From cbd331e23516e41783e615416f285122c966c40e Mon Sep 17 00:00:00 2001 From: matteopasa <146732818+matteopasa@users.noreply.github.com> Date: Tue, 25 Jun 2024 14:35:49 +0200 Subject: [PATCH] feat(eb): add guardduty finding to event bridge rule (SSPROD-41990) (#123) * add guardduty finding to event bridge rule * add variable for event pattern rule * remove new line * new line --- templates_cspm_eventbridge/FullInstall.yaml | 47 +++++--- .../OrgFullInstall.yaml | 74 +++++++++--- templates_eventbridge/EventBridge.yaml | 44 ++++--- templates_eventbridge/OrgEventBridge.yaml | 113 ++++++++++++------ 4 files changed, 191 insertions(+), 87 deletions(-) diff --git a/templates_cspm_eventbridge/FullInstall.yaml b/templates_cspm_eventbridge/FullInstall.yaml index 4bd43fb..f8f0c0e 100644 --- a/templates_cspm_eventbridge/FullInstall.yaml +++ b/templates_cspm_eventbridge/FullInstall.yaml @@ -13,6 +13,7 @@ Metadata: - EventBusARN - EventBridgeRoleName - EventBridgeState + - EventBridgeEventPattern ParameterLabels: RoleName: @@ -27,8 +28,9 @@ Metadata: default: "Integration Name (Sysdig use only)" EventBridgeState: default: "State of the EventBridge Rule (Sysdig use only)" - - + EventBridgeEventPattern: + default: "Event Pattern (Sysdig use only)" + Parameters: RoleName: Type: String @@ -53,6 +55,28 @@ Parameters: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } Resources: CloudAgentlessRole: 
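Review bot: The new `EventBridgeEventPattern` parameter in hunk @@ -53,6 +55,28 @@ is a free-form String with no `AllowedPattern` or constraint and a Description that says only what the field is, not what it controls; since this pattern selects which account events the rule forwards to `EventBusARN` (which appears to be the Sysdig-side bus), an override that loosens or drops the `detail-type` filter silently widens what leaves the account, and a malformed value surfaces only when the rule is created rather than at template validation. I would at least make the Description carry that contract: `Description: JSON EventBridge event pattern selecting which events are forwarded to EventBusARN; widening it increases the data sent out of the account. Must be valid event-pattern JSON.`. The same parameter definition is repeated in OrgFullInstall.yaml (@@ -61 and @@ -410), EventBridge.yaml (@@ -45) and OrgEventBridge.yaml (@@ -61, @@ -196, @@ -337), so the wording should be updated in each copy.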
@@ -133,22 +157,8 @@ Resources: Type: AWS::Events::Rule Properties: Name: !Ref EventBridgeRoleName - Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' + Description: Capture events based on the provided event pattern + EventPattern: !Ref EventBridgeEventPattern State: !Ref EventBridgeState Targets: - Id: !Ref EventBridgeRoleName @@ -156,4 +166,3 @@ Resources: RoleArn: !GetAtt - EventBridgeRole - Arn - \ No newline at end of file diff --git a/templates_cspm_eventbridge/OrgFullInstall.yaml b/templates_cspm_eventbridge/OrgFullInstall.yaml index 8e8d222..4f9c766 100644 --- a/templates_cspm_eventbridge/OrgFullInstall.yaml +++ b/templates_cspm_eventbridge/OrgFullInstall.yaml @@ -1,5 +1,6 @@ AWSTemplateFormatVersion: "2010-09-09" Description: IAM Role and EventBridge resources used by Sysdig Secure + Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -14,6 +15,7 @@ Metadata: - Regions - OrganizationUnitIDs - EventBridgeState + - EventBridgeEventPattern ParameterLabels: CSPMRoleName: default: "CSPM Role Name (Sysdig use only)" @@ -30,7 +32,10 @@ Metadata: OrganizationUnitIDs: default: "Organization Unit IDs (Sysdig use only)" EventBridgeState: - default: "State of the EventBridge Rule (Sysdig use only)" + default: "State of the EventBridge Rule (Sysdig use only)" + EventBridgeEventPattern: + default: "Event Pattern (Sysdig use only)" + Parameters: CSPMRoleName: Type: String 
@@ -61,7 +66,29 @@ Parameters: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED - + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } + Resources: AdministrationRole: Type: AWS::IAM::Role @@ -357,6 +384,7 @@ Resources: - 'Object Storage Class Changed' - 'Object Tags Added' - 'Object Tags Deleted' + - 'GuardDuty Finding' State: !Sub ${EventBridgeState} Targets: - Id: !Sub ${EventBridgeRoleName} @@ -388,6 +416,8 @@ Resources: ParameterValue: !Ref EventBusARN - ParameterKey: EventBridgeState ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern StackInstancesGroup: - DeploymentTargets: Accounts: 
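Review bot: In hunk @@ -357,6 +384,7 @@ the management-account rule keeps its hard-coded `detail-type` list and only appends `'GuardDuty Finding'`, while the member-account rule deployed through the StackSet (@@ -388, and the nested template at @@ -410) now takes `!Ref EventBridgeEventPattern`; an override of the parameter therefore changes what member accounts forward but not what the management account forwards, and the two lists will drift. Unless the split is intentional, the inline rule should use the same source, `EventPattern: !Ref EventBridgeEventPattern`. The enclosing `AWS::Events::Rule` resource starts before this hunk, so I cannot see whether anything else in it still assumes the hard-coded list.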
@@ -410,28 +440,36 @@ Resources: AllowedValues: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - - DISABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } Resources: EventBridgeRule: Type: "AWS::Events::Rule" Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' + EventPattern: !Ref EventBridgeEventPattern State: !Sub ${EventBridgeState} Targets: - Id: !Sub ${EventBridgeRoleName} diff --git a/templates_eventbridge/EventBridge.yaml b/templates_eventbridge/EventBridge.yaml index 1705ed4..500723d 100644 --- a/templates_eventbridge/EventBridge.yaml +++ b/templates_eventbridge/EventBridge.yaml @@ -11,6 +11,8 @@ Metadata: - ExternalID - TrustedIdentity - EventBusARN + - EventBridgeState + - EventBridgeEventPattern ParameterLabels: ExternalID: @@ -23,6 +25,8 @@ Metadata: default: "Integration Name (Sysdig use only)" EventBridgeState: default: "State of the EventBridge Rule (Sysdig use only)" + EventBridgeEventPattern: + default: "Event Pattern (Sysdig use only)" Parameters: EventBridgeRoleName: 
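Review bot: In hunk @@ -410,28 +440,36 @@ the rule's `Description: Capture all CloudTrail events` is left unchanged even though the pattern is now parameter-driven and its default already includes the non-CloudTrail `GuardDuty Finding` detail-type; FullInstall.yaml (@@ -133) was updated to `Description: Capture events based on the provided event pattern`, and the same stale text remains in EventBridge.yaml (@@ -83) and in both nested rules of OrgEventBridge.yaml (@@ -196, @@ -337). Keeping the descriptions consistent matters here because the rule description is what an auditor sees in the console when checking what is exported from the account. The `- DISABLED` / `+ DISABLED` pair at the top of the hunk looks like a whitespace-only change and could be dropped from the commit.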
@@ -45,6 +49,28 @@ Parameters: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } Resources: EventBridgeRole: @@ -83,25 +109,11 @@ Resources: Properties: Name: !Ref EventBridgeRoleName Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' + EventPattern: !Ref EventBridgeEventPattern State: !Ref EventBridgeState Targets: - Id: !Ref EventBridgeRoleName Arn: !Ref EventBusARN RoleArn: !GetAtt - EventBridgeRole - - Arn + - Arn diff --git a/templates_eventbridge/OrgEventBridge.yaml b/templates_eventbridge/OrgEventBridge.yaml index 5ce5180..0144a9b 100644 --- a/templates_eventbridge/OrgEventBridge.yaml +++ b/templates_eventbridge/OrgEventBridge.yaml @@ -14,6 +14,7 @@ Metadata: - Regions - OrganizationUnitIDs - EventBridgeState + - EventBridgeEventPattern ParameterLabels: CSPMRoleName: default: "CSPM Role Name (Sysdig use only)" 
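Review bot: The default pattern added in hunk @@ -45,6 +49,28 @@ includes `"GuardDuty Finding"`, but nothing in this single-account template enables GuardDuty or checks that it is enabled, so in accounts or regions without the detector the new entry is inert and the absence of findings on the Sysdig side could be misread as "nothing found" rather than "not collecting"; this is an inference from the template alone, so please confirm against the installer. A sentence in the parameter Description would close that gap: `GuardDuty findings are forwarded only in regions where a GuardDuty detector is enabled; this template does not enable GuardDuty.`. The rule resource in hunk @@ -83 starts before the hunk, so the Id/Arn target lines shown are all I can see of it.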
@@ -31,6 +32,8 @@ Metadata: default: "Organization Unit IDs (Sysdig use only)" EventBridgeState: default: "State of the EventBridge Rule (Sysdig use only)" + EventBridgeEventPattern: + default: "Event Pattern (Sysdig use only)" Parameters: CSPMRoleName: Type: String @@ -61,6 +64,28 @@ Parameters: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } Resources: AdministrationRole: @@ -173,7 +198,9 @@ Resources: - ParameterKey: EventBusARN ParameterValue: !Ref EventBusARN - ParameterKey: EventBridgeState - ParameterValue: !Ref EventBridgeState + ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern StackInstancesGroup: - DeploymentTargets: Accounts: 
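Review bot: In hunk @@ -173,7 +198,9 @@ the line `ParameterValue: !Ref EventBridgeState` is removed and re-added with no visible change, which suggests trailing-whitespace churn mixed into a functional change; the same pattern appears in OrgEventBridge.yaml at @@ -315 and in the `DISABLED` lines of OrgFullInstall.yaml (@@ -410) and OrgEventBridge.yaml (@@ -196, @@ -337). For templates that govern cross-account event forwarding it is worth keeping each commit's diff limited to the lines whose meaning changed, so the pass-through of the new `EventBridgeEventPattern` parameter to the StackSet stands out on review. The `StackInstancesGroup` block continues past the hunk and is not visible here.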
@@ -196,28 +223,36 @@ Resources: AllowedValues: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - - DISABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } Resources: EventBridgeRule: Type: "AWS::Events::Rule" Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' + EventPattern: !Ref EventBridgeEventPattern State: !Sub ${EventBridgeState} Targets: - Id: !Sub ${EventBridgeRoleName} @@ -315,7 +350,9 @@ Resources: - ParameterKey: EventBusARN ParameterValue: !Ref EventBusARN - ParameterKey: EventBridgeState - ParameterValue: !Ref EventBridgeState + ParameterValue: !Ref EventBridgeState + - ParameterKey: EventBridgeEventPattern + ParameterValue: !Ref EventBridgeEventPattern StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs] 
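Review bot: Hunk @@ -196,28 +223,36 @@ embeds a second full copy of the `EventBridgeEventPattern` Default inside a nested StackSet template, and @@ -337 adds a third, while the outer template (@@ -61) already declares it and @@ -173 / @@ -315 always pass it through as a StackSet parameter; three identical JSON defaults in one file are likely to drift the next time a detail-type is added, as the OrgFullInstall.yaml management-account rule already has. Because the outer stack always supplies the value, the nested declarations could drop `Default:` and keep only `Type: String` plus the Description, so a missing pass-through fails at deploy time instead of quietly falling back to a stale copy; this assumes the nested templates are only ever deployed through these StackSets, which the diff does not show. OrgFullInstall.yaml's nested template at @@ -410 has the same duplication.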
@@ -337,28 +374,36 @@ Resources: AllowedValues: - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS - ENABLED - - DISABLED + - DISABLED + EventBridgeEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } Resources: EventBridgeRule: Type: "AWS::Events::Rule" Properties: Name: !Sub ${EventBridgeRoleName} Description: Capture all CloudTrail events - EventPattern: - detail-type: - - 'AWS API Call via CloudTrail' - - 'AWS Console Sign In via CloudTrail' - - 'AWS Service Event via CloudTrail' - - 'Object Access Tier Changed' - - 'Object ACL Updated' - - 'Object Created' - - 'Object Deleted' - - 'Object Restore Completed' - - 'Object Restore Expired' - - 'Object Restore Initiated' - - 'Object Storage Class Changed' - - 'Object Tags Added' - - 'Object Tags Deleted' + EventPattern: !Ref EventBridgeEventPattern State: !Sub ${EventBridgeState} Targets: - Id: !Sub ${EventBridgeRoleName}