From 4cdfdaf754b860e9641a18ddfbabe9f883332781 Mon Sep 17 00:00:00 2001 From: Chris Farris Date: Wed, 13 Sep 2023 17:27:51 -0400 Subject: [PATCH] Consolidate the templates for Audit & Responder roles and stackset --- cloudformation/AuditRole-Template.yaml | 123 +------------ cloudformation/ResponderRole-Template.yaml | 167 ++++++++++++++++++ ...aml => SecurityRole-StackSetTemplate.yaml} | 29 +-- 3 files changed, 190 insertions(+), 129 deletions(-) create mode 100644 cloudformation/ResponderRole-Template.yaml rename cloudformation/{AuditRole-StackSetTemplate.yaml => SecurityRole-StackSetTemplate.yaml} (73%) diff --git a/cloudformation/AuditRole-Template.yaml b/cloudformation/AuditRole-Template.yaml index 16e99a3..04cd9d4 100644 --- a/cloudformation/AuditRole-Template.yaml +++ b/cloudformation/AuditRole-Template.yaml @@ -1,4 +1,4 @@ -# Copyright 2018-2021 Chris Farris +# Copyright 2018-2023 Chris Farris # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +19,7 @@ Description: This template creates a cross account role for audit & security too Parameters: - AuditorAccountNumber: + TrustedAccountNumber: Description: The 12 digit AWS account number to grant access to. Default: '123456789012' MinLength: '12' @@ -29,16 +29,9 @@ Parameters: RoleName: Description: The name of the Audit Role to be created - Default: 'Auditor' - Type: String - - ResponderRoleName: - Description: The name of the Incident Responder Role to be created. Or NONE to skip creating an IR Role - Default: 'NONE' + Default: 'security-audit' Type: String -Conditions: - CreateResponderRole: !Not [!Equals [ !Ref ResponderRoleName, "NONE"]] Resources: AuditorCrossAccountRole: 
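Review bot: Existing stacks that created the responder role will delete that IAM role on their next update with this template, because the `ResponderRoleName` parameter, the `CreateResponderRole` condition and (in the -106 hunk) the `ResponderCrossAccountRole` resource are gone, and an update that still passes `AuditorAccountNumber` is rejected since only `TrustedAccountNumber` exists now. The `TemplateVersion` output further down still reads `1.3.0`, so consumers cannot tell the parameter interface changed; bump it (for example to `1.4.0`) and record the migration order in the Description, e.g. `Description: This template creates a cross-account role for audit & security tools. AuditorAccountNumber was renamed TrustedAccountNumber; the responder role moved to ResponderRole-Template.yaml, deploy it before updating stacks that set ResponderRoleName.` Changing the `RoleName` default from `'Auditor'` to `'security-audit'` only affects new stacks, but presumably any policy in the trusted account that names the old role ARN will need updating too. The hunk ends at the opening of `Resources:`, whose body continues outside it.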
@@ -57,7 +50,7 @@ Resources: Sid: '' Effect: Allow Principal: - AWS: !Join ['', ['arn:aws:iam::', !Ref 'AuditorAccountNumber',':root']] + AWS: !Sub "arn:aws:iam::${TrustedAccountNumber}:root" Policies: - PolicyName: MissingPermissions PolicyDocument: 
@@ -106,118 +99,10 @@ Resources: - "freetier:Get*" Resource: "*" - - ResponderCrossAccountRole: - Type: AWS::IAM::Role - Condition: CreateResponderRole - Properties: - RoleName: !Ref ResponderRoleName - ManagedPolicyArns: - - arn:aws:iam::aws:policy/SecurityAudit - - arn:aws:iam::aws:policy/ReadOnlyAccess - - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess - Path: / - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Action: sts:AssumeRole - Sid: '' - Effect: Allow - Principal: - AWS: !Join ['', ['arn:aws:iam::', !Ref 'AuditorAccountNumber',':root']] - Policies: - - PolicyName: IAMSimulateResources - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: "iam:Simulate*" - Resource: "*" - - PolicyName: ContainmentActions - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: - # required to create an untracked security group - - "ec2:CreateSecurityGroup" - # Allow modification of SG Rules - - "ec2:AuthorizeSecurityGroupEgress" - - "ec2:AuthorizeSecurityGroupIngress" - - "ec2:RevokeSecurityGroupEgress" - - "ec2:RevokeSecurityGroupIngress" - # Allow Enable IMDSv2 - - "ec2:ModifyInstanceMetadataOptions" - # Allow attaching a new SG to an Instance - - "ec2:ModifyInstanceAttribute" - - "ec2:ModifyNetworkInterfaceAttribute" - # Stop rogue Instances - - "ec2:StopInstances" - # Disable Access Keys - - "iam:UpdateAccessKey" - # Apply a Deny policy to a role - - "iam:PutRolePolicy" - Resource: "*" - - Sid: EvidenceCollection - Effect: "Allow" - Action: - - "ec2:CopySnapshot" - - "ec2:CreateSnapshot" - - "ec2:CreateSnapshots" - - "ec2:DeleteSnapshots" - - "ec2:ModifySnapshotAttribute" - - "ec2:CreateTags" - Resource: "*" - - PolicyName: SecurityAuditTools - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: - - "cloudshell:*" - - "guardduty:*" - - "health:*" - - "inspector:*" - - "macie:*" - - "securityhub:*" - - "support:*" - - "trustedAdvisor:*" - - "wafv2:*" 
- Resource: "*" - - PolicyName: BillingAuditPermissions - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: - - "aws-portal:View*" # Legacy Perm going away - - "ce:*" # Full Access to Cost Explorer - - "account:Get*" - - "billing:Get*" - - "payments:List*" - - "payments:Get*" - - "tax:List*" - - "tax:Get*" - - "consolidatedbilling:Get*" - - "consolidatedbilling:List*" - - "invoicing:List*" - - "invoicing:Get*" - - "cur:Get*" - - "cur:Validate*" - - "freetier:Get*" - Resource: "*" - - Outputs: RoleARN: Description: The ARN of the Audit role that can be assumed by the other account. Value: !GetAtt AuditorCrossAccountRole.Arn - ResponderRoleARN: - Condition: CreateResponderRole - Description: The ARN of the Responder role that can be assumed by the other account. - Value: !GetAtt ResponderCrossAccountRole.Arn - - TemplateVersion: Value: 1.3.0 diff --git a/cloudformation/ResponderRole-Template.yaml b/cloudformation/ResponderRole-Template.yaml new file mode 100644 index 0000000..62969d4 --- /dev/null +++ b/cloudformation/ResponderRole-Template.yaml 
@@ -0,0 +1,167 @@ +# Copyright 2018-2023 Chris Farris +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +AWSTemplateFormatVersion: '2010-09-09' +Description: This template creates a least-privledge cross-account role incident response + +# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/ResponderRole-Template.yaml + +Parameters: + + TrustedAccountNumber: + Description: The 12 digit AWS account number to grant access to. + Default: '123456789012' + MinLength: '12' + AllowedPattern: '[0-9]+' + MaxLength: '12' + Type: String + + RoleName: + Description: The name of the Role to be created + Default: 'incident-responder' + Type: String + +Resources: + ResponderCrossAccountRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Ref RoleName + ManagedPolicyArns: + - arn:aws:iam::aws:policy/SecurityAudit + - arn:aws:iam::aws:policy/ReadOnlyAccess + - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess + Path: / + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Action: sts:AssumeRole + Sid: '' + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${TrustedAccountNumber}:root" + Policies: + - PolicyName: MissingAuditingPermissions + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "iam:Simulate*" + - "ce:*" + - "aws-portal:View*" + - "sts:DecodeAuthorizationMessage" + Resource: "*" + - PolicyName: ContainmentActions + PolicyDocument: + Version: "2012-10-17" + 
Statement: + - Effect: "Allow" + Action: + # required to create an untracked security group + - "ec2:CreateSecurityGroup" + # Allow modification of SG Rules + - "ec2:AuthorizeSecurityGroupEgress" + - "ec2:AuthorizeSecurityGroupIngress" + - "ec2:RevokeSecurityGroupEgress" + - "ec2:RevokeSecurityGroupIngress" + # Allow Enable IMDSv2 + - "ec2:ModifyInstanceMetadataOptions" + # Allow attaching a new SG to an Instance + - "ec2:ModifyInstanceAttribute" + - "ec2:ModifyNetworkInterfaceAttribute" + # Stop rogue Instances + - "ec2:StopInstances" + # Disable Access Keys + - "iam:UpdateAccessKey" + # Apply a Deny policy to a role + - "iam:PutRolePolicy" + # Undo the above + - "iam:DetachRolePolicy" + - "iam:DeleteRolePolicy" + # WAF! + - "wafv2:*" + Resource: "*" + - Sid: EvidenceCollection + Effect: "Allow" + Action: + - "ec2:CopySnapshot" + - "ec2:CreateSnapshot" + - "ec2:CreateSnapshots" + - "ec2:DeleteSnapshots" + - "ec2:ModifySnapshotAttribute" + - "ec2:CreateTags" + Resource: "*" + - PolicyName: SecurityAuditTools + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: SecurityTools + Effect: "Allow" + Action: + - "trustedAdvisor:*" + - "access-analyzer:*" + - "guardduty:*" + - "health:*" + - "inspector:*" + - "support:*" + - "securityhub:*" + Resource: "*" + - Sid: CloudShell + Effect: "Allow" + Action: + - "cloudshell:*" + Resource: "*" + - Sid: Macie + Effect: "Allow" + Action: + - "macie2:*" + - "pricing:GetProducts" # Required for Macie + Resource: "*" + - Sid: Athena + Effect: "Allow" + Action: + - "athena:*" + - "glue:*" # Needed for Athena + - "s3:*" # Needed for Athena + Resource: "*" + - PolicyName: BillingAuditPermissions + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "aws-portal:View*" # Legacy Perm going away + - "ce:*" # Full Access to Cost Explorer + - "account:Get*" + - "billing:Get*" + - "payments:List*" + - "payments:Get*" + - "tax:List*" + - "tax:Get*" + - "consolidatedbilling:Get*" + - 
"consolidatedbilling:List*" + - "invoicing:List*" + - "invoicing:Get*" + - "cur:Get*" + - "cur:Validate*" + - "freetier:Get*" + Resource: "*" + +Outputs: + RoleARN: + Description: The ARN of the Responder role that can be assumed by the other account. + Value: !GetAtt ResponderCrossAccountRole.Arn + + TemplateVersion: + Value: 1.1.0 diff --git a/cloudformation/AuditRole-StackSetTemplate.yaml b/cloudformation/SecurityRole-StackSetTemplate.yaml similarity index 73% rename from cloudformation/AuditRole-StackSetTemplate.yaml rename to cloudformation/SecurityRole-StackSetTemplate.yaml index 7783ab4..9bd9f11 100644 --- a/cloudformation/AuditRole-StackSetTemplate.yaml +++ b/cloudformation/SecurityRole-StackSetTemplate.yaml @@ -13,12 +13,12 @@ # limitations under the License. AWSTemplateFormatVersion: '2010-09-09' -Description: Deploy the a Security Audit Role in all account in your Organization -# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AuditRole-StackSetTemplate.yaml +Description: Deploy A Security Role to all account in your Organization +# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/SecurityRole-StackSetTemplate.yaml Parameters: - AuditorAccountNumber: + TrustedAccountNumber: Description: The 12 digit AWS account number to grant access to. Default: '123456789012' MinLength: '12' 
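Review bot: The `ContainmentActions` and `Athena` statements undercut the "least-privilege" claim in the Description: `iam:PutRolePolicy`, `iam:DetachRolePolicy` and `iam:DeleteRolePolicy` on `Resource: "*"` let this role rewrite or strip the policies of any role in the account (including itself and the audit role), and `s3:*` plus `glue:*` on `*` grant full write and delete on every bucket, so the snapshot-only `EvidenceCollection` statement is not the real boundary for evidence tampering. Add an explicit Deny that protects the security roles themselves, restrict `iam:DetachRolePolicy` with the `iam:PolicyARN` condition key, and cut the Athena grant down to read access on the log buckets plus `s3:PutObject` on the query-results bucket, as sketched below. The Description has a typo and a missing word: `Description: This template creates a least-privilege cross-account role for incident response`. `ce:*` and `aws-portal:View*` are also listed in both `MissingAuditingPermissions` and `BillingAuditPermissions`; drop one copy.
```yaml
# … unchanged: ContainmentActions, SecurityTools, CloudShell and Macie statements …
            - Sid: Athena
              Effect: "Allow"
              Action:
                - "athena:*"
                - "glue:Get*"
                - "glue:BatchGet*"
                - "s3:GetBucketLocation"
                - "s3:ListBucket"
                - "s3:GetObject"
              Resource: "*"
            - Sid: AthenaQueryResults
              Effect: "Allow"
              Action:
                - "s3:PutObject"
              Resource: "arn:aws:s3:::ATHENA-RESULTS-BUCKET-PLACEHOLDER/*"
            - Sid: ProtectSecurityRoles
              Effect: "Deny"
              Action:
                - "iam:PutRolePolicy"
                - "iam:DeleteRolePolicy"
                - "iam:AttachRolePolicy"
                - "iam:DetachRolePolicy"
              Resource:
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/${RoleName}"
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/AUDIT-ROLE-NAME-PLACEHOLDER"
# … unchanged: BillingAuditPermissions policy and Outputs …
```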
@@ -28,13 +28,16 @@ Parameters: RoleName: Description: The name of the Role to be created - Default: 'Auditor' + Default: 'Security-Audit' Type: String pTemplateURL: Description: Location of the S3 Template to deploy as the StackSet Type: String Default: https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/AuditRole-Template.yaml + AllowedValues: + - "https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/AuditRole-Template.yaml" + - "https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/ResponderRole-Template.yaml" pTemplateObjectVersion: Description: Version ID of the Template to Deploy @@ -47,7 +50,7 @@ Parameters: Resources: - AuditRoleStackSet: + SecurityRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: # AdministrationRoleARN: String @@ -60,11 +63,11 @@ Resources: Description: Organizational StackSet to Deploy Security Account Audit Role # ExecutionRoleName: String OperationPreferences: - FailureTolerancePercentage: 100 + FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 Parameters: - - ParameterKey: AuditorAccountNumber - ParameterValue: !Ref AuditorAccountNumber + - ParameterKey: TrustedAccountNumber + ParameterValue: !Ref TrustedAccountNumber - ParameterKey: RoleName ParameterValue: !Ref RoleName PermissionModel: SERVICE_MANAGED @@ -75,9 +78,15 @@ Resources: Regions: - us-east-1 StackSetName: !Sub "${AWS::StackName}-StackSet" - TemplateURL: !Sub "${pTemplateURL}?versionId=${pTemplateObjectVersion}" + TemplateURL: !Ref pTemplateURL Outputs: TemplateVersion: - Value: "1.1.0" \ No newline at end of file + Value: "1.1.0" + + TemplateURL: + Value: !Ref pTemplateURL + + TemplateVersion: + Value: !Ref pTemplateObjectVersion \ No newline at end of file
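Review bot: The new `RoleName` default `'Security-Audit'` does not match the `'security-audit'` default this same commit gives `AuditRole-Template.yaml`, and because one `RoleName` is passed through to whichever template `pTemplateURL` selects, deploying `ResponderRole-Template.yaml` with defaults would create the responder role under an audit-sounding name. Align the default (`Default: 'security-audit'`) and state in the parameter Description that it must match the selected template, e.g. `Description: The name of the Role to be created; use security-audit with AuditRole-Template.yaml and incident-responder with ResponderRole-Template.yaml`. The `pTemplateURL` `Default` is unquoted while its `AllowedValues` entries are quoted; harmless, but quote it for consistency.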
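Review bot: The `Outputs` block in the -75 hunk now declares `TemplateVersion` twice (`Value: "1.1.0"` and `Value: !Ref pTemplateObjectVersion`); duplicate mapping keys are invalid YAML and, where a parser tolerates them, the second silently wins, so rename the second output, e.g. `TemplateObjectVersion:`. Dropping `?versionId=${pTemplateObjectVersion}` from `TemplateURL` also means the StackSet fetches whatever object currently sits at the URL rather than the pinned version, so the template rolled out to every account in the Organization is no longer reproducible and `pTemplateObjectVersion` is only echoed, never applied; restore `TemplateURL: !Sub "${pTemplateURL}?versionId=${pTemplateObjectVersion}"` or remove the parameter. Renaming the logical ID `AuditRoleStackSet` to `SecurityRoleStackSet` (hunk at -47) is a resource replacement on stack update, and presumably a StackSet that still has stack instances cannot be deleted, so existing deployments may need the old ID kept or the instances removed first; confirm and document that in the Description. The file still ends without a trailing newline.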