AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Step 3 - This template should be deployed in all regions of all the application
  accounts where Inspector assessment will be conducted.

Mappings:
  # Region-keyed ARNs of the AWS-owned Inspector rules packages.
  # The assessment template below only reads the CVE and SBP entries, but the
  # full set (CIS / CVE / NR / RBA / SBP) is kept so the scan scope can be
  # widened without hunting for ARNs.
  # NOTE(review): only four US regions are listed; a stack created in any other
  # region will fail at the FindInMap lookup in the assessment template resource.
  RulesPackagesAmazonInspectorArns:
    us-east-1:
      CIS: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8"
      CVE: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7"
      NR: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd"
      RBA: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h"
      SBP: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q"
    us-east-2:
      CIS: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-m8r61nnh"
      CVE: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-JnA8Zp85"
      NR: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-cE4kTR30"
      RBA: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-UCYZFKPV"
      SBP: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-AxKmMHPX"
    us-west-1:
      CIS: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-xUY8iRqX"
      CVE: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TKgzoVOa"
      NR: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TxmXimXF"
      RBA: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-yeYxlt0x"
      SBP: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-byoQRFYm"
    us-west-2:
      CIS: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc"
      CVE: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p"
      NR: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-rD1z6dpl"
      RBA: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
      SBP: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ"
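Parameters:
  CentralSecurityAccountID:
    Type: String
    Description: Account ID of the Central Audit Account
    # The Lambda below splices this value straight into the SNS topic ARN it
    # subscribes to, so reject anything that is not a 12-digit account ID.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: Must be a 12-digit AWS account ID
  CWERuleNameToAttachSNSTopicToInspector:
    Type: String
    Description: The event rule that will trigger regional lambda to add SNS Topic to a newly created Inspector Template for asset scanning
    Default: 'Rule-AttachInspector-to-SNSTopic'
  CWERuleNameToStartInspectorScan:
    Type: String
    Description: The event rule that will start Inspector run at a scheduled interval
    Default: 'Rule-InspectorScanStartEvent'
  InspectorRunSchedule:
    Type: String
    Description: 'The schedule at which Inspector runs, can be a cron [Format - cron(fields)] or rate expression [Format - rate(value unit)]'
    Default: 'rate(1 day)'
  InspectorRunDuration:
    # Number instead of String so the documented 900..86400 range is enforced
    # at stack creation rather than failing later inside Inspector.
    Type: Number
    Description: 'The duration of the assessment run in seconds (Min - 15 mins ~ 900 | Max - 24 hours ~86400 | Recommended - 1 hour ~ 3600)'
    Default: 900
    MinValue: 900
    MaxValue: 86400
  InspectorToSNSLambdaRoleName:
    Type: String
    Description: Name of the execution role (not ARN, created in Step 2) that is assumed by regional Lambda function to attach a SNS topic to an Inspector template
    Default: Attach-SNS-to-Inspector-Lambda.iamrole
  InspectorEventRoleName:
    Type: String
    Description: Name of the role (not ARN, created in Step 2) that is assumed by CloudWatch Event to start a scheduled Inspector run
    Default: Event-to-start-InspectorRun.iamrole
  RegionalSNSTopicName:
    Type: String
    Description: Name of the regional SNS Topic of Audit account (created in Step 1) that notifies SQS on Inspector findings reported in its region of all application accounts
    Default: Inspector-to-SQS-topic
  InspectorTemplateTaggingKey:
    Type: String
    Description: The tag key that will be attached only to the specific Inspector template created in a region for scanning the regional assets (EC2 instances)
    Default: ScanType
  InspectorTemplateTaggingValue:
    Type: String
    Description: The tag value that will be attached only to the specific Inspector template created in a region for scanning the regional assets (EC2 instances)
    Default: 'ScheduledRun-across-Fleet'
  EC2AssessmentTargetName:
    Type: String
    # Description corrected: this names the assessment target, not a tag value.
    Description: Name of the Inspector assessment target that covers the EC2 instances of this region
    Default: 'All EC2 Targets - For Scheduled Scan'
  EC2AssessmentTemplateName:
    Type: String
    # Description corrected: this names the assessment template, not a tag value.
    Description: Name of the Inspector assessment template that runs the scheduled scan against the EC2 assessment target
    Default: 'ScheduledAssessmentTemplate'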
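Resources:
  # Regional Lambda that reacts to CreateAssessmentTemplate API calls and
  # subscribes only the tagged scheduled-scan template to the central audit
  # account's SNS topic. Anything without the configured tag is ignored.
  AttachInspec2SNSLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          import boto3
          import os
          import re

          # Groups: partition, region, account. Accepting any partition keeps
          # the function usable outside the commercial "aws" partition.
          ARN_PATTERN = re.compile(r"^arn:([^:]+):inspector:([^:]+):([^:]+):(.+)$")

          def lambda_handler(event, context):
              """Subscribe a newly created Inspector template to the central SNS topic.

              Invoked by the EventBridge rule for the CreateAssessmentTemplate
              CloudTrail event. Only templates whose userAttributesForFindings
              carry the configured tag key/value are subscribed.

              Raises:
                  ValueError: the template ARN in the event is not an Inspector ARN.
              """
              central_acct_id = os.environ['centralAcctId']
              sns_topic_name = os.environ['snsTopicName']
              tag_key = os.environ['tagKey']
              tag_value = os.environ['tagValue']
              detail = event['detail']
              # A template created without user attributes is simply not the
              # scheduled-scan template; return quietly instead of raising KeyError.
              attributes = detail.get('requestParameters', {}).get('userAttributesForFindings') or []
              for attribute in attributes:
                  if attribute.get('key') != tag_key or attribute.get('value') != tag_value:
                      continue
                  template_arn = detail['responseElements']['assessmentTemplateArn']
                  match = ARN_PATTERN.match(template_arn)
                  if match is None:
                      raise ValueError("unexpected assessment template ARN: " + template_arn)
                  partition, region = match.group(1), match.group(2)
                  inspector = boto3.client('inspector', region_name=region)
                  inspector.subscribe_to_event(
                      resourceArn=template_arn,
                      event='FINDING_REPORTED',
                      topicArn="arn:" + partition + ":sns:" + region + ":" + central_acct_id + ":" + sns_topic_name,
                  )
                  # One matching attribute is enough; avoid duplicate subscribe calls.
                  break
      Description: 'This regional function attaches an Inspector template (of each region of every application account) to the same region SNS topic (of central audit account)'
      Environment:
        Variables:
          centralAcctId: !Ref CentralSecurityAccountID
          snsTopicName: !Ref RegionalSNSTopicName
          tagKey: !Ref InspectorTemplateTaggingKey
          tagValue: !Ref InspectorTemplateTaggingValue
      FunctionName: 'Attach-Inspector-to-SNS-Lambda'
      Handler: 'index.lambda_handler'
      # AWS::Partition so the role ARN is correct in GovCloud / China partitions too.
      Role: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${InspectorToSNSLambdaRoleName}'
      # python3.7 is end-of-life in Lambda and new functions can no longer be
      # created with it; the handler uses nothing version-specific.
      Runtime: 'python3.12'
      Timeout: 25

  # Fires on the CloudTrail record of CreateAssessmentTemplate. This requires
  # CloudTrail to be recording management events in this region; without it
  # the rule never matches and new templates are never subscribed.
  AttachInspec2SNSTriggerRule:
    Type: AWS::Events::Rule
    Properties:
      Description: "Trigger lambda to add SNS Topic to the created Inspector Template"
      Name: !Ref CWERuleNameToAttachSNSTopicToInspector
      EventPattern:
        source:
          - "aws.inspector"
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "inspector.amazonaws.com"
          eventName:
            - "CreateAssessmentTemplate"
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt AttachInspec2SNSLambda.Arn
          Id: "lambda2AddSNSTopic"

  # SourceArn pins the invoke permission to this one rule, so no other
  # EventBridge rule in the account can drive the function.
  LambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt AttachInspec2SNSLambda.Arn
      Action: 'lambda:InvokeFunction'
      Principal: events.amazonaws.com
      SourceArn: !GetAtt AttachInspec2SNSTriggerRule.Arn

  allEC2targets:
    Type: AWS::Inspector::AssessmentTarget
    Properties:
      AssessmentTargetName: !Ref EC2AssessmentTargetName

  scheduledassessmenttemplate:
    Type: AWS::Inspector::AssessmentTemplate
    Properties:
      AssessmentTargetArn: !GetAtt allEC2targets.Arn
      AssessmentTemplateName: !Ref EC2AssessmentTemplateName
      DurationInSeconds: !Ref InspectorRunDuration
      RulesPackageArns:
        - !FindInMap
          - RulesPackagesAmazonInspectorArns
          - !Ref 'AWS::Region'
          - CVE
        - !FindInMap
          - RulesPackagesAmazonInspectorArns
          - !Ref 'AWS::Region'
          - SBP
      # This key/value pair is what Attach-Inspector-to-SNS-Lambda looks for to
      # decide that this template (and not any other newly created template)
      # should be subscribed to the central SNS topic.
      UserAttributesForFindings:
        - Key: !Ref InspectorTemplateTaggingKey
          Value: !Ref InspectorTemplateTaggingValue
    # The Lambda, its trigger and its invoke permission must all exist before
    # this template is created, otherwise the CreateAssessmentTemplate event
    # fires with nothing listening and the subscription is never made.
    DependsOn:
      - AttachInspec2SNSLambda
      - AttachInspec2SNSTriggerRule
      - LambdaInvokePermission

  ScanSchedule:
    Type: AWS::Events::Rule
    Properties:
      Description: "The scheduled interval at which Inspector assessment run is conducted"
      Name: !Ref CWERuleNameToStartInspectorScan
      ScheduleExpression: !Ref InspectorRunSchedule
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt scheduledassessmenttemplate.Arn
          Id: "InspectorScan"
          # Fixed: the original was missing the '$' before {InspectorEventRoleName},
          # so the role ARN contained the literal text instead of the role name.
          RoleArn: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${InspectorEventRoleName}'
    DependsOn:
      - AttachInspec2SNSLambda
      - AttachInspec2SNSTriggerRule
      - LambdaInvokePermission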