SIEM policy updates

celaus · celaus · commit ba5ead260ead · 2024-03-12T16:35:48.000+01:00
diff --git a/security/siem/execution/template.yml b/security/siem/execution/template.yml
@@ -1,8 +1,28 @@
 Parameters:
-  Principal:
+  CoralogixRegionAlias:
     Type: String
-    Description: The AWS account ID or Role ARN of the principal who will assume the role
-    ConstraintDescription: "Must be a valid AWS account ID or a valid Role ARN"
+    Description: The Alias for the Coralogix region, possible options are [us1, us2, eu1, eu2, ap1, ap2, custom]
+    AllowedValues:
+      - us1
+      - us2
+      - eu1
+      - eu2
+      - ap1
+      - ap2
+      - custom
+  CustomCoralogixAccount:
+    Type: String
+    Description: In case you want to use a custom coralogix account, enter the aws account id that you want to use.
+    Default: ''
+
+Conditions:
+  IsRegionUs2: !Equals
+    - Ref: CoralogixRegionAlias
+    - us2
+  IsCustomAccount: !Not
+    - !Equals
+      - Ref: CustomCoralogixAccount
+      - ''
 
 Resources:
   CoralogixSIEMExecutionRole:
@@ -14,8 +34,15 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              AWS:
-                Ref: Principal
+              AWS: !Sub
+                - 'arn:aws:iam::${aws_account_id}:role/siem-service'
+                - aws_account_id: !If
+                    - IsCustomAccount
+                    - !Ref CustomCoralogixAccount
+                    - !If
+                      - IsRegionUs2
+                      - '739076534691'
+                      - '625240141681'
             Action: sts:AssumeRole
       Policies:
         - PolicyName: CoralogixSIEMPolicy
@@ -26,17 +53,24 @@ Resources:
                 Resource: ["*"]
                 Effect: Allow
                 Action:
-                  - "s3:GetBucketPublicAccessBlock"
-                  - "s3:GetBucketTagging"
-                  - "ec2:DescribeInstances"
-                  - "dynamodb:ListTagsOfResource"
-                  - "s3:GetBucketAcl"
-                  - "s3:GetEncryptionConfiguration"
-                  - "dynamodb:DescribeTable"
-                  - "rds:DescribeDBInstances"
-                  - "redshift:DescribeClusters"
-                  - "eks:DescribeCluster"
-                  - "eks:ListClusters"
-                  - "ec2:DescribeSubnets"
-                  - "s3:GetBucketLocation"
-                  - "redshift:DescribeClusterParameters"
+                  - "s3:GetBucketPublicAccessBlock",
+                  - "s3:GetBucketTagging",
+                  - "ec2:DescribeInstances",
+                  - "lambda:ListFunctions",
+                  - "dynamodb:ListTagsOfResource",
+                  - "s3:GetBucketAcl",
+                  - "ecs:DescribeClusters",
+                  - "s3:GetEncryptionConfiguration",
+                  - "s3:ListAllMyBuckets",
+                  - "lambda:ListTags",
+                  - "dynamodb:DescribeTable",
+                  - "rds:DescribeDBInstances",
+                  - "redshift:DescribeClusters",
+                  - "eks:DescribeCluster",
+                  - "ecs:ListContainerInstances",
+                  - "eks:ListClusters",
+                  - "ec2:DescribeSubnets",
+                  - "s3:GetBucketLocation",
+                  - "rds:DescribeDBClusters",
+                  - "redshift:DescribeClusterParameters",
+                  - "ecs:ListClusters"
diff --git a/security/siem/management/template.yml b/security/siem/management/template.yml
@@ -1,21 +1,52 @@
 Parameters:
-  Principal:
+  CoralogixRegionAlias:
     Type: String
-    Description: The AWS account ID of the principal who will assume the role
-    ConstraintDescription: "Must be a valid AWS account ID"
+    Description: The Alias for the Coralogix region, possible options are [us1, us2, eu1, eu2, ap1, ap2, custom]
+    AllowedValues:
+      - us1
+      - us2
+      - eu1
+      - eu2
+      - ap1
+      - ap2
+      - custom
+  CustomCoralogixAccount:
+    Type: String
+    Description: In case you want to use a custom coralogix account, enter the aws account id that you want to use.
+    Default: ''
+  RoleName:
+    Type: String
+    Description: Don't change it! It needs to match the one that was input on the Coralogix form. Corresponds to the name of the AWS IAM role that will be created.
+    AllowedPattern: '^[a-zA-Z0-9_+=,.@-]+$'
+    MaxLength: 64
+Conditions:
+  IsRegionUs2: !Equals
+    - Ref: CoralogixRegionAlias
+    - us2
+  IsCustomAccount: !Not
+    - !Equals
+      - Ref: CustomCoralogixAccount
+      - ''
 
 Resources:
   CoralogixSIEMManagementRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: Coralogix-SIEM-Management-Role
+      RoleName: !Ref RoleName
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
         Statement:
           - Effect: Allow
             Principal:
-              AWS:
-                Ref: Principal
+              AWS: !Sub
+                - 'arn:aws:iam::${aws_account_id}:role/siem-service'
+                - aws_account_id: !If
+                    - IsCustomAccount
+                    - !Ref CustomCoralogixAccount
+                    - !If
+                      - IsRegionUs2
+                      - '739076534691'
+                      - '625240141681'
             Action: sts:AssumeRole
       Policies:
         - PolicyName: CoralogixSIEMManagementRolePolicy
@@ -24,8 +55,5 @@ Resources:
             Statement:
               - Effect: Allow
                 Action:
-                  - organizations:ListAccounts
-                  - iam:CreatePolicy
-                  - iam:DeletePolicy
-                  - iam:AttachRolePolicy
+                  - "organizations:ListAccounts"
                 Resource: "*"
