p6m7g8 · mergify · Nov 26, 2024 · Nov 26, 2024
diff --git a/VISION.md b/VISION.md
@@ -1,4 +1,5 @@
 # References
+
 https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html
 https://github.com/aws-samples/aws-security-reference-architecture-examples
 
@@ -28,149 +29,96 @@ Root
 
 ## Break Glass
 
-- [x] Management Account:
-  - [x] Stack 1: p6-lz-organization
-    - [x] Set IAM Account Alias
-    - [x] Make Org
-  - [x] Stack 2: p6-lz-avm
-    - [x] Make OU
-    - [x] Make accounts
-  - [x] CLI:
-    - [x] Set CDK Context for accountIds
-    - [x] Enable Services
-    - [x] Delegate Administrators
-
-- [ ] Logarchive Account:
-  - [x] Stack 1: p6-lz-logarchive-1
-    - [x] Set IAM Account Alias
-    - [x] Central Bucket
-    - [ ] Security Lake
-  - [ ] Stack 2: Local
-    - [ ] Security Hub
-    - [ ] GuardDuty
-    - [ ] Macie
-    - [x] Config
-    - [ ] Access Analyzer
-    - [ ] Access Logs
-    - [ ] DNS Logs
-    - [ ] Flow Logs
-
-  - [ ] Audit Account
-    - [x] Stack 1
-      - [x] Set IAM Account Alias
-      - [x] CloudWatch Logs for CloudTrail
-      - [x] Org CloudTrail
-    - [x] CLI:
-      - [x] Start Logging
-    - [ ] Stack 2: Source of Truth
-      - [x] Config for Aggregator
-      - [x] Config Aggregator
-      - [x] Security Hub
-      - [x] Inspector
-      - [n] Artifact
-      - [ ] Audit Manager
-      - [ ] Event Bridge
-      - [ ] Firewall Manager
-      - [ ] Lambda (response)
-      - [ ] Detective
-      - [ ] Private CA
-    - [ ] Stack 3: Local
-      - [ ] Security Hub
-      - [ ] GuardDuty
-      - [ ] Macie
-      - [x] Config
-      - [ ] Access Analyzer
-
-  - [ ] Network Account
-    - [ ] Stack 1:
-      - [x] Set IAM Account Alias
-      - [ ] Route53
-      - [ ] CloudFront
-      - [ ] Verified Access
-      - [ ] Shield
-      - [ ] WAF
-      - [ ] VPC Lattice [not transit gw]
-      - [ ] Cert Manager
-      - [ ] RAM
-      - [ ] Resolver DNS
-      - [ ] Network Access Analyzer
-    - [ ] Stack 2: Local
-      - [ ] Security Hub
-      - [ ] GuardDuty
-      - [ ] Macie
-      - [x] Config
-      - [ ] Access Analyzer
-
-  - [ ] Shared Account
-    - [ ] Stack 1:
-      - [x] Set IAM Account Alias
-      - [ ] Identity Center
-      - [ ] Systems Manager
-    - [ ] Stack 2: Local
-      - [ ] Security Hub
-      - [ ] GuardDuty
-      - [ ] Macie
-      - [x] Config
-      - [ ] Access Analyzer
-
-  - [ ] Forensics Account
-    - [ ] Stack 1:
-      - [x] Set IAM Account Alias
-      - [ ] Step Functions -> Lambda -> Instance -> S3
-    - [ ] Stack 2: Local
-      - [ ] Security Hub
-      - [ ] GuardDuty
-      - [ ] Macie
-      - [ ] Config
-      - [ ] Access Analyzer
-
-  - [ ] Management Account:
-    - [ ] Stack 3: Local
-      - [ ] Security Hub
-      - [ ] GuardDuty
-      - [ ] Macie
-      - [x] Config
-      - [ ] Access Analyzer
-
-### Setup PIPELINE
-
-- [ ] Sandbox
-  - [ ] Stack 1:
-    - [x] Set IAM Account Alias
-  - [ ] Stack 2: Local
-    - [ ] Security Hub
-    - [ ] GuardDuty
-    - [ ] Macie
-    - [x] Config
-    - [ ] Access Analyzer
-
-- [ ] Dev
-  - [ ] Stack 1:
-    - [x] Set IAM Account Alias
-  - [ ] Stack 2: Local
-    - [ ] Security Hub
-    - [ ] GuardDuty
-    - [ ] Macie
-    - [x] Config
-    - [ ] Access Analyzer
- [ ] QA
-  - [ ] Stack 1:
-    - [x] Set IAM Account Alias
-  - [ ] Stack 2: Local
-    - [ ] Security Hub
-    - [ ] GuardDuty
-    - [ ] Macie
-    - [x] Config
-    - [ ] Access Analyzer
-- [ ] Prod
-  - [ ] Stack 1:
-    - [x] Set IAM Account Alias
-  - [ ] Stack 2: Local
-    - [ ] Security Hub
-    - [ ] GuardDuty
-    - [ ] Macie
-    - [x] Config
-    - [ ] Access Analyzer
+- p6-lz-management-1-organization
+  - [x] Set IAM Account Alias
+  - [x] Make Org
+- p6-lz-management-1-avm
+  - [x] Make OU
+  - [x] Make accounts
+- p6-lz-logarchive-1
+  - [x] Set IAM Account Alias
+  - [x] Central Bucket
+  - [ ] Security Lake
+- p6-lz-management-2-cloudtrail
+  - [x] Enable CloudTrail for Org
+  - [x] Delegate CloudTrail to Audit
+- p6-lz-management-2-config
+  - [x] Enable Config for Org
+  - [x] Delegate Config to Audit
+- p6-lz-management-2-securityhub
+  - [x] Enable SecurityHub for Org
+  - [x] Delegate SecurityHub to Audit
+- p6-lz-management-2-inspector
+  - [x] Enable Inspector for Org
+  - [x] Delegate Inspector to Audit
+- p6-lz-logarchive-2
+  - [x] Setup Config to go to Central Bucket
+- p6-lz-audit-1
+  - [x] Set IAM Account Alias
+  - [x] CloudWatch Logs for CloudTrail
+  - [x] Org CloudTrail
+- CLI:
+  - Start CloudTrail Logging [cdk bug]
+- p6-lz-audit-2
+  - [x] Config for Aggregator
+  - [x] Config Aggregator
+  - [x] Security Hub
+  - [x] Inspector
+  - [n] Artifact
+  - [ ] Audit Manager
+  - [ ] Event Bridge
+  - [ ] Firewall Manager
+  - [ ] Lambda (response)
+  - [ ] Detective
+  - [ ] Private CA
+- p6-lz-audit-3
+  - [ ] Security Hub
+  - [ ] GuardDuty
+  - [ ] Macie
+  - [x] Config
+  - [ ] Access Analyzer
+- p6-lz-network-1
+  - [x] Set IAM Account Alias
+  - [ ] Route53
+  - [ ] CloudFront
+  - [ ] Verified Access
+  - [ ] Shield
+  - [ ] WAF
+  - [ ] VPC Lattice [not transit gw]
+  - [ ] Cert Manager
+  - [ ] RAM
+  - [ ] Resolver DNS
+  - [ ] Network Access Analyzer
+- p6-lz-network-2
+  - [ ] Security Hub
+  - [ ] GuardDuty
+  - [ ] Macie
+  - [x] Config
+  - [ ] Access Analyzer
+- p6-lz-shared-1
+  - [x] Set IAM Account Alias
+  - [ ] Identity Center
+  - [ ] Systems Manager
+- p6-lz-shared-2
+  - [ ] Security Hub
+  - [ ] GuardDuty
+  - [ ] Macie
+  - [x] Config
+  - [ ] Access Analyzer
+- p6-lz-management-3
+  - [ ] Security Hub
+  - [ ] GuardDuty
+  - [ ] Macie
+  - [x] Config
+  - [ ] Access Analyzer
+- p6-lz-sandbox
+  - [x] VPC
+- p6-lz-dev
+  - [x] VPC
+- p6-lz-qa
+  - [x] VPC
+- p6-lz-prod
+  - [x] VPC
 
 ### Setup SCP
 

diff --git a/bin/p6lzctl b/bin/p6lzctl
@@ -246,10 +246,6 @@ p6_lz_destroy_logarchive() {
 ######################################################################
 p6_lz_destroy_audit() {
 
-  # Piece of Shit -- do not use
-  # p6_h4 "Audit: Inspector"
-  # p6_cirrus_inspector_from_delegated_off
-
   p6_h4 "Audit: CloudTrail"
   p6_cirrus_cloudtrail_trail_delete "p6-lz-"
 
@@ -552,10 +548,6 @@ p6_lz_run_phase_3_audit_account() {
   p6_h3 "Phase 3: Audit-2"
   p6_awscdk_cli_execute $action p6-lz-audit-2
 
-  # Piece of Shit -- do not use
-  # # Inspector
-  # p6_cirrus_organizations_sts_run_as $audit_account_name p6_lz_util_inspector_setup
-
   p6_return_void
 }
 
@@ -725,21 +717,6 @@ p6_lz_run_phase_4_prod_account() {
   p6_return_void
 }
 
-# ######################################################################
-# #<
-# #
-# # Function: p6_lz_util_inspector_setup()
-# #
-# #>
-# ######################################################################
-# p6_lz_util_inspector_setup() {
-
-#   p6_cirrus_inspector_role_service_linked_create
-#   p6_cirrus_inspector_organization_members_enable
-
-#   p6_return_void
-# }
-
 ######################################################################
 #<
 #

diff --git a/node-v22.11.0-linux-x64.tar.xz b/node-v22.11.0-linux-x64.tar.xz
diff --git a/src/constructs/p6-lz-sra-inspector.ts b/src/constructs/p6-lz-sra-inspector.ts
@@ -0,0 +1,79 @@
+import type { Construct } from 'constructs'
+import type { IAccountIds, IShareWithOrg } from '../types'
+import * as cdk from 'aws-cdk-lib'
+import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from 'aws-cdk-lib/custom-resources'
+
+export interface IP6LzSraInspectorProps extends cdk.StackProps, IAccountIds, IShareWithOrg {}
+
+export class P6LzSraInspector extends cdk.Resource {
+  constructor(scope: Construct, id: string, props: IP6LzSraInspectorProps) {
+    super(scope, id)
+
+    const delegation = new AwsCustomResource(this, 'EnableInspector2DelegatedAdmin', {
+      onCreate: {
+        service: 'Inspector2',
+        action: 'enableDelegatedAdminAccount',
+        parameters: {
+          delegatedAdminAccountId: props.auditAccountId,
+        },
+        physicalResourceId: PhysicalResourceId.of(`EnableInspector2DelegatedAdmin-${props.auditAccountId}`),
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
+    })
+
+    const orgPolicy = new AwsCustomResource(this, 'UpdateInspector2OrgConfig', {
+      onCreate: {
+        service: 'Inspector2',
+        action: 'updateOrganizationConfiguration',
+        parameters: {
+          autoEnable: 'ec2=true,ecr=true,lambda=true',
+        },
+        physicalResourceId: PhysicalResourceId.of('UpdateInspector2OrgConfig-ec2=true,ecr=true,lambda=true'),
+      },
+      onUpdate: {
+        service: 'Inspector2',
+        action: 'updateOrganizationConfiguration',
+        parameters: {
+          autoEnable: 'ec2=true,ecr=true,lambda=true',
+        },
+        physicalResourceId: PhysicalResourceId.of('UpdateInspector2OrgConfig-ec2=true,ecr=true,lambda=true'),
+      },
+      onDelete: {
+        service: 'Inspector2',
+        action: 'updateOrganizationConfiguration',
+        parameters: {
+          autoEnable: 'ec2=false,ecr=false,lambda=false',
+        },
+        physicalResourceId: PhysicalResourceId.of('UpdateInspector2OrgConfig-ec2=false,ecr=false,lambda=false'),
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
+    })
+    orgPolicy.node.addDependency(delegation)
+
+    const resourceTypes = ['EC2', 'ECR', 'LAMBDA', 'LAMBDA_CODE']
+    const enabled = new AwsCustomResource(this, 'EnableInspector2', {
+      onCreate: {
+        service: 'Inspector2',
+        action: 'enable',
+        parameters: {
+          accountIds: props.principals,
+          resourceTypes,
+        },
+        physicalResourceId: PhysicalResourceId.of(`EnableInspector2-${props.principals.join(',')}-${resourceTypes.join(',')}`),
+      },
+      onUpdate: {
+        service: 'Inspector2',
+        action: 'enable',
+        parameters: {
+          accountIds: props.principals,
+          resourceTypes,
+        },
+        physicalResourceId: PhysicalResourceId.of(`EnableInspector2-${props.principals.join(',')}-${resourceTypes.join(',')}`),
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
+    })
+    enabled.node.addDependency(orgPolicy)
+
+    // TODO: associate member accounts (1 at a time for rate limiting)
+  }
+}
diff --git a/src/phases.ts b/src/phases.ts
@@ -99,6 +99,7 @@ export function phase3(app: cdk.App, config: any) {
       account: config.accounts.audit.AccountId,
       region: config.env.region,
     },
+    auditAccountId: config.accounts.audit.AccountId,
     principals: config.principals,
   })