Create Cloud formation templates for CSPM Agent and SIEM service #118

Open
wants to merge 2 commits into
base: master
4 changes: 4 additions & 0 deletions security/cspm/execution/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
15 changes: 15 additions & 0 deletions security/cspm/execution/README.md
@@ -0,0 +1,15 @@
# CSPM Agent Integration
This cloud formation template creates a role with the permissions that the CSPM agent needs in order to function. It only has one parameter, that is the principal that can assume the created role.

There are two possible ways of using this template:
1. You do not have an AWS organization. In this case you need to run this template against all the accounts that you wish to scan with the CSPM agent, specifying the account id from which the CSPM agent is running as the principal. You're then going to have to provide the agent with the ARNs of the created roles.

2. You have an AWS organization. In this case you're going to have to run the management template against your organization, setting the account from which the CSPM agent is running as the principal. This will create an organization-wide role that the CSPM agent will be able to assume. You're then going to have to run the execution template against all the accounts in the organization, specifying the management role that you creted in the previous step as the principal (you can also use StackSets to accomplish this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html).


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID/Role ARN of the principal | | :heavy_check_mark: |

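Review bot: typo in item 2, "creted" should be "created", and the bare StackSets URL in the same sentence would read better as a markdown link (`[StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html)`). The Parameters table says `Principal` takes an "Account ID/Role ARN" but gives no format; stating the two accepted shapes (a 12-digit account ID, or `arn:aws:iam::<account>:role/<name>`) here would save users a failed stack, since the template only reports a `ConstraintDescription` and never enforces it. Also "cloud formation" is the product name CloudFormation throughout this README and the CHANGELOG.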
143 changes: 143 additions & 0 deletions security/cspm/execution/template.yml
@@ -0,0 +1,143 @@
Parameters:
Principal:
Type: String
Description: The AWS account ID or Role ARN of the principal who will assume the role
ConstraintDescription: "Must be a valid AWS account ID or a valid Role ARN"

Resources:
CoralogixCSPMExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-CSPM-Execution-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
Policies:
- PolicyName: CoralogixCSPMPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: CSPM
Resource: ["*"]
Effect: Allow
Action:
- access-analyzer:Get*
- access-analyzer:List*
- acm:Describe*
- apigateway:Get*
- application-autoscaling:Describe*
- autoscaling-plans:Describe*
- autoscaling-plans:GetScalingPlanResourceForecastData
- autoscaling:Describe*
- autoscaling:GetPredictiveScalingForecast
- backup:List*
- backup:Get*
- cloudformation:BatchDescribeTypeConfigurations
- cloudformation:Describe*
- cloudformation:DetectStack*
- cloudformation:EstimateTemplateCost
- cloudformation:Get*
- cloudformation:List*
- cloudformation:ValidateTemplate
- cloudfront:DescribeFunction
- cloudfront:Get*
- cloudfront:List*
- cloudtrail:Describe*
- cloudtrail:Get*
- cloudtrail:List*
- cloudtrail:LookupEvents
- cloudwatch:Describe*
- cloudwatch:Get*
- cloudwatch:List*
- dms:Describe*
- dax:DescribeClusters
- dynamodb:ListTables
- ec2:Describe*
- ec2:ExportClientVpn*
- ec2:Get*
- ec2:List*
- ec2:Search*
- ec2messages:Get*
- ecr:Describe*
- ecr:GetRepositoryPolicy
- ecs:Describe*
- ecs:List*
- efs:Describe*
- eks:Describe*
- eks:List*
- elasticache:Describe*
- elasticache:List*
- elasticloadbalancing:Describe*
- elasticfilesystem:List*
- elasticfilesystem:Get*
- elasticfilesystem:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:Get*
- elasticmapreduce:List*
- elasticmapreduce:ViewEventsFromAllClustersInConsole
- emr-containers:Describe*
- emr-containers:List*
- emr-serverless:Get*
- emr-serverless:List*
- es:Describe*
- es:Get*
- es:List*
- fsx:DescribeFileSystems
- guardduty:ListDetectors
- iam:Generate*
- iam:Get*
- iam:List*
- iam:Simulate*
- imagebuilder:Get*
- imagebuilder:List*
- kms:Describe*
- kms:Get*
- kms:List*
- lambda:Get*
- lambda:List*
- network-firewall:Describe*
- network-firewall:List*
- organizations:Describe*
- organizations:List*
- opensearch:Describe*
- rds:Describe*
- redshift:Describe*
- redshift:List*
- redshift:ViewQueries*
- rolesanywhere:Get*
- rolesanywhere:list*
- route53:Get*
- route53:List*
- route53:TestDNSAnswer
- route53domains:CheckDomain*
- route53domains:Get*
- route53domains:List*
- route53domains:ViewBilling
- s3:Describe*
- s3:List*
- s3:Get*
- securityhub:Describe*
- servicequotas:Get*
- servicequotas:List*
- ses:Describe*
- ses:Get*
- ses:List*
- sqs:Get*
- sqs:List*
- ssm:Describe*
- ssm:Get*
- ssm:List*
- sts:Get*
- tag:Get*
- waf-regional:Get*
- waf-regional:List*
- waf:Get*
- waf:List*
- wafv2:Describe*
- wafv2:Get*
- wafv2:List*,
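Review bot: the last action, `- wafv2:List*,`, has a trailing comma, so YAML stores the literal string `wafv2:List*,`, which is not a valid IAM action and will make the stack fail with a malformed policy document; drop the comma. In the same policy, `rolesanywhere:list*` is the only lowercase action (IAM matches action names case-insensitively, so it works, but it reads like a typo next to `rolesanywhere:Get*`). The `Principal` parameter declares a `ConstraintDescription` without any `AllowedPattern` or `AllowedValues`, so that message is never shown and a bad value is only caught when the trust policy is applied; an `AllowedPattern` accepting a 12-digit account ID or an `arn:aws:iam::<account>:role/...` ARN would surface it at parameter validation. On scope: with `Resource: ["*"]`, `s3:Get*` matches `s3:GetObject` on every object in the account, `ssm:Get*` matches `ssm:GetParameter`/`ssm:GetParameters` (parameter values, not just metadata), and `lambda:Get*` matches `lambda:GetFunction` (deployment-package download URL and environment variables). Those are data reads rather than configuration reads; if the agent only needs bucket, parameter and function metadata, enumerating the specific actions, as the SIEM template in this PR does, or adding an explicit deny for the object-level ones would keep this role to posture inspection.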
4 changes: 4 additions & 0 deletions security/cspm/management/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
11 changes: 11 additions & 0 deletions security/cspm/management/README.md
@@ -0,0 +1,11 @@
# SIEM service Integration - AWS Management Role
This cloud formation template creates an organization-wide role that the CSPM agent can assume in order to scan all the accounts in your organization. It only has one parameter, that is the principal that can assume the created role. This should be set to the AWS account id of the account where the CSPM agent is going to run.


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID of the principal | | :heavy_check_mark: |


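Review bot: the title reads "SIEM service Integration - AWS Management Role" while this file lives under `security/cspm/management` and the body is about the CSPM agent; looks like a copy-paste from the SIEM README, so it should say CSPM. The intro also calls this "an organization-wide role", but the template creates a single IAM role in whichever account the stack is run in, and the execution README tells users to "run the management template against your organization"; say explicitly that this stack is deployed once, in the management (or delegated administrator) account, and that the per-account execution template is what goes to every member account. Minor: the `Principal` description should state the expected format (12-digit AWS account ID), matching the template's `ConstraintDescription`.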
31 changes: 31 additions & 0 deletions security/cspm/management/template.yml
@@ -0,0 +1,31 @@
Parameters:
Principal:
Type: String
Description: The AWS account ID of the principal who will assume the role
ConstraintDescription: "Must be a valid AWS account ID"

Resources:
CoralogixCSPMManagementRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-CSPM-Management-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
Policies:
- PolicyName: CoralogixCSPMManagementRolePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- organizations:ListAccounts
- iam:CreatePolicy
- iam:DeletePolicy
- iam:AttachRolePolicy
Resource: "*"
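Review bot: the policy grants `iam:CreatePolicy`, `iam:DeletePolicy` and `iam:AttachRolePolicy` on `Resource: "*"`, which lets whoever assumes `Coralogix-CSPM-Management-Role` create an arbitrary managed policy and attach it to any role in the account, including this role itself; that is a privilege-escalation path, not the account-listing role the README describes. The role also holds no `sts:AssumeRole` permission on the per-account `Coralogix-CSPM-Execution-Role` that the execution template trusts it with, so presumably the IAM write actions exist to let the agent attach such a policy to itself at runtime. If so, grant it statically instead (`sts:AssumeRole` on `arn:aws:iam::*:role/Coralogix-CSPM-Execution-Role`) and drop the three IAM write actions. If dynamic attachment really is needed, scope `iam:AttachRolePolicy` to this role's own ARN, scope `iam:CreatePolicy`/`iam:DeletePolicy` to a policy-name prefix, and add `iam:DetachRolePolicy`, since `iam:DeletePolicy` fails on a policy that is still attached. Minor: as in the execution template, `ConstraintDescription` has no matching `AllowedPattern`, so a malformed `Principal` is not caught at parameter validation.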
4 changes: 4 additions & 0 deletions security/siem/execution/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
15 changes: 15 additions & 0 deletions security/siem/execution/README.md
@@ -0,0 +1,15 @@
# SIEM service Integration - AWS Execution Role
This cloud formation template creates a role with the permissions that the SIEM service needs in order to function. It only has one parameter, that is the principal that can assume the created role.

There are two possible ways of using this template:
1. You do not have an AWS organization. In this case you need to run this template against all the accounts that you want the SIEM service to enrich your logs with, specifying the Coralogix account id you've been provided as the principal. When you create the SIEM integration on the Coralogix platform, you're going to have to provide the ARNs of the created roles.

2. You have an AWS organization. In this case you're going to have to run the management template against your organization, setting the Coralogix AWS account id that you've been provided as the principal. This will create an organization-wide role that the SIEM service will be able to assume. You're then going to have to run the execution template against all the accounts in the organization, specifying the management role that you creted in the previous step as the principal (you can also use StackSets to accomplish this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html). When you create the SIEM integration on the Coralogix platform, you're only going to have to provide the ARN of the management account.


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID/Role ARN of the principal | | :heavy_check_mark: |

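Review bot: the Parameters table documents a single `Principal` parameter, but `security/siem/execution/template.yml` in this PR declares `CoralogixRegionAlias` and `CustomCoralogixAccount` and no `Principal`; document those two (allowed alias values, 12-digit account ID for the custom account) or change the template to match. Related, item 2 tells users to run this template "specifying the management role that you creted in the previous step as the principal", which this template cannot do: its trust policy is fixed to the Coralogix `siem-service` role, so either remove that instruction or describe what the management role is actually used for. Also "creted" should be "created", and "provide the ARN of the management account" presumably means the ARN of the management role.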
76 changes: 76 additions & 0 deletions security/siem/execution/template.yml
@@ -0,0 +1,76 @@
Parameters:
CoralogixRegionAlias:
Type: String
Description: The Alias for the Coralogix region, possible options are [us1, us2, eu1, eu2, ap1, ap2, custom]
AllowedValues:
- us1
- us2
- eu1
- eu2
- ap1
- ap2
- custom
CustomCoralogixAccount:
Type: String
Description: In case you want to use a custom coralogix account, enter the aws account id that you want to use.
Default: ''

Conditions:
IsRegionUs2: !Equals
- Ref: CoralogixRegionAlias
- us2
IsCustomAccount: !Not
- !Equals
- Ref: CustomCoralogixAccount
- ''

Resources:
CoralogixSIEMExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: Coralogix-SIEM-Execution-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !Sub
- 'arn:aws:iam::${aws_account_id}:role/siem-service'
- aws_account_id: !If
- IsCustomAccount
- !Ref CustomCoralogixAccount
- !If
- IsRegionUs2
- '739076534691'
- '625240141681'
Action: sts:AssumeRole
Policies:
- PolicyName: CoralogixSIEMPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: SIEM
Resource: ["*"]
Effect: Allow
Action:
- "s3:GetBucketPublicAccessBlock",
- "s3:GetBucketTagging",
- "ec2:DescribeInstances",
- "lambda:ListFunctions",
- "dynamodb:ListTagsOfResource",
- "s3:GetBucketAcl",
- "ecs:DescribeClusters",
- "s3:GetEncryptionConfiguration",
- "s3:ListAllMyBuckets",
- "lambda:ListTags",
- "dynamodb:DescribeTable",
- "rds:DescribeDBInstances",
- "redshift:DescribeClusters",
- "eks:DescribeCluster",
- "ecs:ListContainerInstances",
- "eks:ListClusters",
- "ec2:DescribeSubnets",
- "s3:GetBucketLocation",
- "rds:DescribeDBClusters",
- "redshift:DescribeClusterParameters",
- "ecs:ListClusters"
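Review bot: the action list mixes JSON into YAML: every entry but the last is written like `- "s3:GetBucketPublicAccessBlock",` with a comma after the closing quote, which is a syntax error inside a YAML block sequence, so the template fails to parse before CloudFormation validates anything; remove the commas (the quotes are harmless). Two points on the trust policy: with `CoralogixRegionAlias` set to `custom` and `CustomCoralogixAccount` left at its default `''`, `IsCustomAccount` is false and the role silently trusts `625240141681` instead of failing, so a `Rules` assertion tying `custom` to a non-empty account ID (plus a 12-digit `AllowedPattern` on the parameter) would catch the mistake at deploy time; and since this statement lets a third-party account's role call `sts:AssumeRole` with no `sts:ExternalId` condition, consider adding one, which is the confused-deputy protection AWS recommends for SaaS integrations. Minor: `CustomCoralogixAccount` has no description of the expected format.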
4 changes: 4 additions & 0 deletions security/siem/management/CHANGELOG.md
@@ -0,0 +1,4 @@
# Changelog

### 0.0.1 / 2024-02-21
* Create cloud formation template
11 changes: 11 additions & 0 deletions security/siem/management/README.md
@@ -0,0 +1,11 @@
# SIEM service Integration - AWS Management Role
This cloud formation template creates an organization-wide role that the SIEM service can assume in order to enrich your logs with data coming from all the accounts in your organization. It only has one parameter, that is the principal that can assume the created role. This should be set to the Coralogix AWS account id you've been provided.


## Parameters:

| Parameter | Description | Default Value | Required |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------|
| Principal | Account ID of the principal | | :heavy_check_mark: |


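Review bot: the Parameters table documents `Principal`, but `security/siem/management/template.yml` takes `CoralogixRegionAlias`, `CustomCoralogixAccount` and `RoleName`; `RoleName` in particular must match the value entered in the Coralogix form, which is exactly what this README should tell the user, so the table needs all three. The intro's "organization-wide role that the SIEM service can assume in order to enrich your logs with data coming from all the accounts" also overstates what this role does: its only permission is `organizations:ListAccounts`, and per-account data still comes through the execution roles, so say that it is used to enumerate the organization's accounts.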
59 changes: 59 additions & 0 deletions security/siem/management/template.yml
@@ -0,0 +1,59 @@
Parameters:
CoralogixRegionAlias:
Type: String
Description: The Alias for the Coralogix region, possible options are [us1, us2, eu1, eu2, ap1, ap2, custom]
AllowedValues:
- us1
- us2
- eu1
- eu2
- ap1
- ap2
- custom
CustomCoralogixAccount:
Type: String
Description: In case you want to use a custom coralogix account, enter the aws account id that you want to use.
Default: ''
RoleName:
Type: String
Description: Don't change it! It needs to match the one that was input on the Coralogix form. Corresponds to the name of the AWS IAM role that will be created.
AllowedPattern: '^[a-zA-Z0-9_+=,.@-]+$'
MaxLength: 64
Conditions:
IsRegionUs2: !Equals
- Ref: CoralogixRegionAlias
- us2
IsCustomAccount: !Not
- !Equals
- Ref: CustomCoralogixAccount
- ''

Resources:
CoralogixSIEMManagementRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !Sub
- 'arn:aws:iam::${aws_account_id}:role/siem-service'
- aws_account_id: !If
- IsCustomAccount
- !Ref CustomCoralogixAccount
- !If
- IsRegionUs2
- '739076534691'
- '625240141681'
Action: sts:AssumeRole
Policies:
- PolicyName: CoralogixSIEMManagementRolePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "organizations:ListAccounts"
Resource: "*"
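Review bot: `RoleName` says "Don't change it!" but has no `Default`, so the user has to type the value anyway; either set the agreed name as the default or reword the description to say which value it must match. The `custom` alias fallback is the same as in the execution template: with `CustomCoralogixAccount` empty, `IsCustomAccount` is false and the trust silently lands on `625240141681`; a `Rules` assertion tying `custom` to a non-empty 12-digit account ID would catch this at deploy time, and an `sts:ExternalId` condition on the assume-role statement deserves the same consideration here. Style: a blank line before `Conditions:` would match the rest of the file.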