diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml index f8f0c0e..e5e8b6e 100644 --- a/templates_cspm_eventbridge/FullInstall.yaml +++ b/templates_cspm_eventbridge/FullInstall.yaml @@ -10,7 +10,9 @@ Metadata: - RoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - EventBridgeRoleName - EventBridgeState - EventBridgeEventPattern @@ -22,8 +24,12 @@ Metadata: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Ingestion URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" EventBridgeRoleName: default: "Integration Name (Sysdig use only)" EventBridgeState: @@ -44,9 +50,16 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API ingestion URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 EventBridgeState: Type: String Description: The state of the EventBridge Rule 
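Review bot: The new `ApiKey` parameter in the Parameters hunk carries a credential but is declared as a plain `Type: String`, so its value is echoed back in the console, in `DescribeStacks` output and in change sets; add `NoEcho: true` under it (`ApiKey:` / `Type: String` / `NoEcho: true`). The same omission repeats in the matching Parameters hunks of OrgFullInstall.yaml, EventBridge.yaml and OrgEventBridge.yaml, and in every nested `TemplateBody` that re-declares `ApiKey` for the StackSets, where it is equally visible through `DescribeStackSet`. Since the value is later used unchanged as `ApiKeyValue`, a `MinLength: 1` on the same parameter would also stop an empty value from producing a connection that authenticates with nothing. `IngestionUrl` could likewise take `AllowedPattern: '^https://.+'`, because an API destination endpoint must be HTTPS and the failure otherwise only surfaces at resource creation.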
@@ -122,6 +135,26 @@ Resources: - Effect: "Allow" Action: "account:GetContactInformation" Resource: "*" + + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRole: Type: AWS::IAM::Role Properties: @@ -138,21 +171,30 @@ Resources: Action: "sts:AssumeRole" Condition: StringEquals: - sts:ExternalId: !Ref ExternalID + sts:ExternalId: !Ref ExternalID Policies: - PolicyName: !Ref EventBridgeRoleName PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Ref EventBusARN - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: "events:InvokeApiDestination" + Resource: !GetAtt EventBridgeApiDestination.Arn + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" - Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + Resource: !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + - "cloudwatch:GetMetricStatistics" + Resource: "*" + EventBridgeRule: Type: AWS::Events::Rule Properties: @@ -162,7 +204,5 @@ Resources: State: !Ref EventBridgeState Targets: - Id: !Ref EventBridgeRoleName - Arn: !Ref EventBusARN - RoleArn: !GetAtt - - EventBridgeRole - - Arn + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !GetAtt EventBridgeRole.Arn 
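Review bot: The `ValidationAccess` statement added to `EventBridgeRole`'s inline policy grants `events:DescribeApiDestination` and `events:DescribeConnection` on `Resource: "*"`, and this role is assumable cross-account by `TrustedIdentity` (the `sts:ExternalId` condition is in the same hunk), so it can enumerate every connection and API destination in the account rather than just the two this stack creates. Both Describe actions support resource-level permissions while `cloudwatch:GetMetricStatistics` does not, so the statement should be split: scope the two Describe actions to `!GetAtt EventBridgeApiDestination.Arn` and `!GetAtt EventBridgeConnection.Arn`, as the `InvokeApiDestination` statement in this hunk already does, and leave only the CloudWatch action on `*`. The same wildcard statement appears in OrgFullInstall.yaml, EventBridge.yaml and OrgEventBridge.yaml; where those roles live in a different stack from the destination, the existing `!Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"` pattern and a `connection/${EventBridgeRoleName}-connection/*` counterpart serve the same purpose.
```yaml
          # … unchanged: InvokeApiDestination and CloudTrailEventRuleAccess statements …
          - Sid: "ValidationAccess"
            Effect: Allow
            Action:
              - "events:DescribeApiDestination"
              - "events:DescribeConnection"
            Resource:
              - !GetAtt EventBridgeApiDestination.Arn
              - !GetAtt EventBridgeConnection.Arn
          - Sid: "ValidationMetrics"
            Effect: Allow
            # GetMetricStatistics has no resource-level permissions, so "*" is unavoidable here
            Action: "cloudwatch:GetMetricStatistics"
            Resource: "*"
```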
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml index bf29b4d..b98edab 100644 --- a/templates_cspm_eventbridge/OrgFullInstall.yaml +++ b/templates_cspm_eventbridge/OrgFullInstall.yaml @@ -11,7 +11,9 @@ Metadata: - EventBridgeRoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - Regions - OrganizationUnitIDs - EventBridgeState @@ -25,8 +27,12 @@ Metadata: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Endpoint URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" Regions: default: "EventBridge Regions (Sysdig use only)" OrganizationUnitIDs: @@ -49,9 +55,16 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 Regions: Type: String Description: Comma separated list of regions to monitor with EventBridge @@ -111,7 +124,7 @@ Resources: Action: - sts:AssumeRole Resource: - - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole" + - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole" ExecutionRole: Type: AWS::IAM::Role Properties: 
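Review bot: Replacing `arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole` with `arn:aws:iam::*:role/...` in the `AdministrationRole` policy pins the partition, so the template will no longer let the administration role assume the execution role in aws-cn or aws-us-gov, where that ARN starts with a different partition. If narrowing away from `*` was the intent, `!Sub "arn:${AWS::Partition}:iam::*:role/AWSCloudFormationStackSetExecutionRole"` gives the same tightening without dropping those partitions. OrgEventBridge.yaml makes the identical change, and the other ARNs added in this commit are hard-coded `arn:aws:` as well, so this is consistent but should be a deliberate decision rather than a side effect.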
@@ -192,15 +205,26 @@ Resources: PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + - "cloudwatch:GetMetricStatistics" + Resource: "*" RolesStackSet: Type: AWS::CloudFormation::StackSet Properties: @@ -226,8 +250,6 @@ Resources: ParameterValue: !Ref ExternalID - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] @@ -247,10 +269,7 @@ Resources: Description: Sysdig ExternalID required for the policy creation EventBridgeRoleName: Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: - Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: A unique identifier used to create an IAM Role and EventBridge Rule Resources: CloudAgentlessRole: Type: "AWS::IAM::Role" 
@@ -317,15 +336,26 @@ Resources: PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + - "cloudwatch:GetMetricStatistics" + Resource: "*" EBRuleStackSet: Type: AWS::CloudFormation::StackSet Properties: 
@@ -346,58 +376,76 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] Regions: !Split [ ",", !Ref Regions] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure Parameters: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + IngestionUrl: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - - DISABLED - Resources: + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + 
ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: - Name: !Sub ${EventBridgeRoleName} - Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' - - 'GuardDuty Finding' - State: !Sub ${EventBridgeState} + Name: !Ref EventBridgeRoleName + Description: Capture all CloudTrail events for Sysdig Secure + EventPattern: !Ref EventBridgeEventPattern + State: !Ref EventBridgeState Targets: - - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} + - Id: !Ref EventBridgeRoleName + Arn: !GetAtt EventBridgeApiDestination.Arn RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" MgmtAccEBRuleStackSet: Type: AWS::CloudFormation::StackSet 
@@ -425,16 +473,20 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState - ParameterKey: EventBridgeEventPattern - ParameterValue: !Ref EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern StackInstancesGroup: - DeploymentTargets: - Accounts: - - !Ref AWS::AccountId + Accounts: + - !Ref AWS::AccountId Regions: !Split [ ",", !Ref Regions] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" 
@@ -443,48 +495,53 @@ Resources: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for authentication + IngestionUrl: + Type: String + Description: Target endpoint URL for the API destination + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: Type: String Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - Resources: + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events 
EventPattern: !Ref EventBridgeEventPattern - State: !Sub ${EventBridgeState} + State: !Ref EventBridgeState Targets: - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} + Arn: !GetAtt EventBridgeApiDestination.Arn RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" \ No newline at end of file diff --git a/templates_eventbridge/EventBridge.yaml b/templates_eventbridge/EventBridge.yaml index 500723d..d2a7636 100644 --- a/templates_eventbridge/EventBridge.yaml +++ b/templates_eventbridge/EventBridge.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure +Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure via API Destination Metadata: AWS::CloudFormation::Interface: @@ -10,7 +10,9 @@ Metadata: - EventBridgeRoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - EventBridgeState - EventBridgeEventPattern @@ -19,8 +21,12 @@ Metadata: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Ingestion URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" EventBridgeRoleName: default: "Integration Name (Sysdig use only)" EventBridgeState: 
@@ -38,15 +44,21 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API ingestion URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: @@ -73,6 +85,25 @@ Parameters: } Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRole: Type: AWS::IAM::Role Properties: 
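Review bot: Dropping `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS` from `EventBridgeState`'s `AllowedValues` is a behaviour change beyond the API-destination migration: that state is what opts the rule into read-only CloudTrail management events (Describe/List/Get calls), so with only `ENABLED` selectable the rule stops matching them and detection coverage shrinks. It is also an update hazard, because a stack deployed with the old default now fails parameter validation on update until the operator explicitly changes the value. If the narrower coverage is intended, say so in the parameter's `Description`; otherwise keep the value in `AllowedValues` and restore `Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS`. The same removal is repeated in OrgEventBridge.yaml and in each nested `TemplateBody` in OrgFullInstall.yaml and OrgEventBridge.yaml.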
@@ -89,31 +120,41 @@ Resources: Action: "sts:AssumeRole" Condition: StringEquals: - sts:ExternalId: !Ref ExternalID + sts:ExternalId: !Ref ExternalID Policies: - PolicyName: !Ref EventBridgeRoleName PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Ref EventBusARN - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + - "cloudwatch:GetMetricStatistics" + Resource: "*" + EventBridgeRule: Type: AWS::Events::Rule Properties: Name: !Ref EventBridgeRoleName - Description: Capture all CloudTrail events + Description: Capture all CloudTrail events for Sysdig Secure EventPattern: !Ref EventBridgeEventPattern State: !Ref EventBridgeState Targets: - Id: !Ref EventBridgeRoleName - Arn: !Ref EventBusARN - RoleArn: !GetAtt - - EventBridgeRole - - Arn + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !GetAtt EventBridgeRole.Arn diff --git a/templates_eventbridge/Makefile b/templates_eventbridge/Makefile index 6fe59c5..96a63c5 100644 --- a/templates_eventbridge/Makefile +++ b/templates_eventbridge/Makefile 
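Review bot: The `InvokeApiDestination` statement in `EventBridgeRole`'s policy is scoped with the wildcard `!Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"` even though `EventBridgeApiDestination` is declared in this same template, so `Resource: !GetAtt EventBridgeApiDestination.Arn` is available and pins the grant to exactly the destination created here, whereas the pattern also matches a same-named destination in any region or account. FullInstall.yaml already uses the `!GetAtt` form in its equivalent hunk, so this is also a consistency point. The `ValidationAccess` statement's `Resource: "*"` could be narrowed the same way for the two Describe actions, keeping `*` only for `cloudwatch:GetMetricStatistics`, which has no resource-level permissions.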
@@ -1,10 +1,10 @@ # requires AWS_PROFILE # bucket must exist, prefix will be created -S3_BUCKET ?= "s4c-cft" +S3_BUCKET ?= "" S3_PREFIX ?= "test" # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error -S3_REGION ?= "eu-west-1" # ireland -SECURE_API_TOKEN ?= "" +S3_REGION ?= "us-east-1" +SECURE_API_TOKEN ?= "" STACK_NAME = "EventBridgeTest" STACK_NAME_ORG = "OrgEventBridgeTest" @@ -30,11 +30,19 @@ packaged-template.yaml: test: packaged-template.yaml aws cloudformation deploy \ - --stack-name $(STACK_NAME) \ + --stack-name "EventBridgeTest" \ --template-file packaged-template.yaml \ --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ --parameter-overrides \ - "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" + "SysdigSecureAPIToken=" \ + "ApiKey=4ba93f30-c5d2-42e8-9319-c8d23a6b174d" \ + "IngestionUrl=https://ingest-eu1.app.sysdig.com/api/events" \ + "EventBridgeRoleName=SysdigEventBridgeIntegration" \ + "ExternalID=bcacfba7093b0c5fce39ee8012272f07" \ + "TrustedIdentity=arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role" \ + "RateLimit=300" \ + "EventBridgeState=ENABLED" \ + "EventBridgeEventPattern={\"source\":[\"aws.cloudtrail\"]}" ci: packaged-template.yaml aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX)/entry-point.yaml 
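Review bot: The `test` target now passes literal values for `ApiKey`, `ExternalID` and `TrustedIdentity` on the command line (and `test-org` in the next hunk adds literal `OrganizationUnitIDs`), committing what look like a live API key, an external ID and a real account's role ARN to the repository, while `SysdigSecureAPIToken=` is emptied and the existing `SECURE_API_TOKEN` variable is left unused. Feed these from variables that default to empty, e.g. `API_KEY ?= ""` next to `SECURE_API_TOKEN` and `"ApiKey=$(API_KEY)"` in the override list, and treat the key already in history as exposed. Separately, both targets now hard-code `--stack-name "EventBridgeTest"` instead of `$(STACK_NAME)` / `$(STACK_NAME_ORG)`, so `test-org` updates the stack that `test` created rather than deploying alongside it, and the two variables become dead.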
@@ -54,11 +62,22 @@ packaged-template-org.yaml: test-org: packaged-template-org.yaml aws cloudformation deploy \ - --stack-name $(STACK_NAME_ORG) \ + --region "us-east-1" \ + --stack-name "EventBridgeTest" \ --template-file packaged-template-org.yaml \ --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ --parameter-overrides \ - "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" + "SysdigSecureAPIToken=" \ + "ApiKey=4ba93f30-c5d2-42e8-9319-c8d23a6b174d" \ + "IngestionUrl=https://ingest-eu1.app.sysdig.com/api/events" \ + "EventBridgeRoleName=SysdigEventBridgeIntegration" \ + "ExternalID=bcacfba7093b0c5fce39ee8012272f07" \ + "TrustedIdentity=arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role" \ + "RateLimit=300" \ + "OrganizationUnitIDs=ou-s212-x4xr99jl,ou-s212-c5n6dwzt,ou-s212-uihli2xi" \ + "EventBridgeState=ENABLED" \ + "EventBridgeEventPattern={\"source\":[\"aws.cloudtrail\"]}" \ + "Regions=us-east-1,us-west-2" ci-org: packaged-template-org.yaml aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)/entry-point.yaml diff --git a/templates_eventbridge/OrgEventBridge.yaml b/templates_eventbridge/OrgEventBridge.yaml index 50db948..4584ace 100644 --- a/templates_eventbridge/OrgEventBridge.yaml +++ b/templates_eventbridge/OrgEventBridge.yaml 
@@ -1,31 +1,36 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure +Description: EventBridge resources with API Destinations that forward CloudTrail logs to Sysdig Secure across AWS Organizations + Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Sysdig Settings (Do not change)" Parameters: - - CSPMRoleName - EventBridgeRoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - Regions - OrganizationUnitIDs - EventBridgeState - EventBridgeEventPattern + ParameterLabels: - CSPMRoleName: - default: "CSPM Role Name (Sysdig use only)" EventBridgeRoleName: - default: "Integration Name (Sysdig use only)" + default: "Integration Name (Sysdig use only)" ExternalID: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Endpoint URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" Regions: default: "EventBridge Regions (Sysdig use only)" OrganizationUnitIDs: @@ -34,10 +39,8 @@ Metadata: default: "State of the EventBridge Rule (Sysdig use only)" EventBridgeEventPattern: default: "Event Pattern (Sysdig use only)" + Parameters: - CSPMRoleName: - Type: String - Description: Unique role for monitoring AWS accounts EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule 
@@ -47,9 +50,16 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 Regions: Type: String Description: Comma separated list of regions to monitor with EventBridge @@ -59,9 +69,8 @@ Parameters: EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: @@ -88,6 +97,7 @@ Parameters: } Resources: + # CloudFormation StackSet Administration Role AdministrationRole: Type: AWS::IAM::Role Properties: @@ -109,7 +119,9 @@ Resources: Action: - sts:AssumeRole Resource: - - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole" + - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole" + + # CloudFormation StackSet Execution Role ExecutionRole: Type: AWS::IAM::Role Properties: @@ -125,22 +137,8 @@ Resources: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AdministratorAccess - MgmtAccCloudAgentlessRole: - Type: "AWS::IAM::Role" - Properties: - RoleName: !Sub ${CSPMRoleName} - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Principal: - AWS: !Sub ${TrustedIdentity} - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Sub ${ExternalID} - ManagedPolicyArns: - - arn:aws:iam::aws:policy/SecurityAudit + + # EventBridge Role in management account MgmtAccEventBridgeRole: Type: AWS::IAM::Role Properties: 
@@ -158,21 +156,33 @@ Resources: Action: "sts:AssumeRole" Condition: StringEquals: - sts:ExternalId: !Sub ${ExternalID} + sts:ExternalId: !Sub ${ExternalID} Policies: - PolicyName: !Sub ${EventBridgeRoleName} PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + - "cloudwatch:GetMetricStatistics" + Resource: "*" + MgmtAccEBRuleStackSet: Type: AWS::CloudFormation::StackSet Metadata: @@ -199,8 +209,12 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState - ParameterKey: EventBridgeEventPattern 
@@ -217,51 +231,58 @@ Resources: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: + Type: String + Description: API key for authentication + IngestionUrl: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: Target endpoint URL for the API destination + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: Type: String Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - Resources: + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events 
EventPattern: !Ref EventBridgeEventPattern - State: !Sub ${EventBridgeState} + State: !Ref EventBridgeState Targets: - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} - RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" + + # StackSet for member accounts - Role deployment EBRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: @@ -279,39 +300,24 @@ Resources: MaxConcurrentPercentage: 100 ConcurrencyMode: SOFT_FAILURE_TOLERANCE Parameters: - - ParameterKey: TrustedIdentity - ParameterValue: !Ref TrustedIdentity - - ParameterKey: ExternalID - ParameterValue: !Ref ExternalID - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] Regions: [!Ref "AWS::Region"] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" - Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + Description: IAM Role used for EventBridge API Destinations Parameters: - TrustedIdentity: - Type: String - Description: The Role in Sysdig's AWS Account with permissions to your account - ExternalID: - Type: String - Description: Sysdig ExternalID required for the policy creation EventBridgeRoleName: Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: - Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: A unique identifier used to create IAM Role for EventBridge Resources: EventBridgeRole: Type: AWS::IAM::Role Properties: - RoleName: !Sub ${EventBridgeRoleName} + RoleName: !Ref EventBridgeRoleName AssumeRolePolicyDocument: Version: "2012-10-17" Statement: 
@@ -319,32 +325,39 @@ Resources: Principal: Service: events.amazonaws.com Action: 'sts:AssumeRole' - - Effect: "Allow" - Principal: - AWS: !Sub ${TrustedIdentity} - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Sub ${ExternalID} Policies: - - PolicyName: !Sub ${EventBridgeRoleName} + - PolicyName: !Ref EventBridgeRoleName PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} - EBRuleStackSet: + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + - "cloudwatch:GetMetricStatistics" + Resource: "*" + + # StackSet for member accounts - EventBridge resources deployment + EBApiDestStackSet: Type: AWS::CloudFormation::StackSet + DependsOn: EBRoleStackSet Properties: - StackSetName: EBRuleStackSet - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + StackSetName: EBApiDestStackSet + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure PermissionModel: SERVICE_MANAGED Capabilities: - "CAPABILITY_NAMED_IAM" 
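Review bot: In the `EBRoleStackSet` nested template, the member-account `EventBridgeRole` loses the `TrustedIdentity` principal from its `AssumeRolePolicyDocument` (consistent with the `TrustedIdentity`/`ExternalID` parameters removed from that StackSet in the previous hunk), leaving `events.amazonaws.com` as the only principal that can assume it; the role definition itself begins outside this hunk. Its inline policy nevertheless keeps `CloudTrailEventRuleAccess` and adds `ValidationAccess`, which are read-only checks the EventBridge service never makes when invoking a target — only `InvokeApiDestination` is needed for that. Either a Sysdig-side validation of member accounts relied on assuming this role and is now broken, or those two statements are dead and should be removed from this template; I can't tell which from the diff, but the trust policy and the permissions policy in this hunk no longer agree.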
@@ -360,8 +373,12 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState - ParameterKey: EventBridgeEventPattern 
@@ -372,53 +389,58 @@ Resources: Regions: !Split [ ",", !Ref Regions] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure Parameters: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: Type: String Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - Resources: + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt 
EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: - Name: !Sub ${EventBridgeRoleName} - Description: Capture all CloudTrail events + Name: !Ref EventBridgeRoleName + Description: Capture all CloudTrail events for Sysdig Secure EventPattern: !Ref EventBridgeEventPattern - State: !Sub ${EventBridgeState} + State: !Ref EventBridgeState Targets: - - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} - RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" \ No newline at end of file + - Id: !Ref EventBridgeRoleName + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" diff --git a/templates_eventbridge/packaged-template-org.yaml b/templates_eventbridge/packaged-template-org.yaml new file mode 100644 index 0000000..4939e20 --- /dev/null +++ b/templates_eventbridge/packaged-template-org.yaml 
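Review bot: The nested template's `ApiKey` parameter (`ApiKey: Type: String`, directly above `IngestionUrl`) carries no `NoEcho: true`, so the Sysdig API key is returned in plaintext by `DescribeStacks` and shown in the console for every stack instance this StackSet creates. `AWS::Events::Connection` keeps the value in an EventBridge-managed Secrets Manager secret, which is the right place for it, but that does not undo the exposure through the CloudFormation parameter itself; add `NoEcho: true` to this declaration and to the outer stack's `ApiKey` parameter that feeds it (the outer declaration is outside this hunk). Separately, the rule target gains no `DeadLetterConfig` or `RetryPolicy` when it switches from an event bus to an API destination, so events that exhaust EventBridge's default retries against a throttled or unreachable ingestion endpoint are dropped with no trace — for a CloudTrail feed that is a detection gap, and an SQS dead-letter queue on the target (`DeadLetterConfig: {Arn: !GetAtt DeliveryDlq.Arn}`) would make it observable. The enclosing StackSet resource and its `TemplateBody` block scalar begin outside this hunk.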
@@ -0,0 +1,369 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: EventBridge resources with API Destinations that forward CloudTrail logs + to Sysdig Secure across AWS Organizations +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Sysdig Settings (Do not change) + Parameters: + - EventBridgeRoleName + - ExternalID + - TrustedIdentity + - ApiKey + - IngestionUrl + - RateLimit + - Regions + - OrganizationUnitIDs + - EventBridgeState + - EventBridgeEventPattern + ParameterLabels: + EventBridgeRoleName: + default: Integration Name (Sysdig use only) + ExternalID: + default: External ID (Sysdig use only) + TrustedIdentity: + default: Trusted Identity (Sysdig use only) + ApiKey: + default: API Key (Sysdig use only) + IngestionUrl: + default: Endpoint URL (Sysdig use only) + RateLimit: + default: Rate Limit (Sysdig use only) + Regions: + default: EventBridge Regions (Sysdig use only) + OrganizationUnitIDs: + default: Organization Unit IDs (Sysdig use only) + EventBridgeState: + default: State of the EventBridge Rule (Sysdig use only) + EventBridgeEventPattern: + default: Event Pattern (Sysdig use only) +Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create an IAM Role and EventBridge Rule + ExternalID: + Type: String + Description: Sysdig ExternalID required for the policy creation + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 + Regions: + Type: String + Description: Comma separated list of regions to monitor with EventBridge + OrganizationUnitIDs: + Type: String + Description: Comma separated list of Organization Unit IDs to deploy + 
EventBridgeState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED + AllowedValues: + - ENABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: "{\n \"detail-type\": [\n \"AWS API Call via CloudTrail\",\n \"\ + AWS Console Sign In via CloudTrail\",\n \"AWS Service Event via CloudTrail\"\ + ,\n \"Object Access Tier Changed\",\n \"Object ACL Updated\",\n \"\ + Object Created\",\n \"Object Deleted\",\n \"Object Restore Completed\"\ + ,\n \"Object Restore Expired\",\n \"Object Restore Initiated\",\n \"\ + Object Storage Class Changed\",\n \"Object Tags Added\",\n \"Object Tags\ + \ Deleted\",\n \"GuardDuty Finding\"\n ]\n}\n" +Resources: + AdministrationRole: + Type: AWS::IAM::Role + Properties: + RoleName: AWSCloudFormationStackSetAdministrationRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: cloudformation.amazonaws.com + Action: + - sts:AssumeRole + Policies: + - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - sts:AssumeRole + Resource: + - arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: AWSCloudFormationStackSetExecutionRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: + - Fn::GetAtt: + - AdministrationRole + - RoleId + Action: + - sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AdministratorAccess + MgmtAccEventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: + Fn::Sub: ${EventBridgeRoleName} + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: sts:AssumeRole + - Effect: Allow + Principal: + AWS: + Fn::Sub: ${TrustedIdentity} + Action: 
sts:AssumeRole + Condition: + StringEquals: + sts:ExternalId: + Fn::Sub: ${ExternalID} + Policies: + - PolicyName: + Fn::Sub: ${EventBridgeRoleName} + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: InvokeApiDestination + Effect: Allow + Action: + - events:InvokeApiDestination + Resource: + - Fn::Sub: arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/* + - Sid: CloudTrailEventRuleAccess + Effect: Allow + Action: + - events:DescribeRule + - events:ListTargetsByRule + Resource: + - Fn::Sub: arn:aws:events:*:*:rule/${EventBridgeRoleName} + - Sid: ValidationAccess + Effect: Allow + Action: + - events:DescribeApiDestination + - events:DescribeConnection + Resource: '*' + MgmtAccEBRuleStackSet: + Type: AWS::CloudFormation::StackSet + Metadata: + cfn-lint: + config: + ignore_checks: + - W3005 + DependsOn: + - ExecutionRole + - AdministrationRole + Properties: + StackSetName: MgmtAccEBRuleStackSet + AdministrationRoleARN: + Fn::GetAtt: + - AdministrationRole + - Arn + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + PermissionModel: SELF_MANAGED + ManagedExecution: + Active: true + Capabilities: + - CAPABILITY_NAMED_IAM + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: + Ref: EventBridgeRoleName + - ParameterKey: ApiKey + ParameterValue: + Ref: ApiKey + - ParameterKey: IngestionUrl + ParameterValue: + Ref: IngestionUrl + - ParameterKey: RateLimit + ParameterValue: + Ref: RateLimit + - ParameterKey: EventBridgeState + ParameterValue: + Ref: EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: + Ref: EventBridgeEventPattern + StackInstancesGroup: + - DeploymentTargets: + Accounts: + - Ref: AWS::AccountId + Regions: + Fn::Split: + - ',' + - Ref: Regions + TemplateBody: "AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: EventBridge\ 
+ \ Resources that forward CloudTrail logs to Sysdig Secure\nParameters:\n \ + \ EventBridgeRoleName:\n Type: String\n Description: A unique identifier\ + \ used to create an IAM Role and EventBridge Rule\n ApiKey:\n Type: String\n\ + \ Description: API key for authentication\n IngestionUrl:\n Type: String\n\ + \ Description: Target endpoint URL for the API destination\n RateLimit:\n\ + \ Type: Number\n Description: Maximum invocations per second for the\ + \ API destination\n EventBridgeState:\n Type: String\n Description:\ + \ The state of the EventBridge Rule\n Default: ENABLED\n AllowedValues:\n\ + \ - ENABLED\n - DISABLED\n EventBridgeEventPattern:\n Type:\ + \ String\n Description: JSON pattern for the EventBridge rule's event pattern\n\ + Resources:\n EventBridgeConnection:\n Type: AWS::Events::Connection\n\ + \ Properties:\n Name: !Sub ${EventBridgeRoleName}-connection\n \ + \ AuthorizationType: API_KEY\n AuthParameters:\n ApiKeyAuthParameters:\n\ + \ ApiKeyName: X-Api-Key\n ApiKeyValue: !Ref ApiKey\n\n \ + \ EventBridgeApiDestination:\n Type: AWS::Events::ApiDestination\n Properties:\n\ + \ Name: !Sub ${EventBridgeRoleName}-destination\n ConnectionArn:\ + \ !GetAtt EventBridgeConnection.Arn\n InvocationEndpoint: !Ref IngestionUrl\n\ + \ HttpMethod: POST\n InvocationRateLimitPerSecond: !Ref RateLimit\n\ + \n EventBridgeRule:\n Type: AWS::Events::Rule\n Properties:\n \ + \ Name: !Sub ${EventBridgeRoleName}\n Description: Capture all CloudTrail\ + \ events\n EventPattern: !Ref EventBridgeEventPattern\n State: !Ref\ + \ EventBridgeState\n Targets:\n - Id: !Sub ${EventBridgeRoleName}\n\ + \ Arn: !GetAtt EventBridgeApiDestination.Arn\n RoleArn:\ + \ !Sub \"arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}\"\n" + EBRoleStackSet: + Type: AWS::CloudFormation::StackSet + Properties: + StackSetName: EBRoleStackSet + Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + PermissionModel: SERVICE_MANAGED + Capabilities: + - 
CAPABILITY_NAMED_IAM + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: + Ref: EventBridgeRoleName + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + Fn::Split: + - ',' + - Ref: OrganizationUnitIDs + Regions: + - Ref: AWS::Region + TemplateBody: "AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: IAM Role\ + \ used for EventBridge API Destinations\nParameters:\n EventBridgeRoleName:\n\ + \ Type: String\n Description: A unique identifier used to create IAM\ + \ Role for EventBridge\nResources:\n EventBridgeRole:\n Type: AWS::IAM::Role\n\ + \ Properties:\n RoleName: !Ref EventBridgeRoleName\n AssumeRolePolicyDocument:\n\ + \ Version: \"2012-10-17\"\n Statement:\n - Effect:\ + \ Allow\n Principal:\n Service: events.amazonaws.com\n\ + \ Action: 'sts:AssumeRole'\n Policies:\n - PolicyName:\ + \ !Ref EventBridgeRoleName\n PolicyDocument:\n Version:\ + \ \"2012-10-17\"\n Statement:\n - Sid: \"InvokeApiDestination\"\ + \n Effect: Allow\n Action:\n \ + \ - \"events:InvokeApiDestination\"\n Resource:\n \ + \ - !Sub \"arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*\"\ + \n - Sid: \"CloudTrailEventRuleAccess\"\n Effect:\ + \ Allow\n Action:\n - \"events:DescribeRule\"\ + \n - \"events:ListTargetsByRule\"\n Resource:\n\ + \ - !Sub \"arn:aws:events:*:*:rule/${EventBridgeRoleName}\"\ + \n - Sid: \"ValidationAccess\"\n Effect: Allow\n\ + \ Action:\n - \"events:DescribeApiDestination\"\ + \n - \"events:DescribeConnection\"\n Resource:\ + \ \"*\"\n" + EBApiDestStackSet: + Type: AWS::CloudFormation::StackSet + DependsOn: EBRoleStackSet + Properties: + StackSetName: EBApiDestStackSet + Description: EventBridge Resources with API Destinations that forward CloudTrail + logs to Sysdig Secure + PermissionModel: 
SERVICE_MANAGED + Capabilities: + - CAPABILITY_NAMED_IAM + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: + Ref: EventBridgeRoleName + - ParameterKey: ApiKey + ParameterValue: + Ref: ApiKey + - ParameterKey: IngestionUrl + ParameterValue: + Ref: IngestionUrl + - ParameterKey: RateLimit + ParameterValue: + Ref: RateLimit + - ParameterKey: EventBridgeState + ParameterValue: + Ref: EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: + Ref: EventBridgeEventPattern + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + Fn::Split: + - ',' + - Ref: OrganizationUnitIDs + Regions: + Fn::Split: + - ',' + - Ref: Regions + TemplateBody: "AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: EventBridge\ + \ Resources with API Destinations that forward CloudTrail logs to Sysdig Secure\n\ + Parameters:\n EventBridgeRoleName:\n Type: String\n Description: A\ + \ unique identifier used to create an IAM Role and EventBridge Rule\n ApiKey:\n\ + \ Type: String\n Description: API key for Sysdig Secure authentication\n\ + \ IngestionUrl:\n Type: String\n Description: Sysdig Secure API endpoint\ + \ URL\n RateLimit:\n Type: Number\n Description: Maximum invocations\ + \ per second for the API destination\n EventBridgeState:\n Type: String\n\ + \ Description: The state of the EventBridge Rule\n Default: ENABLED\n\ + \ AllowedValues:\n - ENABLED\n - DISABLED\n EventBridgeEventPattern:\n\ + \ Type: String\n Description: JSON pattern for the EventBridge rule's\ + \ event pattern\nResources:\n EventBridgeConnection:\n Type: AWS::Events::Connection\n\ + \ Properties:\n Name: !Sub ${EventBridgeRoleName}-connection\n \ + \ AuthorizationType: API_KEY\n AuthParameters:\n ApiKeyAuthParameters:\n\ + \ 
ApiKeyName: X-Api-Key\n ApiKeyValue: !Ref ApiKey\n\n \ + \ EventBridgeApiDestination:\n Type: AWS::Events::ApiDestination\n Properties:\n\ + \ Name: !Sub ${EventBridgeRoleName}-destination\n ConnectionArn:\ + \ !GetAtt EventBridgeConnection.Arn\n InvocationEndpoint: !Ref IngestionUrl\n\ + \ HttpMethod: POST\n InvocationRateLimitPerSecond: !Ref RateLimit\n\ + \n EventBridgeRule:\n Type: AWS::Events::Rule\n Properties:\n \ + \ Name: !Ref EventBridgeRoleName\n Description: Capture all CloudTrail\ + \ events for Sysdig Secure\n EventPattern: !Ref EventBridgeEventPattern\n\ + \ State: !Ref EventBridgeState\n Targets:\n - Id: !Ref EventBridgeRoleName\n\ + \ Arn: !GetAtt EventBridgeApiDestination.Arn\n RoleArn:\ + \ !Sub \"arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}\"\n"
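Review bot: `ApiKey` is declared as a plain `Type: String` parameter with no `NoEcho: true` — at the top level and again inside the embedded `TemplateBody` of both `MgmtAccEBRuleStackSet` and `EBApiDestStackSet` — so the Sysdig API key is readable in plaintext via `DescribeStacks`/the console on the parent stack and, I would expect, on every stack instance; `NoEcho: true` on each `ApiKey` declaration closes that without changing how the value reaches `AWS::Events::Connection`. The `ExecutionRole` attaches `arn:aws:iam::aws:policy/AdministratorAccess`, yet the only StackSet that uses it (`MgmtAccEBRuleStackSet`, `SELF_MANAGED`, targeting `AWS::AccountId`) creates just an `AWS::Events::Connection`, an `AWS::Events::ApiDestination` and an `AWS::Events::Rule`, so an inline policy along the lines below — EventBridge connection/destination/rule actions on the named resources, the Secrets Manager actions the EventBridge connection documentation lists for `events!connection/*` secrets, and `iam:PassRole` on the target role — would cover it with far less blast radius (validate the exact action set against a real deployment). Both roles also use the fixed names `AWSCloudFormationStackSetAdministrationRole`/`AWSCloudFormationStackSetExecutionRole`, which will make stack creation fail in any management account that already has the standard self-managed StackSet roles; a note in the parameter-group description or a condition to reuse existing roles would avoid a confusing rollback.
```yaml
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetExecutionRole
      # … unchanged: AssumeRolePolicyDocument trusting AdministrationRole …
      Policies:
        - PolicyName: StackSetExecution-EventBridgeApiDestination
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: EventBridgeResources
                Effect: Allow
                Action:
                  - events:CreateConnection
                  - events:UpdateConnection
                  - events:DeleteConnection
                  - events:DescribeConnection
                  - events:CreateApiDestination
                  - events:UpdateApiDestination
                  - events:DeleteApiDestination
                  - events:DescribeApiDestination
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                  - events:PutTargets
                  - events:RemoveTargets
                  - events:ListTargetsByRule
                Resource:
                  - Fn::Sub: arn:aws:events:*:${AWS::AccountId}:connection/${EventBridgeRoleName}-connection/*
                  - Fn::Sub: arn:aws:events:*:${AWS::AccountId}:api-destination/${EventBridgeRoleName}-destination/*
                  - Fn::Sub: arn:aws:events:*:${AWS::AccountId}:rule/${EventBridgeRoleName}
              - Sid: ConnectionSecret
                Effect: Allow
                Action:
                  - secretsmanager:CreateSecret
                  - secretsmanager:UpdateSecret
                  - secretsmanager:DeleteSecret
                  - secretsmanager:DescribeSecret
                  - secretsmanager:PutSecretValue
                Resource:
                  Fn::Sub: arn:aws:secretsmanager:*:${AWS::AccountId}:secret:events!connection/*
              - Sid: PassTargetRole
                Effect: Allow
                Action: iam:PassRole
                Resource:
                  Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}
                Condition:
                  StringEquals:
                    iam:PassedToService: events.amazonaws.com
```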