update org cspm eb

matteopasa · matteopasa · commit f3fd29d2f5a1 · 2025-03-25T12:23:59.000+01:00
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -11,7 +11,9 @@ Metadata:
           - EventBridgeRoleName
           - ExternalID
           - TrustedIdentity
-          - EventBusARN
+          - ApiKey
+          - IngestionUrl
+          - RateLimit
           - Regions
           - OrganizationUnitIDs
           - EventBridgeState
@@ -25,8 +27,12 @@ Metadata:
         default: "External ID (Sysdig use only)"
       TrustedIdentity:
         default: "Trusted Identity (Sysdig use only)"
-      EventBusARN:
-        default: "Target Event Bus (Sysdig use only)"
+      ApiKey:
+        default: "API Key (Sysdig use only)"
+      IngestionUrl:
+        default: "Endpoint URL (Sysdig use only)"
+      RateLimit:
+        default: "Rate Limit (Sysdig use only)"
       Regions:
         default: "EventBridge Regions (Sysdig use only)"
       OrganizationUnitIDs:
@@ -49,9 +55,16 @@ Parameters:
   TrustedIdentity:
     Type: String
     Description: The Role in Sysdig's AWS Account with permissions to your account
-  EventBusARN:
+  ApiKey:
     Type: String
-    Description: The destination in Sysdig's AWS account where your events are sent
+    Description: API key for Sysdig Secure authentication
+  IngestionUrl:
+    Type: String
+    Description: Sysdig Secure API endpoint URL
+  RateLimit:
+    Type: Number
+    Description: Maximum invocations per second for the API destination
+    Default: 300
   Regions:
     Type: String
     Description: Comma separated list of regions to monitor with EventBridge    
@@ -192,15 +205,25 @@ Resources:
           PolicyDocument:
             Version: "2012-10-17"
             Statement:
-              - Effect: Allow
-                Action: 'events:PutEvents'
-                Resource: !Sub ${EventBusARN}
-              - Effect: Allow
+              - Sid: "InvokeApiDestination"
+                Effect: Allow
+                Action:
+                  - "events:InvokeApiDestination"
+                Resource:
+                  - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"
+              - Sid: "CloudTrailEventRuleAccess"
+                Effect: Allow
                 Action:
                   - "events:DescribeRule"
                   - "events:ListTargetsByRule"
                 Resource:
-                  - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName}
+                  - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}"
+              - Sid: "ValidationAccess"
+                Effect: Allow
+                Action:
+                  - "events:DescribeApiDestination"
+                  - "events:DescribeConnection"
+                Resource: "*"
   RolesStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
@@ -317,15 +340,25 @@ Resources:
                   PolicyDocument:
                     Version: "2012-10-17"
                     Statement:
-                      - Effect: Allow
-                        Action: 'events:PutEvents'
-                        Resource: !Sub ${EventBusARN}
-                      - Effect: Allow
+                      - Sid: "InvokeApiDestination"
+                        Effect: Allow
+                        Action:
+                          - "events:InvokeApiDestination"
+                        Resource:
+                          - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"
+                      - Sid: "CloudTrailEventRuleAccess"
+                        Effect: Allow
                         Action:
                           - "events:DescribeRule"
                           - "events:ListTargetsByRule"
                         Resource:
-                          - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName}
+                          - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}"
+                      - Sid: "ValidationAccess"
+                        Effect: Allow
+                        Action:
+                          - "events:DescribeApiDestination"
+                          - "events:DescribeConnection"
+                        Resource: "*"
   EBRuleStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
@@ -346,58 +379,76 @@ Resources:
       Parameters:
         - ParameterKey: EventBridgeRoleName
           ParameterValue: !Ref EventBridgeRoleName
-        - ParameterKey: EventBusARN
-          ParameterValue: !Ref EventBusARN
+        - ParameterKey: ApiKey
+          ParameterValue: !Ref ApiKey
+        - ParameterKey: IngestionUrl
+          ParameterValue: !Ref IngestionUrl
+        - ParameterKey: RateLimit
+          ParameterValue: !Ref RateLimit
         - ParameterKey: EventBridgeState
           ParameterValue: !Ref EventBridgeState
+        - ParameterKey: EventBridgeEventPattern
+          ParameterValue: !Ref EventBridgeEventPattern
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs]
           Regions: !Split [ ",", !Ref Regions]
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"
-        Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure
+        Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure
         Parameters:
           EventBridgeRoleName:
             Type: String
             Description: A unique identifier used to create an IAM Role and EventBridge Rule
-          EventBusARN:
+          ApiKey:
+            Type: String
+            Description: API key for Sysdig Secure authentication
+          IngestionUrl:
             Type: String
-            Description: The destination in Sysdig's AWS account where your events are sent 
+            Description: Sysdig Secure API endpoint URL
+          RateLimit:
+            Type: Number
+            Description: Maximum invocations per second for the API destination
           EventBridgeState:
             Type: String
             Description: The state of the EventBridge Rule
-            Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
+            Default: ENABLED
             AllowedValues:
-              - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
               - ENABLED
-              - DISABLED                        
-        Resources:           
+              - DISABLED
+          EventBridgeEventPattern:
+            Type: String
+            Description: JSON pattern for the EventBridge rule's event pattern
+        Resources:
+          EventBridgeConnection:
+            Type: AWS::Events::Connection
+            Properties:
+              Name: !Sub ${EventBridgeRoleName}-connection
+              AuthorizationType: API_KEY
+              AuthParameters:
+                ApiKeyAuthParameters:
+                  ApiKeyName: X-Api-Key
+                  ApiKeyValue: !Ref ApiKey
+
+          EventBridgeApiDestination:
+            Type: AWS::Events::ApiDestination
+            Properties:
+              Name: !Sub ${EventBridgeRoleName}-destination
+              ConnectionArn: !GetAtt EventBridgeConnection.Arn
+              InvocationEndpoint: !Ref IngestionUrl
+              HttpMethod: POST
+              InvocationRateLimitPerSecond: !Ref RateLimit
+
           EventBridgeRule:
-            Type: "AWS::Events::Rule"
+            Type: AWS::Events::Rule
             Properties:
-              Name: !Sub ${EventBridgeRoleName}
-              Description: Capture all CloudTrail events
-              EventPattern:
-                detail-type:
-                  - 'AWS API Call via CloudTrail'
-                  - 'AWS Console Sign In via CloudTrail'
-                  - 'AWS Service Event via CloudTrail'
-                  - 'Object Access Tier Changed'
-                  - 'Object ACL Updated'
-                  - 'Object Created'
-                  - 'Object Deleted'
-                  - 'Object Restore Completed'
-                  - 'Object Restore Expired'
-                  - 'Object Restore Initiated'
-                  - 'Object Storage Class Changed'
-                  - 'Object Tags Added'
-                  - 'Object Tags Deleted'
-                  - 'GuardDuty Finding'
-              State: !Sub ${EventBridgeState}
+              Name: !Ref EventBridgeRoleName
+              Description: Capture all CloudTrail events for Sysdig Secure
+              EventPattern: !Ref EventBridgeEventPattern
+              State: !Ref EventBridgeState
               Targets:
-                - Id: !Sub ${EventBridgeRoleName}
-                  Arn: !Sub ${EventBusARN}
+                - Id: !Ref EventBridgeRoleName
+                  Arn: !GetAtt EventBridgeApiDestination.Arn
                   RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}"
   MgmtAccEBRuleStackSet:
     Type: AWS::CloudFormation::StackSet
@@ -425,16 +476,20 @@ Resources:
       Parameters:
         - ParameterKey: EventBridgeRoleName
           ParameterValue: !Ref EventBridgeRoleName
-        - ParameterKey: EventBusARN
-          ParameterValue: !Ref EventBusARN
+        - ParameterKey: ApiKey
+          ParameterValue: !Ref ApiKey
+        - ParameterKey: IngestionUrl
+          ParameterValue: !Ref IngestionUrl
+        - ParameterKey: RateLimit
+          ParameterValue: !Ref RateLimit
         - ParameterKey: EventBridgeState
           ParameterValue: !Ref EventBridgeState
         - ParameterKey: EventBridgeEventPattern
-          ParameterValue: !Ref EventBridgeEventPattern
+          ParameterValue: !Ref EventBridgeEventPattern                     
       StackInstancesGroup:
         - DeploymentTargets:
-            Accounts:
-              - !Ref AWS::AccountId
+            Accounts: 
+              - !Ref AWS::AccountId             
           Regions: !Split [ ",", !Ref Regions]
       TemplateBody: |
         AWSTemplateFormatVersion: "2010-09-09"
@@ -443,48 +498,53 @@ Resources:
           EventBridgeRoleName:
             Type: String
             Description: A unique identifier used to create an IAM Role and EventBridge Rule
-          EventBusARN:
+          ApiKey:
+            Type: String
+            Description: API key for authentication
+          IngestionUrl:
             Type: String
-            Description: The destination in Sysdig's AWS account where your events are sent
+            Description: Target endpoint URL for the API destination
+          RateLimit:
+            Type: Number
+            Description: Maximum invocations per second for the API destination
           EventBridgeState:
             Type: String
             Description: The state of the EventBridge Rule
-            Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
+            Default: ENABLED
             AllowedValues:
-              - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
               - ENABLED
               - DISABLED
           EventBridgeEventPattern:
             Type: String
             Description: JSON pattern for the EventBridge rule's event pattern
-            Default: |
-              {
-                "detail-type": [
-                  "AWS API Call via CloudTrail",
-                  "AWS Console Sign In via CloudTrail",
-                  "AWS Service Event via CloudTrail",
-                  "Object Access Tier Changed",
-                  "Object ACL Updated",
-                  "Object Created",
-                  "Object Deleted",
-                  "Object Restore Completed",
-                  "Object Restore Expired",
-                  "Object Restore Initiated",
-                  "Object Storage Class Changed",
-                  "Object Tags Added",
-                  "Object Tags Deleted",
-                  "GuardDuty Finding"
-                ]
-              }
-        Resources:           
+        Resources:
+          EventBridgeConnection:
+            Type: AWS::Events::Connection
+            Properties:
+              Name: !Sub ${EventBridgeRoleName}-connection
+              AuthorizationType: API_KEY
+              AuthParameters:
+                ApiKeyAuthParameters:
+                  ApiKeyName: X-Api-Key
+                  ApiKeyValue: !Ref ApiKey
+
+          EventBridgeApiDestination:
+            Type: AWS::Events::ApiDestination
+            Properties:
+              Name: !Sub ${EventBridgeRoleName}-destination
+              ConnectionArn: !GetAtt EventBridgeConnection.Arn
+              InvocationEndpoint: !Ref IngestionUrl
+              HttpMethod: POST
+              InvocationRateLimitPerSecond: !Ref RateLimit
+
           EventBridgeRule:
-            Type: "AWS::Events::Rule"
+            Type: AWS::Events::Rule
             Properties:
               Name: !Sub ${EventBridgeRoleName}
               Description: Capture all CloudTrail events
               EventPattern: !Ref EventBridgeEventPattern
-              State: !Sub ${EventBridgeState}
+              State: !Ref EventBridgeState
               Targets:
                 - Id: !Sub ${EventBridgeRoleName}
-                  Arn: !Sub ${EventBusARN}
+                  Arn: !GetAtt EventBridgeApiDestination.Arn
                   RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}"
