[SSPROD-48724] CFT template for VM Workload Scanning (#139)

miguelpais · web-flow · commit f1e5366e7288 · 2024-12-12T08:34:51.000+01:00
diff --git a/modules/Makefile b/modules/Makefile
@@ -11,14 +11,16 @@ PARAM_TRUSTED_IDENTITY ?= arn:aws:iam:::role/$(PARAM_NAME_SUFFIX)
 PARAM_TARGET_EVENT_BUS_ARN ?= arn:aws:events:us-east-1::event-bus/default
 PARAM_BUCKET_ARN ?= arn:aws:s3:::cloudtrail-$(PARAM_NAME_SUFFIX)
 PARAM_REGIONS ?= us-east-1
+PARAM_LAMBDA_SCANNING_ENABLED ?= true
 
 .PHONY: validate lint deploy test clean
 validate: export AWS_PAGER=""
 validate:
-	aws cloudformation validate-template --template-body file://./foundational.cft.yaml
-	aws cloudformation validate-template --template-body file://./log_ingestion.events.cft.yaml
-	aws cloudformation validate-template --template-body file://./log_ingestion.s3.cft.yaml
-	aws cloudformation validate-template --template-body file://./volume_access.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./foundational.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.events.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.s3.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./volume_access.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./vm_workload_scanning.cft.yaml
 
 lint:
 	cfn-lint *.cft.yaml
@@ -28,12 +30,14 @@ lint:
 	yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 	yq '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
 	yq '.Resources.OrganizationStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.ScanningOrgStackSet.Properties.TemplateBody' vm_workload_scanning.cft.yaml | cfn-lint -
 
 publish:
 	aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml
 	aws s3 cp log_ingestion.s3.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.s3.cft.yaml
 	aws s3 cp log_ingestion.events.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.events.cft.yaml
 	aws s3 cp volume_access.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/volume_access.cft.yaml
+	aws s3 cp vm_workload_scanning.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/vm_workload_scanning.cft.yaml
 
 deploy:
 	aws cloudformation deploy \
@@ -83,10 +87,23 @@ deploy:
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
 
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \
+		--template-file vm_workload_scanning.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+
 clean:
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX)
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX)
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX)
 
 
diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml
@@ -0,0 +1,260 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Sysdig Secure Agentless Workload Scanning Onboarding
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Sysdig Assigned Settings (Do not change)
+        Parameters:
+          - NameSuffix
+          - ExternalID
+          - TrustedIdentity
+          - LambdaScanningEnabled
+          - IsOrganizational
+          - OrganizationalUnitIDs
+    ParameterLabels:
+      NameSuffix:
+        default: Name Suffix
+      ExternalID:
+        default: External ID
+      TrustedIdentity:
+        default: Trusted Identity
+      LambdaScanningEnabled:
+        default: Enable Lambda Scanning
+      IsOrganizational:
+        default: Is Organizational Deployment?
+      OrganizationalUnitIDs:
+        default: Organizational Unit IDs
+Parameters:
+  NameSuffix:
+    Type: String
+    Description: Suffix to append to the resource name identifiers
+    AllowedPattern: '[0-9a-z]+'
+    MaxLength: 8
+    MinLength: 4
+  ExternalID:
+    Type: String
+    Description: Sysdig assigned token that proves you own this account
+  TrustedIdentity:
+    Type: String
+    Description: The Role in Sysdig's AWS Account with permissions to your account
+  LambdaScanningEnabled:
+    Type: String
+    Description: Enable Lambda function scanning
+    Default: 'false'
+    AllowedValues:
+      - 'true'
+      - 'false'
+  IsOrganizational:
+    Type: String
+    Description: Whether this is an organizational deployment
+    Default: 'false'
+    AllowedValues:
+      - 'true'
+      - 'false'
+  OrganizationalUnitIDs:
+    Type: CommaDelimitedList
+    Description: Comma-separated list of organizational unit IDs to deploy (required for organizational deployments)
+
+Conditions:
+  IsOrganizational:
+    Fn::Equals:
+      - Ref: IsOrganizational
+      - 'true'
+  IsNotOrganizational:
+    Fn::Equals:
+      - Ref: IsOrganizational
+      - 'false'
+  IsNotOrganizationalAndLambdaEnabled:
+    Fn::And:
+      - Fn::Equals:
+        - Ref: IsOrganizational
+        - 'false'
+      - Fn::Equals:
+        - Ref: LambdaScanningEnabled
+        - 'true'
+
+Resources:
+  ScanningRole:
+    Type: AWS::IAM::Role
+    Condition: IsNotOrganizational
+    Properties:
+      RoleName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                Ref: TrustedIdentity
+            Action: ['sts:AssumeRole']
+            Condition:
+              StringEquals:
+                sts:ExternalId:
+                  Ref: ExternalID
+  ECRPolicy:
+    Type: AWS::IAM::Policy
+    Condition: IsNotOrganizational
+    Properties:
+      PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-ecr
+      Roles:
+        - !Ref ScanningRole
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - ecr:GetDownloadUrlForLayer
+              - ecr:BatchGetImage
+              - ecr:BatchCheckLayerAvailability
+              - ecr:ListImages
+              - ecr:GetAuthorizationToken
+            Resource: '*'
+  LambdaPolicy:
+    Type: AWS::IAM::Policy
+    Condition: IsNotOrganizationalAndLambdaEnabled
+    Properties:
+      PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-lambda
+      Roles:
+        - !Ref ScanningRole
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - lambda:GetFunction
+              - lambda:GetFunctionConfiguration
+              - lambda:GetRuntimeManagementConfig
+              - lambda:ListFunctions
+              - lambda:ListTagsForResource
+              - lambda:GetLayerVersionByArn
+              - lambda:GetLayerVersion
+              - lambda:ListLayers
+              - lambda:ListLayerVersions
+            Resource: '*'
+
+
+  ScanningOrgStackSet:
+    Type: AWS::CloudFormation::StackSet
+    Condition: IsOrganizational
+    Properties:
+      StackSetName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
+      Description: Creates IAM roles within an AWS organization for Agentless Workload Scanning
+      PermissionModel: SERVICE_MANAGED
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        MaxConcurrentPercentage: 100
+        FailureTolerancePercentage: 90
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
+      Parameters:
+        - ParameterKey: NameSuffix
+          ParameterValue:
+            Ref: NameSuffix
+        - ParameterKey: TrustedIdentity
+          ParameterValue:
+            Ref: TrustedIdentity
+        - ParameterKey: ExternalID
+          ParameterValue:
+            Ref: ExternalID
+        - ParameterKey: LambdaScanningEnabled
+          ParameterValue:
+            Ref: LambdaScanningEnabled
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref OrganizationalUnitIDs
+          Regions:
+            - Ref: AWS::Region
+      TemplateBody: |
+        AWSTemplateFormatVersion: "2010-09-09"
+        Description: IAM Role for Agentless Workload Scanning
+        Parameters:
+          NameSuffix:
+            Type: String
+            Description: Suffix to append to the resource name identifiers
+            AllowedPattern: "[0-9a-z]+"
+            MaxLength: 8
+            MinLength: 4
+          TrustedIdentity:
+            Type: String
+            Description: Trusted identity
+          ExternalID:
+            Type: String
+            Description: external ID
+          LambdaScanningEnabled:
+            Type: String
+            Description: Enable Lambda function scanning
+            Default: 'false'
+        Conditions:
+          IsLambdaEnabled:
+            Fn::Equals:
+              - Ref: LambdaScanningEnabled
+              - 'true'
+        Resources:
+          ScanningRole:
+            Type: AWS::IAM::Role
+            Properties:
+              RoleName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
+              AssumeRolePolicyDocument:
+                Version: "2012-10-17"
+                Statement:
+                - Effect: "Allow"
+                  Action: "sts:AssumeRole"
+                  Principal:
+                    AWS: !Ref TrustedIdentity
+                  Condition:
+                    StringEquals:
+                      sts:ExternalId: !Ref ExternalID
+          ECRPolicy:
+            Type: AWS::IAM::Policy
+            Properties:
+              PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-ecr
+              Roles:
+                - !Ref ScanningRole
+              PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                  - Effect: Allow
+                    Action:
+                      - ecr:GetDownloadUrlForLayer
+                      - ecr:BatchGetImage
+                      - ecr:BatchCheckLayerAvailability
+                      - ecr:ListImages
+                      - ecr:GetAuthorizationToken
+                    Resource: '*'
+          LambdaPolicy:
+            Type: AWS::IAM::Policy
+            Condition: IsLambdaEnabled
+            Properties:
+              PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-lambda
+              Roles:
+                - !Ref ScanningRole
+              PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                  - Effect: Allow
+                    Action:
+                      - lambda:GetFunction
+                      - lambda:GetFunctionConfiguration
+                      - lambda:GetRuntimeManagementConfig
+                      - lambda:ListFunctions
+                      - lambda:ListTagsForResource
+                      - lambda:GetLayerVersionByArn
+                      - lambda:GetLayerVersion
+                      - lambda:ListLayers
+                      - lambda:ListLayerVersions
+                    Resource: '*'
+                
+
+
+Outputs:
+  ScanningRoleARN:
+    Description: ARN of the scanning role
+    Value:
+      Fn::Sub: sysdig-vm-workload-scanning-${NameSuffix}
+
diff --git a/modules/vm_workload_scanning.components.json b/modules/vm_workload_scanning.components.json
@@ -0,0 +1,12 @@
+[
+  {
+    "type": "COMPONENT_TRUSTED_ROLE",
+    "instance": "secure-vm-workload-scanning",
+    "version": "v0.1.0",
+    "trustedRoleMetadata": {
+      "aws": {
+        "roleName": "sysdig-vm-workload-scanning-{{NameSuffix}}"
+      }
+    }
+  }
+]
