|
| 1 | +{ |
| 2 | + "AWSTemplateFormatVersion": "2010-09-09", |
| 3 | + "Description": "This stack integrates Microsoft Sentinel with AWS Route 53 Resolver Query Logs by creating an IAM role, S3 bucket, and SQS queue.", |
| 4 | + "Parameters": { |
| 5 | + "QueryLogConfigName": { |
| 6 | + "Type": "String", |
| 7 | + "Default": "SentinelRoute53QueryLogConfig", |
| 8 | + "Description": "Name for the Route 53 Resolver Query Logging Configuration" |
| 9 | + }, |
| 10 | + "VpcId": { |
| 11 | + "Type": "AWS::EC2::VPC::Id", |
| 12 | + "Description": "VPC to associate with Route53 Resolver Query Log Config" |
| 13 | + }, |
| 14 | + "AwsRoleName": { |
| 15 | + "Type": "String", |
| 16 | + "Description": "Enter the ARN name for the role. The name must start with 'OIDC_', otherwise the connector will not function properly.", |
| 17 | + "AllowedPattern": "OIDC_[-_a-zA-Z0-9]+", |
| 18 | + "Default": "OIDC_MicrosoftSentinelRoute53Role" |
| 19 | + }, |
| 20 | + "BucketName": { |
| 21 | + "Type": "String", |
| 22 | + "AllowedPattern": "^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$", |
| 23 | + "Description": "Enter the name of the S3 bucket for storing Route 53 query logs.", |
| 24 | + "Default": "microsoft-sentinel-rout53-logs" |
| 25 | + }, |
| 26 | + "SentinelSQSQueueName": { |
| 27 | + "Type": "String", |
| 28 | + "Default": "MicrosoftSentinelRoute53Sqs", |
| 29 | + "Description": "Enter the name for the SQS Queue." |
| 30 | + }, |
| 31 | + "SentinelWorkspaceId": { |
| 32 | + "Type": "String", |
| 33 | + "Description": "Enter the Microsoft Sentinel Workspace ID" |
| 34 | + }, |
| 35 | + "CreateNewBucket": { |
| 36 | + "Type": "String", |
| 37 | + "AllowedValues": [ |
| 38 | + "true", |
| 39 | + "false" |
| 40 | + ], |
| 41 | + "Default": "true", |
| 42 | + "Description": "Set to 'false' to use an existing S3 Bucket." |
| 43 | + } |
| 44 | + }, |
| 45 | + "Conditions": { |
| 46 | + "CreateNewBucketCondition": { |
| 47 | + "Fn::Equals": [ |
| 48 | + { |
| 49 | + "Ref": "CreateNewBucket" |
| 50 | + }, |
| 51 | + "true" |
| 52 | + ] |
| 53 | + } |
| 54 | + }, |
| 55 | + "Resources": { |
| 56 | + "SentinelWebIdentityBasedRole": { |
| 57 | + "Type": "AWS::IAM::Role", |
| 58 | + "Properties": { |
| 59 | + "RoleName": { |
| 60 | + "Ref": "AwsRoleName" |
| 61 | + }, |
| 62 | + "AssumeRolePolicyDocument": { |
| 63 | + "Fn::Sub": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"Federated\": \"arn:aws:iam::${AWS::AccountId}:oidc-provider/sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/\"},\"Action\": \"sts:AssumeRoleWithWebIdentity\",\"Condition\": {\"StringEquals\": {\"sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/:aud\": \"api://1462b192-27f7-4cb9-8523-0f4ecb54b47e\",\"sts:RoleSessionName\": \"MicrosoftSentinel_${SentinelWorkspaceId}\"}}}]}" |
| 64 | + }, |
| 65 | + "Policies": [ |
| 66 | + { |
| 67 | + "PolicyName": "Route53QueryLogsPolicy", |
| 68 | + "PolicyDocument": { |
| 69 | + "Version": "2012-10-17", |
| 70 | + "Statement": [ |
| 71 | + { |
| 72 | + "Sid": "ReadS3QueryLogs", |
| 73 | + "Action": [ |
| 74 | + "s3:GetObject" |
| 75 | + ], |
| 76 | + "Resource": { |
| 77 | + "Fn::Sub": "arn:aws:s3:::${BucketName}/*" |
| 78 | + }, |
| 79 | + "Effect": "Allow" |
| 80 | + } |
| 81 | + ] |
| 82 | + } |
| 83 | + } |
| 84 | + ] |
| 85 | + } |
| 86 | + }, |
| 87 | + "S3Bucket": { |
| 88 | + "Type": "AWS::S3::Bucket", |
| 89 | + "Condition": "CreateNewBucketCondition", |
| 90 | + "DeletionPolicy": "Retain", |
| 91 | + "Properties": { |
| 92 | + "BucketName": { |
| 93 | + "Ref": "BucketName" |
| 94 | + }, |
| 95 | + "NotificationConfiguration": { |
| 96 | + "QueueConfigurations": [ |
| 97 | + { |
| 98 | + "Queue": { |
| 99 | + "Fn::GetAtt": [ |
| 100 | + "SentinelSQSQueue", |
| 101 | + "Arn" |
| 102 | + ] |
| 103 | + }, |
| 104 | + "Event": "s3:ObjectCreated:*", |
| 105 | + "Filter": { |
| 106 | + "S3Key": { |
| 107 | + "Rules": [ |
| 108 | + { |
| 109 | + "Name": "prefix", |
| 110 | + "Value": { |
| 111 | + "Fn::Sub": "AWSLogs/${AWS::AccountId}/vpcdnsquerylogs/" |
| 112 | + } |
| 113 | + }, |
| 114 | + { |
| 115 | + "Name": "suffix", |
| 116 | + "Value": ".gz" |
| 117 | + } |
| 118 | + ] |
| 119 | + } |
| 120 | + } |
| 121 | + } |
| 122 | + ] |
| 123 | + } |
| 124 | + } |
| 125 | + }, |
| 126 | + "S3BucketPolicy": { |
| 127 | + "Type": "AWS::S3::BucketPolicy", |
| 128 | + "Properties": { |
| 129 | + "Bucket": { |
| 130 | + "Ref": "BucketName" |
| 131 | + }, |
| 132 | + "PolicyDocument": { |
| 133 | + "Version": "2012-10-17", |
| 134 | + "Statement": [ |
| 135 | + { |
| 136 | + "Sid": "AWSLogDeliveryWrite", |
| 137 | + "Effect": "Allow", |
| 138 | + "Principal": { |
| 139 | + "Service": "delivery.logs.amazonaws.com" |
| 140 | + }, |
| 141 | + "Action": "s3:PutObject", |
| 142 | + "Resource": { |
| 143 | + "Fn::Sub": "arn:aws:s3:::${BucketName}/AWSLogs/${AWS::AccountId}/*" |
| 144 | + }, |
| 145 | + "Condition": { |
| 146 | + "StringEquals": { |
| 147 | + "s3:x-amz-acl": "bucket-owner-full-control", |
| 148 | + "aws:SourceAccount": [ |
| 149 | + { |
| 150 | + "Fn::Sub": "${AWS::AccountId}" |
| 151 | + } |
| 152 | + ] |
| 153 | + }, |
| 154 | + "ArnLike": { |
| 155 | + "aws:SourceArn": { |
| 156 | + "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" |
| 157 | + } |
| 158 | + } |
| 159 | + } |
| 160 | + }, |
| 161 | + { |
| 162 | + "Sid": "AllowArnReadAccess", |
| 163 | + "Effect": "Allow", |
| 164 | + "Principal": { |
| 165 | + "AWS": { |
| 166 | + "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AwsRoleName}" |
| 167 | + } |
| 168 | + }, |
| 169 | + "Action": "s3:GetObject", |
| 170 | + "Resource": { |
| 171 | + "Fn::Sub": "arn:${AWS::Partition}:s3:::${BucketName}/*" |
| 172 | + } |
| 173 | + } |
| 174 | + ] |
| 175 | + } |
| 176 | + } |
| 177 | + }, |
| 178 | + "Route53ResolverQueryLogConfig": { |
| 179 | + "Type": "AWS::Route53Resolver::ResolverQueryLoggingConfig", |
| 180 | + "Condition": "CreateNewBucketCondition", |
| 181 | + "DependsOn": "S3Bucket", |
| 182 | + "Properties": { |
| 183 | + "Name": { |
| 184 | + "Ref": "QueryLogConfigName" |
| 185 | + }, |
| 186 | + "DestinationArn": { |
| 187 | + "Fn::Sub": "arn:aws:s3:::${BucketName}" |
| 188 | + } |
| 189 | + } |
| 190 | + }, |
| 191 | + "Route53ResolverQueryLogConfigAssociation": { |
| 192 | + "Type": "AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation", |
| 193 | + "Condition": "CreateNewBucketCondition", |
| 194 | + "DependsOn": [ |
| 195 | + "Route53ResolverQueryLogConfig", |
| 196 | + "S3Bucket" |
| 197 | + ], |
| 198 | + "Properties": { |
| 199 | + "ResolverQueryLogConfigId": { |
| 200 | + "Ref": "Route53ResolverQueryLogConfig" |
| 201 | + }, |
| 202 | + "ResourceId": { |
| 203 | + "Ref": "VpcId" |
| 204 | + } |
| 205 | + } |
| 206 | + }, |
| 207 | + "SentinelSQSQueue": { |
| 208 | + "Type": "AWS::SQS::Queue", |
| 209 | + "Properties": { |
| 210 | + "QueueName": { |
| 211 | + "Fn::Sub": "${SentinelSQSQueueName}-${BucketName}" |
| 212 | + }, |
| 213 | + "Tags": [ |
| 214 | + { |
| 215 | + "Key": "Bucket", |
| 216 | + "Value": { |
| 217 | + "Ref": "BucketName" |
| 218 | + } |
| 219 | + } |
| 220 | + ] |
| 221 | + } |
| 222 | + }, |
| 223 | + "SentinelSQSQueuePolicyForS3": { |
| 224 | + "Type": "AWS::SQS::QueuePolicy", |
| 225 | + "Properties": { |
| 226 | + "PolicyDocument": { |
| 227 | + "Statement": [ |
| 228 | + { |
| 229 | + "Sid": "Allow S3 to send notification messages to SQS queue", |
| 230 | + "Action": [ |
| 231 | + "SQS:SendMessage" |
| 232 | + ], |
| 233 | + "Effect": "Allow", |
| 234 | + "Resource": { |
| 235 | + "Fn::GetAtt": [ |
| 236 | + "SentinelSQSQueue", |
| 237 | + "Arn" |
| 238 | + ] |
| 239 | + }, |
| 240 | + "Principal": { |
| 241 | + "Service": [ |
| 242 | + "s3.amazonaws.com" |
| 243 | + ] |
| 244 | + }, |
| 245 | + "Condition": { |
| 246 | + "StringEquals": { |
| 247 | + "aws:SourceAccount": { |
| 248 | + "Fn::Sub": "${AWS::AccountId}" |
| 249 | + } |
| 250 | + }, |
| 251 | + "ArnLike": { |
| 252 | + "aws:SourceArn": { |
| 253 | + "Fn::Sub": "arn:${AWS::Partition}:s3:*:*:${BucketName}" |
| 254 | + } |
| 255 | + } |
| 256 | + } |
| 257 | + }, |
| 258 | + { |
| 259 | + "Sid": "Allow Assumed role to read/delete/change visibility of SQS messages and get queue url.", |
| 260 | + "Action": [ |
| 261 | + "SQS:ChangeMessageVisibility", |
| 262 | + "SQS:DeleteMessage", |
| 263 | + "SQS:ReceiveMessage", |
| 264 | + "SQS:GetQueueUrl" |
| 265 | + ], |
| 266 | + "Effect": "Allow", |
| 267 | + "Resource": { |
| 268 | + "Fn::GetAtt": [ |
| 269 | + "SentinelSQSQueue", |
| 270 | + "Arn" |
| 271 | + ] |
| 272 | + }, |
| 273 | + "Principal": { |
| 274 | + "AWS": [ |
| 275 | + { |
| 276 | + "Fn::GetAtt": [ |
| 277 | + "SentinelWebIdentityBasedRole", |
| 278 | + "Arn" |
| 279 | + ] |
| 280 | + } |
| 281 | + ] |
| 282 | + } |
| 283 | + } |
| 284 | + ] |
| 285 | + }, |
| 286 | + "Queues": [ |
| 287 | + { |
| 288 | + "Ref": "SentinelSQSQueue" |
| 289 | + } |
| 290 | + ] |
| 291 | + } |
| 292 | + } |
| 293 | + }, |
| 294 | + "Outputs": { |
| 295 | + "SentinelRoleArn": { |
| 296 | + "Value": { |
| 297 | + "Fn::GetAtt": [ |
| 298 | + "SentinelWebIdentityBasedRole", |
| 299 | + "Arn" |
| 300 | + ] |
| 301 | + }, |
| 302 | + "Description": "Role ARN for Sentinel Role that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal." |
| 303 | + }, |
| 304 | + "SentinelSQSQueueURL": { |
| 305 | + "Description": "AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.", |
| 306 | + "Value": { |
| 307 | + "Ref": "SentinelSQSQueue" |
| 308 | + } |
| 309 | + }, |
| 310 | + "SentinelSQSQueueArn": { |
| 311 | + "Description": "Log destination ARN to be used when setting up other accounts to exports logs", |
| 312 | + "Value": { |
| 313 | + "Fn::GetAtt": [ |
| 314 | + "SentinelSQSQueue", |
| 315 | + "Arn" |
| 316 | + ] |
| 317 | + } |
| 318 | + }, |
| 319 | + "SentinelSQSQueueName": { |
| 320 | + "Description": "SQS Name", |
| 321 | + "Value": { |
| 322 | + "Fn::GetAtt": [ |
| 323 | + "SentinelSQSQueue", |
| 324 | + "QueueName" |
| 325 | + ] |
| 326 | + } |
| 327 | + } |
| 328 | + } |
| 329 | +} |
0 commit comments