201 gd logs from regions other thatn eu west 1 not being shipped to s…

…plunk (#202) * (fix) Updated guardduty all regions to push events to eventbus on seclogaccount, eu-west-1 region. Created manifest file * (fix) replacing target for GD when in seclog account mode from CW log group to event bus * (fix) missing role when account is seclog * (feat) simplified GD stackset template * (feat) update LZ version
digitc1 · Mar 18, 2024 · 420b018 · 420b018
1 parent ea5e540
commit 420b018
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 70 deletions.
diff --git a/CFN/EC-lz-Config-Guardduty-all-regions.yml b/CFN/EC-lz-Config-Guardduty-all-regions.yml
@@ -78,17 +78,14 @@ Resources:
           Key: "aws:PrincipalOrgID"
           Value: !Ref OrganizationOuId
 
-  GuardDutyLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Retain
-    Condition: IsSecLogMasterAccount
+  GuardDutyDetector:
+    Type: AWS::GuardDuty::Detector
     Properties:
-      LogGroupName: !Ref AwsGuardDutyGroupName
-      RetentionInDays: !Ref LogsRetentionInDays
+        Enable: true
+        FindingPublishingFrequency: FIFTEEN_MINUTES
 
   AWSEventsInvokeEventBusSecLogRole:
     Type: AWS::IAM::Role
-    Condition: IsNotSecLogMasterAccount
     Properties: 
       Description: "Service Linked role to send messages to event bus of seclog account"
       AssumeRolePolicyDocument:
@@ -110,19 +107,14 @@ Resources:
                 Resource: !Join 
                   - ''
                   - - 'arn:aws:events:'
-                    - !Sub "${AWS::Region}:${SecLogMasterAccountId}:"
+                    - !Sub "eu-west-1:${SecLogMasterAccountId}:"
                     - 'event-bus/default'
 
-  GuardDutyDetector:
-    Type: AWS::GuardDuty::Detector
-    Properties:
-        Enable: true
-        FindingPublishingFrequency: FIFTEEN_MINUTES
+
 
   # Enable notifications for AWS GuardDuty Rule compliance changes in client account to event bus
   GuardDutyRuleComplianceChangeEvent:
     Type: AWS::Events::Rule
-    Condition: IsNotSecLogMasterAccount
     DependsOn: AWSEventsInvokeEventBusSecLogRole
     Properties:
       Name: SECLZ-GuardDuty-Events-CloudWatch-Rule-To-SecLog
@@ -136,58 +128,9 @@ Resources:
       State: ENABLED
       Targets:
       - Id: "CrossAccountTargetId"
-        Arn: !Sub "arn:aws:events:${AWS::Region}:${SecLogMasterAccountId}:event-bus/default"
+        Arn: !Sub "arn:aws:events:eu-west-1:${SecLogMasterAccountId}:event-bus/default"
         RoleArn: 
           Fn::GetAtt: 
           - "AWSEventsInvokeEventBusSecLogRole"
           - "Arn"
-
-  CloudWatchEventsLogGroupRole:
-    Type: AWS::IAM::Role
-    Condition: IsSecLogMasterAccount
-    Properties:
-      AssumeRolePolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service:
-                - events.amazonaws.com
-            Action:
-              - sts:AssumeRole
-      Policies:
-        - PolicyName: SECLZ-CloudWatchEvents-policy
-          PolicyDocument:
-            Version: '2012-10-17'
-            Statement:
-            - Effect: Allow
-              Action: logs:CreateLogStream
-              Resource:
-              - !GetAtt GuardDutyLogGroup.Arn
-            - Effect: Allow
-              Action: logs:PutLogEvents
-              Resource:
-              - !GetAtt GuardDutyLogGroup.Arn
-
-
-  # GuardDuty CloudWatch Event - For GuardDuty
-  GuardDutyEvents: 
-    Type: AWS::Events::Rule
-    DependsOn: GuardDutyLogGroup
-    Condition: IsSecLogMasterAccount
-    Properties: 
-      Name: SECLZ-GuardDuty-Event
-      RoleArn: 
-        Fn::GetAtt: 
-        - "CloudWatchEventsLogGroupRole"
-        - "Arn"
-      Description: "GuardDuty Event Handler"
-      EventPattern: 
-        source:
-        - aws.guardduty
-      State: ENABLED
-      Targets:
-        -
-          Arn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${GuardDutyLogGroup}"
-          Id: "AwsGuardDutyCloudWatch-Seclog"
-
+
diff --git a/CFN/EC-lz-config-cloudtrail-logging.yml b/CFN/EC-lz-config-cloudtrail-logging.yml
@@ -354,9 +354,10 @@ Resources:
       RecordingGroup:
         IncludeGlobalResourceTypes: True
         AllSupported: True
-      RoleARN: !GetAtt 
-      - ConfigRole
-      - Arn
+      RoleARN: 
+        Fn::GetAtt: 
+        - ConfigRole
+        - Arn
 
   DeliveryChannel:
     Type: 'AWS::Config::DeliveryChannel'

diff --git a/CFN/EC-lz-config-securityhub-logging.yml b/CFN/EC-lz-config-securityhub-logging.yml
@@ -16,7 +16,7 @@ Parameters:
 
   SecurityHubLogsGroupName:
     Type: AWS::SSM::Parameter::Value<String>
-    Description: CloudTrail Insights CloudWatch LogGroup name
+    Description: SecurityHub CloudWatch LogGroup name
     Default: "/org/member/SecLog_securityhub-groupname"
   FirehoseDestinationArn:
     Type: String

diff --git a/EC-SLZ-Version.txt b/EC-SLZ-Version.txt
@@ -1 +1 @@
-1.5.9
+1.5.10
diff --git a/Updates/1.5.10/manifest.json b/Updates/1.5.10/manifest.json
@@ -0,0 +1,22 @@
+{   "version" : "1.5.10",
+    "regions" : ["ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-south-1","ap-southeast-1","ap-southeast-2","ca-central-1","eu-central-1","eu-north-1","eu-west-1", "eu-west-2","eu-west-3","sa-east-1","us-east-1","us-east-2","us-west-1","us-west-2"],
+    "tags" : [
+        { "Key": "Organization","Value": "EC" },
+        { "Key": "Owner","Value": "DIGIT.C.1" },
+        { "Key": "Environment","Value": "prod" },
+        { "Key": "Criticity","Value": "high" },
+        { "Key": "Project","Value": "secLZ" },
+        { "Key": "Confidentiality","Value": "confidential" },
+        { "Key": "ApplicationRole","Value": "security" }
+    ],
+    "accounts" : {
+        "exclude" : [],
+        "include" : []
+    },
+    "stacksets" : {
+        "SECLZ-Enable-Guardduty-Globally" : {
+            "update" : true
+        }
+    }
+
+}