diff --git a/util/ec2-automation/one-time-or-continuous-monitoring-template.yaml-WIP b/util/ec2-automation/one-time-or-continuous-monitoring-template.yaml-WIP
deleted file mode 100644
index b80526c9..00000000
--- a/util/ec2-automation/one-time-or-continuous-monitoring-template.yaml-WIP
+++ /dev/null
@@ -1,369 +0,0 @@ ---- -Description: Stack for AWS resources to run Prowler scan -AWSTemplateFormatVersion: "2010-09-09" - -Parameters: - ServiceName: - Description: 'Specifies the service name used within component naming' - Type: String - Default: 'prowler' - - LogsRetentionInDays: - Description: 'Specifies the number of days you want to retain CloudWatch log events in the specified log group.' - Type: Number - Default: 3 - AllowedValues: [1, 3, 5, 7, 14, 30, 60] - - ProwlerOptions: - Description: 'Options to pass to Prowler command. For all options see ./prowler -h' - Type: String - Default: '-r eu-west-1 -f eu-west-1 -M text,junit-xml,html -c check11,check12,check13,check14' - - ProwlerSchedule: - Description: The time when Prowler will run in cron format. Default is daily at 22:00h/10PM - Type: String - Default: '0 22 * * *' - - ProwlerInstanceType: - Description: Enter Instance Type - Type: String - Default: t2.micro - - Ec2ImageId: - Type: AWS::SSM::Parameter::Value - Description: Latest AMI ID for Amazon Linux 2 (via AWS Publis SSM Parameters. See https://tinyurl.com/aws-public-ssm-parameters. 
- Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-ebs - - Ec2InstanceKeyName: - Description: The name of key pair - Type: AWS::EC2::KeyPair::KeyName - - SecurityGroupIds: - Description: Security group IDs - Type: CommaDelimitedList - - SubnetIds: - Description: VPC subnet IDs - Type: CommaDelimitedList - -Resources: - - ReportBucket: - Type: AWS::S3::Bucket - Properties: - BucketName: !Sub 'prowler-reports-${AWS::Region}-${AWS::AccountId}' - AccessControl: Private - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - # LoggingConfiguration: - # DestinationBucketName: !Sub "my-access-log-bucket-${AWS::Region}-${AWS::AccountId}" - # LogFilePrefix: !Sub "${ProwlerReportBucket}/" - LifecycleConfiguration: - Rules: - - Id: AutoDelete - Status: Enabled - NoncurrentVersionExpirationInDays: 30 - ExpirationInDays: 365 - Transition: - TransitionInDays: 30 - StorageClass: STANDARD_IA - - ReportBucketPolicy: - Type: "AWS::S3::BucketPolicy" - Properties: - Bucket: !Ref ReportBucket - PolicyDocument: - Statement: - - Sid: DenyDelete - Effect: Deny - Principal: "*" - Action: s3:Delete* - Resource: - - !Sub "${ReportBucket.Arn}/*" - - Sid: S3ForceSSL - Effect: Deny - Principal: '*' - Action: '*' - Resource: - - !Join ['', ['arn:aws:s3:::', !Ref 'ReportBucket', '/*']] - Condition: - Bool: - aws:SecureTransport: 'false' - - Sid: ForceUploadEcryption - Effect: Deny - Principal: '*' - Action: 's3:PutObject' - Condition: - 'Null': - s3:x-amz-server-side-encryption: 'true' - Resource: - - !Sub "${ReportBucket.Arn}" - - !Sub "${ReportBucket.Arn}/*" - - InstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: "/" - Roles: - - !Ref InstanceRole - - InstanceRole: - Type: AWS::IAM::Role - Properties: - Path: "/" - 
RoleName: !Sub "${ServiceName}-prowler-role" - MaxSessionDuration: 10800 - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: - - ec2.amazonaws.com - Action: - - sts:AssumeRole - ManagedPolicyArns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "arn:aws:iam::aws:policy/SecurityAudit" - - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore' - Policies: - - PolicyName: ProwlerAdditionsPolicy - PolicyDocument: - Version: 2012-10-17 - Statement: - - Sid: AllowMoreReadForProwler - Action: - - "access-analyzer:List*" - - "apigateway:Get*" - - "apigatewayv2:Get*" - - "aws-marketplace:ViewSubscriptions" - - "dax:ListTables" - - "ds:ListAuthorizedApplications" - - "ds:DescribeRoles" - - "ec2:GetEbsEncryptionByDefault" - - "ecr:Describe*" - - "lambda:GetAccountSettings" - - "lambda:GetFunction" - - "lambda:GetFunctionConfiguration" - - "lambda:GetLayerVersionPolicy" - - "lambda:GetPolicy" - - "opsworks-cm:Describe*" - - "opsworks:Describe*" - - "secretsmanager:ListSecretVersionIds" - - "sns:List*" - - "sqs:ListQueueTags" - - "states:ListActivities" - - "support:Describe*" - - "tag:GetTagKeys" - Effect: "Allow" - Resource: "*" - - PolicyName: LogGroup - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - logs:CreateLogStream - - logs:CreateLogGroup - - logs:PutLogEvents - Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ProwlerLogGroup}:*' - - PolicyName: CloudWatchMetrics - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - cloudwatch:PutMetricData - Resource: "*" - - PolicyName: ProwlerMaintenancePolicy - PolicyDocument: - Version: "2012-10-17" - Statement: - # - Sid: AllowAssumeProwlerRole - # Effect: Allow - # Action: - # - "sts:AssumeRole" - # Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/application/prod-prowler-role" - - Sid: AllowScaleDownAutoScalingGroup - Effect: Allow - Action: - - 
"autoscaling:DescribeAutoScalingGroups" - - "autoscaling:DescribeAutoScalingInstances" - - "autoscaling:SetDesiredCapacity" - Resource: "*" - - Sid: AllowDescribeRegions - Effect: Allow - Action: - - "ec2:DescribeRegions" - Resource: "*" - - Sid: SSMSessionManager - Effect: Allow - Action: - - ec2messages:* - - ssmmessages:* - - ssm:* - Resource: "*" - # - Sid: SlackNotification - # Effect: Allow - # Action: - # - events:PutEvents - # Resource: !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default" - - Sid: AllowUploadReport - Effect: Allow - Action: - - "s3:PutObject" - Resource: - - !Sub "${ReportBucket.Arn}/*" - - ProwlerLogGroup: - Type: 'AWS::Logs::LogGroup' - Properties: - LogGroupName: !Sub "${ServiceName}-${AWS::StackName}" - RetentionInDays: !Ref LogsRetentionInDays - - Ec2InstanceLaunchTemplate: - Type: AWS::EC2::LaunchTemplate - Metadata: - AWS::CloudFormation::Init: - config: - files: - /opt/prowler.sh: - content: !Sub | - #!/usr/bin/env bash - set -e - - # export AWS_DEFAULT_REGION=${AWS::Region} - # export AWS_PARTITION=aws - - # declare -A ACCOUNTS - # ACCOUNTS[ssvc]='798980982229' - # ACCOUNTS[prod]='579842252590' - # ACCOUNTS[uat]='990839841794' - - # TOKEN=$(curl -s -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 360" "http://169.254.169.254/latest/api/token") - # INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token:$TOKEN" "http://169.254.169.254/latest/meta-data/instance-id") - # ASG_NAME=$(aws autoscaling describe-auto-scaling-instances --instance-ids $INSTANCE_ID --query 'AutoScalingInstances[0].AutoScalingGroupName' --output text) - # ENVIRONMENT=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG_NAME --query 'AutoScalingGroups[0].Tags[?Key==`ScanTarget`]|[0].Value' --output text) - - # PROWLER_REPORT="${!ENVIRONMENT}_prowler_report_$(date +%d%m%Y).csv" - # REPORT_S3_LOCATION="${ReportBucket}" - - # cd /opt/prowler - # /opt/prowler/prowler -f eu-west-1 -c check12 -M text,html,csv - # aws s3 cp 
--sse AES256 /opt/prowler/prowler/output/*.{html,csv} s3://$REPORT_S3_LOCATION/ - - # /opt/prowler/prowler -A "${!ACCOUNTS[$ENVIRONMENT]}" \ - # -R "application/${!ENVIRONMENT}-prowler-role" \ - # -T 10800 \ - # -m 500 \ - # -r ${AWS::Region} \ - # -E extra79,extra710,extra712,extra757,extra758,extra770,extra774 \ - # -b -q -M csv | tee -a $PROWLER_REPORT - - # Upload to S3 - # aws s3 cp $PROWLER_REPORT $REPORT_S3_LOCATION --sse - - # Send Slack notification - # message="Prowler scan for \`${!ENVIRONMENT}\` completed. Please check report from \`${!REPORT_S3_LOCATION}\`." - # aws events put-events --entries "[{\"Source\":\"myorg:slack\",\"DetailType\":\"hello\",\"Detail\":\"{\\\"username\\\":\\\"Prowler Scanner\\\",\\\"avatar\\\":\\\":aws:\\\",\\\"channel\\\":\\\"#t-fs-calabash\\\",\\\"text\\\":\\\"${!message}\\\"}\"}]" - - # Scale Down Auto Scaling Group - # aws autoscaling set-desired-capacity --auto-scaling-group-name $ASG_NAME --desired-capacity 0 - mode: '000755' - owner: root - group: root - Properties: - LaunchTemplateData: - SecurityGroupIds: !Ref SecurityGroupIds - MetadataOptions: - HttpEndpoint: enabled - HttpTokens: optional - TagSpecifications: - - ResourceType: instance - Tags: - - Key: Name - Value: !Ref 'AWS::StackName' - UserData: - Fn::Base64: !Sub | - #cloud-config - runcmd: - - while ! 
curl --connect-timeout 1 -s http://169.254.169.254/ > /dev/null; do echo "-- waiting for instance network to wake up ..."; done - - /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource Ec2InstanceLaunchTemplate --region ${AWS::Region} - - yum update -y - - yum install -y python3-pip git jq - - pip3 install detect-secrets - - git clone https://github.com/toniblyx/prowler.git /opt/prowler - - export AWS_DEFAULT_REGION=${AWS::Region} - - export REPORT_S3_LOCATION=${ReportBucket} - - export TOKEN=$(curl -s -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 360" "http://169.254.169.254/latest/api/token") - - export INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token:$TOKEN" "http://169.254.169.254/latest/meta-data/instance-id") - - export ASG_NAME=$(aws autoscaling describe-auto-scaling-instances --instance-ids $INSTANCE_ID --query 'AutoScalingInstances[0].AutoScalingGroupName' --output text) - - export ENVIRONMENT=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG_NAME --query 'AutoScalingGroups[0].Tags[?Key==`ScanTarget`]|[0].Value' --output text) - - cd /opt/prowler - - /opt/prowler/prowler -f eu-west-1 -c check12 -M text,html,csv - - aws s3 cp --sse AES256 /opt/prowler/prowler/output/*.{html,csv} s3://$REPORT_S3_LOCATION/ - - aws autoscaling set-desired-capacity --auto-scaling-group-name $ASG_NAME --desired-capacity 0 - - /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource ASGroup --region ${AWS::Region} - InstanceInitiatedShutdownBehavior: terminate - IamInstanceProfile: - Name: !Ref InstanceProfile - KeyName: !Ref 'Ec2InstanceKeyName' - ImageId: !Ref 'Ec2ImageId' - InstanceType: !Ref ProwlerInstanceType - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: true - KmsKeyId: alias/aws/ebs - VolumeType: standard - DeleteOnTermination: true - VolumeSize: 8 - InstanceMarketOptions: - MarketType: spot - SpotOptions: - SpotInstanceType: one-time - MaxPrice: 0.006 - - ProwlerAutoScalingGroup: - Type: 
AWS::AutoScaling::AutoScalingGroup - UpdatePolicy: - AutoScalingReplacingUpdate: - WillReplace: true - Properties: - VPCZoneIdentifier: !Ref SubnetIds - LaunchTemplate: - LaunchTemplateId: !Ref 'Ec2InstanceLaunchTemplate' - Version: !GetAtt 'Ec2InstanceLaunchTemplate.LatestVersionNumber' - MinSize: 1 - MaxSize: 1 - HealthCheckGracePeriod: 300 - HealthCheckType: EC2 - Tags: - - Key: Name - Value: !Sub "${AWS::StackName}" - PropagateAtLaunch: true - - ProwlerScheduledScaleUp: - Type: AWS::AutoScaling::ScheduledAction - Properties: - AutoScalingGroupName: !Ref ProwlerAutoScalingGroup - DesiredCapacity: 1 - MaxSize: 1 - MinSize: 0 - Recurrence: !Ref ProwlerSchedule - -Outputs: - ReportBucket: - Description: Report Bucket Name - Value: !Ref 'ReportBucket' - Export: - Name: !Sub 'prowler-reports-${AWS::Region}-${AWS::AccountId}' \ No newline at end of file