Fetch AWS Management Account resources only when explicitly selected #2009

Merged
merged 17 commits into from
Mar 11, 2024
Merged
14 changes: 7 additions & 7 deletions deploy/cloudformation/ec2-types.yml
Expand Up @@ -27,7 +27,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t4g.nano
ImageId: ami-0a0ae3c8519bff7f0
BlockDeviceMappings:
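Review bot: Dropping the quotes around `AWS::StackId` is purely cosmetic; `!Ref AWS::StackId` and `!Ref "AWS::StackId"` are the same plain scalar to the CloudFormation YAML parser (a `::` with no following space does not start a mapping), so there is no behavioural change in this or the identical hunks below. The change is applied consistently across all four templates, which is the only thing worth checking for a style-only edit.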
Expand All @@ -48,7 +48,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t4g.small
ImageId: ami-062e673cc4273dad8
BlockDeviceMappings:
Expand All @@ -69,7 +69,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-09ee771fad415a6d7
BlockDeviceMappings:
Expand All @@ -90,7 +90,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-00aa9d3df94c6c354
BlockDeviceMappings:
Expand All @@ -111,7 +111,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-089f338f3a2e69431
BlockDeviceMappings:
Expand All @@ -132,7 +132,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
InstanceType: t2.nano
ImageId: ami-04b1c88a6bbd48f8e
BlockDeviceMappings:
Expand All @@ -151,6 +151,6 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []
8 changes: 4 additions & 4 deletions deploy/cloudformation/elastic-agent-ec2-cnvm.yml
Expand Up @@ -46,7 +46,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []

Expand Down Expand Up @@ -110,10 +110,10 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
Path: /
Roles:
- !Ref "ElasticAgentRole"
- !Ref ElasticAgentRole

# EC2 Instance to run elastic-agent
ElasticAgentEc2Instance:
Expand All @@ -131,7 +131,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
- Key: Task
Value: Vulnerability Management Scanner
ImageId: !Ref LatestAmiId
56 changes: 50 additions & 6 deletions deploy/cloudformation/elastic-agent-ec2-cspm-organization.yml
Expand Up @@ -11,6 +11,19 @@ Parameters:
Type: CommaDelimitedList
AllowedPattern: ^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$

ScanManagementAccount:
Description: |
When set to "Yes", the Management Account resources will be scanned,
regardless of selected Organizational Unit IDs. Likewise, when set to
"No", the Management Account resources will not be scanned, even if
the Management Account belongs to a selected Organizational Unit.
Type: String
AllowedValues:
- "Yes"
- "No"
Default: "Yes"
ConstraintDescription: Must specify "Yes" or "No"

LatestAmiId:
Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
Default: /aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-arm64
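Review bot: `Default: "Yes"` makes management-account scanning opt-out, while the PR title says those resources should be fetched only when explicitly selected; confirm this is intended, since a stack launched with defaults will scan the Management Account even when it belongs to none of the selected OUs (exactly the case the Description calls out). Keeping `"Yes"`/`"No"` quoted in `AllowedValues` and `Default` is right: a bare `Yes`/`No` is read as a boolean by YAML 1.1 loaders and would not match a `String` parameter.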
Expand Down Expand Up @@ -41,6 +54,11 @@ Parameters:
Description: The version of elastic-agent to install
Type: String

Conditions:
ScanManagementAccountEnabled: !Equals
- !Ref ScanManagementAccount
- "Yes"

Resources:

# Security Group for EC2 instance
Expand All @@ -54,7 +72,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []

Expand All @@ -64,6 +82,9 @@ Resources:
Properties:
RoleName: cloudbeat-root
Description: Role that cloudbeat uses to assume roles in other accounts
Tags:
- Key: cloudbeat_scan_management_account
Value: !Ref ScanManagementAccount
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
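Review bot: The new `cloudbeat_scan_management_account` tag carries the `ScanManagementAccount` value ("Yes"/"No") and appears to be the channel through which cloudbeat learns the setting (the `iam:GetRole` grant added below fits that); document that contract (tag key, accepted values, which role it is read from) in a template comment or the PR description so a later rename of the parameter or tag does not silently disable the check. A role tag is plain metadata visible to anything with `iam:GetRole`, which is fine for a feature flag but worth keeping in mind if the mechanism is reused.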
Expand All @@ -84,6 +105,14 @@ Resources:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:GetRole
- iam:ListAccountAliases
- iam:ListGroup
- iam:ListRoles
- iam:ListUsers
Resource: '*'
- Effect: Allow
Action:
- organizations:List*
Expand All @@ -93,8 +122,6 @@ Resources:
Action:
- sts:AssumeRole
Resource: '*'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

# Instance profile to attach to EC2 instance
ElasticAgentInstanceProfile:
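Review bot: `iam:ListGroup` in the new inline statement is not an IAM action; the list call is `iam:ListGroups`. IAM accepts unknown action names in a policy document without error, so this typo grants nothing and the intended permission is simply absent; change it to `- iam:ListGroups`. Two smaller points on the same statement: `iam:GetRole` on `Resource: '*'` is wider than needed if its only purpose is reading this role's own tag, and because `RoleName: cloudbeat-root` is fixed it can be scoped with `!Sub arn:aws:iam::${AWS::AccountId}:role/cloudbeat-root` without creating a self-reference; and since `SecurityAudit` is removed from `cloudbeat-root` here, audit access to the Management Account now exists only through the conditional `cloudbeat-securityaudit` role, which is the intent of the PR but deserves a one-line comment next to the role so the next reader does not add the managed policy back.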
Expand All @@ -107,10 +134,10 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
Path: /
Roles:
- !Ref "CloudbeatRootRole"
- !Ref CloudbeatRootRole

# EC2 Instance to run elastic-agent
ElasticAgentEc2Instance:
Expand All @@ -128,7 +155,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
- Key: Task
Value: Organization Cloud Security Posture Management Scanner
ImageId: !Ref LatestAmiId
Expand Down Expand Up @@ -208,6 +235,23 @@ Resources:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

CloudbeatManagementAccountAuditRole:
Type: AWS::IAM::Role
Properties:
RoleName: cloudbeat-securityaudit
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !GetAtt CloudbeatRootRole.Arn
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Condition: ScanManagementAccountEnabled

Outputs:
CloudbeatRootRoleArn:
Description: The cloudbeat IAM role in the management account
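Review bot: Make sure `Condition: ScanManagementAccountEnabled` sits at the resource level as a sibling of `Type` and `Properties`, not under `Properties`; the flattened diff does not show indentation and `Condition` is not a valid `AWS::IAM::Role` property. Two follow-ups: any Output that references `CloudbeatManagementAccountAuditRole` must carry the same `Condition`, otherwise stack creation fails when the parameter is "No" (the visible Outputs section only exports `CloudbeatRootRoleArn`, so this is a check for later additions); and the fixed `RoleName: cloudbeat-securityaudit` means a second stack in the same account will fail on a name collision, the same constraint `cloudbeat-root` already has. Limiting the trust policy principal to `CloudbeatRootRole.Arn` rather than the account root is the right scope.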
25 changes: 21 additions & 4 deletions deploy/cloudformation/elastic-agent-ec2-cspm.yml
Expand Up @@ -46,7 +46,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
GroupDescription: Block incoming traffic
SecurityGroupIngress: []

Expand All @@ -67,6 +67,23 @@ Resources:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

# IAM Role to assume for Management Account
Comment (Member Author): This role was missing. Installing to single account resulted in 0 findings.

CloudbeatRootRole:
Type: AWS::IAM::Role
Properties:
RoleName: cloudbeat-root
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !GetAtt ElasticAgentRole.Arn
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit

# Instance profile to attach to EC2 instance
ElasticAgentInstanceProfile:
Type: AWS::IAM::InstanceProfile
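Review bot: The comment `# IAM Role to assume for Management Account` is misleading in the single-account template, where there is no Management Account; something like `# IAM Role the agent assumes to scan this account` describes what the resource does. With this change both `ElasticAgentRole` (context above, still carrying `SecurityAudit`) and the new `CloudbeatRootRole` hold `SecurityAudit`; if cloudbeat now always assumes `cloudbeat-root`, the copy on the instance role is redundant and could be dropped to keep the instance profile minimal. Naming `ElasticAgentRole.Arn` explicitly in the trust policy is sufficient for a same-account assume-role, so no extra `sts:AssumeRole` grant is needed on the agent role.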
Expand All @@ -78,10 +95,10 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
Path: /
Roles:
- !Ref "ElasticAgentRole"
- !Ref ElasticAgentRole

# EC2 Instance to run elastic-agent
ElasticAgentEc2Instance:
Expand All @@ -99,7 +116,7 @@ Resources:
- 2
- !Split
- /
- !Ref "AWS::StackId"
- !Ref AWS::StackId
- Key: Task
Value: Cloud Security Posture Management Scanner
ImageId: !Ref LatestAmiId