter, that is the principal that can assume the created role. This should be set to the AWS account id of the account where the CSPM agent is going to run.


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID of the principal | | :heavy_check_mark: |


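Review bot: the heading reads "SIEM service Integration - AWS Management Role", but this file lives under security/cspm/management and the body describes the CSPM agent; change it to the CSPM wording used in security/cspm/execution/README.md. The text should also say which account the stack is deployed into (the organization's management account or a delegated administrator), since "organization-wide" here only means that the execution roles created in member accounts trust this role's ARN.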
19 changes: 19 additions & 0 deletions security/cspm/management/template.yml
@@ -0,0 +1,19 @@
Parameters:
Principal:
Type: String
Description: The AWS account ID of the principal who will assume the role
ConstraintDescription: "Must be a valid AWS account ID"

Resources:
CoralogixCSPMManagementRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-CSPM-Management-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
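Review bot: `ConstraintDescription` is inert without an `AllowedPattern`; add one such as `^[0-9]{12}$` so a malformed account ID is rejected at stack creation rather than surfacing as an invalid-principal error from IAM. The role is also created with no permissions policy; if it is meant to assume `Coralogix-CSPM-Execution-Role` in every member account, an inline policy allowing `sts:AssumeRole` on `arn:aws:iam::*:role/Coralogix-CSPM-Execution-Role` makes that intent explicit and scoped. Finally, trusting a bare account ID (`AWS: <account id>`) trusts the account root, so any principal in that account with `sts:AssumeRole` rights can assume this role; consider accepting the agent's role ARN instead, as the execution template already does.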
4 changes: 4 additions & 0 deletions security/siem/execution/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
15 changes: 15 additions & 0 deletions security/siem/execution/README.md
@@ -0,0 +1,15 @@
# SIEM service Integration - AWS Execution Role
This cloud formation template creates a role with the permissions that the SIEM service needs in order to function. It only has one parameter, that is the principal that can assume the created role.

There are two possible ways of using this template:
1. You do not have an AWS organization. In this case you need to run this template against all the accounts that you want the SIEM service to enrich your logs with, specifying the Coralogix account id you've been provided as the principal. When you create the SIEM integration on the Coralogix platform, you're going to have to provide the ARNs of the created roles.

2. You have an AWS organization. In this case you're going to have to run the management template against your organization, setting the Coralogix AWS account id that you've been provided as the principal. This will create an organization-wide role that the SIEM service will be able to assume. You're then going to have to run the execution template against all the accounts in the organization, specifying the management role that you creted in the previous step as the principal (you can also use StackSets to accomplish this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html). When you create the SIEM integration on the Coralogix platform, you're only going to have to provide the ARN of the management account.


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID/Role ARN of the principal | | :heavy_check_mark: |

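Review bot: in step 2, "the ARN of the management account" should be "the ARN of the management role" (accounts have IDs, roles have ARNs, and the platform needs the role it will assume); also "creted" should be "created", and the StackSets URL would read better as a markdown link. The README should also mention any external ID the integration expects, since the Coralogix principal named here is a third-party account.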
42 changes: 42 additions & 0 deletions security/siem/execution/template.yml
@@ -0,0 +1,42 @@
Parameters:
Principal:
Type: String
Description: The AWS account ID or Role ARN of the principal who will assume the role
ConstraintDescription: "Must be a valid AWS account ID or a valid Role ARN"

Resources:
CoralogixSIEMExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-SIEM-Execution-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
Policies:
- PolicyName: CoralogixSIEMPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: SIEM
Resource: ["*"]
Effect: Allow
Action:
- "s3:GetBucketPublicAccessBlock"
- "s3:GetBucketTagging"
- "ec2:DescribeInstances"
- "dynamodb:ListTagsOfResource"
- "s3:GetBucketAcl"
- "s3:GetEncryptionConfiguration"
- "dynamodb:DescribeTable"
- "rds:DescribeDBInstances"
- "redshift:DescribeClusters"
- "eks:DescribeCluster"
- "eks:ListClusters"
- "ec2:DescribeSubnets"
- "s3:GetBucketLocation"
- "redshift:DescribeClusterParameters"
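Review bot: the trust statement grants `sts:AssumeRole` to the supplied principal with no `Condition`; on the non-organization path the principal is the Coralogix account ID, so any principal in that third-party account that may call `sts:AssumeRole` can assume this role. The standard mitigation for a role assumed by a SaaS vendor is an external ID: add an `ExternalId` parameter and `Condition: { StringEquals: { "sts:ExternalId": !Ref ExternalId } }` to the statement, provided the Coralogix integration lets the customer supply one. As in the CSPM template, `ConstraintDescription` does nothing without an `AllowedPattern`. The action list itself is fine: every entry is a single Describe/Get/List call and none reads object data.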
4 changes: 4 additions & 0 deletions security/siem/management/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
11 changes: 11 additions & 0 deletions security/siem/management/README.md
@@ -0,0 +1,11 @@
# SIEM service Integration - AWS Management Role
This cloud formation template creates an organization-wide role that the SIEM service can assume in order to enrich your logs with data coming from all the accounts in your organization. It only has one parameter, that is the principal that can assume the created role. This should be set to the Coralogix AWS account id you've been provided.


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID of the principal | | :heavy_check_mark: |


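Review bot: the README never says which account this stack must be deployed into (the organization's management account or a delegated administrator) or that the role it creates holds no permissions of its own; "organization-wide" only holds because each member account's execution role trusts this role's ARN, which is worth stating so readers deploy the execution template to every member account. Drop the trailing colon from the "Parameters:" heading to match markdown heading style.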
19 changes: 19 additions & 0 deletions security/siem/management/template.yml
@@ -0,0 +1,19 @@
Parameters:
Principal:
Type: String
Description: The AWS account ID of the principal who will assume the role
ConstraintDescription: "Must be a valid AWS accoun"

Resources:
CoralogixSIEMManagementRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-SIEM-Management-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
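Review bot: `ConstraintDescription` is cut off at `"Must be a valid AWS accoun"`; complete it and, as with the other templates, pair it with `AllowedPattern: '^[0-9]{12}$'`, since without the pattern the description is never shown. This role trusts the Coralogix account root with no `sts:ExternalId` condition and carries no permissions policy; add the external-ID condition here too (on the organization path this is the role the vendor assumes first) and an inline policy limiting `sts:AssumeRole` to `arn:aws:iam::*:role/Coralogix-SIEM-Execution-Role`, so the chain it may follow is explicit.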
