sysdiglabs
diff --git a/‎templates_eventbridge/EventBridge.yaml‎
Lines changed: 59 additions & 19 deletions b/‎templates_eventbridge/EventBridge.yaml‎
Lines changed: 59 additions & 19 deletions
diff --git a/‎templates_eventbridge/Makefile‎
Lines changed: 26 additions & 7 deletions b/‎templates_eventbridge/Makefile‎
Lines changed: 26 additions & 7 deletions
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: "2010-09-09"
-Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure
+Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure via API Destination
 
 Metadata:
   AWS::CloudFormation::Interface:
@@ -10,7 +10,9 @@ Metadata:
           - EventBridgeRoleName
           - ExternalID
           - TrustedIdentity
-          - EventBusARN
+          - ApiKey
+          - IngestionUrl
+          - RateLimit
           - EventBridgeState
           - EventBridgeEventPattern
 
@@ -19,8 +21,12 @@ Metadata:
         default: "External ID (Sysdig use only)"
       TrustedIdentity:
         default: "Trusted Identity (Sysdig use only)"
-      EventBusARN:
-        default: "Target Event Bus (Sysdig use only)"
+      ApiKey:
+        default: "API Key (Sysdig use only)"
+      IngestionUrl:
+        default: "Ingestion URL (Sysdig use only)"
+      RateLimit:
+        default: "Rate Limit (Sysdig use only)"
       EventBridgeRoleName:
         default: "Integration Name (Sysdig use only)"
       EventBridgeState:
@@ -38,15 +44,21 @@ Parameters:
   TrustedIdentity:
     Type: String
     Description: The Role in Sysdig's AWS Account with permissions to your account
-  EventBusARN:
+  ApiKey:
     Type: String
-    Description: The destination in Sysdig's AWS account where your events are sent
+    Description: API key for Sysdig Secure authentication
+  IngestionUrl:
+    Type: String
+    Description: Sysdig Secure API ingestion URL
+  RateLimit:
+    Type: Number
+    Description: Maximum invocations per second for the API destination
+    Default: 300
   EventBridgeState:
     Type: String
     Description: The state of the EventBridge Rule
-    Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
+    Default: ENABLED
     AllowedValues:
-      - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
       - ENABLED
       - DISABLED
   EventBridgeEventPattern:
@@ -73,6 +85,25 @@ Parameters:
       }
 
 Resources:
+  EventBridgeConnection:
+    Type: AWS::Events::Connection
+    Properties:
+      Name: !Sub ${EventBridgeRoleName}-connection
+      AuthorizationType: API_KEY
+      AuthParameters:
+        ApiKeyAuthParameters:
+          ApiKeyName: X-Api-Key
+          ApiKeyValue: !Ref ApiKey
+
+  EventBridgeApiDestination:
+    Type: AWS::Events::ApiDestination
+    Properties:
+      Name: !Sub ${EventBridgeRoleName}-destination
+      ConnectionArn: !GetAtt EventBridgeConnection.Arn
+      InvocationEndpoint: !Ref IngestionUrl
+      HttpMethod: POST
+      InvocationRateLimitPerSecond: !Ref RateLimit
+
   EventBridgeRole:
     Type: AWS::IAM::Role
     Properties:
@@ -89,31 +120,40 @@ Resources:
             Action: "sts:AssumeRole"
             Condition:
               StringEquals:
-                sts:ExternalId: !Ref ExternalID           
+                sts:ExternalId: !Ref ExternalID
       Policies:
         - PolicyName: !Ref EventBridgeRoleName
           PolicyDocument:
             Version: "2012-10-17"
             Statement:
-              - Effect: Allow
-                Action: 'events:PutEvents'
-                Resource: !Ref EventBusARN
-              - Effect: Allow
+              - Sid: "InvokeApiDestination"
+                Effect: Allow
+                Action:
+                  - "events:InvokeApiDestination"
+                Resource:
+                  - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"
+              - Sid: "CloudTrailEventRuleAccess"
+                Effect: Allow
                 Action:
                   - "events:DescribeRule"
                   - "events:ListTargetsByRule"
                 Resource:
-                  - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName}
+                  - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}"
+              - Sid: "ValidationAccess"
+                Effect: Allow
+                Action:
+                  - "events:DescribeApiDestination"
+                  - "events:DescribeConnection"
+                Resource: "*"
+
   EventBridgeRule:
     Type: AWS::Events::Rule
     Properties:
       Name: !Ref EventBridgeRoleName
-      Description: Capture all CloudTrail events
+      Description: Capture all CloudTrail events for Sysdig Secure
       EventPattern: !Ref EventBridgeEventPattern
       State: !Ref EventBridgeState
       Targets:
         - Id: !Ref EventBridgeRoleName
-          Arn: !Ref EventBusARN
-          RoleArn: !GetAtt
-            - EventBridgeRole
-            - Arn
+          Arn: !GetAtt EventBridgeApiDestination.Arn
+          RoleArn: !GetAtt EventBridgeRole.Arn
@@ -1,10 +1,10 @@
 # requires AWS_PROFILE
 # bucket must exist, prefix will be created
-S3_BUCKET ?= "s4c-cft"
+S3_BUCKET ?= "<your bucket>"
 S3_PREFIX ?= "test"
 # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
-S3_REGION ?= "eu-west-1" # ireland
-SECURE_API_TOKEN ?= ""
+S3_REGION ?= "us-east-1"
+SECURE_API_TOKEN ?= "<sysdig token>"
 STACK_NAME = "EventBridgeTest"
 STACK_NAME_ORG = "OrgEventBridgeTest"
 
@@ -30,11 +30,19 @@ packaged-template.yaml:
 
 test: packaged-template.yaml
 	aws cloudformation deploy \
-		--stack-name $(STACK_NAME) \
+		--stack-name "EventBridgeTest" \
 		--template-file packaged-template.yaml \
 		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
 		--parameter-overrides \
-			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)" 
+			"SysdigSecureAPIToken=<sysdig token>" \
+			"ApiKey=4ba93f30-c5d2-42e8-9319-c8d23a6b174d" \
+			"IngestionUrl=https://ingest-eu1.app.sysdig.com/api/events" \
+			"EventBridgeRoleName=SysdigEventBridgeIntegration" \
+			"ExternalID=bcacfba7093b0c5fce39ee8012272f07" \
+			"TrustedIdentity=arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role" \
+			"RateLimit=300" \
+			"EventBridgeState=ENABLED" \
+			"EventBridgeEventPattern={\"source\":[\"aws.cloudtrail\"]}"
 
 ci: packaged-template.yaml
 	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX)/entry-point.yaml
@@ -54,11 +62,22 @@ packaged-template-org.yaml:
 
 test-org: packaged-template-org.yaml
 	aws cloudformation deploy \
-		--stack-name $(STACK_NAME_ORG) \
+		--region "us-east-1" \
+		--stack-name "EventBridgeTest" \
 		--template-file packaged-template-org.yaml \
 		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
 		--parameter-overrides \
-			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)" 
+			"SysdigSecureAPIToken=<sysdig token>" \
+			"ApiKey=4ba93f30-c5d2-42e8-9319-c8d23a6b174d" \
+			"IngestionUrl=https://ingest-eu1.app.sysdig.com/api/events" \
+			"EventBridgeRoleName=SysdigEventBridgeIntegration" \
+			"ExternalID=bcacfba7093b0c5fce39ee8012272f07" \
+			"TrustedIdentity=arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role" \
+			"RateLimit=300" \
+			"OrganizationUnitIDs=ou-s212-x4xr99jl,ou-s212-c5n6dwzt,ou-s212-uihli2xi" \
+			"EventBridgeState=ENABLED" \
+			"EventBridgeEventPattern={\"source\":[\"aws.cloudtrail\"]}" \
+			"Regions=us-east-1,us-west-2"
 
 ci-org: packaged-template-org.yaml
 	aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)/entry-point.yaml