# Stealthwatch Cloud onboarding for a single VPC: a flow-log bucket, a
# cross-account read role, and the two outputs pasted into the portal.
# Folded scalar: the text below is one line at runtime, as in the original.
Description: >-
  This template provides first time Stealthwatch cloud integration with a single VPC. The integration happens in 3 steps.
  1) Create an S3 bucket to store VPC flow logs.
  2) Create an IAM role and associate IAM policies to it to allow Stealthwatch Cloud the permission to S3 bucket and other resources.
  3) Copy the Cloudformation output(IAM Role ARN and S3 Bucket Name) and add it to Stealthwatch cloud portal.
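Parameters:
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC that you want to monitor using Stealthwatch cloud.

  S3BucketName:
    Type: String
    Description: Name the S3 bucket to be created to store VPC flow logs.
    # Enforce the S3 bucket naming rules at parameter validation so a bad
    # name fails before any resource (and the IAM role) is created.
    AllowedPattern: '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
    ConstraintDescription: >-
      3-63 characters; lowercase letters, digits, dots and hyphens only;
      must start and end with a letter or digit.

  ExternalID:
    Type: String
    Description: The Stealthwatch cloud Observable ID.
    # sts:ExternalId accepts 2-1224 characters. Rejecting an empty value
    # here keeps the role's trust-policy condition satisfiable.
    MinLength: 2
    MaxLength: 1224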
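Resources:
  # Destination for the VPC flow logs. Retain keeps the bucket (and the logs)
  # when the stack is deleted; a new stack reusing the same S3BucketName then
  # fails on the name collision until the old bucket is removed.
  S3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: !Ref S3BucketName
      # Flow logs are sensitive network metadata: close every public-access
      # path and encrypt objects at rest (SSE-S3) by default.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Captures accepted and rejected traffic for the whole VPC into S3Bucket.
  VPCFlowLogDeliveryToS3:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref VPCID
      ResourceType: VPC
      TrafficType: ALL
      # The !GetAtt reference orders creation: the bucket exists before the
      # flow log is created.
      LogDestination: !GetAtt S3Bucket.Arn
      LogDestinationType: s3
      # Custom record format; folded so it is one space-separated line at
      # runtime, identical to the single-quoted original.
      LogFormat: >-
        ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr}
        ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end}
        ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id}
        ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}
      MaxAggregationInterval: 60

  # Cross-account role assumed by the Stealthwatch Cloud account. The
  # sts:ExternalId condition is the confused-deputy guard: the trust holds
  # only when the caller presents the ExternalID given to this stack.
  # The fixed RoleName means one copy of this stack per account and requires
  # CAPABILITY_NAMED_IAM at deploy time.
  ObservableRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Obsrvble_role
      Path: '/'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS: 'arn:aws:iam::757972810156:root'
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalID

  # Inventory/telemetry access for the role. Mostly read-only, with three
  # exceptions that deserve a deliberate decision: inspector:* covers every
  # Inspector action, and logs:PutSubscriptionFilter /
  # logs:DeleteSubscriptionFilter let the assumed role attach or remove
  # subscription filters on any log group, since Resource is '*'. Narrow
  # them if the integration does not need them.
  ObservablePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: Obsrvble_policy
      Roles:
        - !Ref ObservableRole
      PolicyDocument:
        # Quoted: an unquoted 2012-10-17 is a YAML date, not the string the
        # policy grammar expects (the other two documents already quote it).
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Resource: '*'
            Action:
              - 'autoscaling:Describe*'
              - 'cloudtrail:LookupEvents'
              - 'cloudwatch:Get*'
              - 'cloudwatch:List*'
              - 'ec2:Describe*'
              - 'elasticache:Describe*'
              - 'elasticache:List*'
              - 'elasticloadbalancing:Describe*'
              - 'guardduty:Get*'
              - 'guardduty:List*'
              - 'iam:Get*'
              - 'iam:List*'
              - 'inspector:*'
              - 'rds:Describe*'
              - 'rds:List*'
              - 'redshift:Describe*'
              - 'workspaces:Describe*'
              - 'route53:List*'
              - 'logs:Describe*'
              - 'logs:GetLogEvents'
              - 'logs:FilterLogEvents'
              - 'logs:PutSubscriptionFilter'
              - 'logs:DeleteSubscriptionFilter'

  # Read access to the flow-log bucket: bucket-level listing plus object
  # reads under it, scoped to S3Bucket only.
  Observables3Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: Obsrvble_s3policy
      Roles:
        - !Ref ObservableRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 's3:ListBucket'
              - 's3:GetBucketLocation'
            Resource: !GetAtt S3Bucket.Arn
          - Effect: Allow
            Action:
              - 's3:GetObject'
            Resource: !Sub '${S3Bucket.Arn}/*'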
# Values the operator copies into the Stealthwatch Cloud portal (step 3 of
# the Description).
Outputs:
  # ARN of the cross-account role Stealthwatch Cloud assumes.
  ObservableRole:
    Description: Stealthwatch Role ARN
    Value:
      Fn::GetAtt:
        - ObservableRole
        - Arn
  # Name of the bucket that receives the VPC flow logs.
  S3Bucket:
    Description: S3 Bucket Name
    Value:
      Ref: S3Bucket