diff --git a/modules/Makefile b/modules/Makefile
index 88dfe9e..f37021a 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -26,9 +26,8 @@ lint:
 yq '.Resources.EventBridgeRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
- yq '.Resources.ScanningKmsKeyStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
- yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
- yq '.Resources.OrganizationKMSKeyStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+ yq '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+ yq '.Resources.OrganizationStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -

 publish:
 aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml
diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
index d21204e..c5e1438 100644
--- a/modules/volume_access.cft.yaml
+++ b/modules/volume_access.cft.yaml
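Review bot: The two new `lint` recipe lines accept a silently wrong selector: when `.Resources.AccountStackSet.Properties.TemplateBody` does not resolve (the exact situation this commit fixes for the three old stack-set names), yq emits `null` and the pipeline's exit status is cfn-lint's, so a stack-set rename that again drifts from the Makefile is not reported as a lint failure unless make's shell runs with pipefail. If the yq in use supports `--exit-status`, `yq -e '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -` makes the missing path fatal; alternatively a prologue of `SHELL := bash` and `.SHELLFLAGS := -eu -o pipefail -c` covers every pipeline in the file, including the three log_ingestion lines above. How cfn-lint treats a bare `null` document is not shown here, so I would not rely on it to fail. The `lint` target's header is outside the hunk.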
@@ -66,88 +66,7 @@ Conditions: - Ref: IsOrganizational - 'true' -Resources: - ScanningRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Sub sysdig-secure-scanning-${NameSuffix} - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Principal: - AWS: !Ref TrustedIdentity - Action: "sts:AssumeRole" - Condition: - StringEquals: - sts:ExternalId: !Ref ExternalID - Policies: - - PolicyName: !Sub sysdig-secure-scanning-${NameSuffix} - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: "Read" - Effect: "Allow" - Action: - - "ec2:Describe*" - Resource: "*" - - Sid: "AllowKMSKeysListing" - Effect: "Allow" - Action: - - "kms:ListKeys" - - "kms:ListAliases" - - "kms:ListResourceTags" - Resource: "*" - - Sid: "AllowKMSEncryptDecrypt" - Effect: "Allow" - Action: - - "kms:DescribeKey" - - "kms:Encrypt" - - "kms:Decrypt" - - "kms:ReEncrypt*" - - "kms:GenerateDataKey*" - - "kms:CreateGrant" - Resource: "*" - Condition: - StringLike: - "kms:ViaService": "ec2.*.amazonaws.com" - - Sid: "CreateTaggedSnapshotFromVolume" - Effect: "Allow" - Action: - - "ec2:CreateSnapshot" - Resource: "*" - - Sid: "CopySnapshots" - Effect: "Allow" - Action: - - "ec2:CopySnapshot" - Resource: "*" - - Sid: "SnapshotTags" - Effect: "Allow" - Action: - - "ec2:CreateTags" - Resource: "*" - Condition: - StringEquals: - "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"] - "aws:RequestTag/CreatedBy": "Sysdig" - - Sid: "ec2SnapshotShare" - Effect: "Allow" - Action: - - "ec2:ModifySnapshotAttribute" - Resource: "*" - Condition: - StringEqualsIgnoreCase: - "aws:ResourceTag/CreatedBy": "Sysdig" - StringEquals: - "ec2:Add/userId": !Ref ScanningAccountID - - Sid: "ec2SnapshotDelete" - Effect: "Allow" - Action: - - "ec2:DeleteSnapshot" - Resource: "*" - Condition: - StringEqualsIgnoreCase: - "aws:ResourceTag/CreatedBy": "Sysdig" +Resources: AdministrationRole: Type: AWS::IAM::Role Properties: 
@@ -186,11 +105,12 @@ Resources: ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess - ScanningKmsKeyStackSet: + - arn:aws:iam::aws:policy/IAMFullAccess + AccountStackSet: Type: AWS::CloudFormation::StackSet Properties: - StackSetName: !Sub sysdig-secure-scanning-kms-${NameSuffix} - Description: "A CloudFormation template that creates a KMS key in the account where it is launched, and grants permissions to the specified IAM role" + StackSetName: !Sub sysdig-secure-scanning-account-${NameSuffix} + Description: "Creates a KMS key with an associated IAM role, unique per region within the target account" AdministrationRoleARN: !GetAtt AdministrationRole.Arn ExecutionRoleName: !Ref ExecutionRole PermissionModel: SELF_MANAGED @@ -208,6 +128,10 @@ Resources: ParameterValue: !Ref NameSuffix - ParameterKey: ScanningAccountID ParameterValue: !Ref ScanningAccountID + - ParameterKey: TrustedIdentity + ParameterValue: !Ref TrustedIdentity + - ParameterKey: ExternalID + ParameterValue: !Ref ExternalID StackInstancesGroup: - DeploymentTargets: Accounts: 
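Review bot: Adding `arn:aws:iam::aws:policy/IAMFullAccess` to this ManagedPolicyArns list grants the role unrestricted IAM administration in every account the AccountStackSet deploys to, while the only IAM resource the stack-set template creates is one role named `sysdig-secure-scanning-${NameSuffix}-${AWS::Region}`. The role owning the list has its header above the hunk; from the AWSCloudFormationFullAccess and KMS policies next to it, it is presumably the stack-set execution role, which AdministrationRole assumes and whose permissions therefore bound what a compromised administration credential can do. An inline policy scoped to the role-name pattern the template actually creates keeps that blast radius to the scanning role, at the cost of listing the iam actions CloudFormation needs to create, update, tag and delete it. The statement below is illustrative: merge it into any `Policies` block the role already carries, and adjust the account segment of the Resource ARN to match the DeploymentTargets in the following hunk.
```yaml
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
      # Scoped replacement for IAMFullAccess: only the scanning role this stack set creates.
      Policies:
        - PolicyName: !Sub sysdig-secure-scanning-role-admin-${NameSuffix}
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:GetRole
                  - iam:UpdateAssumeRolePolicy
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:GetRolePolicy
                  - iam:TagRole
                  - iam:UntagRole
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-${NameSuffix}-*
# … unchanged: AccountStackSet definition …
```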
@@ -226,7 +150,112 @@ Resources: ScanningAccountID: Type: String Description: The AWS Account ID of the Sysdig Scanning Account + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + ExternalID: + Type: String + Description: Sysdig assigned token that proves you own this account Resources: + ScanningRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub sysdig-secure-scanning-${NameSuffix}-${AWS::Region} + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + AWS: !Ref TrustedIdentity + Action: "sts:AssumeRole" + Condition: + StringEquals: + sts:ExternalId: !Ref ExternalID + Policies: + - PolicyName: !Sub sysdig-secure-scanning-${NameSuffix} + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "Read" + Effect: "Allow" + Action: + - "ec2:Describe*" + Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "AllowKMSKeysListing" + Effect: "Allow" + Action: + - "kms:ListKeys" + - "kms:ListAliases" + - "kms:ListResourceTags" + Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "AllowKMSEncryptDecrypt" + Effect: "Allow" + Action: + - "kms:DescribeKey" + - "kms:Encrypt" + - "kms:Decrypt" + - "kms:ReEncrypt*" + - "kms:GenerateDataKey*" + - "kms:CreateGrant" + Resource: "*" + Condition: + StringLike: + "kms:ViaService": "ec2.*.amazonaws.com" + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "CreateTaggedSnapshotFromVolume" + Effect: "Allow" + Action: + - "ec2:CreateSnapshot" + Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "CopySnapshots" + Effect: "Allow" + Action: + - "ec2:CopySnapshot" + Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "SnapshotTags" + Effect: "Allow" + Action: + - "ec2:CreateTags" + Resource: "*" + Condition: + StringEquals: + "ec2:CreateAction": 
["CreateSnapshot", "CopySnapshot"] + "aws:RequestTag/CreatedBy": "Sysdig" + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "ec2SnapshotShare" + Effect: "Allow" + Action: + - "ec2:ModifySnapshotAttribute" + Resource: "*" + Condition: + StringEqualsIgnoreCase: + "aws:ResourceTag/CreatedBy": "Sysdig" + StringEquals: + "ec2:Add/userId": !Ref ScanningAccountID + "aws:RequestedRegion": !Ref AWS::Region + - Sid: "ec2SnapshotDelete" + Effect: "Allow" + Action: + - "ec2:DeleteSnapshot" + Resource: "*" + Condition: + StringEqualsIgnoreCase: + "aws:ResourceTag/CreatedBy": "Sysdig" + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region ScanningKmsKey: Type: 'AWS::KMS::Key' Properties: @@ -242,7 +271,7 @@ Resources: Principal: AWS: - !Sub arn:aws:iam::${ScanningAccountID}:root - - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-${NameSuffix} + - !GetAtt ScanningRole.Arn Action: - "kms:Encrypt" - "kms:Decrypt" @@ -265,12 +294,12 @@ Resources: Properties: AliasName: !Sub alias/sysdig-secure-scanning-${NameSuffix} TargetKeyId: !Ref ScanningKmsKey - OrganizationRoleStackSet: + OrganizationStackSet: Type: AWS::CloudFormation::StackSet Condition: IsOrganizational Properties: - StackSetName: !Sub sysdig-secure-scanning-organization-roles-${NameSuffix} - Description: IAM Role used to create IAM roles scan organization accounts/regions + StackSetName: !Sub sysdig-secure-scanning-organization-${NameSuffix} + Description: Installs KMS key, alias, and IAM role for use with Sysdig Agentless Scanning PermissionModel: SERVICE_MANAGED Capabilities: - "CAPABILITY_NAMED_IAM" @@ -283,6 +312,7 @@ Resources: MaxConcurrentPercentage: 100 FailureTolerancePercentage: 90 ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL Parameters: - ParameterKey: NameSuffix ParameterValue: !Ref NameSuffix 
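Review bot: The nested `ExternalID` parameter introduced in the AccountStackSet template body is a plain `Type: String` with no `NoEcho: true`, so a value the description itself calls a token that proves account ownership is returned in clear text by DescribeStacks and the console for every stack instance the stack set creates; AWS does not classify external IDs as secrets, but given that description `NoEcho: true` under `ExternalID:` is the consistent choice, and the outer template's ExternalID parameter (outside this hunk) should be checked for the same setting. `TrustedIdentity` flows straight into `Principal: AWS:` of the new ScanningRole, so an `AllowedPattern` restricting it to an IAM ARN makes a mistyped principal fail at validation instead of producing a role that the wrong party, or nobody, can assume. This ScanningRole block is also a verbatim copy of the one in the OrganizationStackSet body (the @@ -319 through @@ -397 hunks on the later lines), including the eight per-statement `aws:RequestedRegion` conditions, so any future tightening has to be applied to both copies; a comment at the top of each body naming the other copy would at least make the coupling visible.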
@@ -295,7 +325,7 @@ Resources: StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Ref OrganizationalUnitIDs - Regions: [!Ref "AWS::Region"] + Regions: !Ref Regions TemplateBody: | AWSTemplateFormatVersion: "2010-09-09" Description: IAM Role used by Sysdig Secure Vulnerability Scanning @@ -319,7 +349,7 @@ Resources: ScanningRole: Type: AWS::IAM::Role Properties: - RoleName: !Sub sysdig-secure-scanning-${NameSuffix} + RoleName: !Sub sysdig-secure-scanning-${NameSuffix}-${AWS::Region} AssumeRolePolicyDocument: Version: "2012-10-17" Statement: @@ -340,6 +370,9 @@ Resources: Action: - "ec2:Describe*" Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region - Sid: "AllowKMSKeysListing" Effect: "Allow" Action: @@ -347,6 +380,9 @@ Resources: - "kms:ListAliases" - "kms:ListResourceTags" Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region - Sid: "AllowKMSEncryptDecrypt" Effect: "Allow" Action: @@ -360,16 +396,24 @@ Resources: Condition: StringLike: "kms:ViaService": "ec2.*.amazonaws.com" + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region - Sid: "CreateTaggedSnapshotFromVolume" Effect: "Allow" Action: - "ec2:CreateSnapshot" Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region - Sid: "CopySnapshots" Effect: "Allow" Action: - "ec2:CopySnapshot" Resource: "*" + Condition: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region - Sid: "SnapshotTags" Effect: "Allow" Action: @@ -379,6 +423,7 @@ Resources: StringEquals: "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"] "aws:RequestTag/CreatedBy": "Sysdig" + "aws:RequestedRegion": !Ref AWS::Region - Sid: "ec2SnapshotShare" Effect: "Allow" Action: @@ -389,6 +434,7 @@ Resources: "aws:ResourceTag/CreatedBy": "Sysdig" StringEquals: "ec2:Add/userId": !Ref ScanningAccountID + "aws:RequestedRegion": !Ref AWS::Region - Sid: "ec2SnapshotDelete" Effect: "Allow" Action: 
@@ -397,50 +443,8 @@ Resources: Condition: StringEqualsIgnoreCase: "aws:ResourceTag/CreatedBy": "Sysdig" - OrganizationKMSKeyStackSet: - Type: AWS::CloudFormation::StackSet - Condition: IsOrganizational - DependsOn: - - OrganizationRoleStackSet - Properties: - StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix} - Description: IAM Role used to create KMS Keys to scan organization accounts/regions - PermissionModel: SERVICE_MANAGED - Capabilities: - - "CAPABILITY_NAMED_IAM" - AutoDeployment: - Enabled: true - RetainStacksOnAccountRemoval: false - ManagedExecution: - Active: true - OperationPreferences: - MaxConcurrentPercentage: 100 - FailureTolerancePercentage: 90 - ConcurrencyMode: SOFT_FAILURE_TOLERANCE - RegionConcurrencyType: PARALLEL - Parameters: - - ParameterKey: NameSuffix - ParameterValue: !Ref NameSuffix - - ParameterKey: ScanningAccountID - ParameterValue: !Ref ScanningAccountID - StackInstancesGroup: - - DeploymentTargets: - OrganizationalUnitIds: !Ref OrganizationalUnitIDs - Regions: !Ref Regions - TemplateBody: | - AWSTemplateFormatVersion: "2010-09-09" - Description: "Template to create KMS Key and Alias for Sysdig Agentless Scanning" - Parameters: - NameSuffix: - Type: String - Description: Suffix to append to the resource name identifiers - AllowedPattern: '[0-9a-z]+' - MaxLength: 8 - MinLength: 4 - ScanningAccountID: - Type: String - Description: The AWS Account ID of the Sysdig Scanning Account - Resources: + StringEquals: + "aws:RequestedRegion": !Ref AWS::Region ScanningKmsKey: Type: 'AWS::KMS::Key' Properties: @@ -456,7 +460,7 @@ Resources: Principal: AWS: - !Sub arn:aws:iam::${ScanningAccountID}:root - - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-${NameSuffix} + - !GetAtt ScanningRole.Arn Action: - "kms:Encrypt" - "kms:Decrypt" diff --git a/modules/volume_access.components.json b/modules/volume_access.components.json index 8303d2b..7d328a6 100644 --- a/modules/volume_access.components.json 
+++ b/modules/volume_access.components.json
@@ -6,7 +6,8 @@
 "aws": {
 "roleName": "sysdig-secure-scanning-{{NameSuffix}}"
 }
- }
+ },
+ "version": "v0.2.0"
 },
 {
 "type": "COMPONENT_CRYPTO_KEY",
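Review bot: The `roleName` context line just above the change still reads `sysdig-secure-scanning-{{NameSuffix}}`, but this commit deletes that account-level role (the @@ -66 hunk of volume_access.cft.yaml) and every role the templates now create is named `sysdig-secure-scanning-${NameSuffix}-${AWS::Region}`, so a consumer of this component descriptor will be pointed at a role that no longer exists once the stack is upgraded. The only placeholder visible on the page is `{{NameSuffix}}`, so the fix needs whichever region placeholder the consumer supports, or the descriptor has to carry the per-region naming pattern explicitly; the `version` bump to `v0.2.0` is the natural place to make that contract change. The enclosing component object starts above the hunk.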