From 167ff0e296dcbf11517962587ca4fe6149aec534 Mon Sep 17 00:00:00 2001 From: matteopasa Date: Mon, 24 Mar 2025 12:18:33 +0100 Subject: [PATCH 1/8] api dest cfts --- .../EventBridgeApiDest.yaml | 159 +++++++ templates_eventbridge_api_dest/Makefile | 74 +++ .../OrgEventBridgeApiDest.yaml | 436 ++++++++++++++++++ 3 files changed, 669 insertions(+) create mode 100644 templates_eventbridge_api_dest/EventBridgeApiDest.yaml create mode 100644 templates_eventbridge_api_dest/Makefile create mode 100644 templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml diff --git a/templates_eventbridge_api_dest/EventBridgeApiDest.yaml b/templates_eventbridge_api_dest/EventBridgeApiDest.yaml new file mode 100644 index 0000000..45d81fd --- /dev/null +++ b/templates_eventbridge_api_dest/EventBridgeApiDest.yaml 
@@ -0,0 +1,159 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure via API Destination + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: "Sysdig Settings (Do not change)" + Parameters: + - EventBridgeRoleName + - ExternalID + - TrustedIdentity + - ApiKey + - IngestionUrl + - RateLimit + - EventBridgeState + - EventBridgeEventPattern + + ParameterLabels: + ExternalID: + default: "External ID (Sysdig use only)" + TrustedIdentity: + default: "Trusted Identity (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Ingestion URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" + EventBridgeRoleName: + default: "Integration Name (Sysdig use only)" + EventBridgeState: + default: "State of the EventBridge Rule (Sysdig use only)" + EventBridgeEventPattern: + default: "Event Pattern (Sysdig use only)" + +Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create an IAM Role and EventBridge Rule + ExternalID: + Type: String + Description: Sysdig ExternalID required for the policy creation + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API ingestion URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 + EventBridgeState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED + AllowedValues: + - ENABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via 
CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } + +Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKey: + Key: X-Api-Key + Value: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + + EventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Ref EventBridgeRoleName + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: 'sts:AssumeRole' + - Effect: "Allow" + Principal: + AWS: !Ref TrustedIdentity + Action: "sts:AssumeRole" + Condition: + StringEquals: + sts:ExternalId: !Ref ExternalID + Policies: + - PolicyName: !Ref EventBridgeRoleName + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow + Action: + - "events:DescribeRule" + - "events:ListTargetsByRule" + Resource: + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" + + EventBridgeRule: + Type: AWS::Events::Rule + Properties: + Name: !Ref EventBridgeRoleName + Description: Capture all CloudTrail events for Sysdig Secure + EventPattern: !Ref 
EventBridgeEventPattern + State: !Ref EventBridgeState + Targets: + - Id: !Ref EventBridgeRoleName + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !GetAtt EventBridgeRole.Arn diff --git a/templates_eventbridge_api_dest/Makefile b/templates_eventbridge_api_dest/Makefile new file mode 100644 index 0000000..6b9f245 --- /dev/null +++ b/templates_eventbridge_api_dest/Makefile 
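Review bot: `ApiKey` and `ExternalID` are declared as plain `Type: String` parameters without `NoEcho: true`, so the secret value comes back in clear from DescribeStacks, in the console and in stack events to anyone with read access to the stack. Add `NoEcho: true` under each of those parameters; the same omission is in the OrgEventBridgeApiDest.yaml hunk of this patch and in the Parameters hunks of PATCH 3/8 for both EventBridge.yaml and OrgEventBridge.yaml. `EventBridgeRoleName` is also used verbatim as an IAM role name, an EventBridge rule name and a target Id but carries no `AllowedPattern` or `MaxLength`, so a value rejected by one of those resources only surfaces as a failed stack creation.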
@@ -0,0 +1,74 @@ +# requires AWS_PROFILE +# bucket must exist, prefix will be created +S3_BUCKET ?= "s4c-cft" +S3_PREFIX ?= "test" +# We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error +S3_REGION ?= "eu-west-1" # ireland +SECURE_API_TOKEN ?= "" +STACK_NAME = "EventBridgeApiDestTest" +STACK_NAME_ORG = "OrgEventBridgeApiDestTest" + +.PHONY: packaged-template.yaml +.PHONY: packaged-template-org.yaml + +validate: + aws cloudformation validate-template --template-body file://./EventBridgeApiDest.yaml + aws cloudformation validate-template --template-body file://./OrgEventBridgeApiDest.yaml + +lint: + cfn-lint *.yaml + +packaged-template.yaml: + aws s3 rm s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX) --recursive + aws cloudformation package \ + --region $(S3_REGION) \ + --template-file EventBridgeApiDest.yaml \ + --s3-bucket $(S3_BUCKET) \ + --s3-prefix event-bridge/single/$(S3_PREFIX) \ + --force-upload \ + --output-template-file packaged-template.yaml + +test: packaged-template.yaml + aws cloudformation deploy \ + --stack-name $(STACK_NAME) \ + --template-file packaged-template.yaml \ + --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ + --parameter-overrides \ + "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" + +ci: packaged-template.yaml + aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX)/entry-point.yaml + +clean: + aws cloudformation delete-stack --stack-name $(STACK_NAME) + +packaged-template-org.yaml: + aws s3 rm s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX) --recursive + aws cloudformation package \ + --region $(S3_REGION) \ + --template-file OrgEventBridgeApiDest.yaml \ + --s3-bucket $(S3_BUCKET) \ + --s3-prefix event-bridge/$(S3_PREFIX) \ + --force-upload \ + --output-template-file packaged-template-org.yaml + +test-org: packaged-template-org.yaml + aws cloudformation deploy \ + --stack-name $(STACK_NAME_ORG) \ + --template-file 
packaged-template-org.yaml \ + --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ + --parameter-overrides \ + "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" + +ci-org: packaged-template-org.yaml + aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)/entry-point.yaml + +clean-org: + aws cloudformation delete-stack --stack-name $(STACK_NAME_ORG) + +# +# local-test-manual: +# (have not found a way to do it via cli) +# aws console > cloudformation > create new stack (template, upload template: select ./templates_ecs/Cloudvision.yaml) +# note: this will upload the template into an s3 bucket, remember to delete it afterwards +# diff --git a/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml b/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml new file mode 100644 index 0000000..283d208 --- /dev/null +++ b/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml 
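Review bot: `packaged-template-org.yaml` empties `s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)` but then packages with `--s3-prefix event-bridge/$(S3_PREFIX)`, so the org artifacts land outside the prefix that was just cleared and that `ci-org` uploads into; use `--s3-prefix event-bridge/org/$(S3_PREFIX)`. The `test` and `test-org` targets pass only `SysdigSecureAPIToken`, which neither template in this patch declares, while the parameters without a `Default` (EventBridgeRoleName, ExternalID, TrustedIdentity, ApiKey, IngestionUrl/EndpointUrl, Regions, OrganizationUnitIDs) are not supplied at all, so `deploy` is expected to fail as written. The trailing comment still points at `./templates_ecs/Cloudvision.yaml`, which is not part of this directory.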
@@ -0,0 +1,436 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: EventBridge resources with API Destinations that forward CloudTrail logs to Sysdig Secure across AWS Organizations + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: "Sysdig Settings (Do not change)" + Parameters: + - EventBridgeRoleName + - ExternalID + - TrustedIdentity + - ApiKey + - EndpointUrl + - RateLimit + - Regions + - OrganizationUnitIDs + - EventBridgeState + - EventBridgeEventPattern + + ParameterLabels: + EventBridgeRoleName: + default: "Integration Name (Sysdig use only)" + ExternalID: + default: "External ID (Sysdig use only)" + TrustedIdentity: + default: "Trusted Identity (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + EndpointUrl: + default: "Endpoint URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" + Regions: + default: "EventBridge Regions (Sysdig use only)" + OrganizationUnitIDs: + default: "Organization Unit IDs (Sysdig use only)" + EventBridgeState: + default: "State of the EventBridge Rule (Sysdig use only)" + EventBridgeEventPattern: + default: "Event Pattern (Sysdig use only)" + +Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create an IAM Role and EventBridge Rule + ExternalID: + Type: String + Description: Sysdig ExternalID required for the policy creation + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + EndpointUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 + Regions: + Type: String + Description: Comma separated list of regions to monitor with EventBridge + OrganizationUnitIDs: + Type: String + Description: Comma separated list of Organization Unit IDs to 
deploy + EventBridgeState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED + AllowedValues: + - ENABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } + +Resources: + # CloudFormation StackSet Administration Role + AdministrationRole: + Type: AWS::IAM::Role + Properties: + RoleName: AWSCloudFormationStackSetAdministrationRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: cloudformation.amazonaws.com + Action: + - sts:AssumeRole + Policies: + - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - sts:AssumeRole + Resource: + - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole" + + # CloudFormation StackSet Execution Role + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: AWSCloudFormationStackSetExecutionRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: + - !GetAtt AdministrationRole.RoleId + Action: + - sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AdministratorAccess + + # EventBridge Role in management account + MgmtAccEventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub ${EventBridgeRoleName} + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: 'sts:AssumeRole' + - 
Effect: "Allow" + Principal: + AWS: !Sub ${TrustedIdentity} + Action: "sts:AssumeRole" + Condition: + StringEquals: + sts:ExternalId: !Sub ${ExternalID} + Policies: + - PolicyName: !Sub ${EventBridgeRoleName} + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow + Action: + - "events:DescribeRule" + - "events:ListTargetsByRule" + Resource: + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" + + MgmtAccEBRuleStackSet: + Type: AWS::CloudFormation::StackSet + Metadata: + cfn-lint: + config: + ignore_checks: + - W3005 + DependsOn: + - ExecutionRole + - AdministrationRole + Properties: + StackSetName: MgmtAccEBRuleStackSet + AdministrationRoleARN: !GetAtt AdministrationRole.Arn + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + PermissionModel: SELF_MANAGED + ManagedExecution: + Active: true + Capabilities: + - CAPABILITY_NAMED_IAM + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: !Ref EventBridgeRoleName + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: EndpointUrl + ParameterValue: !Ref EndpointUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit + - ParameterKey: EventBridgeState + ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern + StackInstancesGroup: + - DeploymentTargets: + Accounts: + - !Ref AWS::AccountId + Regions: !Split [ ",", !Ref Regions] + TemplateBody: | + AWSTemplateFormatVersion: 
"2010-09-09" + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create an IAM Role and EventBridge Rule + ApiKey: + Type: String + Description: API key for authentication + EndpointUrl: + Type: String + Description: Target endpoint URL for the API destination + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + EventBridgeState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED + AllowedValues: + - ENABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKey: + Key: x-api-key + Value: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref EndpointUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + + EventBridgeRule: + Type: AWS::Events::Rule + Properties: + Name: !Sub ${EventBridgeRoleName} + Description: Capture all CloudTrail events + EventPattern: !Ref EventBridgeEventPattern + State: !Ref EventBridgeState + Targets: + - Id: !Sub ${EventBridgeRoleName} + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" + + # StackSet for member accounts - Role deployment + EBRoleStackSet: + Type: AWS::CloudFormation::StackSet + Properties: + StackSetName: EBRoleStackSet + Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + PermissionModel: SERVICE_MANAGED + Capabilities: + - "CAPABILITY_NAMED_IAM" + AutoDeployment: + Enabled: true + 
RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: !Ref EventBridgeRoleName + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] + Regions: [!Ref "AWS::Region"] + TemplateBody: | + AWSTemplateFormatVersion: "2010-09-09" + Description: IAM Role used for EventBridge API Destinations + Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create IAM Role for EventBridge + Resources: + EventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Ref EventBridgeRoleName + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: 'sts:AssumeRole' + Policies: + - PolicyName: !Ref EventBridgeRoleName + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" + + # StackSet for member accounts - EventBridge resources deployment + EBApiDestStackSet: + Type: AWS::CloudFormation::StackSet + DependsOn: EBRoleStackSet + Properties: + StackSetName: EBApiDestStackSet + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure + PermissionModel: SERVICE_MANAGED + Capabilities: + - "CAPABILITY_NAMED_IAM" + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - 
ParameterKey: EventBridgeRoleName + ParameterValue: !Ref EventBridgeRoleName + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: EndpointUrl + ParameterValue: !Ref EndpointUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit + - ParameterKey: EventBridgeState + ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] + Regions: !Split [ ",", !Ref Regions] + TemplateBody: | + AWSTemplateFormatVersion: "2010-09-09" + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure + Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create an IAM Role and EventBridge Rule + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + EndpointUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + EventBridgeState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED + AllowedValues: + - ENABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKey: + Key: x-api-key + Value: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref EndpointUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + + EventBridgeRule: + Type: AWS::Events::Rule + Properties: + Name: !Ref EventBridgeRoleName + 
Description: Capture all CloudTrail events for Sysdig Secure + EventPattern: !Ref EventBridgeEventPattern + State: !Ref EventBridgeState + Targets: + - Id: !Ref EventBridgeRoleName + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" From d1f6060eb7ae566df0a6fb5d3d095980d4699f1d Mon Sep 17 00:00:00 2001 From: matteopasa Date: Mon, 24 Mar 2025 15:30:24 +0100 Subject: [PATCH 2/8] small fix --- templates_eventbridge_api_dest/EventBridgeApiDest.yaml | 6 +++--- templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/templates_eventbridge_api_dest/EventBridgeApiDest.yaml b/templates_eventbridge_api_dest/EventBridgeApiDest.yaml index 45d81fd..f05da3d 100644 --- a/templates_eventbridge_api_dest/EventBridgeApiDest.yaml +++ b/templates_eventbridge_api_dest/EventBridgeApiDest.yaml @@ -91,9 +91,9 @@ Resources: Name: !Sub ${EventBridgeRoleName}-connection AuthorizationType: API_KEY AuthParameters: - ApiKey: - Key: X-Api-Key - Value: !Ref ApiKey + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey EventBridgeApiDestination: Type: AWS::Events::ApiDestination diff --git a/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml b/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml index 283d208..42af93e 100644 --- a/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml +++ b/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml @@ -119,7 +119,7 @@ Resources: Action: - sts:AssumeRole Resource: - - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole" + - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole" # CloudFormation StackSet Execution Role ExecutionRole: 
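Review bot: `MgmtAccEBRuleStackSet` lists only `ExecutionRole` and `AdministrationRole` under `DependsOn`, yet the nested rule's target uses `RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}"`, which creates no dependency on `MgmtAccEventBridgeRole`; add `- MgmtAccEventBridgeRole` to that `DependsOn` so the stack instances are not created before the role exists. `ApiKey` is forwarded as an ordinary StackSet parameter into every management and member stack instance, where it is readable through the stack and StackSet parameter views, so the inner `TemplateBody` parameter blocks need `NoEcho: true` in addition to the outer one. `ExecutionRole` attaches `AdministratorAccess` although the only stack it runs here creates EventBridge and IAM resources; if the role is created solely for this integration, a narrower inline policy is worth considering.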
@@ -256,9 +256,9 @@ Resources: Name: !Sub ${EventBridgeRoleName}-connection AuthorizationType: API_KEY AuthParameters: - ApiKey: - Key: x-api-key - Value: !Ref ApiKey + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey EventBridgeApiDestination: Type: AWS::Events::ApiDestination From aeb0ca9cb3a0b1f7e9d23419b3611195c8fecc5e Mon Sep 17 00:00:00 2001 From: matteopasa Date: Tue, 25 Mar 2025 11:56:50 +0100 Subject: [PATCH 3/8] fix event bridge org --- templates_eventbridge/EventBridge.yaml | 78 +++- templates_eventbridge/Makefile | 33 +- templates_eventbridge/OrgEventBridge.yaml | 292 ++++++------ .../packaged-template-org.yaml | 369 +++++++++++++++ .../EventBridgeApiDest.yaml | 159 ------- templates_eventbridge_api_dest/Makefile | 74 --- .../OrgEventBridgeApiDest.yaml | 436 ------------------ 7 files changed, 610 insertions(+), 831 deletions(-) create mode 100644 templates_eventbridge/packaged-template-org.yaml delete mode 100644 templates_eventbridge_api_dest/EventBridgeApiDest.yaml delete mode 100644 templates_eventbridge_api_dest/Makefile delete mode 100644 templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml diff --git a/templates_eventbridge/EventBridge.yaml b/templates_eventbridge/EventBridge.yaml index 500723d..f05da3d 100644 --- a/templates_eventbridge/EventBridge.yaml +++ b/templates_eventbridge/EventBridge.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure +Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure via API Destination Metadata: AWS::CloudFormation::Interface: @@ -10,7 +10,9 @@ Metadata: - EventBridgeRoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - EventBridgeState - EventBridgeEventPattern 
@@ -19,8 +21,12 @@ Metadata: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Ingestion URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" EventBridgeRoleName: default: "Integration Name (Sysdig use only)" EventBridgeState: @@ -38,15 +44,21 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API ingestion URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: @@ -73,6 +85,25 @@ Parameters: } Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRole: Type: AWS::IAM::Role Properties: 
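Review bot: `IngestionUrl` in the `@@ -38,15 +44,21 @@` hunk is an unconstrained `String` although the API key is sent in the `X-Api-Key` header of every request to it. An `AllowedPattern: '^https://.*'` rejects a plaintext-HTTP or mistyped endpoint at parameter validation instead of at resource creation, and `RateLimit` could likewise carry `MinValue: 1` so a zero or negative value is caught at the same stage.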
@@ -89,31 +120,40 @@ Resources: Action: "sts:AssumeRole" Condition: StringEquals: - sts:ExternalId: !Ref ExternalID + sts:ExternalId: !Ref ExternalID Policies: - PolicyName: !Ref EventBridgeRoleName PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Ref EventBusARN - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" + EventBridgeRule: Type: AWS::Events::Rule Properties: Name: !Ref EventBridgeRoleName - Description: Capture all CloudTrail events + Description: Capture all CloudTrail events for Sysdig Secure EventPattern: !Ref EventBridgeEventPattern State: !Ref EventBridgeState Targets: - Id: !Ref EventBridgeRoleName - Arn: !Ref EventBusARN - RoleArn: !GetAtt - - EventBridgeRole - - Arn + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !GetAtt EventBridgeRole.Arn diff --git a/templates_eventbridge/Makefile b/templates_eventbridge/Makefile index 6fe59c5..96a63c5 100644 --- a/templates_eventbridge/Makefile +++ b/templates_eventbridge/Makefile @@ -1,10 +1,10 @@ # requires AWS_PROFILE # bucket must exist, prefix will be created -S3_BUCKET ?= "s4c-cft" +S3_BUCKET ?= "" S3_PREFIX ?= "test" # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error -S3_REGION ?= "eu-west-1" # ireland -SECURE_API_TOKEN ?= "" +S3_REGION ?= "us-east-1" +SECURE_API_TOKEN ?= "" STACK_NAME = "EventBridgeTest" STACK_NAME_ORG = "OrgEventBridgeTest" 
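Review bot: The `InvokeApiDestination` statement grants `arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*`, i.e. a destination of that name in any account and region, although the destination is created in this same template; `Resource: !GetAtt EventBridgeApiDestination.Arn` scopes the role to exactly that destination and also orders the role after it. The `ValidationAccess` statement on `Resource: "*"` is read-only Describe access and can stay. The same wildcard appears in the management-account role of OrgEventBridge.yaml in this patch, where `${AWS::AccountId}` can at least replace the account wildcard.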
@@ -30,11 +30,19 @@ packaged-template.yaml: test: packaged-template.yaml aws cloudformation deploy \ - --stack-name $(STACK_NAME) \ + --stack-name "EventBridgeTest" \ --template-file packaged-template.yaml \ --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ --parameter-overrides \ - "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" + "SysdigSecureAPIToken=" \ + "ApiKey=4ba93f30-c5d2-42e8-9319-c8d23a6b174d" \ + "IngestionUrl=https://ingest-eu1.app.sysdig.com/api/events" \ + "EventBridgeRoleName=SysdigEventBridgeIntegration" \ + "ExternalID=bcacfba7093b0c5fce39ee8012272f07" \ + "TrustedIdentity=arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role" \ + "RateLimit=300" \ + "EventBridgeState=ENABLED" \ + "EventBridgeEventPattern={\"source\":[\"aws.cloudtrail\"]}" ci: packaged-template.yaml aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX)/entry-point.yaml 
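Review bot: The `test` target now embeds a live-looking Sysdig `ApiKey`, the `ExternalID`, the `TrustedIdentity` role ARN and an ingestion URL directly in the Makefile, so these secrets are committed to version control and echoed in every shell or CI log that prints the recipe; the same values are repeated in the `test-org` hunk below. A key that has been committed should be treated as exposed and rotated, and the overrides should come from make variables with empty defaults next to `SECURE_API_TOKEN` (for example `API_KEY ?= ""`) so the values are supplied from the environment. `SysdigSecureAPIToken=` can be dropped, since EventBridge.yaml at this revision declares no parameter of that name, and `--stack-name "EventBridgeTest"` should go back to `$(STACK_NAME)`, which is still defined at the top of the file.
```makefile
# constructed variable names; define them near SECURE_API_TOKEN with empty defaults
test: packaged-template.yaml
	aws cloudformation deploy \
		--stack-name $(STACK_NAME) \
		--template-file packaged-template.yaml \
		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
		--parameter-overrides \
			"ApiKey=$(API_KEY)" \
			"IngestionUrl=$(INGESTION_URL)" \
			"EventBridgeRoleName=$(EVENTBRIDGE_ROLE_NAME)" \
			"ExternalID=$(EXTERNAL_ID)" \
			"TrustedIdentity=$(TRUSTED_IDENTITY)" \
			"RateLimit=$(RATE_LIMIT)" \
			"EventBridgeState=ENABLED" \
			"EventBridgeEventPattern=$(EVENT_PATTERN)"
```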
@@ -54,11 +62,22 @@ packaged-template-org.yaml: test-org: packaged-template-org.yaml aws cloudformation deploy \ - --stack-name $(STACK_NAME_ORG) \ + --region "us-east-1" \ + --stack-name "EventBridgeTest" \ --template-file packaged-template-org.yaml \ --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ --parameter-overrides \ - "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" + "SysdigSecureAPIToken=" \ + "ApiKey=4ba93f30-c5d2-42e8-9319-c8d23a6b174d" \ + "IngestionUrl=https://ingest-eu1.app.sysdig.com/api/events" \ + "EventBridgeRoleName=SysdigEventBridgeIntegration" \ + "ExternalID=bcacfba7093b0c5fce39ee8012272f07" \ + "TrustedIdentity=arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role" \ + "RateLimit=300" \ + "OrganizationUnitIDs=ou-s212-x4xr99jl,ou-s212-c5n6dwzt,ou-s212-uihli2xi" \ + "EventBridgeState=ENABLED" \ + "EventBridgeEventPattern={\"source\":[\"aws.cloudtrail\"]}" \ + "Regions=us-east-1,us-west-2" ci-org: packaged-template-org.yaml aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)/entry-point.yaml diff --git a/templates_eventbridge/OrgEventBridge.yaml b/templates_eventbridge/OrgEventBridge.yaml index 50db948..98cf747 100644 --- a/templates_eventbridge/OrgEventBridge.yaml +++ b/templates_eventbridge/OrgEventBridge.yaml 
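Review bot: `test-org` deploys to `--stack-name "EventBridgeTest"`, the same name the `test` target uses, so running both replaces the single-account stack with the organization template instead of creating a second stack; `STACK_NAME_ORG` is still defined above and should be used here, `--stack-name $(STACK_NAME_ORG)`. The `--region "us-east-1"` literal also bypasses `S3_REGION`, which the `packaged-template-org.yaml` target uses, so package and deploy regions can silently diverge; `--region $(S3_REGION)` keeps them aligned.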
@@ -1,31 +1,36 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure +Description: EventBridge resources with API Destinations that forward CloudTrail logs to Sysdig Secure across AWS Organizations + Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Sysdig Settings (Do not change)" Parameters: - - CSPMRoleName - EventBridgeRoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - Regions - OrganizationUnitIDs - EventBridgeState - EventBridgeEventPattern + ParameterLabels: - CSPMRoleName: - default: "CSPM Role Name (Sysdig use only)" EventBridgeRoleName: - default: "Integration Name (Sysdig use only)" + default: "Integration Name (Sysdig use only)" ExternalID: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Endpoint URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" Regions: default: "EventBridge Regions (Sysdig use only)" OrganizationUnitIDs: @@ -34,10 +39,8 @@ Metadata: default: "State of the EventBridge Rule (Sysdig use only)" EventBridgeEventPattern: default: "Event Pattern (Sysdig use only)" + Parameters: - CSPMRoleName: - Type: String - Description: Unique role for monitoring AWS accounts EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule 
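Review bot: The `IngestionUrl` parameter is labelled `"Endpoint URL (Sysdig use only)"` here while EventBridge.yaml in the same patch labels the identically named parameter `"Ingestion URL (Sysdig use only)"`; both templates are surfaced in the same console flow, so use one label, `default: "Ingestion URL (Sysdig use only)"`. The `EventBridgeRoleName` label line is removed and re-added with the same text, which looks like a whitespace-only change and is better kept out of a functional commit.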
@@ -47,9 +50,16 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 Regions: Type: String Description: Comma separated list of regions to monitor with EventBridge @@ -59,9 +69,8 @@ Parameters: EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: @@ -88,6 +97,7 @@ Parameters: } Resources: + # CloudFormation StackSet Administration Role AdministrationRole: Type: AWS::IAM::Role Properties: @@ -109,7 +119,9 @@ Resources: Action: - sts:AssumeRole Resource: - - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole" + - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole" + + # CloudFormation StackSet Execution Role ExecutionRole: Type: AWS::IAM::Role Properties: @@ -125,22 +137,8 @@ Resources: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AdministratorAccess - MgmtAccCloudAgentlessRole: - Type: "AWS::IAM::Role" - Properties: - RoleName: !Sub ${CSPMRoleName} - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Principal: - AWS: !Sub ${TrustedIdentity} - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Sub ${ExternalID} - ManagedPolicyArns: - - arn:aws:iam::aws:policy/SecurityAudit + + # EventBridge Role in management account MgmtAccEventBridgeRole: Type: AWS::IAM::Role Properties: 
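Review bot: The `@@ -125,22 +137,8 @@` hunk removes `MgmtAccCloudAgentlessRole`, the `CSPMRoleName` role trusted by `TrustedIdentity` with `SecurityAudit`; on an update of a stack deployed from the previous revision CloudFormation deletes that role, which breaks any Sysdig CSPM access that still relies on it. If the role now lives in another template the commit should say so, and if existing deployments must keep it, a `DeletionPolicy: Retain` step before the removal avoids the delete.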
@@ -158,21 +156,32 @@ Resources: Action: "sts:AssumeRole" Condition: StringEquals: - sts:ExternalId: !Sub ${ExternalID} + sts:ExternalId: !Sub ${ExternalID} Policies: - PolicyName: !Sub ${EventBridgeRoleName} PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" + MgmtAccEBRuleStackSet: Type: AWS::CloudFormation::StackSet Metadata: @@ -199,8 +208,12 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState - ParameterKey: EventBridgeEventPattern 
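Review bot: The new `ValidationAccess` statement in the `@@ -158,21 +156,32 @@` hunk grants `events:DescribeApiDestination` and `events:DescribeConnection` on `Resource: "*"`, while the two statements beside it scope their resources to this integration's own names; the role's trust policy carries an `sts:ExternalId` condition, so it appears to be assumable from outside the account as well, and every right on this role is a right for that principal too. Scope it the same way as the invoke statement, replacing the wildcard with `- !Sub "arn:aws:events:*:*:connection/${EventBridgeRoleName}-connection/*"` and `- !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*"`. The member-account copy of this statement in the `@@ -319,32 +324,38 @@` hunk has the same wildcard and should get the same change. `MgmtAccEventBridgeRole` starts before this hunk.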
@@ -217,51 +230,58 @@ Resources: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: + Type: String + Description: API key for authentication + IngestionUrl: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: Target endpoint URL for the API destination + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: Type: String Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - Resources: + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events 
EventPattern: !Ref EventBridgeEventPattern - State: !Sub ${EventBridgeState} + State: !Ref EventBridgeState Targets: - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} - RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" + + # StackSet for member accounts - Role deployment EBRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: @@ -279,39 +299,24 @@ Resources: MaxConcurrentPercentage: 100 ConcurrencyMode: SOFT_FAILURE_TOLERANCE Parameters: - - ParameterKey: TrustedIdentity - ParameterValue: !Ref TrustedIdentity - - ParameterKey: ExternalID - ParameterValue: !Ref ExternalID - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] Regions: [!Ref "AWS::Region"] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" - Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + Description: IAM Role used for EventBridge API Destinations Parameters: - TrustedIdentity: - Type: String - Description: The Role in Sysdig's AWS Account with permissions to your account - ExternalID: - Type: String - Description: Sysdig ExternalID required for the policy creation EventBridgeRoleName: Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: - Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: A unique identifier used to create IAM Role for EventBridge Resources: EventBridgeRole: Type: AWS::IAM::Role Properties: - RoleName: !Sub ${EventBridgeRoleName} + RoleName: !Ref EventBridgeRoleName AssumeRolePolicyDocument: Version: "2012-10-17" Statement: 
@@ -319,32 +324,38 @@ Resources: Principal: Service: events.amazonaws.com Action: 'sts:AssumeRole' - - Effect: "Allow" - Principal: - AWS: !Sub ${TrustedIdentity} - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Sub ${ExternalID} Policies: - - PolicyName: !Sub ${EventBridgeRoleName} + - PolicyName: !Ref EventBridgeRoleName PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} - EBRuleStackSet: + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" + + # StackSet for member accounts - EventBridge resources deployment + EBApiDestStackSet: Type: AWS::CloudFormation::StackSet + DependsOn: EBRoleStackSet Properties: - StackSetName: EBRuleStackSet - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + StackSetName: EBApiDestStackSet + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure PermissionModel: SERVICE_MANAGED Capabilities: - "CAPABILITY_NAMED_IAM" 
@@ -360,8 +371,12 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState - ParameterKey: EventBridgeEventPattern 
@@ -372,53 +387,58 @@ Resources: Regions: !Split [ ",", !Ref Regions] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure Parameters: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: Type: String Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - Resources: + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt 
EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: - Name: !Sub ${EventBridgeRoleName} - Description: Capture all CloudTrail events + Name: !Ref EventBridgeRoleName + Description: Capture all CloudTrail events for Sysdig Secure EventPattern: !Ref EventBridgeEventPattern - State: !Sub ${EventBridgeState} + State: !Ref EventBridgeState Targets: - - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} - RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" \ No newline at end of file + - Id: !Ref EventBridgeRoleName + Arn: !GetAtt EventBridgeApiDestination.Arn + RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" diff --git a/templates_eventbridge/packaged-template-org.yaml b/templates_eventbridge/packaged-template-org.yaml new file mode 100644 index 0000000..4939e20 --- /dev/null +++ b/templates_eventbridge/packaged-template-org.yaml 
@@ -0,0 +1,369 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: EventBridge resources with API Destinations that forward CloudTrail logs + to Sysdig Secure across AWS Organizations +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Sysdig Settings (Do not change) + Parameters: + - EventBridgeRoleName + - ExternalID + - TrustedIdentity + - ApiKey + - IngestionUrl + - RateLimit + - Regions + - OrganizationUnitIDs + - EventBridgeState + - EventBridgeEventPattern + ParameterLabels: + EventBridgeRoleName: + default: Integration Name (Sysdig use only) + ExternalID: + default: External ID (Sysdig use only) + TrustedIdentity: + default: Trusted Identity (Sysdig use only) + ApiKey: + default: API Key (Sysdig use only) + IngestionUrl: + default: Endpoint URL (Sysdig use only) + RateLimit: + default: Rate Limit (Sysdig use only) + Regions: + default: EventBridge Regions (Sysdig use only) + OrganizationUnitIDs: + default: Organization Unit IDs (Sysdig use only) + EventBridgeState: + default: State of the EventBridge Rule (Sysdig use only) + EventBridgeEventPattern: + default: Event Pattern (Sysdig use only) +Parameters: + EventBridgeRoleName: + Type: String + Description: A unique identifier used to create an IAM Role and EventBridge Rule + ExternalID: + Type: String + Description: Sysdig ExternalID required for the policy creation + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 + Regions: + Type: String + Description: Comma separated list of regions to monitor with EventBridge + OrganizationUnitIDs: + Type: String + Description: Comma separated list of Organization Unit IDs to deploy + 
EventBridgeState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED + AllowedValues: + - ENABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: "{\n \"detail-type\": [\n \"AWS API Call via CloudTrail\",\n \"\ + AWS Console Sign In via CloudTrail\",\n \"AWS Service Event via CloudTrail\"\ + ,\n \"Object Access Tier Changed\",\n \"Object ACL Updated\",\n \"\ + Object Created\",\n \"Object Deleted\",\n \"Object Restore Completed\"\ + ,\n \"Object Restore Expired\",\n \"Object Restore Initiated\",\n \"\ + Object Storage Class Changed\",\n \"Object Tags Added\",\n \"Object Tags\ + \ Deleted\",\n \"GuardDuty Finding\"\n ]\n}\n" +Resources: + AdministrationRole: + Type: AWS::IAM::Role + Properties: + RoleName: AWSCloudFormationStackSetAdministrationRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: cloudformation.amazonaws.com + Action: + - sts:AssumeRole + Policies: + - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - sts:AssumeRole + Resource: + - arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: AWSCloudFormationStackSetExecutionRole + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: + - Fn::GetAtt: + - AdministrationRole + - RoleId + Action: + - sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AdministratorAccess + MgmtAccEventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: + Fn::Sub: ${EventBridgeRoleName} + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: sts:AssumeRole + - Effect: Allow + Principal: + AWS: + Fn::Sub: ${TrustedIdentity} + Action: 
sts:AssumeRole + Condition: + StringEquals: + sts:ExternalId: + Fn::Sub: ${ExternalID} + Policies: + - PolicyName: + Fn::Sub: ${EventBridgeRoleName} + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: InvokeApiDestination + Effect: Allow + Action: + - events:InvokeApiDestination + Resource: + - Fn::Sub: arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/* + - Sid: CloudTrailEventRuleAccess + Effect: Allow + Action: + - events:DescribeRule + - events:ListTargetsByRule + Resource: + - Fn::Sub: arn:aws:events:*:*:rule/${EventBridgeRoleName} + - Sid: ValidationAccess + Effect: Allow + Action: + - events:DescribeApiDestination + - events:DescribeConnection + Resource: '*' + MgmtAccEBRuleStackSet: + Type: AWS::CloudFormation::StackSet + Metadata: + cfn-lint: + config: + ignore_checks: + - W3005 + DependsOn: + - ExecutionRole + - AdministrationRole + Properties: + StackSetName: MgmtAccEBRuleStackSet + AdministrationRoleARN: + Fn::GetAtt: + - AdministrationRole + - Arn + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + PermissionModel: SELF_MANAGED + ManagedExecution: + Active: true + Capabilities: + - CAPABILITY_NAMED_IAM + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: + Ref: EventBridgeRoleName + - ParameterKey: ApiKey + ParameterValue: + Ref: ApiKey + - ParameterKey: IngestionUrl + ParameterValue: + Ref: IngestionUrl + - ParameterKey: RateLimit + ParameterValue: + Ref: RateLimit + - ParameterKey: EventBridgeState + ParameterValue: + Ref: EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: + Ref: EventBridgeEventPattern + StackInstancesGroup: + - DeploymentTargets: + Accounts: + - Ref: AWS::AccountId + Regions: + Fn::Split: + - ',' + - Ref: Regions + TemplateBody: "AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: EventBridge\ 
+ \ Resources that forward CloudTrail logs to Sysdig Secure\nParameters:\n \ + \ EventBridgeRoleName:\n Type: String\n Description: A unique identifier\ + \ used to create an IAM Role and EventBridge Rule\n ApiKey:\n Type: String\n\ + \ Description: API key for authentication\n IngestionUrl:\n Type: String\n\ + \ Description: Target endpoint URL for the API destination\n RateLimit:\n\ + \ Type: Number\n Description: Maximum invocations per second for the\ + \ API destination\n EventBridgeState:\n Type: String\n Description:\ + \ The state of the EventBridge Rule\n Default: ENABLED\n AllowedValues:\n\ + \ - ENABLED\n - DISABLED\n EventBridgeEventPattern:\n Type:\ + \ String\n Description: JSON pattern for the EventBridge rule's event pattern\n\ + Resources:\n EventBridgeConnection:\n Type: AWS::Events::Connection\n\ + \ Properties:\n Name: !Sub ${EventBridgeRoleName}-connection\n \ + \ AuthorizationType: API_KEY\n AuthParameters:\n ApiKeyAuthParameters:\n\ + \ ApiKeyName: X-Api-Key\n ApiKeyValue: !Ref ApiKey\n\n \ + \ EventBridgeApiDestination:\n Type: AWS::Events::ApiDestination\n Properties:\n\ + \ Name: !Sub ${EventBridgeRoleName}-destination\n ConnectionArn:\ + \ !GetAtt EventBridgeConnection.Arn\n InvocationEndpoint: !Ref IngestionUrl\n\ + \ HttpMethod: POST\n InvocationRateLimitPerSecond: !Ref RateLimit\n\ + \n EventBridgeRule:\n Type: AWS::Events::Rule\n Properties:\n \ + \ Name: !Sub ${EventBridgeRoleName}\n Description: Capture all CloudTrail\ + \ events\n EventPattern: !Ref EventBridgeEventPattern\n State: !Ref\ + \ EventBridgeState\n Targets:\n - Id: !Sub ${EventBridgeRoleName}\n\ + \ Arn: !GetAtt EventBridgeApiDestination.Arn\n RoleArn:\ + \ !Sub \"arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}\"\n" + EBRoleStackSet: + Type: AWS::CloudFormation::StackSet + Properties: + StackSetName: EBRoleStackSet + Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + PermissionModel: SERVICE_MANAGED + Capabilities: + - 
CAPABILITY_NAMED_IAM + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: + Ref: EventBridgeRoleName + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + Fn::Split: + - ',' + - Ref: OrganizationUnitIDs + Regions: + - Ref: AWS::Region + TemplateBody: "AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: IAM Role\ + \ used for EventBridge API Destinations\nParameters:\n EventBridgeRoleName:\n\ + \ Type: String\n Description: A unique identifier used to create IAM\ + \ Role for EventBridge\nResources:\n EventBridgeRole:\n Type: AWS::IAM::Role\n\ + \ Properties:\n RoleName: !Ref EventBridgeRoleName\n AssumeRolePolicyDocument:\n\ + \ Version: \"2012-10-17\"\n Statement:\n - Effect:\ + \ Allow\n Principal:\n Service: events.amazonaws.com\n\ + \ Action: 'sts:AssumeRole'\n Policies:\n - PolicyName:\ + \ !Ref EventBridgeRoleName\n PolicyDocument:\n Version:\ + \ \"2012-10-17\"\n Statement:\n - Sid: \"InvokeApiDestination\"\ + \n Effect: Allow\n Action:\n \ + \ - \"events:InvokeApiDestination\"\n Resource:\n \ + \ - !Sub \"arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*\"\ + \n - Sid: \"CloudTrailEventRuleAccess\"\n Effect:\ + \ Allow\n Action:\n - \"events:DescribeRule\"\ + \n - \"events:ListTargetsByRule\"\n Resource:\n\ + \ - !Sub \"arn:aws:events:*:*:rule/${EventBridgeRoleName}\"\ + \n - Sid: \"ValidationAccess\"\n Effect: Allow\n\ + \ Action:\n - \"events:DescribeApiDestination\"\ + \n - \"events:DescribeConnection\"\n Resource:\ + \ \"*\"\n" + EBApiDestStackSet: + Type: AWS::CloudFormation::StackSet + DependsOn: EBRoleStackSet + Properties: + StackSetName: EBApiDestStackSet + Description: EventBridge Resources with API Destinations that forward CloudTrail + logs to Sysdig Secure + PermissionModel: 
SERVICE_MANAGED + Capabilities: + - CAPABILITY_NAMED_IAM + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: EventBridgeRoleName + ParameterValue: + Ref: EventBridgeRoleName + - ParameterKey: ApiKey + ParameterValue: + Ref: ApiKey + - ParameterKey: IngestionUrl + ParameterValue: + Ref: IngestionUrl + - ParameterKey: RateLimit + ParameterValue: + Ref: RateLimit + - ParameterKey: EventBridgeState + ParameterValue: + Ref: EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: + Ref: EventBridgeEventPattern + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + Fn::Split: + - ',' + - Ref: OrganizationUnitIDs + Regions: + Fn::Split: + - ',' + - Ref: Regions + TemplateBody: "AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: EventBridge\ + \ Resources with API Destinations that forward CloudTrail logs to Sysdig Secure\n\ + Parameters:\n EventBridgeRoleName:\n Type: String\n Description: A\ + \ unique identifier used to create an IAM Role and EventBridge Rule\n ApiKey:\n\ + \ Type: String\n Description: API key for Sysdig Secure authentication\n\ + \ IngestionUrl:\n Type: String\n Description: Sysdig Secure API endpoint\ + \ URL\n RateLimit:\n Type: Number\n Description: Maximum invocations\ + \ per second for the API destination\n EventBridgeState:\n Type: String\n\ + \ Description: The state of the EventBridge Rule\n Default: ENABLED\n\ + \ AllowedValues:\n - ENABLED\n - DISABLED\n EventBridgeEventPattern:\n\ + \ Type: String\n Description: JSON pattern for the EventBridge rule's\ + \ event pattern\nResources:\n EventBridgeConnection:\n Type: AWS::Events::Connection\n\ + \ Properties:\n Name: !Sub ${EventBridgeRoleName}-connection\n \ + \ AuthorizationType: API_KEY\n AuthParameters:\n ApiKeyAuthParameters:\n\ + \ 
ApiKeyName: X-Api-Key\n ApiKeyValue: !Ref ApiKey\n\n \ + \ EventBridgeApiDestination:\n Type: AWS::Events::ApiDestination\n Properties:\n\ + \ Name: !Sub ${EventBridgeRoleName}-destination\n ConnectionArn:\ + \ !GetAtt EventBridgeConnection.Arn\n InvocationEndpoint: !Ref IngestionUrl\n\ + \ HttpMethod: POST\n InvocationRateLimitPerSecond: !Ref RateLimit\n\ + \n EventBridgeRule:\n Type: AWS::Events::Rule\n Properties:\n \ + \ Name: !Ref EventBridgeRoleName\n Description: Capture all CloudTrail\ + \ events for Sysdig Secure\n EventPattern: !Ref EventBridgeEventPattern\n\ + \ State: !Ref EventBridgeState\n Targets:\n - Id: !Ref EventBridgeRoleName\n\ + \ Arn: !GetAtt EventBridgeApiDestination.Arn\n RoleArn:\ + \ !Sub \"arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}\"\n" diff --git a/templates_eventbridge_api_dest/EventBridgeApiDest.yaml b/templates_eventbridge_api_dest/EventBridgeApiDest.yaml deleted file mode 100644 index f05da3d..0000000 --- a/templates_eventbridge_api_dest/EventBridgeApiDest.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure via API Destination - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: "Sysdig Settings (Do not change)" - Parameters: - - EventBridgeRoleName - - ExternalID - - TrustedIdentity - - ApiKey - - IngestionUrl - - RateLimit - - EventBridgeState - - EventBridgeEventPattern - - ParameterLabels: - ExternalID: - default: "External ID (Sysdig use only)" - TrustedIdentity: - default: "Trusted Identity (Sysdig use only)" - ApiKey: - default: "API Key (Sysdig use only)" - IngestionUrl: - default: "Ingestion URL (Sysdig use only)" - RateLimit: - default: "Rate Limit (Sysdig use only)" - EventBridgeRoleName: - default: "Integration Name (Sysdig use only)" - EventBridgeState: - default: "State of the EventBridge Rule (Sysdig use only)" - EventBridgeEventPattern: - default: "Event Pattern (Sysdig use only)" - -Parameters: - EventBridgeRoleName: - Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - ExternalID: - Type: String - Description: Sysdig ExternalID required for the policy creation - TrustedIdentity: - Type: String - Description: The Role in Sysdig's AWS Account with permissions to your account - ApiKey: - Type: String - Description: API key for Sysdig Secure authentication - IngestionUrl: - Type: String - Description: Sysdig Secure API ingestion URL - RateLimit: - Type: Number - Description: Maximum invocations per second for the API destination - Default: 300 - EventBridgeState: - Type: String - Description: The state of the EventBridge Rule - Default: ENABLED - AllowedValues: - - ENABLED - - DISABLED - EventBridgeEventPattern: - Type: String - Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via 
CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - -Resources: - EventBridgeConnection: - Type: AWS::Events::Connection - Properties: - Name: !Sub ${EventBridgeRoleName}-connection - AuthorizationType: API_KEY - AuthParameters: - ApiKeyAuthParameters: - ApiKeyName: X-Api-Key - ApiKeyValue: !Ref ApiKey - - EventBridgeApiDestination: - Type: AWS::Events::ApiDestination - Properties: - Name: !Sub ${EventBridgeRoleName}-destination - ConnectionArn: !GetAtt EventBridgeConnection.Arn - InvocationEndpoint: !Ref IngestionUrl - HttpMethod: POST - InvocationRateLimitPerSecond: !Ref RateLimit - - EventBridgeRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Ref EventBridgeRoleName - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: events.amazonaws.com - Action: 'sts:AssumeRole' - - Effect: "Allow" - Principal: - AWS: !Ref TrustedIdentity - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Ref ExternalID - Policies: - - PolicyName: !Ref EventBridgeRoleName - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: "InvokeApiDestination" - Effect: Allow - Action: - - "events:InvokeApiDestination" - Resource: - - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" - - Sid: "CloudTrailEventRuleAccess" - Effect: Allow - Action: - - "events:DescribeRule" - - "events:ListTargetsByRule" - Resource: - - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" - - Sid: "ValidationAccess" - Effect: Allow - Action: - - "events:DescribeApiDestination" - - "events:DescribeConnection" - Resource: "*" - - EventBridgeRule: - Type: AWS::Events::Rule - Properties: - Name: !Ref EventBridgeRoleName - Description: Capture all CloudTrail events for Sysdig 
Secure - EventPattern: !Ref EventBridgeEventPattern - State: !Ref EventBridgeState - Targets: - - Id: !Ref EventBridgeRoleName - Arn: !GetAtt EventBridgeApiDestination.Arn - RoleArn: !GetAtt EventBridgeRole.Arn diff --git a/templates_eventbridge_api_dest/Makefile b/templates_eventbridge_api_dest/Makefile deleted file mode 100644 index 6b9f245..0000000 --- a/templates_eventbridge_api_dest/Makefile +++ /dev/null 
@@ -1,74 +0,0 @@ -# requires AWS_PROFILE -# bucket must exist, prefix will be created -S3_BUCKET ?= "s4c-cft" -S3_PREFIX ?= "test" -# We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error -S3_REGION ?= "eu-west-1" # ireland -SECURE_API_TOKEN ?= "" -STACK_NAME = "EventBridgeApiDestTest" -STACK_NAME_ORG = "OrgEventBridgeApiDestTest" - -.PHONY: packaged-template.yaml -.PHONY: packaged-template-org.yaml - -validate: - aws cloudformation validate-template --template-body file://./EventBridgeApiDest.yaml - aws cloudformation validate-template --template-body file://./OrgEventBridgeApiDest.yaml - -lint: - cfn-lint *.yaml - -packaged-template.yaml: - aws s3 rm s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX) --recursive - aws cloudformation package \ - --region $(S3_REGION) \ - --template-file EventBridgeApiDest.yaml \ - --s3-bucket $(S3_BUCKET) \ - --s3-prefix event-bridge/single/$(S3_PREFIX) \ - --force-upload \ - --output-template-file packaged-template.yaml - -test: packaged-template.yaml - aws cloudformation deploy \ - --stack-name $(STACK_NAME) \ - --template-file packaged-template.yaml \ - --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ - --parameter-overrides \ - "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" - -ci: packaged-template.yaml - aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/event-bridge/single/$(S3_PREFIX)/entry-point.yaml - -clean: - aws cloudformation delete-stack --stack-name $(STACK_NAME) - -packaged-template-org.yaml: - aws s3 rm s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX) --recursive - aws cloudformation package \ - --region $(S3_REGION) \ - --template-file OrgEventBridgeApiDest.yaml \ - --s3-bucket $(S3_BUCKET) \ - --s3-prefix event-bridge/$(S3_PREFIX) \ - --force-upload \ - --output-template-file packaged-template-org.yaml - -test-org: packaged-template-org.yaml - aws cloudformation deploy \ - --stack-name $(STACK_NAME_ORG) \ - --template-file 
packaged-template-org.yaml \ - --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \ - --parameter-overrides \ - "SysdigSecureAPIToken=$(SECURE_API_TOKEN)" - -ci-org: packaged-template-org.yaml - aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/event-bridge/org/$(S3_PREFIX)/entry-point.yaml - -clean-org: - aws cloudformation delete-stack --stack-name $(STACK_NAME_ORG) - -# -# local-test-manual: -# (have not found a way to do it via cli) -# aws console > cloudformation > create new stack (template, upload template: select ./templates_ecs/Cloudvision.yaml) -# note: this will upload the template into an s3 bucket, remember to delete it afterwards -# diff --git a/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml b/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml deleted file mode 100644 index 42af93e..0000000 --- a/templates_eventbridge_api_dest/OrgEventBridgeApiDest.yaml +++ /dev/null 
@@ -1,436 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Description: EventBridge resources with API Destinations that forward CloudTrail logs to Sysdig Secure across AWS Organizations - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: "Sysdig Settings (Do not change)" - Parameters: - - EventBridgeRoleName - - ExternalID - - TrustedIdentity - - ApiKey - - EndpointUrl - - RateLimit - - Regions - - OrganizationUnitIDs - - EventBridgeState - - EventBridgeEventPattern - - ParameterLabels: - EventBridgeRoleName: - default: "Integration Name (Sysdig use only)" - ExternalID: - default: "External ID (Sysdig use only)" - TrustedIdentity: - default: "Trusted Identity (Sysdig use only)" - ApiKey: - default: "API Key (Sysdig use only)" - EndpointUrl: - default: "Endpoint URL (Sysdig use only)" - RateLimit: - default: "Rate Limit (Sysdig use only)" - Regions: - default: "EventBridge Regions (Sysdig use only)" - OrganizationUnitIDs: - default: "Organization Unit IDs (Sysdig use only)" - EventBridgeState: - default: "State of the EventBridge Rule (Sysdig use only)" - EventBridgeEventPattern: - default: "Event Pattern (Sysdig use only)" - -Parameters: - EventBridgeRoleName: - Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - ExternalID: - Type: String - Description: Sysdig ExternalID required for the policy creation - TrustedIdentity: - Type: String - Description: The Role in Sysdig's AWS Account with permissions to your account - ApiKey: - Type: String - Description: API key for Sysdig Secure authentication - EndpointUrl: - Type: String - Description: Sysdig Secure API endpoint URL - RateLimit: - Type: Number - Description: Maximum invocations per second for the API destination - Default: 300 - Regions: - Type: String - Description: Comma separated list of regions to monitor with EventBridge - OrganizationUnitIDs: - Type: String - Description: Comma separated list of Organization Unit IDs to 
deploy - EventBridgeState: - Type: String - Description: The state of the EventBridge Rule - Default: ENABLED - AllowedValues: - - ENABLED - - DISABLED - EventBridgeEventPattern: - Type: String - Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - -Resources: - # CloudFormation StackSet Administration Role - AdministrationRole: - Type: AWS::IAM::Role - Properties: - RoleName: AWSCloudFormationStackSetAdministrationRole - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - sts:AssumeRole - Policies: - - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - sts:AssumeRole - Resource: - - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole" - - # CloudFormation StackSet Execution Role - ExecutionRole: - Type: AWS::IAM::Role - Properties: - RoleName: AWSCloudFormationStackSetExecutionRole - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - AWS: - - !GetAtt AdministrationRole.RoleId - Action: - - sts:AssumeRole - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AdministratorAccess - - # EventBridge Role in management account - MgmtAccEventBridgeRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Sub ${EventBridgeRoleName} - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: events.amazonaws.com - Action: 'sts:AssumeRole' - - 
Effect: "Allow" - Principal: - AWS: !Sub ${TrustedIdentity} - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Sub ${ExternalID} - Policies: - - PolicyName: !Sub ${EventBridgeRoleName} - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: "InvokeApiDestination" - Effect: Allow - Action: - - "events:InvokeApiDestination" - Resource: - - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" - - Sid: "CloudTrailEventRuleAccess" - Effect: Allow - Action: - - "events:DescribeRule" - - "events:ListTargetsByRule" - Resource: - - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" - - Sid: "ValidationAccess" - Effect: Allow - Action: - - "events:DescribeApiDestination" - - "events:DescribeConnection" - Resource: "*" - - MgmtAccEBRuleStackSet: - Type: AWS::CloudFormation::StackSet - Metadata: - cfn-lint: - config: - ignore_checks: - - W3005 - DependsOn: - - ExecutionRole - - AdministrationRole - Properties: - StackSetName: MgmtAccEBRuleStackSet - AdministrationRoleARN: !GetAtt AdministrationRole.Arn - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure - PermissionModel: SELF_MANAGED - ManagedExecution: - Active: true - Capabilities: - - CAPABILITY_NAMED_IAM - OperationPreferences: - MaxConcurrentPercentage: 100 - ConcurrencyMode: SOFT_FAILURE_TOLERANCE - RegionConcurrencyType: PARALLEL - Parameters: - - ParameterKey: EventBridgeRoleName - ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: ApiKey - ParameterValue: !Ref ApiKey - - ParameterKey: EndpointUrl - ParameterValue: !Ref EndpointUrl - - ParameterKey: RateLimit - ParameterValue: !Ref RateLimit - - ParameterKey: EventBridgeState - ParameterValue: !Ref EventBridgeState - - ParameterKey: EventBridgeEventPattern - ParameterValue: !Ref EventBridgeEventPattern - StackInstancesGroup: - - DeploymentTargets: - Accounts: - - !Ref AWS::AccountId - Regions: !Split [ ",", !Ref Regions] - TemplateBody: | - AWSTemplateFormatVersion: 
"2010-09-09" - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure - Parameters: - EventBridgeRoleName: - Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - ApiKey: - Type: String - Description: API key for authentication - EndpointUrl: - Type: String - Description: Target endpoint URL for the API destination - RateLimit: - Type: Number - Description: Maximum invocations per second for the API destination - EventBridgeState: - Type: String - Description: The state of the EventBridge Rule - Default: ENABLED - AllowedValues: - - ENABLED - - DISABLED - EventBridgeEventPattern: - Type: String - Description: JSON pattern for the EventBridge rule's event pattern - Resources: - EventBridgeConnection: - Type: AWS::Events::Connection - Properties: - Name: !Sub ${EventBridgeRoleName}-connection - AuthorizationType: API_KEY - AuthParameters: - ApiKeyAuthParameters: - ApiKeyName: X-Api-Key - ApiKeyValue: !Ref ApiKey - - EventBridgeApiDestination: - Type: AWS::Events::ApiDestination - Properties: - Name: !Sub ${EventBridgeRoleName}-destination - ConnectionArn: !GetAtt EventBridgeConnection.Arn - InvocationEndpoint: !Ref EndpointUrl - HttpMethod: POST - InvocationRateLimitPerSecond: !Ref RateLimit - - EventBridgeRule: - Type: AWS::Events::Rule - Properties: - Name: !Sub ${EventBridgeRoleName} - Description: Capture all CloudTrail events - EventPattern: !Ref EventBridgeEventPattern - State: !Ref EventBridgeState - Targets: - - Id: !Sub ${EventBridgeRoleName} - Arn: !GetAtt EventBridgeApiDestination.Arn - RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" - - # StackSet for member accounts - Role deployment - EBRoleStackSet: - Type: AWS::CloudFormation::StackSet - Properties: - StackSetName: EBRoleStackSet - Description: IAM Role used to forward CloudTrail logs to Sysdig Secure - PermissionModel: SERVICE_MANAGED - Capabilities: - - "CAPABILITY_NAMED_IAM" - AutoDeployment: - Enabled: 
true - RetainStacksOnAccountRemoval: false - ManagedExecution: - Active: true - OperationPreferences: - MaxConcurrentPercentage: 100 - ConcurrencyMode: SOFT_FAILURE_TOLERANCE - Parameters: - - ParameterKey: EventBridgeRoleName - ParameterValue: !Ref EventBridgeRoleName - StackInstancesGroup: - - DeploymentTargets: - OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] - Regions: [!Ref "AWS::Region"] - TemplateBody: | - AWSTemplateFormatVersion: "2010-09-09" - Description: IAM Role used for EventBridge API Destinations - Parameters: - EventBridgeRoleName: - Type: String - Description: A unique identifier used to create IAM Role for EventBridge - Resources: - EventBridgeRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Ref EventBridgeRoleName - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: events.amazonaws.com - Action: 'sts:AssumeRole' - Policies: - - PolicyName: !Ref EventBridgeRoleName - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: "InvokeApiDestination" - Effect: Allow - Action: - - "events:InvokeApiDestination" - Resource: !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" - - Sid: "ValidationAccess" - Effect: Allow - Action: - - "events:DescribeApiDestination" - - "events:DescribeConnection" - Resource: "*" - - # StackSet for member accounts - EventBridge resources deployment - EBApiDestStackSet: - Type: AWS::CloudFormation::StackSet - DependsOn: EBRoleStackSet - Properties: - StackSetName: EBApiDestStackSet - Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure - PermissionModel: SERVICE_MANAGED - Capabilities: - - "CAPABILITY_NAMED_IAM" - AutoDeployment: - Enabled: true - RetainStacksOnAccountRemoval: false - ManagedExecution: - Active: true - OperationPreferences: - MaxConcurrentPercentage: 100 - ConcurrencyMode: SOFT_FAILURE_TOLERANCE - RegionConcurrencyType: PARALLEL - Parameters: - - 
ParameterKey: EventBridgeRoleName - ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: ApiKey - ParameterValue: !Ref ApiKey - - ParameterKey: EndpointUrl - ParameterValue: !Ref EndpointUrl - - ParameterKey: RateLimit - ParameterValue: !Ref RateLimit - - ParameterKey: EventBridgeState - ParameterValue: !Ref EventBridgeState - - ParameterKey: EventBridgeEventPattern - ParameterValue: !Ref EventBridgeEventPattern - StackInstancesGroup: - - DeploymentTargets: - OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] - Regions: !Split [ ",", !Ref Regions] - TemplateBody: | - AWSTemplateFormatVersion: "2010-09-09" - Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure - Parameters: - EventBridgeRoleName: - Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - ApiKey: - Type: String - Description: API key for Sysdig Secure authentication - EndpointUrl: - Type: String - Description: Sysdig Secure API endpoint URL - RateLimit: - Type: Number - Description: Maximum invocations per second for the API destination - EventBridgeState: - Type: String - Description: The state of the EventBridge Rule - Default: ENABLED - AllowedValues: - - ENABLED - - DISABLED - EventBridgeEventPattern: - Type: String - Description: JSON pattern for the EventBridge rule's event pattern - Resources: - EventBridgeConnection: - Type: AWS::Events::Connection - Properties: - Name: !Sub ${EventBridgeRoleName}-connection - AuthorizationType: API_KEY - AuthParameters: - ApiKey: - Key: x-api-key - Value: !Ref ApiKey - - EventBridgeApiDestination: - Type: AWS::Events::ApiDestination - Properties: - Name: !Sub ${EventBridgeRoleName}-destination - ConnectionArn: !GetAtt EventBridgeConnection.Arn - InvocationEndpoint: !Ref EndpointUrl - HttpMethod: POST - InvocationRateLimitPerSecond: !Ref RateLimit - - EventBridgeRule: - Type: AWS::Events::Rule - Properties: - Name: !Ref EventBridgeRoleName - 
Description: Capture all CloudTrail events for Sysdig Secure - EventPattern: !Ref EventBridgeEventPattern - State: !Ref EventBridgeState - Targets: - - Id: !Ref EventBridgeRoleName - Arn: !GetAtt EventBridgeApiDestination.Arn - RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" From 190322f346a10962079d3f42adaf9259f9edbb17 Mon Sep 17 00:00:00 2001 From: matteopasa Date: Tue, 25 Mar 2025 12:09:34 +0100 Subject: [PATCH 4/8] cspm plus eb api dest --- templates_cspm_eventbridge/FullInstall.yaml | 71 ++++++++++++++++----- 1 file changed, 55 insertions(+), 16 deletions(-) diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml index f8f0c0e..87203c1 100644 --- a/templates_cspm_eventbridge/FullInstall.yaml +++ b/templates_cspm_eventbridge/FullInstall.yaml @@ -10,7 +10,9 @@ Metadata: - RoleName - ExternalID - TrustedIdentity - - EventBusARN + - ApiKey + - IngestionUrl + - RateLimit - EventBridgeRoleName - EventBridgeState - EventBridgeEventPattern @@ -22,8 +24,12 @@ Metadata: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Ingestion URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" EventBridgeRoleName: default: "Integration Name (Sysdig use only)" EventBridgeState: 
@@ -44,9 +50,16 @@ Parameters:
 TrustedIdentity:
 Type: String
 Description: The Role in Sysdig's AWS Account with permissions to your account
- EventBusARN:
+ ApiKey:
 Type: String
- Description: The destination in Sysdig's AWS account where your events are sent
+ Description: API key for Sysdig Secure authentication
+ IngestionUrl:
+ Type: String
+ Description: Sysdig Secure API ingestion URL
+ RateLimit:
+ Type: Number
+ Description: Maximum invocations per second for the API destination
+ Default: 300
 EventBridgeState:
 Type: String
 Description: The state of the EventBridge Rule
@@ -122,6 +135,26 @@ Resources:
 - Effect: "Allow"
 Action: "account:GetContactInformation"
 Resource: "*"
+
+ EventBridgeConnection:
+ Type: AWS::Events::Connection
+ Properties:
+ Name: !Sub ${EventBridgeRoleName}-connection
+ AuthorizationType: API_KEY
+ AuthParameters:
+ ApiKeyAuthParameters:
+ ApiKeyName: X-Api-Key
+ ApiKeyValue: !Ref ApiKey
+
+ EventBridgeApiDestination:
+ Type: AWS::Events::ApiDestination
+ Properties:
+ Name: !Sub ${EventBridgeRoleName}-destination
+ ConnectionArn: !GetAtt EventBridgeConnection.Arn
+ InvocationEndpoint: !Ref IngestionUrl
+ HttpMethod: POST
+ InvocationRateLimitPerSecond: !Ref RateLimit
+
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
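Review bot: The new `ApiKey` parameter is a plain `Type: String`, so the Sysdig API key it carries is returned by DescribeStacks and shown in the console parameter view; add `NoEcho: true` to it. The same is missing on the `ApiKey` parameters added to OrgFullInstall.yaml (hunk @@ -49,9 +55,16 @@) and to both nested TemplateBody templates (hunks @@ -346,58 and @@ -443,48), where the value also travels through StackSet parameters and is presumably masked only if the inner template declares it NoEcho. Two smaller constraints on the same block: `RateLimit` has no lower bound even though `InvocationRateLimitPerSecond` must be at least 1 (`MinValue: 1`), and `IngestionUrl` could carry `AllowedPattern: "^https://.*"` since API destinations accept HTTPS endpoints only, turning a bad URL into a parameter error instead of a failed resource.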
@@ -138,21 +171,29 @@ Resources:
 Action: "sts:AssumeRole"
 Condition:
 StringEquals:
- sts:ExternalId: !Ref ExternalID
+ sts:ExternalId: !Ref ExternalID
 Policies:
 - PolicyName: !Ref EventBridgeRoleName
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
- - Effect: Allow
- Action: 'events:PutEvents'
- Resource: !Ref EventBusARN
- - Effect: Allow
+ - Sid: "InvokeApiDestination"
+ Effect: Allow
+ Action: "events:InvokeApiDestination"
+ Resource: !GetAtt EventBridgeApiDestination.Arn
+ - Sid: "CloudTrailEventRuleAccess"
+ Effect: Allow
 Action:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
- Resource:
- - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName}
+ Resource: !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}"
+ - Sid: "ValidationAccess"
+ Effect: Allow
+ Action:
+ - "events:DescribeApiDestination"
+ - "events:DescribeConnection"
+ Resource: "*"
+
 EventBridgeRule:
 Type: AWS::Events::Rule
 Properties:
@@ -162,7 +203,5 @@ Resources:
 State: !Ref EventBridgeState
 Targets:
 - Id: !Ref EventBridgeRoleName
- Arn: !Ref EventBusARN
- RoleArn: !GetAtt
- - EventBridgeRole
- - Arn
+ Arn: !GetAtt EventBridgeApiDestination.Arn
+ RoleArn: !GetAtt EventBridgeRole.Arn
From f3fd29d2f5a1af93e1bc8018ff52a31ba42cdb57 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Tue, 25 Mar 2025 12:23:59 +0100
Subject: [PATCH 5/8] update org cspm eb
---
 .../OrgFullInstall.yaml | 216 +++++++++++-------
 1 file changed, 138 insertions(+), 78 deletions(-)
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index bf29b4d..480f73b 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -11,7 +11,9 @@ Metadata:
 - EventBridgeRoleName
 - ExternalID
 - TrustedIdentity
- - EventBusARN
+ - ApiKey
+ - IngestionUrl
+ - RateLimit
 - Regions
 - OrganizationUnitIDs
 - EventBridgeState
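Review bot: The `ValidationAccess` statement grants `events:DescribeApiDestination` and `events:DescribeConnection` on `Resource: "*"`, although both resources are created in this same template and the `InvokeApiDestination` statement just above already scopes itself with `!GetAtt EventBridgeApiDestination.Arn`. Both Describe actions accept the resource ARN, so the statement can be narrowed to `Resource:` / `- !GetAtt EventBridgeConnection.Arn` / `- !GetAtt EventBridgeApiDestination.Arn`. This is worth doing because the enclosing `EventBridgeRole`, whose trust policy starts before the hunk, is also assumable by the external `TrustedIdentity` under the `sts:ExternalId` condition visible at the top, so every permission in this policy is granted to that principal as well.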
@@ -25,8 +27,12 @@ Metadata: default: "External ID (Sysdig use only)" TrustedIdentity: default: "Trusted Identity (Sysdig use only)" - EventBusARN: - default: "Target Event Bus (Sysdig use only)" + ApiKey: + default: "API Key (Sysdig use only)" + IngestionUrl: + default: "Endpoint URL (Sysdig use only)" + RateLimit: + default: "Rate Limit (Sysdig use only)" Regions: default: "EventBridge Regions (Sysdig use only)" OrganizationUnitIDs: @@ -49,9 +55,16 @@ Parameters: TrustedIdentity: Type: String Description: The Role in Sysdig's AWS Account with permissions to your account - EventBusARN: + ApiKey: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: API key for Sysdig Secure authentication + IngestionUrl: + Type: String + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination + Default: 300 Regions: Type: String Description: Comma separated list of regions to monitor with EventBridge @@ -192,15 +205,25 @@ Resources: PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" RolesStackSet: Type: AWS::CloudFormation::StackSet Properties: 
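Review bot: The `IngestionUrl` label reads "Endpoint URL (Sysdig use only)" while FullInstall.yaml (hunk @@ -22,8 +24,12 @@) labels the same parameter "Ingestion URL (Sysdig use only)", and the descriptions diverge the same way ("Sysdig Secure API endpoint URL" here, "Sysdig Secure API ingestion URL" there). Pick one wording for both templates, e.g. `default: "Ingestion URL (Sysdig use only)"`, so operators see one name for one value.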
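Review bot: The `InvokeApiDestination` resource `arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*` wildcards the account as well as the region. The region wildcard is needed because destinations are created in every entry of `Regions`, but the account is known, so `!Sub "arn:aws:events:*:${AWS::AccountId}:api-destination/${EventBridgeRoleName}-destination/*"` limits the grant to this account's destinations; the same pattern appears in hunk @@ -317,15 +340,25 @@, where the `!Sub` is literal text inside a `TemplateBody` block and would presumably be resolved by the member-account stack. The `ValidationAccess` statement on `Resource: "*"` can be narrowed with the same naming scheme for the connection and destination ARNs. The enclosing role starts before the hunk.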
@@ -317,15 +340,25 @@ Resources: PolicyDocument: Version: "2012-10-17" Statement: - - Effect: Allow - Action: 'events:PutEvents' - Resource: !Sub ${EventBusARN} - - Effect: Allow + - Sid: "InvokeApiDestination" + Effect: Allow + Action: + - "events:InvokeApiDestination" + Resource: + - !Sub "arn:aws:events:*:*:api-destination/${EventBridgeRoleName}-destination/*" + - Sid: "CloudTrailEventRuleAccess" + Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" Resource: - - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName} + - !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}" + - Sid: "ValidationAccess" + Effect: Allow + Action: + - "events:DescribeApiDestination" + - "events:DescribeConnection" + Resource: "*" EBRuleStackSet: Type: AWS::CloudFormation::StackSet Properties: 
@@ -346,58 +379,76 @@ Resources: Parameters: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN + - ParameterKey: ApiKey + ParameterValue: !Ref ApiKey + - ParameterKey: IngestionUrl + ParameterValue: !Ref IngestionUrl + - ParameterKey: RateLimit + ParameterValue: !Ref RateLimit - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] Regions: !Split [ ",", !Ref Regions] TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" - Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Description: EventBridge Resources with API Destinations that forward CloudTrail logs to Sysdig Secure Parameters: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: + Type: String + Description: API key for Sysdig Secure authentication + IngestionUrl: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: Sysdig Secure API endpoint URL + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - - DISABLED - Resources: + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + 
ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: - Name: !Sub ${EventBridgeRoleName} - Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' - - 'GuardDuty Finding' - State: !Sub ${EventBridgeState} + Name: !Ref EventBridgeRoleName + Description: Capture all CloudTrail events for Sysdig Secure + EventPattern: !Ref EventBridgeEventPattern + State: !Ref EventBridgeState Targets: - - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} + - Id: !Ref EventBridgeRoleName + Arn: !GetAtt EventBridgeApiDestination.Arn RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" MgmtAccEBRuleStackSet: Type: AWS::CloudFormation::StackSet 
@@ -425,16 +476,20 @@ Resources:
 Parameters:
 - ParameterKey: EventBridgeRoleName
 ParameterValue: !Ref EventBridgeRoleName
- - ParameterKey: EventBusARN
- ParameterValue: !Ref EventBusARN
+ - ParameterKey: ApiKey
+ ParameterValue: !Ref ApiKey
+ - ParameterKey: IngestionUrl
+ ParameterValue: !Ref IngestionUrl
+ - ParameterKey: RateLimit
+ ParameterValue: !Ref RateLimit
 - ParameterKey: EventBridgeState
 ParameterValue: !Ref EventBridgeState
 - ParameterKey: EventBridgeEventPattern
- ParameterValue: !Ref EventBridgeEventPattern
+ ParameterValue: !Ref EventBridgeEventPattern
 StackInstancesGroup:
 - DeploymentTargets:
- Accounts:
- - !Ref AWS::AccountId
+ Accounts:
+ - !Ref AWS::AccountId
 Regions: !Split [ ",", !Ref Regions]
 TemplateBody: |
 AWSTemplateFormatVersion: "2010-09-09"
@@ -443,48 +498,53 @@ Resources: EventBridgeRoleName: Type: String Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: + ApiKey: + Type: String + Description: API key for authentication + IngestionUrl: Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: Target endpoint URL for the API destination + RateLimit: + Type: Number + Description: Maximum invocations per second for the API destination EventBridgeState: Type: String Description: The state of the EventBridge Rule - Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + Default: ENABLED AllowedValues: - - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED EventBridgeEventPattern: Type: String Description: JSON pattern for the EventBridge rule's event pattern - Default: | - { - "detail-type": [ - "AWS API Call via CloudTrail", - "AWS Console Sign In via CloudTrail", - "AWS Service Event via CloudTrail", - "Object Access Tier Changed", - "Object ACL Updated", - "Object Created", - "Object Deleted", - "Object Restore Completed", - "Object Restore Expired", - "Object Restore Initiated", - "Object Storage Class Changed", - "Object Tags Added", - "Object Tags Deleted", - "GuardDuty Finding" - ] - } - Resources: + Resources: + EventBridgeConnection: + Type: AWS::Events::Connection + Properties: + Name: !Sub ${EventBridgeRoleName}-connection + AuthorizationType: API_KEY + AuthParameters: + ApiKeyAuthParameters: + ApiKeyName: X-Api-Key + ApiKeyValue: !Ref ApiKey + + EventBridgeApiDestination: + Type: AWS::Events::ApiDestination + Properties: + Name: !Sub ${EventBridgeRoleName}-destination + ConnectionArn: !GetAtt EventBridgeConnection.Arn + InvocationEndpoint: !Ref IngestionUrl + HttpMethod: POST + InvocationRateLimitPerSecond: !Ref RateLimit + EventBridgeRule: - Type: "AWS::Events::Rule" + Type: AWS::Events::Rule Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events 
EventPattern: !Ref EventBridgeEventPattern - State: !Sub ${EventBridgeState} + State: !Ref EventBridgeState Targets: - Id: !Sub ${EventBridgeRoleName} - Arn: !Sub ${EventBusARN} + Arn: !GetAtt EventBridgeApiDestination.Arn RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${EventBridgeRoleName}" \ No newline at end of file From 2e320fe19e35bdd5197e3e8ce72909ca103d3e72 Mon Sep 17 00:00:00 2001 From: matteopasa Date: Tue, 25 Mar 2025 12:25:02 +0100 Subject: [PATCH 6/8] update policies --- templates_cspm_eventbridge/OrgFullInstall.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml index 480f73b..1c69558 100644 --- a/templates_cspm_eventbridge/OrgFullInstall.yaml +++ b/templates_cspm_eventbridge/OrgFullInstall.yaml @@ -249,8 +249,6 @@ Resources: ParameterValue: !Ref ExternalID - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EventBusARN - ParameterValue: !Ref EventBusARN StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] @@ -270,10 +268,7 @@ Resources: Description: Sysdig ExternalID required for the policy creation EventBridgeRoleName: Type: String - Description: A unique identifier used to create an IAM Role and EventBridge Rule - EventBusARN: - Type: String - Description: The destination in Sysdig's AWS account where your events are sent + Description: A unique identifier used to create an IAM Role and EventBridge Rule Resources: CloudAgentlessRole: Type: "AWS::IAM::Role" From cc80661daab23b567b8172747c71a0f486349c4f Mon Sep 17 00:00:00 2001 From: matteopasa Date: Tue, 25 Mar 2025 14:24:44 +0100 Subject: [PATCH 7/8] fix lint --- templates_cspm_eventbridge/OrgFullInstall.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
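Review bot: The management-account nested template describes the new parameters as `API key for authentication` and `Target endpoint URL for the API destination`, while the member-account nested template in hunk @@ -346,58 +379,76 @@ uses `API key for Sysdig Secure authentication` and `Sysdig Secure API endpoint URL` for the same values; aligning the wording avoids two spellings of one contract. The inner rule likewise keeps `Description: Capture all CloudTrail events` while its sibling says `Capture all CloudTrail events for Sysdig Secure`. The file still ends without a trailing newline (`\ No newline at end of file`), which this rewrite of the tail could have fixed.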
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index 1c69558..a1dcb7e 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -124,7 +124,7 @@ Resources:
 Action:
 - sts:AssumeRole
 Resource:
- - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole"
+ - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
 ExecutionRole:
 Type: AWS::IAM::Role
 Properties:
From a5c38d2a29c3ae7b72bfc85a6492c1b643eef154 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Thu, 27 Mar 2025 16:48:09 +0100
Subject: [PATCH 8/8] add cloudwatch permissions
---
 templates_cspm_eventbridge/FullInstall.yaml | 1 +
 templates_cspm_eventbridge/OrgFullInstall.yaml | 2 ++
 templates_eventbridge/EventBridge.yaml | 1 +
 templates_eventbridge/OrgEventBridge.yaml | 2 ++
 4 files changed, 6 insertions(+)
diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml
index 87203c1..e5e8b6e 100644
--- a/templates_cspm_eventbridge/FullInstall.yaml
+++ b/templates_cspm_eventbridge/FullInstall.yaml
@@ -192,6 +192,7 @@ Resources:
 Action:
 - "events:DescribeApiDestination"
 - "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
 Resource: "*"

 EventBridgeRule:
diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml
index a1dcb7e..b98edab 100644
--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -223,6 +223,7 @@ Resources:
 Action:
 - "events:DescribeApiDestination"
 - "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
 Resource: "*"
 RolesStackSet:
 Type: AWS::CloudFormation::StackSet
@@ -353,6 +354,7 @@ Resources:
 Action:
 - "events:DescribeApiDestination"
 - "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
 Resource: "*"
 EBRuleStackSet:
 Type: AWS::CloudFormation::StackSet
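Review bot: Replacing `arn:*:iam` with `arn:aws:iam` clears the lint finding but pins the commercial partition; `!Sub "arn:${AWS::Partition}:iam::*:role/AWSCloudFormationStackSetExecutionRole"` also satisfies cfn-lint and keeps the StackSet administration role usable in the GovCloud and China partitions. The remaining templates hard-code `arn:aws:` too, so this only matters if those partitions are a deployment target. The enclosing role's policy starts before the hunk.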
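Review bot: `cloudwatch:GetMetricStatistics` is appended to the `ValidationAccess` statement without saying why, and the commit message only repeats that permissions were added. CloudWatch metric read actions carry no resource-level permissions, so `Resource: "*"` is unavoidable for this action, but a comment stating that and what the metrics are read for would help, e.g. `# cloudwatch:GetMetricStatistics supports no resource-level permissions; "*" is required`; if the intent is the API destination's invocation metrics, a `cloudwatch:namespace` condition limiting it to `AWS/Events` is worth checking. The statement sits in a role that earlier hunks in this series (hunk @@ -138,21 +171,29 @@ of FullInstall.yaml) show is assumable by the external `TrustedIdentity`, so the new read permission is extended to that principal as well. The identical addition in the OrgFullInstall.yaml hunks @@ -223 and @@ -353 and in the EventBridge.yaml and OrgEventBridge.yaml hunks that follow has the same gap.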
diff --git a/templates_eventbridge/EventBridge.yaml b/templates_eventbridge/EventBridge.yaml
index f05da3d..d2a7636 100644
--- a/templates_eventbridge/EventBridge.yaml
+++ b/templates_eventbridge/EventBridge.yaml
@@ -144,6 +144,7 @@ Resources:
 Action:
 - "events:DescribeApiDestination"
 - "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
 Resource: "*"

 EventBridgeRule:
diff --git a/templates_eventbridge/OrgEventBridge.yaml b/templates_eventbridge/OrgEventBridge.yaml
index 98cf747..4584ace 100644
--- a/templates_eventbridge/OrgEventBridge.yaml
+++ b/templates_eventbridge/OrgEventBridge.yaml
@@ -180,6 +180,7 @@ Resources:
 Action:
 - "events:DescribeApiDestination"
 - "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
 Resource: "*"

 MgmtAccEBRuleStackSet:
@@ -347,6 +348,7 @@ Resources:
 Action:
 - "events:DescribeApiDestination"
 - "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
 Resource: "*"

 # StackSet for member accounts - EventBridge resources deployment