# Root template: creates the IAM roles and the CloudFormation StackSets that
# install EventBridge rules forwarding CloudTrail events to a Sysdig-owned
# event bus, either in this account only or across an AWS Organization.
AWSTemplateFormatVersion: "2010-09-09"
Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure
Metadata:
  # Console-only presentation: groups the parameters and gives them
  # human-readable labels. Nothing here affects what gets deployed.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      # Unlabelled group: the one value an operator is expected to tune.
      - Label:
          default: ''
        Parameters:
          - RuleEventPattern
      # Values filled in by Sysdig during onboarding.
      - Label:
          default: 'Sysdig Settings (Do not change)'
        Parameters:
          - NameSuffix
          - ExternalID
          - TrustedIdentity
          - TargetEventBusARN
          - Regions
          - RuleState
          - IsOrganizational
          - OrganizationalUnitIDs
          - Partition
    ParameterLabels:
      NameSuffix:
        default: Name Suffix
      ExternalID:
        default: External ID
      TrustedIdentity:
        default: Trusted Identity
      TargetEventBusARN:
        default: Target Event Bus
      Regions:
        default: Instrumented Regions
      RuleState:
        default: EventBridge Rule state
      RuleEventPattern:
        default: EventBridge Rule event pattern
      IsOrganizational:
        default: Is Organizational
      OrganizationalUnitIDs:
        default: Organizational Unit IDs
      Partition:
        default: AWS Partition
Parameters:
  # Appended to every resource name so several installs can coexist.
  # Together with Min/MaxLength the pattern admits 4-8 lowercase
  # alphanumerics only.
  NameSuffix:
    Type: String
    Description: Suffix to append to the resource name identifiers
    AllowedPattern: '[0-9a-z]+'
    MaxLength: 8
    MinLength: 4
  # Compared by the sts:ExternalId condition on the EventBridgeRole trust
  # policy; it is what stops an unrelated Sysdig tenant from assuming the
  # role, so treat it as sensitive in logs and version control.
  ExternalID:
    Type: String
    Description: Sysdig assigned token that proves you own this account
  # Sysdig-side principal that is allowed to assume EventBridgeRole.
  TrustedIdentity:
    Type: String
    Description: The Role in Sysdig's AWS Account with permissions to your account
  # Only event bus the role may PutEvents to.
  TargetEventBusARN:
    Type: String
    Description: The destination in Sysdig's AWS account where your events are sent
  Regions:
    Type: CommaDelimitedList
    Description: Comma separated list of regions to monitor with EventBridge
  # Consumed only by the organization StackSets (IsOrganizational = 'true'),
  # but it has no Default, so CloudFormation still requires a value.
  OrganizationalUnitIDs:
    Type: CommaDelimitedList
    Description: Comma separated list of organizational unit IDs to deploy
  RuleState:
    Type: String
    Description: The state of the EventBridge Rule
    Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
    AllowedValues:
      - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
      - ENABLED
      - DISABLED
  # Default pattern covers CloudTrail API/sign-in/service events, the S3
  # object-level event types and GuardDuty findings. The literal block
  # scalar keeps the JSON verbatim.
  RuleEventPattern:
    Type: String
    Description: JSON pattern for the EventBridge rule's event pattern
    Default: |
      {
        "detail-type": [
          "AWS API Call via CloudTrail",
          "AWS Console Sign In via CloudTrail",
          "AWS Service Event via CloudTrail",
          "Object Access Tier Changed",
          "Object ACL Updated",
          "Object Created",
          "Object Deleted",
          "Object Restore Completed",
          "Object Restore Expired",
          "Object Restore Initiated",
          "Object Storage Class Changed",
          "Object Tags Added",
          "Object Tags Deleted",
          "GuardDuty Finding"
        ]
      }
  # Kept as a quoted string (not a YAML boolean) because the
  # IsOrganizational condition compares it with the string 'true'.
  IsOrganizational:
    Type: String
    Description: Install into an organization
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
  # Partition prefix used in every ARN built below (e.g. aws, aws-cn).
  Partition:
    Type: String
    Description: AWS Partition of your account or organization to create resources in
    Default: 'aws'
Conditions:
  # True only when the operator opted into the organization-wide install;
  # gates the two SERVICE_MANAGED StackSets.
  IsOrganizational: !Equals [!Ref IsOrganizational, 'true']
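Resources:
  # Administration role for the SELF_MANAGED StackSet below: CloudFormation
  # assumes it, and it in turn assumes the execution role in this account.
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub sysdig-secure-events-stackset-administration-${NameSuffix}
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Sub sysdig-secure-events-stackset-execution-${NameSuffix}
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                # An IAM role ARN carries the account ID in its fourth field.
                # The previous value left it empty (iam:::role/...), which
                # matches no real role and made this statement ineffective.
                Resource:
                  - !Sub arn:${Partition}:iam::${AWS::AccountId}:role/sysdig-secure-events-stackset-execution-${NameSuffix}

  # Execution role the StackSet operation uses to create the nested stack in
  # this account. Both managed policies are "FullAccess" grants, far wider
  # than the single EventBridge rule the nested template creates; a scoped
  # inline policy would be the least-privilege alternative.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub sysdig-secure-events-stackset-execution-${NameSuffix}
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # NOTE(review): trusts the administration role by its unique
              # principal ID (RoleId) rather than its ARN
              # (!GetAtt AdministrationRole.Arn). Left unchanged; confirm
              # which form the existing deployments rely on before switching.
              AWS:
                - !GetAtt AdministrationRole.RoleId
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
        - !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess

  # Role used by the EventBridge rule target to put events on Sysdig's bus,
  # and assumable by Sysdig's TrustedIdentity only when the caller presents
  # the matching ExternalID (confused-deputy guard).
  EventBridgeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub sysdig-secure-events-${NameSuffix}
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !Ref TrustedIdentity
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalID
      Policies:
        - PolicyName: !Sub sysdig-secure-events-${NameSuffix}
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Delivery is limited to the one Sysdig bus.
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Ref TargetEventBusARN
              # Read-only inspection of this deployment's rule, any region.
              - Effect: Allow
                Action:
                  - events:DescribeRule
                  - events:ListTargetsByRule
                Resource:
                  - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}

  # Single-account install: one EventBridge rule per instrumented region,
  # deployed through a self-managed StackSet using the two roles above.
  EventBridgeRuleStackSet:
    Type: AWS::CloudFormation::StackSet
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            # Suppresses the lint warning about the explicit DependsOn below.
            - W3005
    DependsOn:
      - ExecutionRole
      - AdministrationRole
      - EventBridgeRole
    Properties:
      StackSetName: !Sub sysdig-secure-events-rules-${NameSuffix}
      AdministrationRoleARN: !GetAtt AdministrationRole.Arn
      ExecutionRoleName: !Ref ExecutionRole
      Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure
      PermissionModel: SELF_MANAGED
      ManagedExecution:
        Active: true
      Capabilities:
        - CAPABILITY_NAMED_IAM
      OperationPreferences:
        MaxConcurrentPercentage: 100
        FailureTolerancePercentage: 90
        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
        RegionConcurrencyType: PARALLEL
      Parameters:
        - ParameterKey: Name
          ParameterValue: !Sub sysdig-secure-events-${NameSuffix}
        - ParameterKey: TargetEventBusARN
          ParameterValue: !Ref TargetEventBusARN
        - ParameterKey: RuleState
          ParameterValue: !Ref RuleState
        - ParameterKey: RuleEventPattern
          ParameterValue: !Ref RuleEventPattern
        - ParameterKey: Partition
          ParameterValue: !Ref Partition
      StackInstancesGroup:
        - DeploymentTargets:
            Accounts:
              - !Ref AWS::AccountId
          Regions: !Ref Regions
      # Nested template, passed as a literal string: the intrinsic tags inside
      # it are resolved by the nested stack, not by this template.
      TemplateBody: |
        AWSTemplateFormatVersion: "2010-09-09"
        Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure
        Parameters:
          Name:
            Type: String
            Description: resource name identifier
          TargetEventBusARN:
            Type: String
            Description: The destination in Sysdig's AWS account where your events are sent
          RuleState:
            Type: String
            Description: The state of the EventBridge Rule
            Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
            AllowedValues:
              - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
              - ENABLED
              - DISABLED
          RuleEventPattern:
            Type: String
            Description: JSON pattern for the EventBridge rule's event pattern
          Partition:
            Type: String
            Description: AWS Partition of your account or organization to create resources in
        Resources:
          EventBridgeRule:
            Type: AWS::Events::Rule
            Properties:
              Name: !Ref Name
              Description: Capture all CloudTrail events
              EventPattern: !Ref RuleEventPattern
              State: !Ref RuleState
              Targets:
                - Id: !Ref Name
                  Arn: !Ref TargetEventBusARN
                  RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"

  # Organization install, step 1: the forwarding role in every account under
  # the given OUs, deployed to the stack's own region only. Same trust and
  # permission shape as EventBridgeRole above.
  OrganizationRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    Condition: IsOrganizational
    Properties:
      StackSetName: !Sub sysdig-secure-events-organization-roles-${NameSuffix}
      Description: IAM Role used to forward CloudTrail logs to Sysdig Secure
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      ManagedExecution:
        Active: true
      OperationPreferences:
        MaxConcurrentPercentage: 100
        FailureTolerancePercentage: 90
        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
      Parameters:
        - ParameterKey: Name
          ParameterValue: !Sub sysdig-secure-events-${NameSuffix}
        - ParameterKey: TrustedIdentity
          ParameterValue: !Ref TrustedIdentity
        - ParameterKey: ExternalID
          ParameterValue: !Ref ExternalID
        - ParameterKey: TargetEventBusARN
          ParameterValue: !Ref TargetEventBusARN
        - ParameterKey: Partition
          ParameterValue: !Ref Partition
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref OrganizationalUnitIDs
          Regions: [!Ref "AWS::Region"]
      TemplateBody: |
        AWSTemplateFormatVersion: "2010-09-09"
        Description: IAM Role used to forward CloudTrail logs to Sysdig Secure
        Parameters:
          TrustedIdentity:
            Type: String
            Description: The Role in Sysdig's AWS Account with permissions to your account
          ExternalID:
            Type: String
            Description: Sysdig ExternalID required for the policy creation
          Name:
            Type: String
            Description: A unique identifier used to create and reference resources
          TargetEventBusARN:
            Type: String
            Description: The destination in Sysdig's AWS account where your events are sent
          Partition:
            Type: String
            Description: AWS Partition of your account or organization to create resources in
        Resources:
          EventBridgeRole:
            Type: AWS::IAM::Role
            Properties:
              RoleName: !Ref Name
              AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      Service: events.amazonaws.com
                    Action: sts:AssumeRole
                  - Effect: Allow
                    Principal:
                      AWS: !Ref TrustedIdentity
                    Action: sts:AssumeRole
                    Condition:
                      StringEquals:
                        sts:ExternalId: !Ref ExternalID
              Policies:
                - PolicyName: !Ref Name
                  PolicyDocument:
                    Version: "2012-10-17"
                    Statement:
                      - Effect: Allow
                        Action: events:PutEvents
                        Resource: !Ref TargetEventBusARN
                      - Effect: Allow
                        Action:
                          - events:DescribeRule
                          - events:ListTargetsByRule
                        Resource:
                          - !Sub arn:${Partition}:events:*:*:rule/${Name}

  # Organization install, step 2: the EventBridge rule in every account and
  # instrumented region. Ordered after the role StackSet so the rule target's
  # RoleArn exists when the rule is created.
  OrganizationRuleStackSet:
    Type: AWS::CloudFormation::StackSet
    Condition: IsOrganizational
    DependsOn:
      - OrganizationRoleStackSet
    Properties:
      StackSetName: !Sub sysdig-secure-events-organization-rules-${NameSuffix}
      Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      ManagedExecution:
        Active: true
      OperationPreferences:
        MaxConcurrentPercentage: 100
        FailureTolerancePercentage: 90
        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
        RegionConcurrencyType: PARALLEL
      Parameters:
        - ParameterKey: Name
          ParameterValue: !Sub sysdig-secure-events-${NameSuffix}
        - ParameterKey: TargetEventBusARN
          ParameterValue: !Ref TargetEventBusARN
        - ParameterKey: RuleState
          ParameterValue: !Ref RuleState
        - ParameterKey: RuleEventPattern
          ParameterValue: !Ref RuleEventPattern
        - ParameterKey: Partition
          ParameterValue: !Ref Partition
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref OrganizationalUnitIDs
          Regions: !Ref Regions
      TemplateBody: |
        AWSTemplateFormatVersion: "2010-09-09"
        Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure
        Parameters:
          Name:
            Type: String
            Description: A unique identifier used to create and reference resources
          TargetEventBusARN:
            Type: String
            Description: The destination in Sysdig's AWS account where your events are sent
          RuleState:
            Type: String
            Description: The state of the EventBridge Rule
            Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
            AllowedValues:
              - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
              - ENABLED
              - DISABLED
          RuleEventPattern:
            Type: String
            Description: JSON pattern for the EventBridge rule's event pattern
          Partition:
            Type: String
            Description: AWS Partition of your account or organization to create resources in
        Resources:
          EventBridgeRule:
            Type: AWS::Events::Rule
            Properties:
              Name: !Ref Name
              Description: Capture all CloudTrail events
              EventPattern: !Ref RuleEventPattern
              State: !Ref RuleState
              Targets:
                - Id: !Ref Name
                  Arn: !Ref TargetEventBusARN
                  RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"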
Outputs:
  # ARN of the role that Sysdig's TrustedIdentity assumes (with the
  # ExternalID) to inspect the rule; handed back to Sysdig after deployment.
  EventBridgeRoleARN:
    Description: Sysdig Secure EventBridge Role ARN
    Value: !GetAtt EventBridgeRole.Arn