Merge branch 'Orgs-2023'

primeharbor · May 16, 2023 · 64df32d · 64df32d
2 parents afc383e + 5d7a451
commit 64df32d
Show file tree

Hide file tree

Showing 13 changed files with 240 additions and 37 deletions.
diff --git a/cloudformation/AWSConfigAggregator-Template.yaml b/cloudformation/AWSConfigAggregator-Template.yaml
@@ -14,7 +14,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Configure The Organizational Config Service Aggregator and Conformance Pack Infrastructure
-# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/AWSConfigAggregator-Template.yaml
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AWSConfigAggregator-Template.yaml
 
 Parameters:
 

diff --git a/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml b/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml
@@ -14,7 +14,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Deploy the AWS Config Service Recorder in this region and send recorded events to central bucket
-# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AWSConfigRecorder-StackSetTemplate.yaml
 
 Parameters:
 

diff --git a/cloudformation/AWSConfigRecorder-Template.yaml b/cloudformation/AWSConfigRecorder-Template.yaml
@@ -14,7 +14,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Deploy the AWS Config Service Recorder in this region and send recorded events to central bucket
-# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/AWSConfigRecorder-Template.yaml
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AWSConfigRecorder-Template.yaml
 
 Parameters:
 

diff --git a/cloudformation/AuditRole-StackSetTemplate.yaml b/cloudformation/AuditRole-StackSetTemplate.yaml
@@ -14,7 +14,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Deploy the a Security Audit Role in all account in your Organization
-# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/AuditRole-StackSetTemplate.yaml
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AuditRole-StackSetTemplate.yaml
 
 Parameters:
 

diff --git a/cloudformation/AuditRole-Template.yaml b/cloudformation/AuditRole-Template.yaml
@@ -15,7 +15,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: This template creates a cross account role for audit & security tool management from a dedicated security account
 
-# TemplateSource: https://github.com/jchrisfarris/aws-account-automation/blob/master/cloudformation/AuditRole-Template.yaml
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/AuditRole-Template.yaml
 
 Parameters:
 

diff --git a/cloudformation/OrgCloudTrail-Template.yaml b/cloudformation/OrgCloudTrail-Template.yaml
@@ -1,5 +1,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Deploys a CloudTrail configuration in a Organizational Payer account. This assumes a pre-configured S3 Bucket in a security or logging account
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/OrgCloudTrail-Template.yaml
+# S3-Source: https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/OrgCloudTrail-Template.yaml
 
 Parameters:
 
@@ -30,9 +32,27 @@ Parameters:
       - false
     Default: false
 
+  pCloudTrailLogGroupName:
+    Type: String
+    Default: CloudTrail/DefaultLogGroup
+
+  pCloudTrailLogGroupRetention:
+    Type: String
+    Default: 365
+
+  pSendToCloudWatch:
+    Type: String
+    Description: Boolean to send events to CloudWatch Logs
+    AllowedValues:
+      - true
+      - false
+    Default: false      
+
+
 Conditions:
   cEnableEventsTopic: !Equals [!Ref 'pEnableEventsTopic', 'true']
   cEnableDataEvents: !Equals [!Ref 'pEnableDataTrails', 'true']
+  cSendToCloudWatch: !Equals [!Ref 'pSendToCloudWatch', 'true']
 
 
 Resources:
@@ -47,12 +67,50 @@ Resources:
       EnableLogFileValidation: true
       IncludeGlobalServiceEvents: true
       IsMultiRegionTrail: true
+      IsOrganizationTrail: true
       SnsTopicName: !If [cEnableEventsTopic, !GetAtt CloudTrailTopic.TopicName, !Ref AWS::NoValue ]
+      CloudWatchLogsRoleArn: !If [cSendToCloudWatch, !GetAtt CloudTrailToCloudWatchLogsRole.Arn, !Ref AWS::NoValue ] 
+      CloudWatchLogsLogGroupArn: !If [cSendToCloudWatch, !GetAtt CloudTrailLogGroup.Arn, !Ref AWS::NoValue ] 
       # EventSelectors:
       #   - IncludeManagementEvents: true
       #     ReadWriteType: WriteOnly
 
-
+  # Define a Log Group to Send the Cloudtrail Events to CloudWatch Logs
+  CloudTrailToCloudWatchLogsRole:
+    Type: "AWS::IAM::Role"
+    Condition: cSendToCloudWatch
+    Properties: 
+      Path: "/"
+      AssumeRolePolicyDocument: 
+        Version: "2012-10-17"
+        Statement: 
+          - Effect: "Allow"
+            Principal: 
+              Service: 
+                - "cloudtrail.amazonaws.com"
+            Action: 
+              - "sts:AssumeRole"
+      Policies:
+        - PolicyName: SendtoCloudWatchLogs
+          PolicyDocument: 
+            Version: '2012-10-17'
+            Statement:
+            - Sid: AWSCloudTrailCreateLogStream
+              Effect: Allow
+              Action: logs:CreateLogStream
+              Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${pCloudTrailLogGroupName}:log-stream:*
+            - Sid: AWSCloudTrailPutLogEvents20141101
+              Effect: Allow
+              Action: logs:PutLogEvents
+              Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${pCloudTrailLogGroupName}:log-stream:*
+
+  CloudTrailLogGroup:
+    Type: "AWS::Logs::LogGroup"
+    Condition: cSendToCloudWatch
+    DeletionPolicy: Retain
+    Properties: 
+      LogGroupName: !Ref pCloudTrailLogGroupName
+      RetentionInDays: !Ref pCloudTrailLogGroupRetention
 
   CloudTrailTopic:
     Type: AWS::SNS::Topic
@@ -61,7 +119,6 @@ Resources:
       DisplayName: !Sub "${AWS::StackName}-ModifyEventsTopic"
       TopicName: !Sub "${AWS::StackName}-ModifyEventsTopic"
 
-
   CloudTrailPolicy:
     Type: AWS::SNS::TopicPolicy
     Condition: cEnableEventsTopic
@@ -121,5 +178,13 @@ Outputs:
     Description: Arn of the SNS Topic attached to the Org Event Trail
     Value: !Ref CloudTrailTopic
 
+  CloudTrailLogGroup:
+    Value: !Ref pCloudTrailLogGroupName
+    Description: Location in CloudWatch Logs where the CT Events are sent
+
+  CloudTrailLogGroupArn:
+    Value: !GetAtt CloudTrailLogGroup.Arn
+    Description: ARN Location in CloudWatch Logs where the CT Events are sent
+
   TemplateVersion:
-    Value: 1.0.0
+    Value: 1.1.0
diff --git a/cloudformation/OrgCloudTrailBucket-Template.yaml b/cloudformation/OrgCloudTrailBucket-Template.yaml
@@ -1,14 +1,10 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Deploy S3 Buckets for recieving AWS Org CloudTrail Events
-# TemplateSource: https://github.com/jchrisfarris/pht-private-artifacts/blob/master/content/cloudformation/OrgTrails-Bucket-Template.yaml
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/OrgCloudTrailBucket-Template.yaml
+# S3-Source: https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/OrgCloudTrailBucket-Template.yaml
 
 Parameters:
 
-  pSecurityAccountIDs:
-    Description: Account IDs to allow to read any S3 Object (useful for security account, etc)
-    Type: CommaDelimitedList
-    Default: "None"
-
   pCloudtrailEventBucketName:
     Description: Name of the bucket to create for storing the CloudTrail Events
     Type: String
@@ -27,7 +23,6 @@ Parameters:
 
 Conditions:
   cOrgAccess: !Not [!Equals [!Ref pOrganizationId, "o-xxxnonexxx"]]
-  cSecurityAccountAccess: !Not [!Contains [!Ref pSecurityAccountIDs, "NONE"]]
 
 Resources:
 
@@ -94,21 +89,6 @@ Resources:
             StringEquals:
               s3:x-amz-acl: bucket-owner-full-control
 
-        # Only add this statement if a security account is defined
-        - Fn::If:
-          - cSecurityAccountAccess
-          - Sid: SecurityAccountRead
-            Action:
-            - s3:Get*
-            - s3:List*
-            Effect: Allow
-            Resource:
-              - !Sub "arn:aws:s3:::${pCloudtrailEventBucketName}/*"
-              - !Sub "arn:aws:s3:::${pCloudtrailEventBucketName}"
-            Principal:
-              AWS: !Ref pSecurityAccountIDs
-          - !Ref AWS::NoValue
-
         # Only add this statement if a Org ID is provided
         - Fn::If:
           - cOrgAccess
@@ -149,12 +129,6 @@ Resources:
             Service: cloudtrail.amazonaws.com
           Resource: '*'
           Action: SNS:Publish
-        - Sid: AWSCloudTrailSNSPolicy2
-          Effect: Allow
-          Principal:
-            AWS: !Ref pSecurityAccountIDs
-          Resource: '*'
-          Action: sns:Subscribe
         - Sid: AllowBucketPublish
           Effect: Allow
           Principal:

diff --git a/cloudformation/SecurityAlertChatBot-Template.yaml b/cloudformation/SecurityAlertChatBot-Template.yaml
@@ -0,0 +1,75 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Configure a Slack Chatbot for an account
+# TemplateSource: https://github.com/primeharbor/aws-account-automation/blob/master/cloudformation/SecurityAlertChatBot-Template.yaml
+# S3-Source: https://s3.amazonaws.com/pht-cloudformation/aws-account-automation/SecurityAlertChatBot-Template.yaml
+
+
+Parameters:
+
+  pChatBotWorkspaceId:
+    Description: pre-created Workspace ID
+    Type: String
+
+  pSlackChannelId:
+    Description: To get the ID, open Slack, right click on the channel name in the left pane, then choose Copy Link.
+    Type: String
+
+  pSnsTopicName:
+    Description: Name of the SNS Topic which will send events to ChatBot & Slack
+    Type: String
+
+Resources:
+
+  #
+  # Chat Bot
+  #
+  Chatbot:
+    Type: AWS::Chatbot::SlackChannelConfiguration
+    Properties:
+      ConfigurationName: !Sub "${AWS::StackName}-Chatbot"
+      # GuardrailPolicies:
+      #   - String
+      IamRoleArn: !GetAtt ChatbotRole.Arn
+      LoggingLevel: INFO
+      SlackChannelId: !Ref pSlackChannelId
+      SlackWorkspaceId: !Ref pChatBotWorkspaceId
+      SnsTopicArns:
+        - !GetAtt SlackSNSTopic.TopicArn
+      # UserRoleRequired: Boolean
+
+  SlackSNSTopic:
+    Type: AWS::SNS::Topic
+    Properties:
+      DisplayName: !Sub "${AWS::StackName}-topic"
+      TopicName: !Ref pSnsTopicName
+
+  ChatbotRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - chatbot.amazonaws.com
+          Action:
+          - sts:AssumeRole
+      Path: /
+      # ManagedPolicyArns:
+      #   - TBD
+      Policies:
+      - PolicyName: Logging
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Resource: '*'
+            Action:
+            - logs:*
+            Effect: Allow
+
+
+Outputs:
+
+  ChatbotTopicArn:
+    Value: !GetAtt SlackSNSTopic.TopicArn
diff --git a/scripts/configure_guardduty_admin_account.sh b/scripts/configure_guardduty_admin_account.sh
@@ -11,7 +11,7 @@ for r in $REGIONS ; do
   DETECTOR=`aws guardduty list-detectors --query DetectorIds[] --output text --region $r `
   if [ -z $DETECTOR ] ; then
     echo "No detector in $r, creating one"
-    DETECTOR=`aws guardduty create-detector  --output text --region $r --finding-publishing-frequency ONE_HOUR --enable`
+    DETECTOR=`aws guardduty create-detector  --output text --region $r --finding-publishing-frequency FIFTEEN_MINUTES --enable`
     if [ -z $DETECTOR ] ; then
       echo "Failed to create a detector in $r. Aborting script"
       exit 1

diff --git a/scripts/configure_inspector_admin_account.sh b/scripts/configure_inspector_admin_account.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Script to enable Inspector in each region in the Delegated Admin Account
+
+# We need to get a list of the accounts to then add as members. This actually comes from the Organizations API which we now have access to as a Delegated Admin Child
+ACCOUNT_LIST=`aws organizations list-accounts --query Accounts[].Id --output text`
+ME=`aws sts get-caller-identity --query Account --output text`
+
+trap "exit 1" SIGINT
+
+REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
+for r in $REGIONS ; do
+  echo "Associating accounts in $r"
+
+  for a in $ACCOUNT_LIST ; do
+    if [ $a != $ME ] ; then
+      aws inspector2 associate-member --account-id $a --region $r --output text
+    fi
+  done
+
+  echo "Enable Inspector in this delegated Admin account"
+  aws inspector2 enable --resource-types EC2 --account-ids $ACCOUNT_LIST --output text --region $r --no-paginate
+  sleep 10
+
+  echo "Update the org config to auto-enable new accounts"
+  aws inspector2 update-organization-configuration --auto-enable ec2=true,ecr=false,lambda=false --region $r
+
+done
diff --git a/scripts/configure_securityhub_admin_account.sh b/scripts/configure_securityhub_admin_account.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Script to enable SecurityHub in each region in the Delegated Admin Account
+
+# We need to get a list of the accounts to then add as members. This actually comes from the Organizations API which we now have access to as a Delegated Admin Child
+aws organizations list-accounts | jq '[ .Accounts[] | { AccountId: .Id, Email: .Email } ]' > ACCOUNT_INFO.txt
+
+REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
+for r in $REGIONS ; do
+  echo "Enabling SecurityHub Delegated Admin in $r"
+
+  # Enable Security Hub in this delegated Admin account
+  aws securityhub enable-security-hub --no-enable-default-standards --output text --region $r
+
+  # Update the org config to auto-enable new accounts
+  aws securityhub update-organization-configuration --auto-enable --region $r
+
+  # Add all of the existing accounts
+  aws securityhub create-members --account-details file://ACCOUNT_INFO.txt --region $r
+
+  # Configure the Consolidated controls and enable all the controls for the enabled frameworks
+  aws securityhub update-security-hub-configuration --auto-enable-controls --control-finding-generator SECURITY_CONTROL --region $r
+done
+
+# cleanup
+rm ACCOUNT_INFO.txt
diff --git a/scripts/enable_inspector_delegation.sh b/scripts/enable_inspector_delegation.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Script to enable Delegated Admin in a payer account for all Regions
+
+SECURITY_ACCOUNT=$1
+
+if [ -z $SECURITY_ACCOUNT ] ; then
+	echo "Usage: $0 <security_account_id>"
+	exit 1
+fi
+
+REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
+for r in $REGIONS ; do
+  echo "Enabling Inspector Delegated Admin in $r"
+  aws inspector2 enable-delegated-admin-account --delegated-admin-account-id $SECURITY_ACCOUNT --region $r
+
+done
diff --git a/scripts/enable_securityhub_delegation.sh b/scripts/enable_securityhub_delegation.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Script to enable Delegated Admin in a payer account for all Regions
+
+SECURITY_ACCOUNT=$1
+
+if [ -z $SECURITY_ACCOUNT ] ; then
+	echo "Usage: $0 <security_account_id>"
+	exit 1
+fi
+
+REGIONS=`aws ec2 describe-regions --query 'Regions[].[RegionName]' --output text`
+for r in $REGIONS ; do
+  echo "Enabling SecurityHub Delegated Admin in $r"
+  aws securityhub enable-organization-admin-account --admin-account-id $SECURITY_ACCOUNT --region $r
+  aws securityhub enable-security-hub --no-enable-default-standards --output text --region $r 
+
+done