forked from stelligent/aws-inspector-quickstart
-
Notifications
You must be signed in to change notification settings - Fork 0
/
aws-inspector-cf.yaml
123 lines (117 loc) · 3.63 KB
/
aws-inspector-cf.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS-Inspector-Quickstart"
Parameters:
amiId:
Type: AWS::EC2::Image::Id
keyPair:
Description: Key pair to launch ec2 instance
Type: String
Default: iopp-poc1
networkStackName:
Type: String
Default: cfn02-network
securityStackName:
Type: String
Default: cfn03-security
instanceName:
Description: Tag for ec2 instances for scanning
Type: String
createdBy:
Type: String
scanLength:
Type: Number
Description: Duration of Inspector Scan in seconds
Default: 180
branchName:
Type: String
Mappings:
RegionMap:
eu-west-1:
CommonVul: arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-ubA5XvBh
CIS: arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-sJBhCr0F
SecurityBest: arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SnojL3Z6
Resources:
inspectorInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref inspectorInstanceIamRole
inspectorInstanceIamRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
- {"Fn::ImportValue": !Sub "${securityStackName}-${AWS::Region}-puppet-agent-managed-policy"}
InspectorEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref amiId
InstanceType: t2.medium
IamInstanceProfile: !Ref inspectorInstanceProfile
KeyName: !Ref keyPair
SubnetId: {"Fn::ImportValue": !Sub "${networkStackName}-${AWS::Region}-privateAZaId"}
SecurityGroupIds:
- {"Fn::ImportValue": !Sub "${securityStackName}-${AWS::Region}-sgMonitoringRestrictedAccess"}
Tags:
- Key: Name
Value: !Ref instanceName
- Key: Team
Value: Infrastructure
- Key: Created By
Value: !Ref createdBy
UserData:
Fn::Base64: |+
!#/bin/bash
sudo yum update -y
systemctl start amazon-ssm-agent.service
systemctl status awsagent.service
exit 0
InspectorResourceGroup:
Type: AWS::Inspector::ResourceGroup
Properties:
ResourceGroupTags:
- Key: Name
Value: !Ref instanceName
InspectorAssessmentTarget:
Type: AWS::Inspector::AssessmentTarget
Properties:
ResourceGroupArn: !Ref InspectorResourceGroup
InspectorAssessmentTemplate:
Type: AWS::Inspector::AssessmentTemplate
Properties:
AssessmentTargetArn: !Ref InspectorAssessmentTarget
DurationInSeconds: !Ref scanLength
RulesPackageArns:
- !FindInMap [RegionMap, !Ref "AWS::Region", CommonVul]
- !FindInMap [RegionMap, !Ref "AWS::Region", CIS]
- !FindInMap [RegionMap, !Ref "AWS::Region", SecurityBest]
UserAttributesForFindings:
- Key: Name
Value: !Ref instanceName
- Key: StackName
Value: !Ref "AWS::StackName"
- Key: branchName
Value: !Ref branchName
- Key: AMI_ID
Value: !Ref amiId
Outputs:
ResourceGroup:
Description: Inspector Resource Group
Value: !GetAtt InspectorResourceGroup.Arn
AssessmentTarget:
Description: Inspector Assessment Target
Value: !GetAtt InspectorAssessmentTarget.Arn
AssessmentTemplate:
Description: Inspector Assessment Template
Value: !GetAtt InspectorAssessmentTemplate.Arn
branchName:
Description: Branch Name
Value: !Ref branchName