aws-ia · ryanjpayne · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024
diff --git a/guide/content/architecture.md b/guide/content/architecture.md
@@ -64,4 +64,21 @@ Deploying this ABI solution with default parameters builds the following archite
         * IAM Role for CodeBuild Execution
         * EventBridge Rule to send cluster events to centralized EventBus
 
+### DSPM
+* If you enable DSPM:
+    * In the primary region of all child accounts:
+        * IAM Role for CloudFormation execution
+        * IAM Role for integration with DSPM service
+        * IAM Role for Ec2 Instance operations (read-only)
+        * IAM Role for Lambda execution
+        * Secret to store Falcon API key
+        * Lambda Function to deploy CloudFormation across regions
+        * Instance Profile
+    * In all active regions of all child accounts:
+        * VPC with all required subnets, route tables, policies and 
+        * KMS Key
+        * Redshift Subnet Group
+        * IAM Instance Profile for data scanner EC2 instances
+        * EC2 Instance (ephemeral) created at scan-time to scan S3 Buckets
+
 **Next:** Choose [Deployment options](/deployment-options/index.html).
diff --git a/guide/content/costandlicenses.md b/guide/content/costandlicenses.md
@@ -11,7 +11,7 @@ description: Cost of the solution and licenses required.
 
 
 ### AWS service cost
-In addition to the CrowdStrike Falcon cost, consider costs associated with the AWS services you choose and the scale of your operations. AWS services such as CloudTrail, Lambda, Amazon S3, and AWS Key Management Service (AWS KMS) may have associated costs.
+In addition to the CrowdStrike Falcon cost, consider costs associated with the AWS services you choose and the scale of your operations. AWS services such as EventBridge, CloudTrail, Lambda, Amazon S3, and AWS Key Management Service (AWS KMS) may have associated costs.
 
 ### ABI cost and licenses
 

diff --git a/guide/content/deployment-steps.md b/guide/content/deployment-steps.md
@@ -70,6 +70,9 @@ description: Deployment steps.
             * **Registry**: Source Falcon Image from CrowdStrike or mirror to ECR.  Allowed values are `crowdstrike` or `ecr`.  Default is `crowdstrike`
             * **Backend**: kernel or bpf for Daemonset Sensor.  Allowed Values are `kernel` or `bpf`.  Default is `kernel`
             * **EnableKAC**: Deploy Kubernetes Admission Controller (KAC).  For more info see https://falcon.crowdstrike.com/documentation/page/aa4fccee/container-security#s41cbec3
+        * DSPM
+            * **EnableDSPM**: Whether to deploy DSPM
+            * **DSPMRegions**: Which regions to enable for DSPM
 
 3. Select both of the following capabilities and choose **Submit** to launch the stack.
 

diff --git a/guide/content/how-it-works.md b/guide/content/how-it-works.md
@@ -61,4 +61,13 @@ This is accoomplished by
 5. Lambda function to be triggered by CreateCluster and invoke codebuild against new clusters.
 6. CodeBuild project to update access entries, pull CrowdStrike images and deploy Falcon Operator/Sensor.
 
+### DSPM
+Data security posture management (DSPM) identifies which of your Amazon S3 buckets contain sensitive data, such as personal information and credit card info. DSPM scans a sample of the data in all S3 buckets in your registered AWS environments every 3 months to discover and classify the data in those S3 buckets, making it easier to prioritize your security efforts.
+
+When DSPM performs a scan, it creates a data scanner using a c6a.2xlarge Amazon EC2 instance in the Amazon Virtual Private Cloud (VPC) that was created in your AWS account when you enabled DSPM. The data scanner discovers and classifies a sample of the data in the S3 buckets in your account and sends only classification labels and tags to CrowdStrike. Your data never leaves your environment. 
+
+1. VPC in each region to run Data Scanner instance
+2. IAM Role with trust to DSPM service to create Ec2 Instance at scan time
+3. Leat privilege permissions applied to Ec2 to allow for S3 Scanning
+
 **Next:** Choose [Architecture](/architecture/index.html).
diff --git a/guide/content/terminologies.md b/guide/content/terminologies.md
@@ -14,6 +14,7 @@ description: Terminolgies used in this guide.
 * **CrowdStrike API client:** CrowdStrike Falcon API client authentication credentials for interaction with CrowdStike APIs via OAuth 2.0 token. Includes an API client ID and API client secret.
 * **CrowdStrike event bus:** The AWS event bus in CrowdStrike's environment for receiving events and providing the data to CrowdStrike Cloud Security service.
 * **CSPM policies:** A set of rules defined to detect misconfigurations of the cloud resources (IOMs) or to detect suspicious behavior patterns (IOAs).
+* **DSPM:** Data security posture management identifies which of your Amazon S3 buckets contain sensitive data
 * **Indicator of attack (IOA):** A pattern of suspicious behavior that suggests an attack might be underway. In CrowdStrike Cloud Security, IOAs are labeled as findings.
 * **Indicator of misconfiguration (IOM):** A configuration setting that doesn’t follow recommended security guidelines and might become a security vulnerability in a cloud environment. In CrowdStrike Cloud Security, IOMs are labeled as findings.
 * **Registration:** Enroll your AWS account ID with the CrowdStrike Cloud Security service.

diff --git a/guide/content/troubleshooting.md b/guide/content/troubleshooting.md
@@ -29,4 +29,7 @@ For troubleshooting common ABI issues, refer to the [ABI Reference Guide](https:
 2. Check the CodeBuild Execution logs for ```crowdstrike-eks-codebuild```.
 3. Check the Falcon Operator logs on the cluster.  See [Operator Troubleshooting](https://github.com/CrowdStrike/falcon-operator/blob/main/docs/install_guide.md).
 
+#### DSPM
+See falcon documentation for detailed troubleshooting information [here](https://falcon.crowdstrike.com/documentation/page/efd9a6d9/troubleshooting-and-maintenance-for-aws-accounts#j47ce12b).
+
 **Next:** Choose [Feedback](/feedback/index.html).
diff --git a/lambda_functions/source/register-organization/lambda.py b/lambda_functions/source/register-organization/lambda.py
@@ -30,6 +30,7 @@
 SECRET_STORE_REGION = os.environ['secret_region']
 EXCLUDE_REGIONS = os.environ['exclude_regions']
 EXISTING_CLOUDTRAIL = eval(os.environ['existing_cloudtrail'])
+ENABLE_DSPM = eval(os.environ['enable_dspm'])
 AWS_REGION = os.environ['AWS_REGION']
 CS_CLOUD = os.environ['cs_cloud']
 AWS_ACCOUNT_TYPE = os.environ['aws_account_type']
@@ -163,26 +164,41 @@ def lambda_handler(event, context):
             if event['RequestType'] in ['Create']:
                 logger.info('Event = %s' % event)
                 if EXISTING_CLOUDTRAIL:
-                    response = falcon.create_aws_account(account_id=aws_account_id,
-                                                        organization_id=org_id,
-                                                        behavior_assessment_enabled=True,
-                                                        sensor_management_enabled=True,
-                                                        use_existing_cloudtrail=EXISTING_CLOUDTRAIL,
-                                                        user_agent=USERAGENT,
-                                                        is_master=True,
-                                                        account_type=AWS_ACCOUNT_TYPE
-                                                        )
+                    payload = {
+                        "resources": [
+                            {
+                                "account_id": aws_account_id,
+                                "account_type": AWS_ACCOUNT_TYPE,
+                                "behavior_assessment_enabled": True,
+                                "dspm_enabled": ENABLE_DSPM,
+                                "dspm_role": 'CrowdStrikeDSPMIntegrationRole',
+                                "is_master": True,
+                                'organization_id': org_id,
+                                "sensor_management_enabled": True,
+                                "use_existing_cloudtrail": EXISTING_CLOUDTRAIL,
+                                "user_agent": USERAGENT
+                            }
+                        ]
+                    }
                 else:
-                    response = falcon.create_aws_account(account_id=aws_account_id,
-                                                        organization_id=org_id,
-                                                        behavior_assessment_enabled=True,
-                                                        sensor_management_enabled=True,
-                                                        use_existing_cloudtrail=EXISTING_CLOUDTRAIL,
-                                                        cloudtrail_region=AWS_REGION,
-                                                        user_agent=USERAGENT,
-                                                        is_master=True,
-                                                        account_type=AWS_ACCOUNT_TYPE
-                                                        )
+                    payload = {
+                        "resources": [
+                            {
+                                "account_id": aws_account_id,
+                                "account_type": AWS_ACCOUNT_TYPE,
+                                "behavior_assessment_enabled": True,
+                                "cloudtrail_region": AWS_REGION,
+                                "dspm_enabled": ENABLE_DSPM,
+                                "dspm_role": 'CrowdStrikeDSPMIntegrationRole',
+                                "is_master": True,
+                                'organization_id': org_id,
+                                "sensor_management_enabled": True,
+                                "use_existing_cloudtrail": EXISTING_CLOUDTRAIL,
+                                "user_agent": USERAGENT
+                            }
+                        ]
+                    }
+                response = falcon.create_aws_account(body=payload)
                 logger.info('Response: %s' % response)
                 if response['status_code'] == 201:
                     cs_account = response['body']['resources'][0]['intermediate_role_arn'].rsplit('::')[1]
@@ -191,7 +207,8 @@ def lambda_handler(event, context):
                         "iam_role_name": response['body']['resources'][0]['iam_role_arn'].rsplit('/')[1],
                         "intermediate_role_arn": response['body']['resources'][0]['intermediate_role_arn'],
                         "cs_role_name": response['body']['resources'][0]['intermediate_role_arn'].rsplit('/')[1],
-                        "external_id": response['body']['resources'][0]['external_id']
+                        "external_id": response['body']['resources'][0]['external_id'],
+                        "dspm_role_arn": response['body']['resources'][0]['dspm_role_arn']
                     }
                     if not EXISTING_CLOUDTRAIL:
                         response_d['cs_bucket_name'] = response['body']['resources'][0]['aws_cloudtrail_bucket_name']
@@ -221,7 +238,8 @@ def lambda_handler(event, context):
                         "iam_role_name": response['body']['resources'][0]['iam_role_arn'].rsplit('/')[1],
                         "intermediate_role_arn": response['body']['resources'][0]['intermediate_role_arn'],
                         "cs_role_name": response['body']['resources'][0]['intermediate_role_arn'].rsplit('/')[1],
-                        "external_id": response['body']['resources'][0]['external_id']
+                        "external_id": response['body']['resources'][0]['external_id'],
+                        "dspm_role_arn": response['body']['resources'][0]['dspm_role_arn']
                     }
                     if not EXISTING_CLOUDTRAIL:
                         response_d['cs_bucket_name'] = response['body']['resources'][0]['aws_cloudtrail_bucket_name']