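AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Resources needed to continuously onboard all the AWS accounts under one Organization to CloudGuard
# Deploy in the Organization management account: the function lists member accounts
# (AWSOrganizationsReadOnlyAccess) and assumes OrganizationRole in each of them, so the
# role created here has organization-wide reach and deserves a tight policy.
# The template creates a named IAM role, so the stack needs CAPABILITY_NAMED_IAM.
####################################################################################
Parameters:
  LambdaRate:
    Description: >
      The rate (frequency) that determines when CloudWatch Events runs the rule that
      triggers the Lambda function.
    Default: rate(1 hour)
    AllowedValues:
      - rate(1 hour)
      - rate(1 day)
      - rate(7 days)
    Type: String
  CloudGuardAPIID:
    Description: >
      The CloudGuard Service Access ID to use
    Type: String
  CloudGuardAPISecret:
    Description: >
      The CloudGuard Service Access Key to use
    Type: String
    # NoEcho masks the value in DescribeStacks and console output, but the key still
    # transits as a stack parameter: keep it out of committed parameter files and CLI history.
    NoEcho: true
  OrganizationRole:
    Description: >
      The IAM Role name to assume in each child account
    Default: OrganizationAccountAccessRole
    Type: String
  CloudGuardMode:
    Description: >
      CloudGuard mode to onboard your AWS accounts as
    # NOTE(review): readwrite presumably grants CloudGuard write access in every onboarded
    # account; keep the readonly default unless remediation is actually required.
    Default: readonly
    AllowedValues:
      - readonly
      - readwrite
    Type: String
  CloudGuardRegion:
    Description: >
      Where does your CloudGuard Tenant reside?
    Default: Europe
    AllowedValues:
      - Europe
      - America
    Type: String
####################################################################################
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudGuardOnboardingRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: CloudGuardCustomPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Cross-account hop: only the role named by OrganizationRole, in any member
              # account (account ids are not known at deploy time). This replaces the earlier
              # `sts:*` on `*`, which let the function assume any role that trusts it.
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: !Sub 'arn:aws:iam::*:role/${OrganizationRole}'
              # NOTE(review): the packaged function (see LambdaFunction.Code) is not visible
              # here. GetCallerIdentity is kept on the assumption it resolves the management
              # account id; add any other sts call it needs explicitly rather than restoring
              # sts:*. iam:CreateRole/AttachRolePolicy/PutRolePolicy on '*' still let this role
              # attach any policy to itself or to a new role (a privilege-escalation path in the
              # management account) - scope Resource to the names the function creates once known.
              - Effect: Allow
                Action:
                  - sts:GetCallerIdentity
                  - iam:ListPolicies
                  - iam:GetRole*
                  - iam:ListRole*
                  - iam:PutRolePolicy
                  - iam:CreateRole
                  - iam:AttachRolePolicy
                  - iam:CreatePolicy
                  - cloudformation:List*
                  - cloudformation:Create*
                  - cloudformation:Describe*
                Resource: '*'
        - PolicyName: CloudGuardAPISecretPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                # Exactly the secret created below (Ref returns its ARN) instead of every
                # secret named CloudGuardAPIKeys-* in any account and region.
                Resource: !Ref CloudGuardAPIKeys
  CloudGuardAPIKeys:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: CloudGuard Service Access ID and Key read by the onboarding function
      Name: CloudGuardAPIKeys
      # Stored as one JSON document holding both fields. Fn::Sub performs no JSON escaping:
      # a key containing `"` or `\` yields an invalid SecretString.
      SecretString: !Sub '{"AccessId":"${CloudGuardAPIID}","Secret":"${CloudGuardAPISecret}"}'
  LambdaSchedule:
    Type: AWS::Events::Rule
    Properties:
      Name: CloudGuardOnboardingSchedule
      Description: >
        A schedule for the CloudGuard Onboarding Lambda function
      ScheduleExpression: !Ref LambdaRate
      State: ENABLED
      Targets:
        - Arn: !GetAtt LambdaFunction.Arn
          Id: LambdaSchedule
  LambdaSchedulePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt LambdaFunction.Arn
      Principal: events.amazonaws.com
      # SourceArn limits the invoke grant to this rule rather than any rule in the account.
      SourceArn: !GetAtt LambdaSchedule.Arn
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CloudGuardOnboardingFunction
      Description: >
        Lambda function that onboard account in CloudGuard CSPM
      # Supply chain: the code is fetched from a bucket this template neither creates nor
      # owns, and the key is not pinned, so whoever controls the bucket controls code that
      # runs with the role above. NOTE(review): pin with S3ObjectVersion (or attach a
      # CodeSigningConfigArn) once the artifact's version is known. The bucket must also be
      # in the stack's region.
      Code:
        S3Bucket: cspm-onboarding
        S3Key: lambda-onboarding-code-v3.zip
      Handler: d9_onboard_aws.main
      MemorySize: 128
      Role: !GetAtt LambdaExecutionRole.Arn
      # NOTE(review): python3.8 is past Lambda runtime deprecation; moving to a supported
      # runtime needs the packaged code re-tested, so it is left unchanged here.
      Runtime: python3.8
      Timeout: 300
      Environment:
        Variables:
          mode: organizations
          # Environment values must be strings. Quoted so YAML tooling does not retype it as
          # a boolean; CloudFormation stringified the previous bare boolean as 'false'.
          # NOTE(review): confirm how d9_onboard_aws.py parses this value.
          ignore_failures: 'false'
          # NOTE(review): hard-coded AWS region the function uses; CloudGuardRegion below is a
          # different setting (where the CloudGuard tenant lives).
          region_name: eu-west-1
          role_name: !Ref OrganizationRole
          d9mode: !Ref CloudGuardMode
          CloudGuardRegion: !Ref CloudGuardRegion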