import { Peer } from "aws-cdk-lib/aws-ec2";
import type { IVpc } from "aws-cdk-lib/aws-ec2";
import { isSingletonPresentInStack } from "../../../utils/singleton";
import type { GuStack } from "../../core";
import { GuBaseSecurityGroup } from "./base";
/**
* A security group allowing the Wazuh agent on an EC2 instance to send outbound traffic to its manager.
* This is implemented as a singleton, meaning only one resource will be created in a stack.
* If there are multiple apps in the stack, they will re-use this resource.
*
* The logicalId will always be "WazuhSecurityGroup".
*
* Will create a resource like this:
*
* ```yaml
* WazuhSecurityGroup:
* Type: AWS::EC2::SecurityGroup
* Properties:
* GroupDescription: Allow outbound traffic from wazuh agent to manager
* VpcId:
* Ref: VpcId
* SecurityGroupEgress:
* - Description: Wazuh event logging
* IpProtocol: tcp
* FromPort: 1514
* ToPort: 1514
* CidrIp: 0.0.0.0/0
* - Description: Wazuh agent registration
* IpProtocol: tcp
* FromPort: 1515
* ToPort: 1515
* CidrIp: 0.0.0.0/0
* ```
*
* Which will then get used like this:
*
* ```yaml
* InstanceRoleForAppA:
* Type: AWS::IAM::Role
* Properties:
* SecurityGroups:
* - Ref: WazuhSecurityGroup
*
* InstanceRoleForAppB:
* Type: AWS::IAM::Role
* Properties:
* SecurityGroups:
* - Ref: WazuhSecurityGroup
* ```
*
* Usage within a stack:
* ```typescript
* GuWazuhAccess.getInstance(this, vpc);
* ```
*
* @see https://github.com/guardian/security-hq/blob/main/hq/markdown/wazuh.md
*/
export class GuWazuhAccess extends GuBaseSecurityGroup {
  /**
   * The logicalId is pinned to this value for every stack, new or migrated.
   * Replacing an in-use security group needs careful orchestration with the
   * instances attached to it, so keeping the id stable makes it easier for
   * YAML-defined stacks to move to GuCDK and for GuCDK stacks to upgrade.
   */
  private static readonly LOGICAL_ID = "WazuhSecurityGroup";

  /**
   * The agent-to-manager ports this group opens. Each becomes a TCP egress
   * rule to any IPv4 destination (0.0.0.0/0); there is currently no way to
   * narrow the destination to the manager's address.
   */
  private static readonly MANAGER_PORTS: ReadonlyArray<{ port: number; description: string }> = [
    { port: 1514, description: "Wazuh event logging" },
    { port: 1515, description: "Wazuh agent registration" },
  ];

  /** The singleton, or `undefined` until `getInstance` is first called. */
  private static instance: GuWazuhAccess | undefined;

  /**
   * Private so that the only way to obtain an instance is `getInstance`,
   * which enforces one group per stack.
   *
   * @param scope the stack the group is created in
   * @param vpc the VPC the group belongs to
   */
  private constructor(scope: GuStack, vpc: IVpc) {
    super(scope, GuWazuhAccess.LOGICAL_ID, {
      vpc,
      /*
        The group description of a security group is stateful: changing it
        replaces the group. Be careful about editing this!
        See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-groupdescription
      */
      description: "Allow outbound traffic from wazuh agent to manager",
      // Default egress is disabled so that only the explicit rules below apply.
      allowAllOutbound: false,
      egresses: GuWazuhAccess.MANAGER_PORTS.map(({ port, description }) => ({
        range: Peer.anyIpv4(),
        port,
        description,
      })),
    });

    scope.overrideLogicalId(this, {
      logicalId: GuWazuhAccess.LOGICAL_ID,
      reason: "Avoid tricky security group replacement during a YAML to GuCDK migration.",
    });
  }

  /**
   * Returns the single `GuWazuhAccess` for `stack`, creating it on first use.
   * Multiple apps in the same stack share the one resource.
   *
   * The cached instance is only reused when it already belongs to `stack`
   * (see `isSingletonPresentInStack`), so synthesising several stacks in one
   * process still yields one group per stack.
   *
   * Note that `vpc` is only consulted when the group is created: a later
   * call for the same stack with a different VPC returns the existing group
   * unchanged.
   *
   * Usage:
   * ```typescript
   * GuWazuhAccess.getInstance(this, vpc);
   * ```
   *
   * @param stack the stack to add this security group to
   * @param vpc the vpc to add this security group to
   * @returns the stack's shared Wazuh security group
   */
  public static getInstance(stack: GuStack, vpc: IVpc): GuWazuhAccess {
    const existing = GuWazuhAccess.instance;
    if (existing !== undefined && isSingletonPresentInStack(stack, existing)) {
      return existing;
    }

    const created = new GuWazuhAccess(stack, vpc);
    GuWazuhAccess.instance = created;
    return created;
  }
}