* add(module): new module * chore(modules): split into multiple modules * fix(bug): missing chars * fix(bugs): missing policies * chore(documentation): for changes and additions * fix(bugs): and a few additions * rem(prints): leftovers from debugging * chore(lambda): code optimization * add(test): lambda function test through pytest * add(automation): for implementation in masses or remotely * fix(bug): functions not properly called
Showing
21 changed files
with
655 additions
and
7 deletions.
@@ -0,0 +1,30 @@ | ||
|
||
import json | ||
import boto3 | ||
import sys | ||
import os | ||
|
||
#print('Loading function') | ||
""" Function to define Lambda Handler """ | ||
|
||
def lambda_handler(event, context): | ||
#print(event) | ||
try: | ||
if event['detail']['eventName'] == 'StopLogging': | ||
if 'topic' in os.environ: | ||
client = boto3.client('cloudtrail') | ||
response = client.start_logging(Name=event['detail']['requestParameters']['name']) | ||
client = boto3.client('sns') | ||
response = client.publish( | ||
TopicArn=os.environ['topic'], | ||
Message=json.dumps({'default': json.dumps(event['detail'])}), | ||
MessageStructure='json' | ||
) | ||
else: | ||
print("lambda test loads") | ||
return event['detail']['eventName'] | ||
else: | ||
print(event['detail']['eventName']) | ||
except Exception as e: | ||
print(e) | ||
#sys.exit(); |
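Review bot: The `except Exception as e: print(e)` that closes lambda_handler swallows every failure, so when `start_logging` or `publish` raises, the invocation still returns successfully and neither the Lambda error metric nor the SNS alert fires — the one situation this function exists to surface. A failure in `start_logging` also jumps past the `publish` call beneath it, so the trail stays stopped and nobody is told. I would publish the alert whether or not re-enabling the trail succeeded and re-raise afterwards so the error is visible in CloudWatch; the `client`/`response` rebinding pairs can go at the same time. `sys` is imported but never used, and the bare string before `def` is a module-level expression rather than the handler's docstring, so move it inside the function.
```python
def lambda_handler(event, context):
    """Re-enable a CloudTrail trail that was stopped and notify the alert topic."""
    detail = event['detail']
    if detail['eventName'] != 'StopLogging':
        print(detail['eventName'])
        return None
    if 'topic' not in os.environ:
        print("lambda test loads")
        return detail['eventName']
    restart_error = None
    try:
        boto3.client('cloudtrail').start_logging(Name=detail['requestParameters']['name'])
    except Exception as e:  # still alert even if the trail could not be restarted
        restart_error = e
    boto3.client('sns').publish(
        TopicArn=os.environ['topic'],
        Message=json.dumps({'default': json.dumps(detail)}),
        MessageStructure='json'
    )
    if restart_error is not None:
        raise restart_error
```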
@@ -0,0 +1,9 @@ | ||
#!/usr/bin/env python3 | ||
import pytest | ||
import security_alerts | ||
|
||
example = {'version': '0', 'id': '06ca5e7a-3b6c-0a85-0dc1-c963d8bd31f4', 'detail-type': 'AWS API Call via CloudTrail', 'source': 'aws.cloudtrail', 'account': '707767160287', 'time': '2019-09-12T19:33:22Z', 'region': 'us-east-1', 'resources': [], 'detail': {'eventVersion': '1.05', 'userIdentity': {'type': 'AssumedRole', 'principalId': 'AROAICHVNMYIWEFXZIRDW:fauzi-csoc', 'arn': 'arn:aws:sts::707767160287:assumed-role/csoc_adminvm/fauzi-csoc', 'accountId': '707767160287', 'accessKeyId': 'ASIA2JSRVZXPWWDZ6A5N', 'sessionContext': {'sessionIssuer': {'type': 'Role', 'principalId': 'AROAICHVNMYIWEFXZIRDW', 'arn': 'arn:aws:iam::707767160287:role/csoc_adminvm', 'accountId': '707767160287', 'userName': 'csoc_adminvm'}, 'webIdFederationData': {}, 'attributes': {'mfaAuthenticated': 'true', 'creationDate': '2019-09-12T19:31:40Z'}}}, 'eventTime': '2019-09-12T19:33:22Z', 'eventSource': 'cloudtrail.amazonaws.com', 'eventName': 'StopLogging', 'awsRegion': 'us-east-1', 'sourceIPAddress': '128.135.61.125', 'userAgent': 'console.amazonaws.com', 'requestParameters': {'name': 'arn:aws:cloudtrail:us-east-1:707767160287:trail/cdistest_management_trail'}, 'responseElements': None, 'requestID': '8e0bdee5-8626-4ad4-b5cf-29bada7bef17', 'eventID': '0da7164e-a62d-4bda-811c-4facfbc55df4', 'readOnly': False, 'eventType': 'AwsApiCall'}} | ||
|
||
def test_answer(): | ||
assert security_alerts.lambda_handler(example,'') | ||
|
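Review bot: `test_answer` only passes while the `topic` environment variable is unset, because lambda_handler returns the event name solely on that branch and returns `None` (after making real boto3 calls) once a topic is configured; pin the branch the test means to exercise with `def test_answer(monkeypatch):`, `monkeypatch.delenv('topic', raising=False)` and `assert security_alerts.lambda_handler(example, '') == 'StopLogging'`. The `example` record also reads like a real CloudTrail event pasted verbatim — account id, assumed-role ARN and principal id, access key id, request id and a source IP — and none of it is needed for the assertion, so swap those fields for obviously synthetic values before this sits in a shared history. `import pytest` is unused as written and only becomes necessary if the fixture above is taken.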
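--- a/tf_files/aws/modules/account-management-logs/event-alerts.tf
+++ b/tf_files/aws/modules/account-management-logs/event-alerts.tf
@@ -0,0 +1,126 @@
+
+
+module "cloudwatch-events" {
+source = "../cloudwatch-events/"
+cwe_rule_name = "${var.account_name}-cloudtrail-StopLogging"
+cwe_rule_description = "Lets check if someone dares to stop logging"
+cwe_target_arn = "${module.alerting-lambda.function_arn}"
+cwe_rule_pattern = <<EOP
+{
+"source": [
+"aws.cloudtrail"
+],
+"detail": {
+"eventName": [
+"StopLogging"
+]
+}
+}
+EOP
+# depends_on = ["module.alerting-lambda"]
+}
+
+module "alerting-lambda" {
+source = "../lambda-function/"
+lambda_function_file = "${path.module}/../../../../files/lambda/security_alerts.py"
+lambda_function_name = "${var.account_name}-security-alert-lambda"
+lambda_function_description = "Checking for things that should or might not happend"
+lambda_function_iam_role_arn = "${module.role-for-lambda.role_arn}"
+lambda_function_env = {"topic"="arn:aws:sns:us-east-1:433568766270:planx-csoc-alerts-for-bsd-security"}
+lambda_function_handler = "security_alerts.lambda_handler"
+}
+
+module "role-for-lambda" {
+source = "../iam-role/"
+role_name = "${var.account_name}-security-alert-role"
+role_description = "Role for the alerting lambda function"
+role_assume_role_policy = <<EOP
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "",
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+},
+"Action": "sts:AssumeRole"
+}
+]
+}
+EOP
+}
+
+data "aws_iam_policy_document" "sns_access" {
+statement {
+actions = [
+"SNS:Publish",
+"SNS:GetTopicAttributes",
+]
+effect = "Allow"
+#resources = ["arn:aws:sns:us-east-1:433568766270:planx-csoc-alerts-for-bsd-securitys"]
+resources = ["*"]
+}
+}
+
+
+data "aws_iam_policy_document" "cloudtrail_access" {
+
+statement {
+actions = [
+"cloudtrail:DescribeTrails",
+"cloudtrail:LookupEvents",
+"cloudtrail:GetTrailStatus",
+"cloudtrail:ListTags",
+"cloudtrail:StartLogging"
+]
+effect = "Allow"
+resources = ["*"]
+}
+}
+
+data "aws_iam_policy_document" "cloudwatchlogs_access" {
+
+statement {
+actions = [
+"logs:List*",
+"logs:Get*",
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+]
+effect = "Allow"
+resources = ["*"]
+}
+}
+
+
+resource "aws_iam_role_policy" "lambda_policy_SNS" {
+name = "${var.account_name}-security-alert-policy-for-SNS"
+policy = "${data.aws_iam_policy_document.sns_access.json}"
+role = "${module.role-for-lambda.role_id}"
+}
+
+
+resource "aws_iam_role_policy" "lambda_policy_CT" {
+name = "${var.account_name}-security-alert-policy-for-CloudTrail"
+policy = "${data.aws_iam_policy_document.cloudtrail_access.json}"
+role = "${module.role-for-lambda.role_id}"
+}
+
+resource "aws_iam_role_policy" "lambda_policy_CWL" {
+name = "${var.account_name}-security-alert-policy-for-CloudWatchLogs"
+policy = "${data.aws_iam_policy_document.cloudwatchlogs_access.json}"
+role = "${module.role-for-lambda.role_id}"
+}
+
+#resource "aws_iam_role_policy_attachment" "cloudwatch_access" {
+# policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
+# role = "${module.role-for-lambda.role_id}"
+#}
+
+#resource "aws_iam_role_policy_attachment" "trail_access" {
+# policy_arn = "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess"
+# role = "${module.role-for-lambda.role_id}"
+#}
+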
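Review bot: `sns_access` grants `SNS:Publish` on `resources = ["*"]`, so the alerting role may publish to any topic in the account, while the scoped ARN sits commented out directly above it; that commented value ends in `...-bsd-securitys`, which does not match the topic ARN handed to `lambda_function_env` in the `alerting-lambda` block, which is presumably why it was abandoned. Declare the topic ARN once as a module variable and use it in both places, `resources = ["${var.alert_topic_arn}"]` and `lambda_function_env = {"topic" = "${var.alert_topic_arn}"}`, so the policy and the runtime target cannot drift apart again. `cloudtrail_access` also uses `resources = ["*"]`; `cloudtrail:StartLogging` could be limited to the trails this module is meant to protect, but that needs the trail ARNs, which are not visible here. I also do not see an `aws_lambda_permission` allowing `events.amazonaws.com` to invoke the function — if the `lambda-function` module does not create one, the rule will fire without invoking anything, which is worth confirming before relying on this alert.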
@@ -0,0 +1,19 @@ | ||
|
||
# Let's create the event first | ||
resource "aws_cloudwatch_event_rule" "event_rule" { | ||
name = "${var.cwe_rule_name}" | ||
description = "${var.cwe_rule_description}" | ||
|
||
event_pattern = "${var.cwe_rule_pattern}" | ||
} | ||
|
||
|
||
resource "aws_cloudwatch_event_target" "sns" { | ||
rule = "${aws_cloudwatch_event_rule.event_rule.name}" | ||
# target_id = "SendToLambda" | ||
arn = "${var.cwe_target_arn}" | ||
} | ||
|
||
|
||
|
||
|
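Review bot: The `aws_cloudwatch_event_target` is labelled `"sns"` but its `arn` is whatever `var.cwe_target_arn` carries — in the only caller on this commit that is a Lambda function ARN — so the label misleads the next reader; `resource "aws_cloudwatch_event_target" "target"` would be neutral. `target_id` is left commented out, so the `cwe_target_id` variable declared in this module's variables file (the +1,24 hunk further down) is accepted but never used; either wire it in as `target_id = "${var.cwe_target_id}"` (an empty default may then need handling, which I cannot confirm from here) or drop the variable. `event_pattern` is passed straight through from the caller, so a malformed pattern is only caught at apply time; a one-line comment stating that the caller must supply valid event-pattern JSON would help.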
@@ -0,0 +1,6 @@ | ||
|
||
output "event_rule" { | ||
value = "${aws_cloudwatch_event_rule.event_rule.name}" | ||
} | ||
|
||
|
@@ -0,0 +1,24 @@ | ||
|
||
variable "cwe_rule_name" { | ||
description = "Name of the rule" | ||
} | ||
|
||
variable "cwe_rule_description" { | ||
description = "Brief description of the rule to use" | ||
default = "" | ||
} | ||
|
||
variable "cwe_rule_pattern" { | ||
description = "Patter that the rule will use" | ||
default = "" | ||
} | ||
|
||
variable "cwe_target_id" { | ||
description = "ID or name to use, if empty, something randon will be used" | ||
default = "" | ||
} | ||
|
||
variable "cwe_target_arn" { | ||
description = "ARN of the target that this event will trigger" | ||
} | ||
|
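Review bot: Two description strings carry typos: `description = "Pattern that the rule will use"` for `cwe_rule_pattern` and `description = "ID or name to use; if empty, something random will be used"` for `cwe_target_id`. `cwe_rule_pattern` also defaults to `""`, which would create a rule with no pattern at all; since the rule is useless without one, dropping the default so Terraform requires the caller to supply it would catch that at plan time.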