From 420b018ff879a2113e61e8c5ce28f0c203d6f737 Mon Sep 17 00:00:00 2001
From: silavjy <67747632+silavjy@users.noreply.github.com>
Date: Mon, 18 Mar 2024 23:12:49 +0100
Subject: [PATCH] 201 gd logs from regions other thatn eu west 1 not being shipped to splunk (#202)

* (fix) Updated guardduty all regions to push events to eventbus on seclogaccount, eu-west-1 region. Created manifest file
* (fix) replacing target for GD when in seclog account mode from CW log group to event bus
* (fix) missing role when account is seclog
* (feat) simplified GD stackset template
* (feat) update LZ version
---
 CFN/EC-lz-Config-Guardduty-all-regions.yml | 73 +++------------------
 CFN/EC-lz-config-cloudtrail-logging.yml    |  7 ++-
 CFN/EC-lz-config-securityhub-logging.yml   |  2 +-
 EC-SLZ-Version.txt                         |  2 +-
 Updates/1.5.10/manifest.json               | 22 +++++++
 5 files changed, 36 insertions(+), 70 deletions(-)
 create mode 100644 Updates/1.5.10/manifest.json

diff --git a/CFN/EC-lz-Config-Guardduty-all-regions.yml b/CFN/EC-lz-Config-Guardduty-all-regions.yml
index 282b882..3b3ce7f 100644
--- a/CFN/EC-lz-Config-Guardduty-all-regions.yml
+++ b/CFN/EC-lz-Config-Guardduty-all-regions.yml
@@ -78,17 +78,14 @@ Resources:
             Key: "aws:PrincipalOrgID"
             Value: !Ref OrganizationOuId
 
-  GuardDutyLogGroup:
-    Type: AWS::Logs::LogGroup
-    UpdateReplacePolicy: Retain
-    Condition: IsSecLogMasterAccount
+  GuardDutyDetector:
+    Type: AWS::GuardDuty::Detector
     Properties:
-      LogGroupName: !Ref AwsGuardDutyGroupName
-      RetentionInDays: !Ref LogsRetentionInDays
+      Enable: true
+      FindingPublishingFrequency: FIFTEEN_MINUTES
 
   AWSEventsInvokeEventBusSecLogRole:
     Type: AWS::IAM::Role
-    Condition: IsNotSecLogMasterAccount
     Properties:
       Description: "Service Linked role to send messages to event bus of seclog account"
       AssumeRolePolicyDocument:
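Review bot: Removing `GuardDutyLogGroup` from the template deletes the existing log group in the seclog account on the next stack update, because the resource only carried `UpdateReplacePolicy: Retain` and no `DeletionPolicy: Retain`, so any GuardDuty findings still held in that group (up to `LogsRetentionInDays`) are lost with it. If those findings are still needed for retention or investigations, ship the removal in two steps — first add `DeletionPolicy: Retain` to the resource in one release, then drop the resource in the next — or confirm the group has already been exported. The `AwsGuardDutyGroupName` and `LogsRetentionInDays` parameters are presumably still declared above this hunk and are now unreferenced, which makes any StackSet parameter overrides for them silently inert; consider removing them or noting in their `Description` that they are retained for compatibility. The `AssumeRolePolicyDocument` of `AWSEventsInvokeEventBusSecLogRole` continues past the end of the hunk.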
@@ -110,19 +107,14 @@ Resources: Resource: !Join - '' - - 'arn:aws:events:' - - !Sub "${AWS::Region}:${SecLogMasterAccountId}:" + - !Sub "eu-west-1:${SecLogMasterAccountId}:" - 'event-bus/default' - GuardDutyDetector: - Type: AWS::GuardDuty::Detector - Properties: - Enable: true - FindingPublishingFrequency: FIFTEEN_MINUTES + # Enable notifications for AWS GuardDuty Rule compliance changes in client account to event bus GuardDutyRuleComplianceChangeEvent: Type: AWS::Events::Rule - Condition: IsNotSecLogMasterAccount DependsOn: AWSEventsInvokeEventBusSecLogRole Properties: Name: SECLZ-GuardDuty-Events-CloudWatch-Rule-To-SecLog 
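Review bot: The seclog region is now hard-coded as `eu-west-1` in the role policy's `Resource` ARN here and again in the rule target ARN in the next hunk; a `SecLogMasterRegion` parameter with default `eu-west-1`, used as `!Sub "arn:aws:events:${SecLogMasterRegion}:${SecLogMasterAccountId}:event-bus/default"` in both places, keeps the two in sync and avoids a template edit if the central bus ever moves. Dropping `Condition: IsNotSecLogMasterAccount` from `GuardDutyRuleComplianceChangeEvent` means the stack instance in the seclog account's eu-west-1 region now creates a rule on its default bus whose target is that same default bus; as far as I recall EventBridge rejects a same-account, same-region event bus as a target, so that one instance would fail to create or update — worth verifying on that instance before rollout, and if it fails, a condition combining `IsSecLogMasterAccount` with `!Equals [!Ref "AWS::Region", "eu-west-1"]` can skip the rule there. The policy statement that this `Resource` belongs to starts outside the hunk.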
@@ -136,58 +128,9 @@ Resources: State: ENABLED Targets: - Id: "CrossAccountTargetId" - Arn: !Sub "arn:aws:events:${AWS::Region}:${SecLogMasterAccountId}:event-bus/default" + Arn: !Sub "arn:aws:events:eu-west-1:${SecLogMasterAccountId}:event-bus/default" RoleArn: Fn::GetAtt: - "AWSEventsInvokeEventBusSecLogRole" - "Arn" - - CloudWatchEventsLogGroupRole: - Type: AWS::IAM::Role - Condition: IsSecLogMasterAccount - Properties: - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - events.amazonaws.com - Action: - - sts:AssumeRole - Policies: - - PolicyName: SECLZ-CloudWatchEvents-policy - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: logs:CreateLogStream - Resource: - - !GetAtt GuardDutyLogGroup.Arn - - Effect: Allow - Action: logs:PutLogEvents - Resource: - - !GetAtt GuardDutyLogGroup.Arn - - - # GuardDuty CloudWatch Event - For GuardDuty - GuardDutyEvents: - Type: AWS::Events::Rule - DependsOn: GuardDutyLogGroup - Condition: IsSecLogMasterAccount - Properties: - Name: SECLZ-GuardDuty-Event - RoleArn: - Fn::GetAtt: - - "CloudWatchEventsLogGroupRole" - - "Arn" - Description: "GuardDuty Event Handler" - EventPattern: - source: - - aws.guardduty - State: ENABLED - Targets: - - - Arn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${GuardDutyLogGroup}" - Id: "AwsGuardDutyCloudWatch-Seclog" - \ No newline at end of file + \ No newline at end of file diff --git a/CFN/EC-lz-config-cloudtrail-logging.yml b/CFN/EC-lz-config-cloudtrail-logging.yml index 8061564..00796a0 100644 --- a/CFN/EC-lz-config-cloudtrail-logging.yml +++ b/CFN/EC-lz-config-cloudtrail-logging.yml @@ -354,9 +354,10 @@ Resources: RecordingGroup: IncludeGlobalResourceTypes: True AllSupported: True - RoleARN: !GetAtt - - ConfigRole - - Arn + RoleARN: + Fn::GetAtt: + - ConfigRole + - Arn DeliveryChannel: Type: 'AWS::Config::DeliveryChannel' 
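Review bot: With `CloudWatchEventsLogGroupRole` and `GuardDutyEvents` removed, nothing in this template writes GuardDuty findings to a log group any more — findings from every region, the seclog account's own included, now land on the default event bus in eu-west-1, so the Splunk path depends on a rule on that bus matching `source: [aws.guardduty]` that is not part of this diff; please confirm that consumer exists before tagging 1.5.10, otherwise findings are dropped silently. The new file now ends in a whitespace-only line without a trailing newline (`+ \ No newline at end of file`); ending the file with `- "Arn"` followed by a single newline avoids yamllint's `new-line-at-end-of-file` and `trailing-spaces` complaints. The `Targets` entry edited here belongs to `GuardDutyRuleComplianceChangeEvent`, whose definition starts outside the hunk.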
diff --git a/CFN/EC-lz-config-securityhub-logging.yml b/CFN/EC-lz-config-securityhub-logging.yml
index 9c87db9..a887dde 100644
--- a/CFN/EC-lz-config-securityhub-logging.yml
+++ b/CFN/EC-lz-config-securityhub-logging.yml
@@ -16,7 +16,7 @@ Parameters:
 
   SecurityHubLogsGroupName:
     Type: AWS::SSM::Parameter::Value
-    Description: CloudTrail Insights CloudWatch LogGroup name
+    Description: SecurityHub CloudWatch LogGroup name
     Default: "/org/member/SecLog_securityhub-groupname"
   FirehoseDestinationArn:
     Type: String
diff --git a/EC-SLZ-Version.txt b/EC-SLZ-Version.txt
index 66e6750..0edd95c 100644
--- a/EC-SLZ-Version.txt
+++ b/EC-SLZ-Version.txt
@@ -1 +1 @@
-1.5.9
\ No newline at end of file
+1.5.10
\ No newline at end of file
diff --git a/Updates/1.5.10/manifest.json b/Updates/1.5.10/manifest.json
new file mode 100644
index 0000000..e4dd8ea
--- /dev/null
+++ b/Updates/1.5.10/manifest.json
@@ -0,0 +1,22 @@
+{ "version" : "1.5.10",
+  "regions" : ["ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-south-1","ap-southeast-1","ap-southeast-2","ca-central-1","eu-central-1","eu-north-1","eu-west-1", "eu-west-2","eu-west-3","sa-east-1","us-east-1","us-east-2","us-west-1","us-west-2"],
+  "tags" : [
+    { "Key": "Organization","Value": "EC" },
+    { "Key": "Owner","Value": "DIGIT.C.1" },
+    { "Key": "Environment","Value": "prod" },
+    { "Key": "Criticity","Value": "high" },
+    { "Key": "Project","Value": "secLZ" },
+    { "Key": "Confidentiality","Value": "confidential" },
+    { "Key": "ApplicationRole","Value": "security" }
+  ],
+  "accounts" : {
+    "exclude" : [],
+    "include" : []
+  },
+  "stacksets" : {
+    "SECLZ-Enable-Guardduty-Globally" : {
+      "update" : true
+    }
+  }
+
+}
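Review bot: `Updates/1.5.10/manifest.json` mixes `"key" : value` spacing at the top level with `"Key": "..."` inside the tag objects and leaves a blank line before the closing brace; normalising to `"key": value` throughout (e.g. `"version": "1.5.10",`) and dropping the blank line keeps it consistent with conventional JSON formatting. The `regions` list presumably decides which stack instances of `SECLZ-Enable-Guardduty-Globally` get updated, so it has to cover every region where the GuardDuty stackset is deployed — a region missing here would keep the old template, whose target ARN pointed at its own regional bus, which is exactly the symptom this change fixes; worth checking the list against the stackset's current instances. `"accounts": {"exclude": [], "include": []}` leaves it unclear whether empty `include` means all accounts or none, and JSON allows no comment, so the convention should be stated wherever the update tooling is documented.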