-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdeep-security.yml
278 lines (278 loc) · 10.5 KB
/
deep-security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
Transform: AWS::Serverless-2016-10-31
Description: AWS CloudFormation template to create custom AWS Config rules that interact
with the Trend Micro Deep Security Manager. You will be billed for the AWS resources
used if you create a stack from this template.
Parameters:
ConfigBucket:
Description: Name of the S3 bucket for AWS Config to store history and files
Type: String
MinLength: 1
MaxLength: 255
ConfigPrefix:
Description: Object prefix inside config bucket
Type: String
MinLength: 1
MaxLength: 255
DSUsernameKey:
Description: Parameter Store key name for Deep Security Manager username
Type: String
DSPasswordKey:
Description: Parameter Store key name for Deep Security Manager password
Type: String
DSHostname:
Description: Deep Security Manager hostname
Type: String
DSPort:
Description: Deep Security Manager port
Type: Number
Default: 443
DSTenant:
Description: Deep Security tenant name
Type: String
Default: ''
DSIgnoreSslValidation:
Description: Whether to ignore SSL validation on connection
Type: String
Default: false
DSPolicy:
Description: Deep Security policy to check against
Type: String
DSControl:
Description: Deep Security protection name to check against
Type: String
AllowedValues: [ anti_malware, web_reputation, firewall, intrusion_prevention, integrity_monitoring, log_inspection ]
Metadata:
AWS::ServerlessRepo::Application:
Name: Deep-Security-Config-Rules
Description: A set of AWS Config Rules to help ensure that your AWS deployments are leveraging the protection of Deep Security.
These rules help centralize your compliance information in one place, AWS Config.
Author: Trend Micro
SpdxLicenseId: Apache-2.0
LicenseUrl: LICENSE
ReadmeUrl: README.md
Labels: ['trendmicro', 'deepsecurity', 'security', 'config']
HomePageUrl: https://github.com/deep-security/aws-config
SemanticVersion: 0.0.1
SourceCodeUrl: https://github.com/deep-security/aws-config
Resources:
dsDoesInstanceHavePolicyLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: rules/ds-DoesInstanceHavePolicy
Description: Custom AWS Config rule that checks with the Trend Micro Deep Security
Manager to see if the named policy is in effect. See https://github.com/deep-security/aws-config
for more details.
Handler: dsDoesInstanceHavePolicy.aws_config_rule_handler
Role: !GetAtt dsConfigRuleRole.Arn
Runtime: python3.7
Timeout: 60
dsDoesInstanceHavePolicyLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt dsDoesInstanceHavePolicyLambda.Arn
Action: lambda:InvokeFunction
Principal: config.amazonaws.com
dsIsInstanceClearLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: rules/ds-IsInstanceClear
Description: Custom AWS Config rule that checks with the Trend Micro Deep Security
Manager to see if the instance is clear of any alerts, warnings, or errors.
See https://github.com/deep-security/aws-config for more details.
Handler: dsIsInstanceClear.aws_config_rule_handler
Role: !GetAtt dsConfigRuleRole.Arn
Runtime: python3.7
Timeout: 60
dsIsInstanceClearLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt dsIsInstanceClearLambda.Arn
Action: lambda:InvokeFunction
Principal: config.amazonaws.com
dsIsInstanceProtectedByLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: rules/ds-IsInstanceProtectedBy
Description: Custom AWS Config rule that checks with the Trend Micro Deep Security
Manager to see if the instance is protected using the specified security control.
See https://github.com/deep-security/aws-config for more details.
Handler: dsIsInstanceProtectedBy.aws_config_rule_handler
Role: !GetAtt dsConfigRuleRole.Arn
Runtime: python3.7
Timeout: 60
dsIsInstanceProtectedByLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt dsIsInstanceProtectedByLambda.Arn
Action: lambda:InvokeFunction
Principal: config.amazonaws.com
dsIsInstanceProtectedByAntiMalwareLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: rules/ds-IsInstanceProtectedByAntiMalware
Description: Custom AWS Config rule that checks with the Trend Micro Deep Security
Manager to see if the instance is protected using the anti-malware security
control. See https://github.com/deep-security/aws-config for more details.
Handler: dsIsInstanceProtectedByAntiMalware.aws_config_rule_handler
Role: !GetAtt dsConfigRuleRole.Arn
Runtime: python3.7
Timeout: 60
dsIsInstanceProtectedByAntiMalwareLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt dsIsInstanceProtectedByAntiMalwareLambda.Arn
Action: lambda:InvokeFunction
Principal: config.amazonaws.com
dsConfigRuleRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: dsConfigRulePolicy
PolicyDocument:
Statement:
- Action:
- ssm:GetParameter
Effect: Allow
Resource:
- !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*
- Action:
- kms:Decrypt
Effect: Allow
Resource: '*'
- Action:
- s3:GetObject
Effect: Allow
Resource: !Sub arn:aws:s3:::${ConfigBucket}/${ConfigPrefix}/*
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogStreams
Effect: Allow
Resource: '*'
- Action:
- config:PutEvaluations
Effect: Allow
Resource: '*'
dsDoesInstanceHavePolicyRule:
Type: AWS::Config::ConfigRule
Properties:
Description: This rule checks with the Trend Micro Deep Security
Manager to see if the named policy is in effect.
Scope:
ComplianceResourceTypes:
- AWS::EC2::Instance
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier: !GetAtt dsDoesInstanceHavePolicyLambda.Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
InputParameters:
dsUsernameKey: !Ref DSUsernameKey
dsPasswordKey: !Ref DSPasswordKey
dsHostname: !Ref DSHostname
dsPort: !Ref DSPort
dsTenant: !Ref DSTenant
dsIgnoreSslValidation: !Ref DSIgnoreSslValidation
dsPolicy: !Ref DSPolicy
DependsOn:
- dsDoesInstanceHavePolicyLambdaPermission
dsIsInstanceClearRule:
Type: AWS::Config::ConfigRule
Properties:
Description: This rule checks with the Trend Micro Deep Security Manager to see
if the instance is clear of any alerts, warnings, or errors.
Scope:
ComplianceResourceTypes:
- AWS::EC2::Instance
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier: !GetAtt dsIsInstanceClearLambda.Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
InputParameters:
dsUsernameKey: !Ref DSUsernameKey
dsPasswordKey: !Ref DSPasswordKey
dsHostname: !Ref DSHostname
dsPort: !Ref DSPort
dsTenant: !Ref DSTenant
dsIgnoreSslValidation: !Ref DSIgnoreSslValidation
DependsOn:
- dsIsInstanceClearLambdaPermission
dsIsInstanceProtectedByRule:
Type: AWS::Config::ConfigRule
Properties:
Description: This rule checks with the Trend Micro Deep Security
Manager to see if the instance is protected using the specified security control.
Scope:
ComplianceResourceTypes:
- AWS::EC2::Instance
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier: !GetAtt dsIsInstanceProtectedByLambda.Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
InputParameters:
dsUsernameKey: !Ref DSUsernameKey
dsPasswordKey: !Ref DSPasswordKey
dsHostname: !Ref DSHostname
dsPort: !Ref DSPort
dsTenant: !Ref DSTenant
dsIgnoreSslValidation: !Ref DSIgnoreSslValidation
dsControl: !Ref DSControl
DependsOn:
- dsIsInstanceProtectedByLambdaPermission
dsIsInstanceProtectedByAntiMalwareRule:
Type: AWS::Config::ConfigRule
Properties:
Description: This rule checks with the Trend Micro Deep Security
Manager to see if the instance is protected using the anti-malware security
control.
Scope:
ComplianceResourceTypes:
- AWS::EC2::Instance
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier: !GetAtt dsIsInstanceProtectedByAntiMalwareLambda.Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
InputParameters:
dsUsernameKey: !Ref DSUsernameKey
dsPasswordKey: !Ref DSPasswordKey
dsHostname: !Ref DSHostname
dsPort: !Ref DSPort
dsTenant: !Ref DSTenant
dsIgnoreSslValidation: !Ref DSIgnoreSslValidation
DependsOn:
- dsIsInstanceProtectedByAntiMalwareLambdaPermission
Outputs:
dsDoesInstanceHavePolicyLambda:
Description: ARN for the dsDoesInstanceHavePolicy lambda
Value: !GetAtt dsDoesInstanceHavePolicyLambda.Arn
dsIsInstanceClearLambda:
Description: ARN for the dsIsInstanceClearLambda lambda
Value: !GetAtt dsIsInstanceClearLambda.Arn
dsIsInstanceProtectedByLambda:
Description: ARN for the dsIsInstanceProtectedByLambda lambda
Value: !GetAtt dsIsInstanceProtectedByLambda.Arn
dsIsInstanceProtectedByAntiMalwareLambda:
Description: ARN for the dsIsInstanceProtectedByAntiMalwareLambda lambda
Value: !GetAtt dsIsInstanceProtectedByAntiMalwareLambda.Arn