diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
index fda5377..e247470 100755
--- a/.project_automation/functional_tests/entrypoint.sh
+++ b/.project_automation/functional_tests/entrypoint.sh
@@ -29,12 +29,12 @@ run_test() {
 unset AWS_DEFAULT_REGION
 if [ -z "$1" ]; then
 echo "Running e2e test: ALL"
- taskcat test run -n
- .project_automation/functional_tests/scoutsuite/scoutsuite.sh
+ taskcat test run
+ # .project_automation/functional_tests/scoutsuite/scoutsuite.sh
 else
 echo "Running e2e test: $1"
- taskcat test run -n -t $1
- .project_automation/functional_tests/scoutsuite/scoutsuite.sh
+ taskcat test run -t $1
+ # .project_automation/functional_tests/scoutsuite/scoutsuite.sh
 fi
 }
diff --git a/.taskcat.yml b/.taskcat.yml
index c249bf1..b747509 100644
--- a/.taskcat.yml
+++ b/.taskcat.yml
@@ -24,7 +24,6 @@ tests:
 FalconSecret: $[taskcat_ssm_/crowdstrike/falcon_secret]
 DockerAPIToken: $[taskcat_ssm_/crowdstrike/falcon_docker_api_token]
 FalconCID: $[taskcat_ssm_/crowdstrike/falcon_cod]
- EventBusAccount: $[taskcat_ssm_/crowdstrike/eventbus_account]
 SourceS3BucketName: $[taskcat_autobucket]
 S3BucketRegion: $[taskcat_current_region]
 ProvisionOU: $[taskcat_ssm_/crowdstrike/provision-ou]
diff --git a/VERSION b/VERSION
index 795460f..56130fb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v1.1.0
+v1.1.1
diff --git a/guide/content/deployment-steps.md b/guide/content/deployment-steps.md
index 7f23c79..d6416cc 100644
--- a/guide/content/deployment-steps.md
+++ b/guide/content/deployment-steps.md
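Review bot: `$1` is still unquoted in `taskcat test run -t $1`, so a test name containing whitespace or glob characters is word-split before it reaches taskcat; change it to `taskcat test run -t "$1"`. The ScoutSuite call in both branches is commented out rather than removed, which silently drops the post-deployment posture scan from the e2e gate; either delete the two lines or leave a comment saying why and what replaces it, e.g. `# ScoutSuite scan disabled: <reason> — tracked in <issue-id>`. Dropping `-n` from both invocations also changes behaviour if that is taskcat's `--no-delete` (test stacks would now be torn down automatically), which the commit description should state. run_test begins before the hunk.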
@@ -61,7 +61,6 @@ description: Deployment steps. * **FalconCID**: Your CrowdStrike Falcon CID with checksum. (eg. ********************************-ab) * **DockerAPIToken**: Your Falcon Docker API Token * **OrganizationId**: Your AWS Organization ID (eg. o-********) - * **EventBusAccount**: The account to centralize EKS Protection resources. This account must be the Organization Management Account or a Delegated Administrator. * **EventBusName**: Name of the centralized EventBus. Default is `crowdstrike-eks-eventbus` * **EventBridgeRoleName**: Name of the EventBridge IAM role. Default is `crowdstrike-eks-eventbridge-role` * **EKSExecutionRoleName**: Name of the Target Execution IAM role. Default is `crowdstrike-eks-execution-role` diff --git a/lambda_functions/source/register-organization/lambda.py b/lambda_functions/source/register-organization/lambda.py index d7f58fd..72f447c 100644 --- a/lambda_functions/source/register-organization/lambda.py +++ b/lambda_functions/source/register-organization/lambda.py @@ -22,7 +22,7 @@ SUCCESS = "SUCCESS" FAILED = "FAILED" -VERSION = "1.0.0" +VERSION = "1.1.1" NAME = "crowdstrike-cloud-abi" USERAGENT = ("%s/%s" % (NAME, VERSION)) diff --git a/templates/crowdstrike_init_stack.yaml b/templates/crowdstrike_init_stack.yaml index dd664e5..8b68cfd 100644 --- a/templates/crowdstrike_init_stack.yaml +++ b/templates/crowdstrike_init_stack.yaml @@ -77,7 +77,6 @@ Metadata: - EKSProtection - FalconCID - DockerAPIToken - - EventBusAccount - EventBusName - EventBridgeRoleName - EKSExecutionRoleName @@ -184,8 +183,6 @@ Metadata: default: Falcon CID DockerAPIToken: default: Falcon Docker API Token - EventBusAccount: - default: EKS Protection Account EventBusName: default: Name of EventBus EventBridgeRoleName: 
@@ -427,10 +424,6 @@ Parameters:
 NoEcho: true
 Description: Your Falcon Docker API Token
 Default: "DockerAPIToken"
- EventBusAccount:
- Description: The account to centralize EKS Protection resources. This account must be the Organization Management Account or a Delegated Administrator.
- Type: String
- Default: "111111111111"
 EventBusName:
 Type: String
 Description: Name of the centralized EventBus
@@ -481,10 +474,13 @@ Mappings:
 CloudMap:
 us1:
 BaseURL: "https://api.crowdstrike.com"
+ CrowdStrikeCloud: us-1
 us2:
 BaseURL: "https://api.us-2.crowdstrike.com"
+ CrowdStrikeCloud: us-2
 eu1:
 BaseURL: "https://api.eu-1.crowdstrike.com"
+ CrowdStrikeCloud: eu-1
 Conditions:
 CreateIOAResources: !Equals [ !Ref 'EnableIOA', true ]
@@ -1388,7 +1384,7 @@ Resources:
 Environment:
 Variables:
 LOG_LEVEL: "INFO"
- EVENTBUS_ACCOUNT: !Ref EventBusAccount
+ EVENTBUS_ACCOUNT: !Ref AWS::AccountId
 EKS_PROTECTION: !Ref EKSProtection
 Code:
 S3Bucket: !Ref StagingS3Bucket
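Review bot: `EVENTBUS_ACCOUNT: !Ref AWS::AccountId` means the OrgId Lambda is now always handed the deploying account, while the only account-derived output of that custom resource visible in this diff, `OrgIdLambdaCustomResource.eventbus_account_ou`, is dropped together with the old StackSet further down. If the function still resolves that OU from `EVENTBUS_ACCOUNT` (presumably via Organizations API calls), that code path and the permissions backing it are now dead weight and a least-privilege candidate; if it does not, the variable itself can go. Either way a one-line comment on the variable would help, e.g. `# always the deploying account: EKS Protection root resources now live in nested stacks here`. The enclosing Lambda resource starts and ends outside the hunk.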
@@ -1443,43 +1439,25 @@ Resources: Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${OrgIdLambdaFunctionName}:log-stream:* # EKS Protection - RootRolesStackSet: + RootRolesStack: + Type: 'AWS::CloudFormation::Stack' Condition: EnableEKSProtection - Type: AWS::CloudFormation::StackSet + DeletionPolicy: Delete + UpdateReplacePolicy: Delete Properties: - StackSetName: crowdstrike-eks-protection-root-roles - Capabilities: - - CAPABILITY_NAMED_IAM - AdministrationRoleARN: !GetAtt StackSetAdministrationRole.Arn - ExecutionRoleName: !Ref StackSetExecRole - Parameters: - - ParameterKey: CodeBuildProjectName - ParameterValue: !Ref CodeBuildProjectName - - ParameterKey: CodeBuildRoleName - ParameterValue: !Ref CodeBuildRoleName - - ParameterKey: EventBridgeRoleName - ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EKSExecutionRoleName - ParameterValue: !Ref EKSExecutionRoleName - - ParameterKey: StagingS3Bucket - ParameterValue: !Ref StagingS3Bucket - - ParameterKey: EventBusName - ParameterValue: !Ref EventBusName - - ParameterKey: PermissionsBoundary - ParameterValue: !Ref PermissionsBoundary - PermissionModel: SELF_MANAGED - StackInstancesGroup: - - DeploymentTargets: - AccountFilterType: NONE - Accounts: - - !Ref EventBusAccount - Regions: - - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-root-roles.yml + Parameters: + CodeBuildProjectName: !Ref CodeBuildProjectName + CodeBuildRoleName: !Ref CodeBuildRoleName + EventBridgeRoleName: !Ref EventBridgeRoleName + EKSExecutionRoleName: !Ref EKSExecutionRoleName + StagingS3Bucket: !Ref StagingS3Bucket + EventBusName: !Ref EventBusName + PermissionsBoundary: !Ref PermissionsBoundary EKSTargetRolesStackSet: Condition: EnableEKSProtection - DependsOn: RootRolesStackSet + DependsOn: RootRolesStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: 
crowdstrike-eks-protection-target-roles @@ -1491,7 +1469,7 @@ Resources: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - ParameterKey: EventBusAccount - ParameterValue: !Ref EventBusAccount + ParameterValue: !Ref AWS::AccountId - ParameterKey: EventBusName ParameterValue: !Ref EventBusName - ParameterKey: CodeBuildRoleName @@ -1499,6 +1477,7 @@ Resources: - ParameterKey: PermissionsBoundary ParameterValue: !Ref PermissionsBoundary PermissionModel: SERVICE_MANAGED + CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false 
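Review bot: `RootRolesStack` now creates the named IAM roles through a nested `AWS::CloudFormation::Stack`, so the `CAPABILITY_NAMED_IAM` the removed StackSet declared explicitly has to be acknowledged by whoever creates the parent stack; confirm the deployment guide and the taskcat config cover that, since the old path needed no extra capability on the parent. `StackSetAdministrationRole` and `StackSetExecRole` are no longer referenced by this resource (nor by `RootEKSProtectionStack` in the hunk at `-1514`); if nothing else in the template uses them after this change they should be removed, because an unreferenced StackSet administration/execution role pair is standing privilege with no consumer. `DeletionPolicy: Delete` / `UpdateReplacePolicy: Delete` look intentional but deserve a one-line comment stating that the roles are meant to disappear with the parent. The `EKSTargetRolesStackSet` resource that starts at the end of this hunk continues past it.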
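Review bot: `CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]` references a condition, `IsDelegatedAdmin`, that this diff does not add and that is not visible in the `Conditions` block shown in the hunk at `-481`; if it is not already declared the template fails validation, and if it is, a comment stating what it is derived from would help reviewers. The same line is added to `EKSEventBridgeStackSet` in the hunk at `-1587`. With this change the event bus account is implicitly the delegated administrator whenever one is used, where the removed `EventBusAccount` parameter description used to spell that requirement out, so the `EventBusName` description or the guide should state where the bus now lives. The `EKSTargetRolesStackSet` resource starts before this hunk and ends after it.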
@@ -1514,72 +1493,43 @@ Resources: - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-target-roles-stackset.yml - RootEKSProtectionStackSet: + RootEKSProtectionStack: + Type: 'AWS::CloudFormation::Stack' Condition: EnableEKSProtection DependsOn: EKSTargetRolesStackSet - Type: AWS::CloudFormation::StackSet + DeletionPolicy: Delete + UpdateReplacePolicy: Delete Properties: - StackSetName: crowdstrike-eks-protection-root-protection - Capabilities: - - CAPABILITY_NAMED_IAM - AdministrationRoleARN: !GetAtt StackSetAdministrationRole.Arn - ExecutionRoleName: !Ref StackSetExecRole - Parameters: - - ParameterKey: StagingS3Bucket - ParameterValue: !Ref StagingS3Bucket - - ParameterKey: Backend - ParameterValue: !Ref Backend - - ParameterKey: Registry - ParameterValue: !Ref Registry - - ParameterKey: EnableKAC - ParameterValue: !Ref EnableKAC - - ParameterKey: CrowdStrikeCloud - ParameterValue: !Ref CSCloud - - ParameterKey: EventBusName - ParameterValue: !Ref EventBusName - - ParameterKey: OrganizationId - ParameterValue: !GetAtt OrgIdLambdaCustomResource.organization_id - - ParameterKey: FalconClientId - ParameterValue: !Ref FalconClientID - - ParameterKey: FalconClientSecret - ParameterValue: !Ref FalconSecret - - ParameterKey: KubernetesUserName - ParameterValue: !Ref KubernetesUserName - - ParameterKey: FalconCID - ParameterValue: !Ref FalconCID - - ParameterKey: DockerAPIToken - ParameterValue: !Ref DockerAPIToken - - ParameterKey: EKSExecutionRoleName - ParameterValue: !Ref EKSExecutionRoleName - - ParameterKey: CodeBuildProjectName - ParameterValue: !Ref CodeBuildProjectName - - ParameterKey: CodeBuildRoleName - ParameterValue: !Ref CodeBuildRoleName - - ParameterKey: VpcCIDR - ParameterValue: '10.192.0.0/16' - - ParameterKey: PublicSubnet1CIDR - ParameterValue: '10.192.10.0/24' - - ParameterKey: PublicSubnet2CIDR - ParameterValue: '10.192.11.0/24' - - ParameterKey: 
PrivateSubnet1CIDR - ParameterValue: '10.192.20.0/24' - - ParameterKey: PrivateSubnet2CIDR - ParameterValue: '10.192.21.0/24' - PermissionModel: SELF_MANAGED - StackInstancesGroup: - - DeploymentTargets: - AccountFilterType: NONE - Accounts: - - !Ref EventBusAccount - OrganizationalUnitIds: - - !GetAtt OrgIdLambdaCustomResource.eventbus_account_ou - Regions: - - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-protection-stack.yml + Parameters: + StagingS3Bucket: !Ref StagingS3Bucket + Backend: !Ref Backend + Registry: !Ref Registry + EnableKAC: !Ref EnableKAC + CrowdStrikeCloud: !FindInMap + - CloudMap + - !Ref CSCloud + - CrowdStrikeCloud + EventBusName: !Ref EventBusName + OrganizationId: !GetAtt OrgIdLambdaCustomResource.organization_id + FalconClientId: !Ref FalconClientID + FalconClientSecret: !Ref FalconSecret + KubernetesUserName: !Ref KubernetesUserName + FalconCID: !Ref FalconCID + DockerAPIToken: !Ref DockerAPIToken + EKSExecutionRoleName: !Ref EKSExecutionRoleName + CodeBuildProjectName: !Ref CodeBuildProjectName + CodeBuildRoleName: !Ref CodeBuildRoleName + SourceS3BucketNamePrefix: !Ref SourceS3BucketNamePrefix + VpcCIDR: '10.192.0.0/16' + PublicSubnet1CIDR: '10.192.10.0/24' + PublicSubnet2CIDR: '10.192.11.0/24' + PrivateSubnet1CIDR: '10.192.20.0/24' + PrivateSubnet2CIDR: '10.192.21.0/24' EKSEventBridgeStackSet: Condition: EnableEKSProtection - DependsOn: RootEKSProtectionStackSet + DependsOn: RootEKSProtectionStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: crowdstrike-eks-protection-eventbridge 
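Review bot: `FalconClientSecret: !Ref FalconSecret` and `DockerAPIToken: !Ref DockerAPIToken` are now passed as plain nested-stack parameters, and CloudFormation only masks them in DescribeStacks output and the console if `eks-protection-stack.yml` declares those parameters with `NoEcho: true` (the parent does so for `DockerAPIToken`, per the hunk at `-427`); please confirm the child template marks both, plus `FalconCID` if it is treated as sensitive. The child must also declare the newly passed `SourceS3BucketNamePrefix` parameter, since an undeclared parameter fails stack creation. The VPC and subnet CIDRs remain hard-coded (`VpcCIDR: '10.192.0.0/16'` and the four subnets); now that this is a nested stack in the deploying account, exposing them as parent parameters with these values as defaults would let operators avoid address-space collisions. `RootEKSProtectionStack` begins in the part of this hunk on the previous line, and `EKSEventBridgeStackSet` continues after it.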
@@ -1587,12 +1537,13 @@ Resources:
 - ParameterKey: EventBusName
 ParameterValue: !Ref EventBusName
 - ParameterKey: EventBusAccount
- ParameterValue: !Ref EventBusAccount
+ ParameterValue: !Ref AWS::AccountId
 - ParameterKey: EventBusRegion
 ParameterValue: !Ref AWS::Region
 - ParameterKey: EventBridgeRoleName
 ParameterValue: !Ref EventBridgeRoleName
 PermissionModel: SERVICE_MANAGED
+ CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
 AutoDeployment:
 Enabled: true
 RetainStacksOnAccountRemoval: true
diff --git a/templates/eks-protection-stack.yml b/templates/eks-protection-stack.yml
index ee348b7..a59cdbd 100644
--- a/templates/eks-protection-stack.yml
+++ b/templates/eks-protection-stack.yml
@@ -164,7 +164,7 @@ Resources:
 project_name: !Ref CodeBuildProjectName
 artifact_bucket: !Ref StagingS3Bucket
 lambda_switch_role: !Ref EKSExecutionRoleName
- Handler: lambda_function.lambda_handler
+ Handler: lambda.lambda_handler
 MemorySize: 128
 Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${EKSExecutionRoleName}
 Runtime: python3.11
@@ -205,7 +205,7 @@ Resources:
 project_name: !Ref CodeBuildProjectName
 artifact_bucket: !Ref StagingS3Bucket
 lambda_switch_role: !Ref EKSExecutionRoleName
- Handler: lambda_function.lambda_handler
+ Handler: lambda.lambda_handler
 MemorySize: 128
 Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${EKSExecutionRoleName}
 Runtime: python3.11
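Review bot: `Handler: lambda.lambda_handler` renames the module in both functions (hunks at `-164` and `-205`), but no rename of the packaged source from `lambda_function.py` to `lambda.py` appears in this diff; if the artifact in `StagingS3Bucket` still ships `lambda_function.py`, both functions deploy cleanly and then fail on every invocation with an import error, so the rename or the corresponding build-script change should be part of the same commit. Naming the module `lambda` matches `lambda_functions/source/register-organization/lambda.py` elsewhere in the repo, but because `lambda` is a Python keyword the module cannot be imported by name from unit tests; a comment in the packaging script noting that the runtime loads it by string is worth adding. The Lambda resources holding these properties start and end outside the hunks.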