Fetch AWS Management Account resources only when explicitly selected (#…
kubasobon authored Mar 11, 2024
1 parent ad2719f commit 1d38cd2
Showing 11 changed files with 559 additions and 33 deletions.
14 changes: 7 additions & 7 deletions deploy/cloudformation/ec2-types.yml
Expand Up @@ -27,7 +27,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t4g.nano
ImageId: ami-0a0ae3c8519bff7f0
BlockDeviceMappings:
Expand All @@ -48,7 +48,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t4g.small
ImageId: ami-062e673cc4273dad8
BlockDeviceMappings:
Expand All @@ -69,7 +69,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-09ee771fad415a6d7
BlockDeviceMappings:
Expand All @@ -90,7 +90,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-00aa9d3df94c6c354
BlockDeviceMappings:
Expand All @@ -111,7 +111,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-089f338f3a2e69431
BlockDeviceMappings:
Expand All @@ -132,7 +132,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-04b1c88a6bbd48f8e
BlockDeviceMappings:
Expand All @@ -151,6 +151,6 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []
8 changes: 4 additions & 4 deletions deploy/cloudformation/elastic-agent-ec2-cnvm.yml
Expand Up @@ -46,7 +46,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []

Expand Down Expand Up @@ -110,10 +110,10 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
Path: /
Roles:
- !Ref "ElasticAgentRole"
- !Ref ElasticAgentRole

# EC2 Instance to run elastic-agent
ElasticAgentEc2Instance:
Expand All @@ -131,7 +131,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
- Key: Task
Value: Vulnerability Management Scanner
ImageId: !Ref LatestAmiId
56 changes: 50 additions & 6 deletions deploy/cloudformation/elastic-agent-ec2-cspm-organization.yml
Expand Up @@ -11,6 +11,19 @@ Parameters:
Type: CommaDelimitedList
AllowedPattern: ^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$

ScanManagementAccount:
Description: |
When set to "Yes", the Management Account resources will be scanned,
regardless of selected Organizational Unit IDs. Likewise, when set to
"No", the Management Account resources will not be scanned, even if
the Management Account belongs to a selected Organizational Unit.
Type: String
AllowedValues:
- "Yes"
- "No"
Default: "Yes"
ConstraintDescription: Must specify "Yes" or "No"

LatestAmiId:
Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
Default: /aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-arm64
Expand Down Expand Up @@ -41,6 +54,11 @@ Parameters:
Description: The version of elastic-agent to install
Type: String

Conditions:
ScanManagementAccountEnabled: !Equals
- !Ref ScanManagementAccount
- "Yes"

Resources:

# Security Group for EC2 instance
Expand All @@ -54,7 +72,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []

Expand All @@ -64,6 +82,9 @@ Resources:
Properties:
RoleName: cloudbeat-root
Description: Role that cloudbeat uses to assume roles in other accounts
Tags:
- Key: cloudbeat_scan_management_account
Value: !Ref ScanManagementAccount
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Expand All @@ -84,6 +105,14 @@ Resources:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:GetRole
- iam:ListAccountAliases
- iam:ListGroup
- iam:ListRoles
- iam:ListUsers
Resource: '*'
- Effect: Allow
Action:
- organizations:List*
Expand All @@ -93,8 +122,6 @@ Resources:
Action:
- sts:AssumeRole
Resource: '*'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

# Instance profile to attach to EC2 instance
ElasticAgentInstanceProfile:
Expand All @@ -107,10 +134,10 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
Path: /
Roles:
- !Ref "CloudbeatRootRole"
- !Ref CloudbeatRootRole

# EC2 Instance to run elastic-agent
ElasticAgentEc2Instance:
Expand All @@ -128,7 +155,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
- Key: Task
Value: Organization Cloud Security Posture Management Scanner
ImageId: !Ref LatestAmiId
Expand Down Expand Up @@ -208,6 +235,23 @@ Resources:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
CloudbeatManagementAccountAuditRole:
Type: AWS::IAM::Role
Properties:
RoleName: cloudbeat-securityaudit
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !GetAtt CloudbeatRootRole.Arn
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Condition: ScanManagementAccountEnabled

Outputs:
CloudbeatRootRoleArn:
Description: The cloudbeat IAM role in the management account
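Review bot: `iam:ListGroup` in the new inline statement added to CloudbeatRootRole (the block running from `iam:GetRole` to `iam:ListUsers`) does not appear to be a real IAM action; the API is ListGroups, so the line should read `- iam:ListGroups`, otherwise group enumeration in the management account is denied at runtime while the template itself will most likely still deploy. The CloudbeatRootRole resource and its trust policy begin outside this hunk. Moving SecurityAudit off the root role onto the conditional CloudbeatManagementAccountAuditRole is the right least-privilege direction; a comment above `CloudbeatManagementAccountAuditRole:` such as `# Created only when ScanManagementAccount is "Yes"; cloudbeat-root assumes it to audit the management account` would make the purpose of the Condition visible to readers of the Resources list.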
25 changes: 21 additions & 4 deletions deploy/cloudformation/elastic-agent-ec2-cspm.yml
Expand Up @@ -46,7 +46,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []

Expand All @@ -67,6 +67,23 @@ Resources:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

# IAM Role to assume for Management Account
CloudbeatRootRole:
Type: AWS::IAM::Role
Properties:
RoleName: cloudbeat-root
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !GetAtt ElasticAgentRole.Arn
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

# Instance profile to attach to EC2 instance
ElasticAgentInstanceProfile:
Type: AWS::IAM::InstanceProfile
Expand All @@ -78,10 +95,10 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
Path: /
Roles:
- !Ref "ElasticAgentRole"
- !Ref ElasticAgentRole

# EC2 Instance to run elastic-agent
ElasticAgentEc2Instance:
Expand All @@ -99,7 +116,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
- Key: Task
Value: Cloud Security Posture Management Scanner
ImageId: !Ref LatestAmiId
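Review bot: The new CloudbeatRootRole pins `RoleName: cloudbeat-root`, the same fixed name the organization template in this commit (elastic-agent-ec2-cspm-organization.yml) gives its CloudbeatRootRole; IAM role names are unique per account, so deploying both templates into one account, or two single-account CSPM stacks side by side, will fail on a name conflict. Unless a fixed name is required by trust policies elsewhere (not visible here), drop RoleName so CloudFormation generates a unique one, or derive it from the stack, e.g. `RoleName: !Sub 'cloudbeat-root-${AWS::StackName}'`; if the fixed name is deliberate, a comment stating which trust policy depends on it would prevent the next maintainer from changing it. The header comment `# IAM Role to assume for Management Account` reads oddly in a single-account template; if the role exists so cloudbeat follows the same assume-role path in both deployment modes, say so, e.g. `# Intermediate role assumed by ElasticAgentRole so cloudbeat uses one assume-role flow in both single-account and organization deployments`.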