feat: Enhance compliance (#49)

* Specify ingress ports for SecurityGroups
* Add S3 Access Logging to the Cloudtrail bucket
* Add S3 Public Access Block configuration

Author: tembleking

.gitignore

@@ -1,2 +1,3 @@
 packaged-template.yaml
 *.zip
+.idea/

templates/CloudBench.yaml

@@ -214,7 +214,17 @@ Resources:
       GroupDescription: CloudBench workload Security Group
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
-          IpProtocol: "-1"
+          IpProtocol: "tcp"
+          FromPort: 80
+          ToPort: 80
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "tcp"
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "tcp"
+          FromPort: 7000
+          ToPort: 7000
       Tags:
         - Key: Name
           Value: !Sub "${AWS::StackName}-CloudBench"

templates/CloudConnector.yaml

@@ -220,7 +220,18 @@ Resources:
       GroupDescription: CloudConnector workload Security Group
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
-          IpProtocol: "-1"
+          IpProtocol: "tcp"
+          FromPort: 80
+          ToPort: 80
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "tcp"
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "tcp"
+          FromPort: 5000
+          ToPort: 5000
+
       Tags:
         - Key: Name
           Value: !Sub "${AWS::StackName}-CloudConnector"

templates/CloudScanning.yaml

@@ -240,7 +240,17 @@ Resources:
       GroupDescription: CloudScanning workload Security Group
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
-          IpProtocol: "-1"
+          IpProtocol: "tcp"
+          FromPort: 80
+          ToPort: 80
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "tcp"
+          FromPort: 443
+          ToPort: 443
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "tcp"
+          FromPort: 5000
+          ToPort: 5000
       Tags:
         - Key: Name
           Value: !Sub "${AWS::StackName}-CloudScanning"

templates/CloudTrail.yaml

@@ -15,6 +15,23 @@ Resources:
         Rules:
           - ExpirationInDays: !Ref CloudTrailLogRetention
             Status: Enabled
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      LoggingConfiguration:
+        DestinationBucketName: !Ref CloudTrailLoggingBucket
+        LogFilePrefix: sysdig-cloudtrail-bucket-logs
+  CloudTrailLoggingBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      AccessControl: LogDeliveryWrite
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
 
   BucketPolicy:
     Type: AWS::S3::BucketPolicy

templates/CloudVision.yaml

@@ -134,6 +134,23 @@ Resources:
     Properties:
       VersioningConfiguration:
         Status: Enabled
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      LoggingConfiguration:
+        DestinationBucketName: !Ref SysdigConfigLoggingBucket
+        LogFilePrefix: sysdig-config-bucket-logs
+  SysdigConfigLoggingBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      AccessControl: LogDeliveryWrite
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
 
   SysdigSecureAPITokenParameter:
     Type: AWS::SSM::Parameter