-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cloudformation direct access key (#2123)
- Loading branch information
1 parent
8f30981
commit 72baecd
Showing
5 changed files
with
283 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
174 changes: 174 additions & 0 deletions
174
deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,174 @@ | ||
AWSTemplateFormatVersion: "2010-09-09" | ||
|
||
Description: Creates elastic-agent cspm user, role, and access key, and outputs the access key | ||
|
||
Parameters: | ||
OrganizationalUnitIds: | ||
Description: | | ||
Comma-separated list of organizational units to deploy the IAM roles to. | ||
Specify the unique IDs of the organizational units where the roles should be deployed. | ||
Example: ou-abc123,ou-def456,ou-ghi789 | ||
Type: CommaDelimitedList | ||
AllowedPattern: ^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$ | ||
|
||
ScanManagementAccount: | ||
Description: | | ||
When set to "Yes", the Management Account resources will be scanned, | ||
regardless of selected Organizational Unit IDs. Likewise, when set to | ||
"No", the Management Account resources will not be scanned, even if | ||
the Management Account belongs to a selected Organizational Unit. | ||
Type: String | ||
AllowedValues: | ||
- "Yes" | ||
- "No" | ||
Default: "Yes" | ||
ConstraintDescription: Must specify "Yes" or "No" | ||
|
||
Conditions: | ||
ScanManagementAccountEnabled: !Equals | ||
- !Ref ScanManagementAccount | ||
- "Yes" | ||
|
||
Resources: | ||
ElasticCSPMUser: | ||
Type: AWS::IAM::User | ||
Properties: | ||
UserName: !Join | ||
- '-' | ||
- - elasticagent-user-cspm | ||
- !Select | ||
- 2 | ||
- !Split | ||
- / | ||
- !Ref AWS::StackId | ||
Path: / | ||
|
||
CloudbeatRootRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
RoleName: cloudbeat-root | ||
Description: Role that cloudbeat uses to assume roles in other accounts | ||
Tags: | ||
- Key: cloudbeat_scan_management_account | ||
Value: !Ref ScanManagementAccount | ||
AssumeRolePolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
AWS: !Ref AWS::AccountId | ||
Action: | ||
- sts:AssumeRole | ||
- Effect: Allow | ||
Principal: | ||
AWS: !GetAtt ElasticCSPMUser.Arn | ||
Action: | ||
- sts:AssumeRole | ||
- Effect: Allow | ||
Principal: | ||
Service: | ||
- ec2.amazonaws.com | ||
Action: | ||
- sts:AssumeRole | ||
Path: / | ||
Policies: | ||
- PolicyName: cloudbeat-root-permissions | ||
PolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Effect: Allow | ||
Action: | ||
- iam:GetRole | ||
- iam:ListAccountAliases | ||
- iam:ListGroup | ||
- iam:ListRoles | ||
- iam:ListUsers | ||
Resource: '*' | ||
- Effect: Allow | ||
Action: | ||
- organizations:List* | ||
- organizations:Describe* | ||
Resource: '*' | ||
- Effect: Allow | ||
Action: | ||
- sts:AssumeRole | ||
Resource: '*' | ||
|
||
CloudbeatRoleStackSet: | ||
Type: AWS::CloudFormation::StackSet | ||
Properties: | ||
StackSetName: cloudbeat-role-stackset | ||
Description: StackSet for deploying the cloudbeat-securityaudit IAM role to member accounts in the specified organizational units. | ||
AutoDeployment: | ||
Enabled: true | ||
RetainStacksOnAccountRemoval: false | ||
Capabilities: | ||
- CAPABILITY_NAMED_IAM | ||
ManagedExecution: | ||
Active: true | ||
Parameters: | ||
- ParameterKey: RootRoleArn | ||
ParameterValue: !GetAtt CloudbeatRootRole.Arn | ||
PermissionModel: SERVICE_MANAGED | ||
StackInstancesGroup: | ||
- DeploymentTargets: | ||
OrganizationalUnitIds: !Ref OrganizationalUnitIds | ||
Regions: | ||
- !Ref AWS::Region | ||
TemplateBody: | | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
Description: Creates IAM roles needed for multi-account access | ||
Parameters: | ||
RootRoleArn: | ||
Type: String | ||
Resources: | ||
CloudbeatMemberRole: | ||
Type: 'AWS::IAM::Role' | ||
Properties: | ||
RoleName: cloudbeat-securityaudit | ||
AssumeRolePolicyDocument: | ||
Version: '2012-10-17' | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
AWS: !Ref RootRoleArn | ||
Action: | ||
- sts:AssumeRole | ||
Path: / | ||
ManagedPolicyArns: | ||
- arn:aws:iam::aws:policy/SecurityAudit | ||
CloudbeatManagementAccountAuditRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
RoleName: cloudbeat-securityaudit | ||
AssumeRolePolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
AWS: !GetAtt CloudbeatRootRole.Arn | ||
Action: | ||
- sts:AssumeRole | ||
Path: / | ||
ManagedPolicyArns: | ||
- arn:aws:iam::aws:policy/SecurityAudit | ||
Condition: ScanManagementAccountEnabled | ||
|
||
ElasticCSPMAccessKey: | ||
Type: AWS::IAM::AccessKey | ||
Properties: | ||
UserName: !Ref ElasticCSPMUser | ||
|
||
Outputs: | ||
AccessKeyId: | ||
Description: Access Key ID | ||
Value: !Ref ElasticCSPMAccessKey | ||
Export: | ||
Name: AccessKeyId | ||
|
||
SecretAccessKey: | ||
Description: Secret Access Key | ||
Value: !GetAtt ElasticCSPMAccessKey.SecretAccessKey | ||
Export: | ||
Name: SecretAccessKey |
39 changes: 39 additions & 0 deletions
39
deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
AWSTemplateFormatVersion: "2010-09-09" | ||
|
||
Description: Creates elastic-agent cspm user, role, and access key, and outputs the access key | ||
|
||
Parameters: {} | ||
|
||
Resources: | ||
ElasticCSPMUser: | ||
Type: AWS::IAM::User | ||
Properties: | ||
UserName: !Join | ||
- '-' | ||
- - elasticagent-user-cspm | ||
- !Select | ||
- 2 | ||
- !Split | ||
- / | ||
- !Ref AWS::StackId | ||
ManagedPolicyArns: | ||
- arn:aws:iam::aws:policy/SecurityAudit | ||
Path: / | ||
|
||
ElasticCSPMAccessKey: | ||
Type: AWS::IAM::AccessKey | ||
Properties: | ||
UserName: !Ref ElasticCSPMUser | ||
|
||
Outputs: | ||
AccessKeyId: | ||
Description: Access Key ID | ||
Value: !Ref ElasticCSPMAccessKey | ||
Export: | ||
Name: AccessKeyId | ||
|
||
SecretAccessKey: | ||
Description: Secret Access Key | ||
Value: !GetAtt ElasticCSPMAccessKey.SecretAccessKey | ||
Export: | ||
Name: SecretAccessKey |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters