feat(volume_access): regional roles

Author: cgeers

modules/Makefile

@@ -26,9 +26,8 @@ lint:
 	yq '.Resources.EventBridgeRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 	yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 	yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
-	yq '.Resources.ScanningKmsKeyStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
-	yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
-	yq '.Resources.OrganizationKMSKeyStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
 
 publish:
 	aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml

modules/volume_access.cft.yaml

@@ -66,88 +66,7 @@ Conditions:
     - Ref: IsOrganizational
     - 'true'
 
-Resources:
-  ScanningRole:
-    Type: AWS::IAM::Role
-    Properties:
-      RoleName: !Sub sysdig-secure-scanning-${NameSuffix}
-      AssumeRolePolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-        - Effect: "Allow"
-          Principal:
-            AWS: !Ref TrustedIdentity
-          Action: "sts:AssumeRole"
-          Condition:
-            StringEquals:
-              sts:ExternalId: !Ref ExternalID
-      Policies:
-      - PolicyName: !Sub sysdig-secure-scanning-${NameSuffix}
-        PolicyDocument:
-          Version: "2012-10-17"
-          Statement:
-          - Sid: "Read"
-            Effect: "Allow"
-            Action: 
-            - "ec2:Describe*"
-            Resource: "*"
-          - Sid: "AllowKMSKeysListing"
-            Effect: "Allow"
-            Action:
-            - "kms:ListKeys"
-            - "kms:ListAliases"
-            - "kms:ListResourceTags"
-            Resource: "*"
-          - Sid: "AllowKMSEncryptDecrypt"
-            Effect: "Allow"
-            Action:
-            - "kms:DescribeKey"
-            - "kms:Encrypt"
-            - "kms:Decrypt"
-            - "kms:ReEncrypt*"
-            - "kms:GenerateDataKey*"
-            - "kms:CreateGrant"
-            Resource: "*"
-            Condition:
-              StringLike:
-                "kms:ViaService": "ec2.*.amazonaws.com"
-          - Sid: "CreateTaggedSnapshotFromVolume"
-            Effect: "Allow"
-            Action:
-            - "ec2:CreateSnapshot"
-            Resource: "*"
-          - Sid: "CopySnapshots"
-            Effect: "Allow"
-            Action:
-            - "ec2:CopySnapshot"
-            Resource: "*"
-          - Sid: "SnapshotTags"
-            Effect: "Allow"
-            Action:
-            - "ec2:CreateTags"
-            Resource: "*"
-            Condition:
-              StringEquals:
-                "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]
-                "aws:RequestTag/CreatedBy": "Sysdig"
-          - Sid: "ec2SnapshotShare"
-            Effect: "Allow"
-            Action:
-            - "ec2:ModifySnapshotAttribute"
-            Resource: "*"
-            Condition:
-              StringEqualsIgnoreCase:
-                "aws:ResourceTag/CreatedBy": "Sysdig"
-              StringEquals:
-                "ec2:Add/userId": !Ref ScanningAccountID
-          - Sid: "ec2SnapshotDelete"
-            Effect: "Allow"
-            Action:
-            - "ec2:DeleteSnapshot"
-            Resource: "*"
-            Condition:
-              StringEqualsIgnoreCase:
-                "aws:ResourceTag/CreatedBy": "Sysdig"    
+Resources:        
   AdministrationRole:
     Type: AWS::IAM::Role
     Properties:
@@ -186,10 +105,11 @@ Resources:
       ManagedPolicyArns:
       - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
       - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
-  ScanningKmsKeyStackSet:
+      - arn:aws:iam::aws:policy/IAMFullAccess
+  AccountStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
-      StackSetName: !Sub sysdig-secure-scanning-kms-${NameSuffix}
+      StackSetName: !Sub sysdig-secure-scanning-account-${NameSuffix}
       Description: "A CloudFormation template that creates a KMS key in the account where it is launched, and grants permissions to the specified IAM role"
       AdministrationRoleARN: !GetAtt AdministrationRole.Arn
       ExecutionRoleName: !Ref ExecutionRole
@@ -208,6 +128,10 @@ Resources:
         ParameterValue: !Ref NameSuffix
       - ParameterKey: ScanningAccountID
         ParameterValue: !Ref ScanningAccountID
+      - ParameterKey: TrustedIdentity
+        ParameterValue: !Ref TrustedIdentity
+      - ParameterKey: ExternalID
+        ParameterValue: !Ref ExternalID
       StackInstancesGroup:
       - DeploymentTargets:
           Accounts: 
@@ -226,7 +150,94 @@ Resources:
           ScanningAccountID:
             Type: String
             Description: The AWS Account ID of the Sysdig Scanning Account  
+          TrustedIdentity:
+            Type: String
+            Description: The Role in Sysdig's AWS Account with permissions to your account
+          ExternalID:
+            Type: String
+            Description: Sysdig assigned token that proves you own this account
         Resources:
+          ScanningRole:
+            Type: AWS::IAM::Role
+            Properties:
+              RoleName: !Sub sysdig-secure-scanning-${NameSuffix}-${AWS::Region}
+              AssumeRolePolicyDocument:
+                Version: "2012-10-17"
+                Statement:
+                - Effect: "Allow"
+                  Principal:
+                    AWS: !Ref TrustedIdentity
+                  Action: "sts:AssumeRole"
+                  Condition:
+                    StringEquals:
+                      sts:ExternalId: !Ref ExternalID
+              Policies:
+              - PolicyName: !Sub sysdig-secure-scanning-${NameSuffix}
+                PolicyDocument:
+                  Version: "2012-10-17"
+                  Statement:
+                  - Sid: "Read"
+                    Effect: "Allow"
+                    Action: 
+                    - "ec2:Describe*"
+                    Resource: "*"
+                  - Sid: "AllowKMSKeysListing"
+                    Effect: "Allow"
+                    Action:
+                    - "kms:ListKeys"
+                    - "kms:ListAliases"
+                    - "kms:ListResourceTags"
+                    Resource: "*"
+                  - Sid: "AllowKMSEncryptDecrypt"
+                    Effect: "Allow"
+                    Action:
+                    - "kms:DescribeKey"
+                    - "kms:Encrypt"
+                    - "kms:Decrypt"
+                    - "kms:ReEncrypt*"
+                    - "kms:GenerateDataKey*"
+                    - "kms:CreateGrant"
+                    Resource: "*"
+                    Condition:
+                      StringLike:
+                        "kms:ViaService": "ec2.*.amazonaws.com"
+                  - Sid: "CreateTaggedSnapshotFromVolume"
+                    Effect: "Allow"
+                    Action:
+                    - "ec2:CreateSnapshot"
+                    Resource: "*"
+                  - Sid: "CopySnapshots"
+                    Effect: "Allow"
+                    Action:
+                    - "ec2:CopySnapshot"
+                    Resource: "*"
+                  - Sid: "SnapshotTags"
+                    Effect: "Allow"
+                    Action:
+                    - "ec2:CreateTags"
+                    Resource: "*"
+                    Condition:
+                      StringEquals:
+                        "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]
+                        "aws:RequestTag/CreatedBy": "Sysdig"
+                  - Sid: "ec2SnapshotShare"
+                    Effect: "Allow"
+                    Action:
+                    - "ec2:ModifySnapshotAttribute"
+                    Resource: "*"
+                    Condition:
+                      StringEqualsIgnoreCase:
+                        "aws:ResourceTag/CreatedBy": "Sysdig"
+                      StringEquals:
+                        "ec2:Add/userId": !Ref ScanningAccountID
+                  - Sid: "ec2SnapshotDelete"
+                    Effect: "Allow"
+                    Action:
+                    - "ec2:DeleteSnapshot"
+                    Resource: "*"
+                    Condition:
+                      StringEqualsIgnoreCase:
+                        "aws:ResourceTag/CreatedBy": "Sysdig"
           ScanningKmsKey:
             Type: 'AWS::KMS::Key'
             Properties:
@@ -242,7 +253,7 @@ Resources:
                   Principal:
                     AWS:
                     - !Sub arn:aws:iam::${ScanningAccountID}:root
-                    - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-${NameSuffix}
+                    - !GetAtt ScanningRole.Arn
                   Action:
                   - "kms:Encrypt"
                   - "kms:Decrypt"
@@ -265,12 +276,12 @@ Resources:
             Properties:
               AliasName: !Sub alias/sysdig-secure-scanning-${NameSuffix}
               TargetKeyId: !Ref ScanningKmsKey
-  OrganizationRoleStackSet:
+  OrganizationStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
     Properties:
-      StackSetName: !Sub sysdig-secure-scanning-organization-roles-${NameSuffix}
-      Description: IAM Role used to create IAM roles scan organization accounts/regions
+      StackSetName: !Sub sysdig-secure-scanning-organization-${NameSuffix}
+      Description: Installs KMS key, alias, and IAM role for use with Sysdig Agentless Scanning
       PermissionModel: SERVICE_MANAGED
       Capabilities:
       - "CAPABILITY_NAMED_IAM"
@@ -283,6 +294,7 @@ Resources:
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 90
         ConcurrencyMode: SOFT_FAILURE_TOLERANCE
+        RegionConcurrencyType: PARALLEL
       Parameters:
       - ParameterKey: NameSuffix
         ParameterValue: !Ref NameSuffix
@@ -295,7 +307,7 @@ Resources:
       StackInstancesGroup:
       - DeploymentTargets:
           OrganizationalUnitIds: !Ref OrganizationalUnitIDs
-        Regions: [!Ref "AWS::Region"]
+        Regions: !Ref Regions
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"
         Description: IAM Role used by Sysdig Secure Vulnerability Scanning
@@ -319,7 +331,7 @@ Resources:
           ScanningRole:
             Type: AWS::IAM::Role
             Properties:
-              RoleName: !Sub sysdig-secure-scanning-${NameSuffix}
+              RoleName: !Sub sysdig-secure-scanning-${NameSuffix}-${AWS::Region}
               AssumeRolePolicyDocument:
                 Version: "2012-10-17"
                 Statement:
@@ -397,50 +409,6 @@ Resources:
                     Condition:
                       StringEqualsIgnoreCase:
                         "aws:ResourceTag/CreatedBy": "Sysdig" 
-  OrganizationKMSKeyStackSet:
-    Type: AWS::CloudFormation::StackSet
-    Condition: IsOrganizational
-    DependsOn: 
-    - OrganizationRoleStackSet
-    Properties:
-      StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
-      Description: IAM Role used to create KMS Keys to scan organization accounts/regions
-      PermissionModel: SERVICE_MANAGED
-      Capabilities:
-      - "CAPABILITY_NAMED_IAM"
-      AutoDeployment:
-        Enabled: true
-        RetainStacksOnAccountRemoval: false         
-      ManagedExecution:
-        Active: true        
-      OperationPreferences:
-        MaxConcurrentPercentage: 100
-        FailureTolerancePercentage: 90
-        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
-        RegionConcurrencyType: PARALLEL
-      Parameters:
-      - ParameterKey: NameSuffix
-        ParameterValue: !Ref NameSuffix
-      - ParameterKey: ScanningAccountID
-        ParameterValue: !Ref ScanningAccountID
-      StackInstancesGroup:
-      - DeploymentTargets:
-          OrganizationalUnitIds: !Ref OrganizationalUnitIDs
-        Regions: !Ref Regions
-      TemplateBody: |
-        AWSTemplateFormatVersion: "2010-09-09"
-        Description: "Template to create KMS Key and Alias for Sysdig Agentless Scanning"
-        Parameters: 
-          NameSuffix:
-            Type: String
-            Description: Suffix to append to the resource name identifiers
-            AllowedPattern: '[0-9a-z]+'
-            MaxLength: 8
-            MinLength: 4
-          ScanningAccountID:
-            Type: String
-            Description: The AWS Account ID of the Sysdig Scanning Account  
-        Resources:
           ScanningKmsKey:
             Type: 'AWS::KMS::Key'
             Properties:
@@ -456,7 +424,7 @@ Resources:
                   Principal:
                     AWS:
                     - !Sub arn:aws:iam::${ScanningAccountID}:root
-                    - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-${NameSuffix}
+                    - !GetAtt ScanningRole.Arn
                   Action:
                   - "kms:Encrypt"
                   - "kms:Decrypt"

modules/volume_access.components.json

@@ -6,7 +6,8 @@
         "aws": {
             "roleName": "sysdig-secure-scanning-{{NameSuffix}}"
         }
-    }
+    },
+    "version": "v0.2.0"
   },
   {
     "type": "COMPONENT_CRYPTO_KEY",