forked from deep-security/aws-config
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaws-config.cftemplate
162 lines (155 loc) · 6.01 KB
/
aws-config.cftemplate
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS CloudFormation template to create custom AWS Config rules that interact with the Trend Micro Deep Security Manager. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"SourceBucket": {
"Description": "Name of the S3 bucket that you have stored the rule zip files in.",
"Type": "String",
"MinLength": "1",
"MaxLength": "255"
},
"SourcePrefix": {
"Description": "Location in the S3 bucket where you have stored the rule zip files.",
"Type": "String",
"MinLength": "1",
"MaxLength": "255"
}
},
"Resources": {
"dsDoesInstanceHavePolicyLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": { "Ref": "SourceBucket" },
"S3Key": { "Fn::Join": [ "", [ { "Ref": "SourcePrefix" }, "/ds-DoesInstanceHavePolicy.zip"]]}
},
"Description": "Custom AWS Config rule that checks with the Trend Micro Deep Security Manager to see if the named policy is in effect. See https://github.com/deep-security/aws-config for more details.",
"Handler": "dsDoesInstanceHavePolicy.aws_config_rule_handler",
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "dsConfigRuleRole", "Arn" ] } ,
"Runtime": "python2.7",
"Timeout": 60
}
},
"dsIsInstanceClearLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": { "Ref": "SourceBucket" },
"S3Key": { "Fn::Join": [ "", [ { "Ref": "SourcePrefix" }, "/ds-IsInstanceClear.zip"]]}
},
"Description": "Custom AWS Config rule that checks with the Trend Micro Deep Security Manager to see if the instance is clear of any alerts, warnings, or errors. See https://github.com/deep-security/aws-config for more details.",
"Handler": "dsIsInstanceClear.aws_config_rule_handler",
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "dsConfigRuleRole", "Arn" ] } ,
"Runtime": "python2.7",
"Timeout": 60
}
},
"dsIsInstanceProtectedByLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": { "Ref": "SourceBucket" },
"S3Key": { "Fn::Join": [ "", [ { "Ref": "SourcePrefix" }, "/ds-IsInstanceProtectedBy.zip"]]}
},
"Description": "Custom AWS Config rule that checks with the Trend Micro Deep Security Manager to see if the instance is protected using the specified security control. See https://github.com/deep-security/aws-config for more details.",
"Handler": "dsIsInstanceProtectedBy.aws_config_rule_handler",
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "dsConfigRuleRole", "Arn" ] } ,
"Runtime": "python2.7",
"Timeout": 60
}
},
"dsIsInstanceProtectedByAntiMalwareLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": { "Ref": "SourceBucket" },
"S3Key": { "Fn::Join": [ "", [ { "Ref": "SourcePrefix" }, "/ds-IsInstanceProtectedByAntiMalware.zip"]]}
},
"Description": "Custom AWS Config rule that checks with the Trend Micro Deep Security Manager to see if the instance is protected using the anti-malware security control. See https://github.com/deep-security/aws-config for more details.",
"Handler": "dsIsInstanceProtectedByAntiMalware.aws_config_rule_handler",
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "dsConfigRuleRole", "Arn" ] } ,
"Runtime": "python2.7",
"Timeout": 60
}
},
"dsConfigRuleRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Sid": "AllowLambdaAssumeRole",
"Effect": "Allow",
"Principal": { "Service": "lambda.amazonaws.com" },
"Action": "sts:AssumeRole"
} ]
},
"Policies": [ {
"PolicyName": "dsConfigRulePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Action": [
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "2",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/path/to/objects/*"
},
{
"Sid": "3",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "4",
"Action": [
"config:PutEvaluations"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
} ]
}
}
},
"Outputs": {
"dsDoesInstanceHavePolicyLambda": {
"Description": "ARN for the dsDoesInstanceHavePolicy lambda",
"Value": { "Fn::GetAtt": [ "dsDoesInstanceHavePolicyLambda", "Arn" ] }
},
"dsIsInstanceClearLambda": {
"Description": "ARN for the dsIsInstanceClearLambda lambda",
"Value": { "Fn::GetAtt": [ "dsIsInstanceClearLambda", "Arn" ] }
},
"dsIsInstanceProtectedByLambda": {
"Description": "ARN for the dsIsInstanceProtectedByLambda lambda",
"Value": { "Fn::GetAtt": [ "dsIsInstanceProtectedByLambda", "Arn" ] }
},
"dsIsInstanceProtectedByAntiMalwareLambda": {
"Description": "ARN for the dsIsInstanceProtectedByAntiMalwareLambda lambda",
"Value": { "Fn::GetAtt": [ "dsIsInstanceProtectedByAntiMalwareLambda", "Arn" ] }
}
}
}