Merge branch 'main' into ephemeral_project-updates

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "submodules/cfn-abi-amazon-guardduty"]
+	path = submodules/cfn-abi-amazon-guardduty
+	url = https://github.com/aws-ia/cfn-abi-amazon-guardduty
+[submodule "submodules/cfn-abi-aws-cloudtrail"]
+	path = submodules/cfn-abi-aws-cloudtrail
+	url = https://github.com/aws-ia/cfn-abi-aws-cloudtrail

.taskcat.yml

@@ -1,33 +1,18 @@
 project:
-  name: update-me-to-project-repo-name
-  owner: quickstart@amazon.com
+  name: cfn-abi-ibmsecurity-qradar
+  owner: durgadas@ibm.com
   package_lambda: false
+  shorten_stack_name: true
+  s3_regional_buckets: false
   regions:
-  - ap-northeast-1
-  - ap-northeast-2
-  - ap-southeast-1
-  - ap-southeast-2
-  - eu-central-1
-  - eu-west-1
-  - sa-east-1
-  - us-east-1
-  - us-west-1
-  - us-west-2
+    - us-east-1
+
 tests:
-  sample:
+  launch-qradar-main:
     parameters:
-      Param1: 'Inputs to Stack'
-      # Examples: of other taskcat dynamic input parameters for more into see http://taskcat.io
-      #
-      #      AvailabilityZones: $[taskcat_genaz_3]
-      #      ByteValue: 1
-      #      PasswordA: $[taskcat_genpass_8A]
-      #      PasswordB: $[taskcat_genpass_32S]
-      #      RandomNumber: $[taskcat_random-numbers]
-      #      RandomString: $[taskcat_random-string]
-      #      StackName: TestStack
-      #      UUID: $[taskcat_genuuid]
-      #
+      pSRASourceS3BucketName: $[taskcat_autobucket]
+      pSRAS3BucketRegion: $[taskcat_current_region]
+      pSRAStagingS3KeyPrefix: $[taskcat_project_name]
     regions:
-    - us-east-1
-    template: templates/sample-workload.template.yaml
+      - us-east-1
+    template: templates/abi-enable-qradar-integration.yaml

scripts/cleanup_config.json

@@ -0,0 +1,70 @@
+[
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "sra-guardduty-org-delivery-",
+    "Account": "log_account"
+  },
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "cfn-abi-amazon-guardduty-"
+  },
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "sra-gd-staging-"
+  },
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "tcat-"
+  },
+  {
+    "Type": "SSM_PARAMETER",
+    "Filter": "/sra/gd/"
+  },
+  {
+    "Type": "STACK",
+    "Filter": "tCaT-enable-cloudtrail-ssm-"
+  },
+  {
+    "Type": "STACK",
+    "Filter": "tCaT-stage-ctrail-content-local-"
+  },
+  {
+    "Type": "STACK",
+    "Filter": "org-level-trail-dataevent-only"
+  },
+  {
+    "Type": "STACK",
+    "Filter": "org-level-trail-with-mgmt-events"
+  },
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "sra-cloudtrail-staging-"
+  },
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "sra-org-trail-logs-",
+    "Account": "log_account"
+  },
+  {
+    "Type": "S3_BUCKET",
+    "Filter": "cfn-abi-aws-cloudtrail-"
+  },
+  {
+    "Type": "SSM_PARAMETER",
+    "Filter": "/sra/ctrail/"
+  },
+  {
+    "Type": "LOG_GROUP",
+    "Filter": "sra/sra-org-trail"
+  },
+  {
+    "Type": "LOG_GROUP",
+    "Filter": "/aws/lambda/sra-ct-s3",
+    "Account": "log_account"
+  },
+  {
+    "Type": "LOG_GROUP",
+    "Filter": "/aws/lambda/sra-gd-s3",
+    "Account": "log_account"
+  }
+]

scripts/cleanup_config.py

@@ -20,7 +20,6 @@
 S3 = SESSION.client('s3')
 STS = SESSION.client('sts')
 ORG  = SESSION.client('organizations')
-GD  = SESSION.client('guardduty')
 
 STACKSTATUS = [ 'ROLLBACK_FAILED', 'ROLLBACK_COMPLETE', 'DELETE_FAILED', 'DELETE_COMPLETE']
 
@@ -235,15 +234,13 @@ def get_temp_credentials(aws_account, role_name='AWSControlTowerExecution'):
             print('Error assuming role: %s', role_arn)
 
     return result
-
 def establish_remote_session(account):
     '''
     Establish remote session
     '''
 
     roles = ['AWSControlTowerExecution', 'OrganizationAccountAccessRole']
     result = None
-
     for role in roles:
         sts_creds = get_temp_credentials(account, role)
         if sts_creds:
@@ -253,7 +250,6 @@ def establish_remote_session(account):
             aws_session_token=sts_creds['SessionToken']
             )
             break
-
     return result
 
 def get_log_archive_account(parameter_name='/sra/gd/control-tower/log-archive-account-id'):
@@ -272,7 +268,7 @@ def get_list_of_accounts():
     for page in paginator.paginate():
         accounts += page['Accounts']
     return accounts
-
+    
 def get_account_id(filters='Log Archive'):
     '''
     Get log account ID
@@ -309,7 +305,6 @@ def delete_cw_logs(filters='sra/sra-org-trail', account=None):
         print('Account-ID: %s', account)
     else:
         cwlogs = SESSION.client('logs')
-
     log_groups = list_cw_lognames(context=cwlogs)
     print(filters)
     for log_group_name in log_groups:
@@ -323,40 +318,43 @@ def get_management_account_id():
     '''
     return ORG.describe_organization()['Organization']['MasterAccountId']
 
-def get_list_of_detectors():
+def get_list_of_detectors(gd_client):
     '''
     Get list of GuardDuty detectors
     '''
     detectors = []
-    paginator = GD.get_paginator('list_detectors')
+    paginator = gd_client.get_paginator('list_detectors')
     for page in paginator.paginate():
         detectors += page['DetectorIds']
     return detectors
-
 def delete_detector():
     '''
     Delete the GuardDuty detectors in all accounts in the organization in the current region
     '''
     accounts = get_list_of_accounts()
     mgt_acct_id = get_management_account_id()
-
-    for account in accounts:
+    #print(mgt_acct_id)
+
+    for account in accounts: 
+        #print(account['Id'])
         if mgt_acct_id != account['Id']:
             session = establish_remote_session(account['Id'])
             if session:
                 gd_client = session.client('guardduty')
+                print("Creating GD session in %s", account['Id'])
             else:
                 print('Unable to establish session for account: %s', account['Id'])
                 gd_client = None
         else: # Management account
             gd_client = boto3.client('guardduty')
-
         if gd_client:
-            detector_ids = get_list_of_detectors()
+            detector_ids = get_list_of_detectors(gd_client)
+            print("Detector IDs")
+            print(detector_ids)
             for det_id in detector_ids:
+                print(det_id)
                 print('Deleting GuardDuty Detector in %s', account['Id'])
                 gd_client.delete_detector(DetectorId=det_id)
-
 def run_cleanup(config):
     '''
     Run the cleanup
@@ -387,7 +385,6 @@ def run_cleanup(config):
         else:
             print('Invalid type in cleanup_config.json: %s', item['Type'])
 
-
 if __name__ == '__main__':
     PARSER = argparse.ArgumentParser(prog='cleanup_config.py',
                                      usage='%(prog)s [-C | -h]',

templates/abi-enable-qradar-integration.yaml

@@ -0,0 +1,119 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: QRadar Integration
+
+Parameters:
+  PrincipalArn:
+    Type: String
+    Description: ARN of the principal that can assume the role
+    Default: ''
+  pSRASourceS3BucketName:
+    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
+    ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
+    Default: aws-abi-pilot
+    Description: Source bucket for all templates and artefacts that will get copied into staging bucket
+    Type: String
+  pSRAS3BucketRegion:
+    AllowedPattern: ^[a-z][a-z]-[a-z]*-[0-9]*$
+    Type: String
+    Default: us-east-1
+  pSRAStagingS3KeyPrefix:
+    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
+    Type: String
+    Default: cfn-abi-ibmsecurity-qradar
+
+Resources:
+  CloudTrailIntegrationStack:
+    Type: AWS::CloudFormation::Stack
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRASourceS3BucketName}.s3.${pSRAS3BucketRegion}.${AWS::URLSuffix}/${pSRAStagingS3KeyPrefix}/templates/enable-integrations/enable-cloudtrail-integrations.yaml
+      Parameters:
+        pSRAS3BucketRegion: !Ref pSRAS3BucketRegion
+        pSRASourceS3BucketName: !Ref pSRASourceS3BucketName
+        pSRAStagingS3KeyPrefix: !Ref pSRAStagingS3KeyPrefix
+
+  GuardDutyIntegrationStack:
+    Type: AWS::CloudFormation::Stack
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRASourceS3BucketName}.s3.${pSRAS3BucketRegion}.${AWS::URLSuffix}/${pSRAStagingS3KeyPrefix}/templates/enable-integrations/enable-guardduty-integrations.yaml
+      Parameters:
+        pSRASourceS3BucketName: !Ref pSRASourceS3BucketName
+        pSRAStagingS3KeyPrefix: !Ref pSRAStagingS3KeyPrefix
+        pSRAS3BucketRegion: !Ref pSRAS3BucketRegion
+        pLogArchiveAccountId:
+          !GetAtt [CloudTrailIntegrationStack, Outputs.oLogArchiveAccountId]
+
+  SetupIAMRoleStack:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: qradar-setup-iam-role-stack
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      CallAs: SELF
+      Description: Setup necessary IAM roles needed for the QRadar application to access the services
+      ExecutionRoleName: AWSControlTowerExecution
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        FailureTolerancePercentage: 0
+        MaxConcurrentPercentage: 100
+        RegionConcurrencyType: PARALLEL
+      PermissionModel: SELF_MANAGED
+      StackInstancesGroup:
+        - DeploymentTargets:
+            Accounts:
+              - !GetAtt [
+                  CloudTrailIntegrationStack,
+                  Outputs.oLogArchiveAccountId,
+                ]
+          Regions:
+            - !Ref AWS::Region
+      TemplateURL: !Sub https://${pSRASourceS3BucketName}.s3.${pSRAS3BucketRegion}.${AWS::URLSuffix}/${pSRAStagingS3KeyPrefix}/templates/enable-integrations/setup-iam-role.yaml
+      Parameters:
+        - ParameterKey: PrincipalArn
+          ParameterValue: !Ref PrincipalArn
+        - ParameterKey: LogArchiveAccountId
+          ParameterValue:
+            !GetAtt [CloudTrailIntegrationStack, Outputs.oLogArchiveAccountId]
+        - ParameterKey: AuditAccountId
+          ParameterValue:
+            !GetAtt [CloudTrailIntegrationStack, Outputs.oAuditAccountId]
+        - ParameterKey: CloudTrailSQSArn
+          ParameterValue:
+            !GetAtt [CloudTrailIntegrationStack, Outputs.oCloudTrailSQSQueueArn]
+        - ParameterKey: GuardDutySQSArn
+          ParameterValue:
+            !GetAtt [GuardDutyIntegrationStack, Outputs.oGuardDutySQSQueueArn]
+        - ParameterKey: CloudTrailBucket
+          ParameterValue:
+            !GetAtt [
+              CloudTrailIntegrationStack,
+              Outputs.oOrganizationCloudTrailS3BucketArn,
+            ]
+        - ParameterKey: GuardDutyFindingsBucket
+          ParameterValue:
+            !GetAtt [
+              GuardDutyIntegrationStack,
+              Outputs.oPublishingDestinationBucketArn,
+            ]
+      Tags:
+        - Key: sra-solution
+          Value: !Ref pSRAStagingS3KeyPrefix
+
+Outputs:
+  QRadarCloudTrailSQSQueueUrl:
+    Description: SQS URL for the CloudTrail events
+    Value: !GetAtt [CloudTrailIntegrationStack, Outputs.oCloudTrailSQSQueueURL]
+  QRadarGuardDutyFindingsSQSQueueUrl:
+    Description: SQS URL for the GuardDuty findings
+    Value: !GetAtt [GuardDutyIntegrationStack, Outputs.oGuardDutySQSQueueURL]
+  QRadarIAMRoleArn:
+    Description: The ARN of the QRadar IAM role
+    Value: !Sub 'arn:aws:iam::${CloudTrailIntegrationStack.Outputs.oLogArchiveAccountId}:role/QRadarRole'
+  QRadarRegion:
+    Description: AWS Region where the SQS queues and bucket resides.
+    Value: !Ref AWS::Region