@@ -645,14 +645,17 @@ Resources:
645645 - Effect : Allow
646646 Action :
647647 - ' sqs:GetQueueAttributes'
648- - ' sqs:ListQueues'
649648 - ' sqs:ReceiveMessage'
650649 - ' sqs:GetQueueUrl'
651650 - ' sqs:SendMessage'
652651 - ' sqs:DeleteMessage'
652+ - ' sqs:changemessagevisibility'
653653 Resource :
654654 - !GetAtt [rCloudTrailQueue, Arn]
655655 - !GetAtt [rGuardDutyQueue, Arn]
656+ - Effect : Allow
657+ Action : ' sqs:ListQueues'
658+ Resource : ' *'
656659 - Effect : Allow
657660 Action :
658661 - ' s3:ListBucket'
@@ -664,9 +667,18 @@ Resources:
664667 - ' s3:GetBucketLogging'
665668 - ' s3:GetLifecycleConfiguration'
666669 - ' s3:GetBucketCORS'
670+ - ' s3:GetObjectVersion'
667671 Resource :
668672 - !Sub ' arn:${AWS::Partition}:s3:::${pGuardDutyBucketName}'
669673 - !Sub ' arn:${AWS::Partition}:s3:::${pCloudTrailBucketName}'
674+ - !Sub ' arn:${AWS::Partition}:s3:::${pGuardDutyBucketName}/*'
675+ - !Sub ' arn:${AWS::Partition}:s3:::${pCloudTrailBucketName}/*'
676+ - Effect : Allow
677+ Action :
678+ - ' kms:Decrypt'
679+ Resource :
680+ - !GetAtt rGetCloudTrailS3BucketKMSKey.KmsKeyId
681+ - !GetAtt rGetGuardDutyS3BucketKMSKey.KmsKeyId
670682 ManagedPolicyName : !Ref pDeepwatchRoleName
671683
672684 rDeepwatchRole :
@@ -690,6 +702,133 @@ Resources:
690702 Path : /
691703 RoleName : !Ref pDeepwatchRoleName
692704
705+ rGetCloudTrailS3BucketKMSKey :
706+ Type : Custom::LambdaCustomResource
707+ Properties :
708+ ServiceToken : !GetAtt rGetS3KmsKeyIdLambdaFunction.Arn
709+ BucketName : !Ref pCloudTrailBucketName
710+
711+ rGetGuardDutyS3BucketKMSKey :
712+ Type : Custom::LambdaCustomResource
713+ Properties :
714+ ServiceToken : !GetAtt rGetS3KmsKeyIdLambdaFunction.Arn
715+ BucketName : !Ref pGuardDutyBucketName
716+
717+ rGetS3KmsKeyIdLambdaFunction :
718+ Metadata :
719+ cfn_nag :
720+ rules_to_suppress :
721+ - id : W58
722+ reason : Lambda role provides access to CloudWatch Logs
723+ - id : W89
724+ reason : Lambda does not need to communicate with VPC resources.
725+ - id : W92
726+ reason : Lambda does not need reserved concurrent executions.
727+ checkov :
728+ skip :
729+ - id : CKV_AWS_115
730+ comment : Lambda does not need reserved concurrent executions.
731+ - id : CKV_AWS_116
732+ comment : DLQ not needed, as Lambda function only triggered by CloudFormation events.
733+ - id : CKV_AWS_117
734+ comment : Lambda does not need to communicate with VPC resources.
735+ Type : AWS::Lambda::Function
736+ Properties :
737+ Description : Get KMS key id of an S3 bucket
738+ Handler : index.lambda_handler
739+ Role : !GetAtt rGetS3KmsKeyIdLambdaRole.Arn
740+ Runtime : python3.10
741+ Timeout : 60
742+ Code :
743+ ZipFile : |
744+ import logging
745+ import os
746+
747+ import boto3
748+ import cfnresponse
749+ from botocore.exceptions import ClientError
750+
751+ LOGGER = logging.getLogger(__name__)
752+ log_level: str = os.environ.get("LOG_LEVEL", "ERROR")
753+ LOGGER.setLevel(log_level)
754+
755+ def get_kms_key(bucket_name):
756+ """
757+ Get KMS Key used to encrypt the S3 bucket.
758+ """
759+ s3_client = boto3.client("s3")
760+ try:
761+ response = s3_client.get_bucket_encryption(Bucket=bucket_name)
762+ kms_key_id = response["ServerSideEncryptionConfiguration"]["Rules"][0]["ApplyServerSideEncryptionByDefault"]["KMSMasterKeyID"]
763+ return kms_key_id
764+ except ClientError as exe:
765+ if exe.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
766+ return None
767+ else:
768+ raise exe
769+
770+ def lambda_handler(event, context):
771+ """
772+ Lambda Handler.
773+ """
774+ bucket_name = event["ResourceProperties"]["BucketName"]
775+ response_data = {}
776+ try:
777+ data = get_kms_key(bucket_name)
778+ response_data['KmsKeyId'] = data
779+ cfnresponse.send(event, context, cfnresponse.SUCCESS, response_data, None)
780+ except Exception:
781+ LOGGER.exception("Unexpected!")
782+ cfnresponse.send(event, context, cfnresponse.FAILED, response_data, None)
783+
784+ rGetS3KmsKeyIdLogGroup :
785+ DeletionPolicy : Retain
786+ Type : AWS::Logs::LogGroup
787+ UpdateReplacePolicy : Retain
788+ Properties :
789+ RetentionInDays : 400
790+
791+ rGetS3KmsKeyIdLambdaRole :
792+ Type : AWS::IAM::Role
793+ Metadata :
794+ cfn_nag :
795+ rules_to_suppress :
796+ - id : W11
797+ reason : Allow * in resource when required
798+ - id : W28
799+ reason : The role name is defined to identify automation resources
800+ Properties :
801+ AssumeRolePolicyDocument :
802+ Version : 2012-10-17
803+ Statement :
804+ - Effect : Allow
805+ Action : sts:AssumeRole
806+ Principal :
807+ Service :
808+ - lambda.amazonaws.com
809+ Policies :
810+ - PolicyName : org-id
811+ PolicyDocument :
812+ Version : 2012-10-17
813+ Statement :
814+ - Sid : S3BucketPermissions
815+ Effect : Allow
816+ Action : s3:GetEncryptionConfiguration
817+ Resource :
818+ - !Sub ' arn:${AWS::Partition}:s3:::${pGuardDutyBucketName}'
819+ - !Sub ' arn:${AWS::Partition}:s3:::${pCloudTrailBucketName}'
820+ - PolicyName : CloudWatchLogGroup
821+ PolicyDocument :
822+ Version : 2012-10-17
823+ Statement :
824+ - Sid : CloudWatchLogs
825+ Effect : Allow
826+ Action :
827+ - logs:CreateLogGroup
828+ - logs:CreateLogStream
829+ - logs:PutLogEvents
830+ Resource : !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*:*
831+
693832Outputs :
694833 oCloudTrailQueueArn :
695834 Description : The Arn of the SQS queue for CloudTrail log ingestion, supply to Deepwatch onboarding engineer
0 commit comments