Add support in org scenario

Author: lorenzo-merici

templates_cloudlogs/OrgCloudLogs.yaml

@@ -1,9 +1,7 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: >
   CloudFormation organizational template for provisioning
-  the necessary resources for the `cloud-logs`
-  component and the read-only role required to itneract with
-  the target organizational environment.
+  the necessary resources for the `cloud-logs` component and the read-only role required to interact with the target organizational environment.
 
 Metadata:
   AWS::CloudFormation::Interface:
@@ -16,6 +14,9 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
+          - CreateTopic
+          - TopicARN
+          - Endpoint
 
     ParameterLabels:
       CSPMRoleName:
@@ -28,23 +29,44 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
+      CreateTopic:
+        default: "Create SNS Topic"
+      TopicARN:
+        default: "SNS Topic ARN"
+      Endpoint:
+        default: "Sysdig Secure endpoint"
 
 Parameters:
   CSPMRoleName:
     Type: String
     Description: The name of the read-only IAM Role that Sysdig will use to interact with the target environment
   CloudLogsRoleName:
     Type: String
-    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
+    Description: The name of the IAM Role that will enable access to the CloudTrail logs.
   ExternalID:
     Type: String
     Description: Random string generated unique to a customer.
   TrustedIdentity:
     Type: String
-    Description: The name of Sysdig trusted identity.
+    Description: The name of Sysdig's trusted identity.
   BucketARN:
     Type: String
-    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
+    Description: The ARN of your S3 bucket associated with your CloudTrail trail.
+  CreateTopic:
+    Type: String
+    AllowedValues:
+      - "true"
+      - "false"
+    Default: "false"
+    Description: "Whether to create a new SNS Topic for CloudTrail notifications."
+  TopicARN:
+    Type: String
+    Default: ""
+    Description: "The ARN of an existing SNS Topic. If CreateTopic is true, this will be used as the name of the new topic."
+  Endpoint:
+    Type: String
+    Default: ""
+    Description: "Sysdig Secure endpoint to receive CloudTrail notifications."
 
 Resources:
   CloudLogsRole:
@@ -62,6 +84,7 @@ Resources:
             Condition:
               StringEquals:
                 "sts:ExternalId": !Ref ExternalID
+
   CloudLogsRolePolicies:
     Type: "AWS::IAM::Policy"
     Properties:
@@ -84,7 +107,8 @@ Resources:
               - !Sub '${BucketARN}'
               - !Sub '${BucketARN}/*'
       Roles:
-        - Ref: "CloudLogsRole"
+        - !Ref CloudLogsRole
+
   CloudAgentlessRole:
     Type: "AWS::IAM::Role"
     Properties:
@@ -101,3 +125,44 @@ Resources:
                 sts:ExternalId: !Ref ExternalID
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/SecurityAudit
+
+  CloudTrailNotificationsTopic:
+    Condition: CreateSNSTopic
+    Type: "AWS::SNS::Topic"
+    Properties:
+      TopicName: !Select [ 5, !Split [ ":", !Ref TopicARN ] ]
+
+  CloudTrailNotificationsSubscription:
+    Type: "AWS::SNS::Subscription"
+    Properties:
+      TopicArn: !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
+      Protocol: "https"
+      Endpoint: !Ref Endpoint
+
+  CloudTrailNotificationsPolicy:
+    Condition: CreateSNSTopic
+    Type: "AWS::SNS::TopicPolicy"
+    Properties:
+      Topics:
+        - !Ref CloudTrailNotificationsTopic
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: "AllowCloudTrailPublish"
+            Effect: "Allow"
+            Principal:
+              Service: "cloudtrail.amazonaws.com"
+            Action: "SNS:Publish"
+            Resource: !Ref CloudTrailNotificationsTopic
+
+Conditions:
+  CreateSNSTopic: !Equals [!Ref CreateTopic, "true"]
+
+Outputs:
+  RoleARN:
+    Description: "The ARN of the IAM Role created for CloudTrail logs."
+    Value: !GetAtt CloudLogsRole.Arn
+
+  TopicARN:
+    Description: "The ARN of the SNS Topic created for CloudTrail notifications."
+    Value: !If [CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN]