api dest cfts

Author: matteopasa

templates_eventbridge_api_dest/EventBridgeApiDest.yaml

@@ -0,0 +1,159 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure via API Destination
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "Sysdig Settings (Do not change)"
+        Parameters:
+          - EventBridgeRoleName
+          - ExternalID
+          - TrustedIdentity
+          - ApiKey
+          - IngestionUrl
+          - RateLimit
+          - EventBridgeState
+          - EventBridgeEventPattern
+
+    ParameterLabels:
+      ExternalID:
+        default: "External ID (Sysdig use only)"
+      TrustedIdentity:
+        default: "Trusted Identity (Sysdig use only)"
+      ApiKey:
+        default: "API Key (Sysdig use only)"
+      IngestionUrl:
+        default: "Ingestion URL (Sysdig use only)"
+      RateLimit:
+        default: "Rate Limit (Sysdig use only)"
+      EventBridgeRoleName:
+        default: "Integration Name (Sysdig use only)"
+      EventBridgeState:
+        default: "State of the EventBridge Rule (Sysdig use only)"
+      EventBridgeEventPattern:
+        default: "Event Pattern (Sysdig use only)"
+
+Parameters:
+  EventBridgeRoleName:
+    Type: String
+    Description: A unique identifier used to create an IAM Role and EventBridge Rule
+  ExternalID:
+    Type: String
+    Description: Sysdig ExternalID required for the policy creation
+  TrustedIdentity:
+    Type: String
+    Description: The Role in Sysdig's AWS Account with permissions to your account
+  ApiKey:
+    Type: String
+    Description: API key for Sysdig Secure authentication
+  IngestionUrl:
+    Type: String
+    Description: Sysdig Secure API ingestion URL
+  RateLimit:
+    Type: Number
+    Description: Maximum invocations per second for the API destination
+    Default: 300
+  EventBridgeState:
+    Type: String
+    Description: The state of the EventBridge Rule
+    Default: ENABLED
+    AllowedValues:
+      - ENABLED
+      - DISABLED
+  EventBridgeEventPattern:
+    Type: String
+    Description: JSON pattern for the EventBridge rule's event pattern
+    Default: |
+      {
+        "detail-type": [
+          "AWS API Call via CloudTrail",
+          "AWS Console Sign In via CloudTrail",
+          "AWS Service Event via CloudTrail",
+          "Object Access Tier Changed",
+          "Object ACL Updated",
+          "Object Created",
+          "Object Deleted",
+          "Object Restore Completed",
+          "Object Restore Expired",
+          "Object Restore Initiated",
+          "Object Storage Class Changed",
+          "Object Tags Added",
+          "Object Tags Deleted",
+          "GuardDuty Finding"
+        ]
+      }
+
+Resources:
+  EventBridgeConnection:
+    Type: AWS::Events::Connection
+    Properties:
+      Name: !Sub ${EventBridgeRoleName}-connection
+      AuthorizationType: API_KEY
+      AuthParameters:
+        ApiKey:
+          Key: X-Api-Key
+          Value: !Ref ApiKey
+
+  EventBridgeApiDestination:
+    Type: AWS::Events::ApiDestination
+    Properties:
+      Name: !Sub ${EventBridgeRoleName}-destination
+      ConnectionArn: !GetAtt EventBridgeConnection.Arn
+      InvocationEndpoint: !Ref IngestionUrl
+      HttpMethod: POST
+      InvocationRateLimitPerSecond: !Ref RateLimit
+
+  EventBridgeRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref EventBridgeRoleName
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: 'sts:AssumeRole'
+          - Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref ExternalID
+      Policies:
+        - PolicyName: !Ref EventBridgeRoleName
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: "InvokeApiDestination"
+                Effect: Allow
+                Action:
+                  - "events:InvokeApiDestination"
+                Resource:
+                  - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"
+              - Sid: "CloudTrailEventRuleAccess"
+                Effect: Allow
+                Action:
+                  - "events:DescribeRule"
+                  - "events:ListTargetsByRule"
+                Resource:
+                  - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}"
+              - Sid: "ValidationAccess"
+                Effect: Allow
+                Action:
+                  - "events:DescribeApiDestination"
+                  - "events:DescribeConnection"
+                Resource: "*"
+
+  EventBridgeRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Name: !Ref EventBridgeRoleName
+      Description: Capture all CloudTrail events for Sysdig Secure
+      EventPattern: !Ref EventBridgeEventPattern
+      State: !Ref EventBridgeState
+      Targets:
+        - Id: !Ref EventBridgeRoleName
+          Arn: !GetAtt EventBridgeApiDestination.Arn
+          RoleArn: !GetAtt EventBridgeRole.Arn

templates_eventbridge_api_dest/Makefile

@@ -0,0 +1,74 @@
+# requires AWS_PROFILE
+# bucket must exist, prefix will be created
+S3_BUCKET ?= "s4c-cft"
+S3_PREFIX ?= "test"
+# We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
+S3_REGION ?= "eu-west-1" # ireland
+SECURE_API_TOKEN ?= ""
+STACK_NAME = "EventBridgeApiDestTest"
+STACK_NAME_ORG = "OrgEventBridgeApiDestTest"
+
+.PHONY: packaged-template.yaml
+.PHONY: packaged-template-org.yaml
+
+validate:
+	aws cloudformation validate-template --template-body file://./EventBridgeApiDest.yaml
+	aws cloudformation validate-template --template-body file://./OrgEventBridgeApiDest.yaml
+
+lint:
+	cfn-lint *.yaml
+
+packaged-template.yaml:
+	aws s3 rm s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX) --recursive
+	aws cloudformation package \
+		--region $(S3_REGION) \
+		--template-file EventBridgeApiDest.yaml \
+		--s3-bucket $(S3_BUCKET) \
+		--s3-prefix event-bridge/single/$(S3_PREFIX) \
+		--force-upload \
+		--output-template-file packaged-template.yaml
+
+test: packaged-template.yaml
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME) \
+		--template-file packaged-template.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)" 
+
+ci: packaged-template.yaml
+	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX)/entry-point.yaml
+
+clean:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)
+
+packaged-template-org.yaml:
+	aws s3 rm s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX) --recursive
+	aws cloudformation package \
+		--region $(S3_REGION) \
+		--template-file OrgEventBridgeApiDest.yaml \
+		--s3-bucket $(S3_BUCKET) \
+		--s3-prefix event-bridge/$(S3_PREFIX) \
+		--force-upload \
+		--output-template-file packaged-template-org.yaml
+
+test-org: packaged-template-org.yaml
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME_ORG) \
+		--template-file packaged-template-org.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)" 
+
+ci-org: packaged-template-org.yaml
+	aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)/entry-point.yaml
+
+clean-org:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME_ORG)	
+	
+#
+# local-test-manual:
+# (have not found a way to do it via cli)
+# aws console > cloudformation > create new stack (template, upload template: select ./templates_ecs/Cloudvision.yaml)
+# note: this will upload the template into an s3 bucket, remember to delete it afterwards 
+#