Release/1.1.1 (#10)
* Correction on master account id and typo in the list of regions

* Fixed issue with retrieval of account email in script ./SH/EC-Invite-from-SecLog-Account.sh

* added NOSOC integration CFT files

* Update CFT and script for optional SECLOG integration with splunk.

* Script fixes.

* Updated parameter management on EC-Setup-Client.sh

Added Disable-Seclog-Splunk.sh script to remove Splunk-SecLog integration.
Update Update-Seclog-splunk.sh script to new parameter scheme.

* Minor fix on CFT param.

* Added policy for denying non ssl-requests for s3 buckets

* Fixed parameter check on EC-Update-Seclog-Splunk and
EC-Disable-Seclog-Splunk

* chmod 755  EC-Disable-SecLog-Splunk.sh and EC-Update-SecLog-Splunk.sh

* Fixed params for CFT (firehose ARN) and default values set for KMS CFT

* Set default parameter to null on all CFT that require firehose_arn
Updated policies for s3 bucket fix

* Fixes for guardduty cft - integration with splunk selector

* Update status check on update scripts for lz 1.1.1

* Minor fixes on update scripts
update parameter check on guardduty detector cft

* Update to put parameter on update scripts

* Review of conditional resources on guardduty-detector CFT

* Fixed issue with yaml on s3 bucket CFT

* Conditionality fix for full install of LZ 1.1.1

Co-authored-by: leonalt <laurent.leonard@ext.ec.europa.eu>
silavjy and laurentleonard authored Aug 27, 2020
1 parent 3ae3975 commit 66d0251
Showing 11 changed files with 701 additions and 326 deletions.
8 changes: 4 additions & 4 deletions CFN/EC-lz-Cloudtrail-kms-key.yml
Expand Up @@ -41,22 +41,22 @@ Parameters:
DirectorateGeneral:
Description: ''
Type: String
Default: ''
Default: 'n/a'

BusinessUnit:
Description: ''
Type: String
Default: ''
Default: 'n/a'

OwnerId:
Description: ''
Type: String
Default: ''
Default: 'n/a'

DataClassification:
Description: ''
Type: String
Default: ''
Default: 'n/a'

Mappings: {}

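Review bot: the four parameters in this hunk keep `Description: ''` while their defaults change from `''` to `'n/a'`; since these lines are already being touched, fill in the descriptions (e.g. `Description: Directorate General responsible for the account`) so that whoever deploys the stack knows what `'n/a'` stands in for. Also check every place these values are consumed (they read like tagging metadata): the literal string `n/a` now propagates silently whenever a caller omits the parameter, where an empty value previously did.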
12 changes: 12 additions & 0 deletions CFN/EC-lz-config-cloudtrail-logging.yml
Expand Up @@ -70,6 +70,13 @@ Parameters:
AllowedValues:
- true
- false
EnableSecLogForCloudTrailParam:
Type: String
Description: "Enable SecLog integration for CloudTrail?"
Default: true
AllowedValues:
- true
- false
ConfigDeliverySnapshotFrequency:
Type: String
Description: "Frequency of config snapshots being delivered to SecLog account"
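Review bot: `Default: true` and the `AllowedValues` entries `- true` / `- false` are unquoted YAML booleans, while the `EnableSecLogForCloudTrail` condition added further down compares the parameter against the string `'true'` and the GuardDuty template in this same commit quotes its values; quote them here as well (`Default: 'true'`, `- 'true'`, `- 'false'`) so the String parameter is unambiguous and the two templates stay consistent.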
Expand All @@ -85,6 +92,7 @@ Parameters:
AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
FirehoseDestinationArn:
Type: String
Default: ""
Description: The ARN of the firehose stream aggregating the logs in the DIGIT C2 Log Aggregation Central Account
# AccountIdList:
# Type: AWS::SSM::Parameter::Value<CommaDelimitedList>
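Review bot: with `Default: ""` the template now accepts an empty `FirehoseDestinationArn`, but the Description still presents it as the ARN of a required destination; add an `AllowedPattern` that permits either an empty string or a CloudWatch Logs destination ARN (e.g. `AllowedPattern: '^$|^arn:aws:logs:.*'`) and say in the Description that the value may be left empty only when the SecLog integration is disabled.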
Expand All @@ -102,6 +110,9 @@ Conditions:
- !Equals
- !Ref AWS::AccountId
- !Ref SecLogMasterAccountId
EnableSecLogForCloudTrail: !Equals
- !Ref EnableSecLogForCloudTrailParam
- 'true'

Mappings: {}

Expand Down Expand Up @@ -130,6 +141,7 @@ Resources:
RetentionInDays: !Ref LogsRetentionInDays
SecurityHubSubscriptionFilter:
Type: AWS::Logs::SubscriptionFilter
Condition: EnableSecLogForCloudTrail
Properties:
DestinationArn: !Ref 'FirehoseDestinationArn'
FilterPattern: ''
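Review bot: `Condition: EnableSecLogForCloudTrail` gates the subscription filter on the enable parameter alone, so a caller who keeps the integration enabled (the default) but accepts the new empty `FirehoseDestinationArn` default gets a stack failure on `DestinationArn: !Ref 'FirehoseDestinationArn'`; either make the condition also require a non-empty ARN (`!Not [!Equals [!Ref FirehoseDestinationArn, '']]`) or keep the parameter required instead of defaulting it to an empty string.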
1 change: 1 addition & 0 deletions CFN/EC-lz-config-securityhub-logging.yml
Expand Up @@ -19,6 +19,7 @@ Parameters:
Description: CloudWatch LogGroup name for Security Hub cloudwatch events
FirehoseDestinationArn:
Type: String
Default: ""
Description: The ARN of the firehose stream aggregating the logs in the DIGIT C2 Log Aggregation Central Account
LogsRetentionInDays:
Description: 'Specifies the number of days you want to retain CloudTrail log events in the CloudWatch Logs.'
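Review bot: this template gains the same empty `Default: ""` for `FirehoseDestinationArn` as the CloudTrail and GuardDuty templates, but unlike those no condition on the resource that consumes the ARN is visible in this diff; if the subscription filter in this file references the parameter unconditionally, an empty value will fail at stack creation, so either add the same gating condition here or leave the parameter without a default.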
27 changes: 22 additions & 5 deletions CFN/EC-lz-guardDuty-detector.yml
Expand Up @@ -30,7 +30,7 @@ Parameters:
Description: CloudWatch LogGroup name for AWS config cloudwatch events
FirehoseDestinationArn:
Type: String
Default: arn:aws:logs:eu-west-1:189111522208:destination:digit-splunk-dgtest-awslogs-dest
Default: ""
Description: The ARN of the firehose stream aggregating the logs in the DIGIT C2 Log Aggregation Central Account
SNSNotificationTopic:
Type: AWS::SSM::Parameter::Value<String>
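Review bot: dropping the hard-coded `arn:aws:logs:eu-west-1:189111522208:destination:...` default is the right change, since it pinned every deployment of this template to one account's Splunk destination; as for the other templates, an `AllowedPattern` on the parameter would catch callers who now forget to pass a value at all.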
Expand All @@ -40,12 +40,27 @@ Parameters:
Type: AWS::SSM::Parameter::Value<String>
Default: /org/member/SecLogMasterAccountId
Description: "Contains account id of SecLogMaster"
EnableSecLogIntegrationFoGuardDutyParam:
Type: String
Description: "Enable SecLog integration for GuardDuty?"
Default: 'true'
AllowedValues:
- 'true'
- 'false'

Conditions:
IsSecLogMasterAccount: !Equals
- !Ref AWS::AccountId
- !Ref SecLogMasterAccountId

IsSecLogMasterAccountWithSOCIntegration: !And
- !Equals
- !Ref AWS::AccountId
- !Ref SecLogMasterAccountId
- !Equals
- !Ref EnableSecLogIntegrationFoGuardDutyParam
- 'true'

Resources:
AwsConfigLogGroup:
Type: AWS::Logs::LogGroup
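Review bot: `EnableSecLogIntegrationFoGuardDutyParam` has a typo (`Fo` for `For`) and follows a different naming pattern from `EnableSecLogForCloudTrailParam` in the CloudTrail template; parameter names are part of the stack interface and of every script that passes them, so rename it now (e.g. `EnableSecLogIntegrationForGuardDutyParam`) before the update scripts depend on it. The `!And` in `IsSecLogMasterAccountWithSOCIntegration` also repeats the account comparison already defined in `IsSecLogMasterAccount`; using `- !Condition IsSecLogMasterAccount` as the first operand removes the duplication.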
Expand All @@ -56,6 +71,7 @@ Resources:

AwsConfigSubscriptionFilter:
Type: AWS::Logs::SubscriptionFilter
Condition: IsSecLogMasterAccountWithSOCIntegration
Properties:
DestinationArn: !Ref 'FirehoseDestinationArn'
FilterPattern: ''
Expand All @@ -69,6 +85,7 @@ Resources:

CloudWatchEventsLogGroupRole:
Type: AWS::IAM::Role
Condition: IsSecLogMasterAccountWithSOCIntegration
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
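Review bot: `CloudWatchEventsLogGroupRole` is now created only under `IsSecLogMasterAccountWithSOCIntegration`, so no resource gated on the weaker `IsSecLogMasterAccount` (such as the `GuardDutyEvents` rule below) may reference this role via `!Ref` or `!GetAtt`, or a deployment with the parameter set to `'false'` fails on an unresolved reference; the targets visible in this diff point only at the SNS topic and `AwsConfigLogGroup.Arn`, so check the rest of the template for a `RoleArn` that points at this role.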
Expand All @@ -94,20 +111,20 @@ Resources:
- !GetAtt AwsConfigLogGroup.Arn

# GuardDuty CloudWatch Event - For GuardDuty
GuardDutyEvent:
GuardDutyEvents:
Type: AWS::Events::Rule
Condition: IsSecLogMasterAccount
Properties:
Name: SECLZ-GuardDuty-Event
Description: "GuardDuty Event Handler"
EventPattern:
source:
- aws.guardduty
State: ENABLED
Targets:
Targets:
-
Arn: !Ref SNSNotificationTopic
Id: "GuardDutySNSTopic-SecLog"
-
Arn: !GetAtt AwsConfigLogGroup.Arn
Id: "AwsConfigCloudWatch-Seclog"
Id: "AwsConfigCloudWatch-Seclog"

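Review bot: renaming the logical ID `GuardDutyEvent` to `GuardDutyEvents` makes CloudFormation treat the rule as a new resource while the physical `Name: SECLZ-GuardDuty-Event` stays fixed; on a stack update the replacement rule is created before the old one is removed, so the update can fail with an already-exists error on that name. Either keep the original logical ID or drop the fixed `Name` and let CloudFormation generate one. The remaining lines of the hunk (`Targets` and the last `Id`) are an indentation change only.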
54 changes: 53 additions & 1 deletion CFN/EC-lz-s3-buckets.yml
Expand Up @@ -146,6 +146,21 @@ Resources:
Condition:
StringEquals:
"s3:x-amz-acl": "bucket-owner-full-control"
-
Sid: "AWSCloudTrailgBucketSSL"
Action: s3:*
Principal:
Service: cloudtrail.amazonaws.com
Effect: Deny
Resource:
Fn::Join:
- ""
-
- !GetAtt CloudTrailBucket.Arn
- "/*"
Condition:
Bool:
"aws:SecureTransport": "false"


# -------------------
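Review bot: the new `AWSCloudTrailgBucketSSL` statement (note the stray `g` in the Sid) denies non-TLS requests only for `Principal: Service: cloudtrail.amazonaws.com`, which already talks to S3 over TLS, so it does not enforce TLS for the IAM users and roles that read the bucket; a TLS-only statement should use `Principal: '*'` with the same `aws:SecureTransport: 'false'` condition, and its `Resource` should list both `!GetAtt CloudTrailBucket.Arn` and the `/*` pattern so that bucket-level calls such as `s3:ListBucket` are covered as well.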
Expand Down Expand Up @@ -237,7 +252,21 @@ Resources:
Condition:
StringEquals:
"s3:x-amz-acl": "bucket-owner-full-control"

-
Sid: "AWSConfigBucketSSL"
Action: "s3:*"
Principal:
Service: config.amazonaws.com
Effect: Deny
Resource:
Fn::Join:
- ""
-
- !GetAtt ConfigBucket.Arn
- "/*"
Condition:
Bool:
"aws:SecureTransport": "false"

# -------------------
# AccessLogs Bucket
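Review bot: same pattern as the CloudTrail bucket above: scoping the Deny to `Service: config.amazonaws.com` leaves non-TLS access by every other principal untouched, and `Resource` covers only objects; use `Principal: '*'` and include `!GetAtt ConfigBucket.Arn` itself alongside the `/*` pattern.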
Expand Down Expand Up @@ -270,6 +299,29 @@ Resources:
IgnorePublicAcls: true
RestrictPublicBuckets: true

AccessLogsPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: AccessLogsBucket
PolicyDocument:
Statement:
-
Sid: "AWSAccessLogsBucketSSL"
Action: "s3:*"
Effect: Deny
Principal:
Service: cloudwatch.amazonaws.com
Resource:
Fn::Join:
- ""
-
- !GetAtt AccessLogsBucket.Arn
- "/*"
Condition:
Bool:
"aws:SecureTransport": "false"

Outputs:
ConfigBucket:
Description: Bucket for storing config-logs
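Review bot: the new `AccessLogsPolicy` scopes its TLS Deny to `Service: cloudwatch.amazonaws.com`, which is not what writes S3 server access logs into an access-logs bucket (that is S3's own log delivery), so as written the statement denies nothing of consequence; use `Principal: '*'` and cover the bucket ARN as well as `/*`, as suggested for the other two buckets. Since this is the first bucket policy attached to `AccessLogsBucket`, also verify after deployment that access-log delivery into the bucket still works; a Deny limited to `aws:SecureTransport: 'false'` does not affect TLS traffic.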