

feat(eb): add guardduty finding to event bridge rule (SSPROD-41990) (#…
…123)

* add guardduty finding to event bridge rule

* add variable for event pattern rule

* remove new line

* new line
matteopasa committed Jun 25, 2024
1 parent d5baab4 commit cbd331e
Showing 4 changed files with 191 additions and 87 deletions.
47 changes: 28 additions & 19 deletions templates_cspm_eventbridge/FullInstall.yaml
Expand Up @@ -13,6 +13,7 @@ Metadata:
- EventBusARN
- EventBridgeRoleName
- EventBridgeState
- EventBridgeEventPattern

ParameterLabels:
RoleName:
Expand All @@ -27,8 +28,9 @@ Metadata:
default: "Integration Name (Sysdig use only)"
EventBridgeState:
default: "State of the EventBridge Rule (Sysdig use only)"


EventBridgeEventPattern:
default: "Event Pattern (Sysdig use only)"

Parameters:
RoleName:
Type: String
Expand All @@ -53,6 +55,28 @@ Parameters:
- ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
- ENABLED
- DISABLED
EventBridgeEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
Default: |
{
"detail-type": [
"AWS API Call via CloudTrail",
"AWS Console Sign In via CloudTrail",
"AWS Service Event via CloudTrail",
"Object Access Tier Changed",
"Object ACL Updated",
"Object Created",
"Object Deleted",
"Object Restore Completed",
"Object Restore Expired",
"Object Restore Initiated",
"Object Storage Class Changed",
"Object Tags Added",
"Object Tags Deleted",
"GuardDuty Finding"
]
}
Resources:
CloudAgentlessRole:
Expand Down Expand Up @@ -133,27 +157,12 @@ Resources:
Type: AWS::Events::Rule
Properties:
Name: !Ref EventBridgeRoleName
Description: Capture all CloudTrail events
EventPattern:
detail-type:
- 'AWS API Call via CloudTrail'
- 'AWS Console Sign In via CloudTrail'
- 'AWS Service Event via CloudTrail'
- 'Object Access Tier Changed'
- 'Object ACL Updated'
- 'Object Created'
- 'Object Deleted'
- 'Object Restore Completed'
- 'Object Restore Expired'
- 'Object Restore Initiated'
- 'Object Storage Class Changed'
- 'Object Tags Added'
- 'Object Tags Deleted'
Description: Capture events based on the provided event pattern
EventPattern: !Ref EventBridgeEventPattern
State: !Ref EventBridgeState
Targets:
- Id: !Ref EventBridgeRoleName
Arn: !Ref EventBusARN
RoleArn: !GetAtt
- EventBridgeRole
- Arn

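Review bot: `EventBridgeEventPattern` in the Parameters hunk (`Type: String` … `Default: |`) carries no constraint, yet `EventPattern: !Ref EventBridgeEventPattern` in the rule hunk now lets the deploy-time value decide which of the account's events are forwarded to the external `EventBusARN`; a malformed or over-broad value is only caught when EventBridge rejects the rule, or not at all. Adding `MaxLength: 4096` (EventBridge's pattern-size limit, to be confirmed against current quotas) and `ConstraintDescription: Must be a valid EventBridge event-pattern JSON document` would give operators a clear error, and the parameter `Description` should say that the default is the existing CloudTrail/S3 list plus `GuardDuty Finding`, so a reviewer of a future override knows what baseline it replaces. The same unconstrained parameter is added to templates_cspm_eventbridge/OrgFullInstall.yaml (both copies) and templates_eventbridge/EventBridge.yaml in this commit. Because `EventPattern` is a JSON-typed property, it is also worth stating in the change that a String parameter is accepted verbatim rather than needing an object form; the page does not show a deployment proving it.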
74 changes: 56 additions & 18 deletions templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -1,5 +1,6 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: IAM Role and EventBridge resources used by Sysdig Secure

Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
Expand All @@ -14,6 +15,7 @@ Metadata:
- Regions
- OrganizationUnitIDs
- EventBridgeState
- EventBridgeEventPattern
ParameterLabels:
CSPMRoleName:
default: "CSPM Role Name (Sysdig use only)"
Expand All @@ -30,7 +32,10 @@ Metadata:
OrganizationUnitIDs:
default: "Organization Unit IDs (Sysdig use only)"
EventBridgeState:
default: "State of the EventBridge Rule (Sysdig use only)"
default: "State of the EventBridge Rule (Sysdig use only)"
EventBridgeEventPattern:
default: "Event Pattern (Sysdig use only)"

Parameters:
CSPMRoleName:
Type: String
Expand Down Expand Up @@ -61,7 +66,29 @@ Parameters:
- ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
- ENABLED
- DISABLED

EventBridgeEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
Default: |
{
"detail-type": [
"AWS API Call via CloudTrail",
"AWS Console Sign In via CloudTrail",
"AWS Service Event via CloudTrail",
"Object Access Tier Changed",
"Object ACL Updated",
"Object Created",
"Object Deleted",
"Object Restore Completed",
"Object Restore Expired",
"Object Restore Initiated",
"Object Storage Class Changed",
"Object Tags Added",
"Object Tags Deleted",
"GuardDuty Finding"
]
}
Resources:
AdministrationRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -357,6 +384,7 @@ Resources:
- 'Object Storage Class Changed'
- 'Object Tags Added'
- 'Object Tags Deleted'
- 'GuardDuty Finding'
State: !Sub ${EventBridgeState}
Targets:
- Id: !Sub ${EventBridgeRoleName}
Expand Down Expand Up @@ -388,6 +416,8 @@ Resources:
ParameterValue: !Ref EventBusARN
- ParameterKey: EventBridgeState
ParameterValue: !Ref EventBridgeState
- ParameterKey: EventBridgeEventPattern
ParameterValue: !Ref EventBridgeEventPattern
StackInstancesGroup:
- DeploymentTargets:
Accounts:
Expand All @@ -410,28 +440,36 @@ Resources:
AllowedValues:
- ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
- ENABLED
- DISABLED
- DISABLED
EventBridgeEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
Default: |
{
"detail-type": [
"AWS API Call via CloudTrail",
"AWS Console Sign In via CloudTrail",
"AWS Service Event via CloudTrail",
"Object Access Tier Changed",
"Object ACL Updated",
"Object Created",
"Object Deleted",
"Object Restore Completed",
"Object Restore Expired",
"Object Restore Initiated",
"Object Storage Class Changed",
"Object Tags Added",
"Object Tags Deleted",
"GuardDuty Finding"
]
}
Resources:
EventBridgeRule:
Type: "AWS::Events::Rule"
Properties:
Name: !Sub ${EventBridgeRoleName}
Description: Capture all CloudTrail events
EventPattern:
detail-type:
- 'AWS API Call via CloudTrail'
- 'AWS Console Sign In via CloudTrail'
- 'AWS Service Event via CloudTrail'
- 'Object Access Tier Changed'
- 'Object ACL Updated'
- 'Object Created'
- 'Object Deleted'
- 'Object Restore Completed'
- 'Object Restore Expired'
- 'Object Restore Initiated'
- 'Object Storage Class Changed'
- 'Object Tags Added'
- 'Object Tags Deleted'
EventPattern: !Ref EventBridgeEventPattern
State: !Sub ${EventBridgeState}
Targets:
- Id: !Sub ${EventBridgeRoleName}
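Review bot: The hunk around `@@ -357,6 +384,7 @@ Resources:` appends `- 'GuardDuty Finding'` to an inline `detail-type` list, while the embedded stack-set template in the last hunk switches to `EventPattern: !Ref EventBridgeEventPattern`; an operator who overrides the new parameter therefore changes the member-account rules but not this rule, and the two patterns silently diverge. If that rule lives in the same template scope as the parameter, it should use `EventPattern: !Ref EventBridgeEventPattern` as well; the resource that owns the inline list starts outside the hunk, so this is inferred from the surrounding keys. In the last hunk the context line `Description: Capture all CloudTrail events` is now stale, since the pattern is whatever the parameter holds and the default already covers GuardDuty findings — FullInstall.yaml in this same commit changed it to `Description: Capture events based on the provided event pattern`, and this template should match.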
44 changes: 28 additions & 16 deletions templates_eventbridge/EventBridge.yaml
Expand Up @@ -11,6 +11,8 @@ Metadata:
- ExternalID
- TrustedIdentity
- EventBusARN
- EventBridgeState
- EventBridgeEventPattern

ParameterLabels:
ExternalID:
Expand All @@ -23,6 +25,8 @@ Metadata:
default: "Integration Name (Sysdig use only)"
EventBridgeState:
default: "State of the EventBridge Rule (Sysdig use only)"
EventBridgeEventPattern:
default: "Event Pattern (Sysdig use only)"

Parameters:
EventBridgeRoleName:
Expand All @@ -45,6 +49,28 @@ Parameters:
- ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
- ENABLED
- DISABLED
EventBridgeEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
Default: |
{
"detail-type": [
"AWS API Call via CloudTrail",
"AWS Console Sign In via CloudTrail",
"AWS Service Event via CloudTrail",
"Object Access Tier Changed",
"Object ACL Updated",
"Object Created",
"Object Deleted",
"Object Restore Completed",
"Object Restore Expired",
"Object Restore Initiated",
"Object Storage Class Changed",
"Object Tags Added",
"Object Tags Deleted",
"GuardDuty Finding"
]
}
Resources:
EventBridgeRole:
Expand Down Expand Up @@ -83,25 +109,11 @@ Resources:
Properties:
Name: !Ref EventBridgeRoleName
Description: Capture all CloudTrail events
EventPattern:
detail-type:
- 'AWS API Call via CloudTrail'
- 'AWS Console Sign In via CloudTrail'
- 'AWS Service Event via CloudTrail'
- 'Object Access Tier Changed'
- 'Object ACL Updated'
- 'Object Created'
- 'Object Deleted'
- 'Object Restore Completed'
- 'Object Restore Expired'
- 'Object Restore Initiated'
- 'Object Storage Class Changed'
- 'Object Tags Added'
- 'Object Tags Deleted'
EventPattern: !Ref EventBridgeEventPattern
State: !Ref EventBridgeState
Targets:
- Id: !Ref EventBridgeRoleName
Arn: !Ref EventBusARN
RoleArn: !GetAtt
- EventBridgeRole
- Arn
- Arn
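Review bot: `Description: Capture all CloudTrail events` in the rule hunk (`@@ -83,25 +109,11 @@ Resources:`) is left unchanged while the pattern beneath it becomes `EventPattern: !Ref EventBridgeEventPattern`, whose default also forwards `GuardDuty Finding` events; the description now misstates what the rule matches. Use the wording this commit already adopts in templates_cspm_eventbridge/FullInstall.yaml, `Description: Capture events based on the provided event pattern`, so all three templates agree. The first hunk also adds `- EventBridgeState` to the parameter group alongside `- EventBridgeEventPattern`; if that is a fix for a previously missing group entry it deserves a mention in the commit description, since the title only speaks of the GuardDuty change.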
