sysdiglabs
diff --git a/‎use-cases/README.md
Lines changed: 6 additions & 1 deletion b/‎use-cases/README.md
Lines changed: 6 additions & 1 deletion
diff --git a/‎use-cases/nontf-org-three-cross-account-k8s-theat-compliance.md renamed to ‎use-cases/manual-org-three-cross-account-k8s-theat-compliance.md
Lines changed: 15 additions & 5 deletions b/‎use-cases/nontf-org-three-cross-account-k8s-theat-compliance.md renamed to ‎use-cases/manual-org-three-cross-account-k8s-theat-compliance.md
Lines changed: 15 additions & 5 deletions
diff --git a/‎use-cases/manual-org-three-way.md
Lines changed: 282 additions & 0 deletions b/‎use-cases/manual-org-three-way.md
Lines changed: 282 additions & 0 deletions
diff --git a/‎use-cases/org-three-cross-account-s3-event-forward.md
Lines changed: 11 additions & 1 deletion b/‎use-cases/org-three-cross-account-s3-event-forward.md
Lines changed: 11 additions & 1 deletion
diff --git a/‎use-cases/resources/manual-org-three-way.png
98.3 KB b/‎use-cases/resources/manual-org-three-way.png
98.3 KB
@@ -4,11 +4,16 @@
 
 Current examples were developed for simple use-case scenarios. 
 
-New use-cases are appearing and once we consolidate an standard scenario, we will create new examples to accommodate new requirements.
+New use-cases are appearing and once we consolidate a standard scenario, we will create new examples to accommodate new requirements.
 
 Check [current use-case list](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/use-cases), or use the [questionnaire](./_questionnaire.md) to let us know your needs
 
+Secure for cloud is served through Terraform for [AWS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud) 
+[GCP](https://github.com/sysdiglabs/terraform-google-secure-for-cloud) and [Azure](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud) clouds, 
+and for AWS in [Cloudformation](https://github.com/sysdiglabs/aws-templates-secure-for-cloud) too.
 
+If not Terraform nor Cloudformation suits, take a look at the `manual-*` prefixed use-cases.
+ 
 
 ## Use-Case summary
 
 
@@ -30,7 +30,7 @@ Note:
 - All event ingestion resource (cloudtrail-sns, and cloudtrail-s3 bucket) live in same `AWS_REGION` AWS region.
   Otherwise, contact us, so we can alleviate this limitation.
 
-![three-way k8s setup](./resources/org-three-way.png)
+![three-way k8s setup](./resources/org-three-way-with-sns.png)
 
 
 We suggest to
@@ -44,21 +44,30 @@ We suggest to
 <!--
 
 all in same region
-management account - cloudtrail
+management account - cloudtrail (no kms for quick test)
 log archive account - s3, sns, sqs
 
 0.1 Provision an S3 bucket in the selected region and allow cloudtrail access
 {
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "AllowCloudtrailToPutS3",
+            "Sid": "Statement1",
             "Effect": "Allow",
             "Principal": {
                 "Service": "cloudtrail.amazonaws.com"
             },
             "Action": "s3:PutObject",
-            "Resource": "arn:aws:s3:::irutest-neo4j/*"
+            "Resource": "S3_ARN/*"
+        },
+        {
+            "Sid": "Statement2",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "S3_ARN"
         }
     ]
 }
@@ -73,7 +82,7 @@ log archive account - s3, sns, sqs
       "Action": [
         "SNS:Publish"
       ],
-      "Resource": "S3_ARN"
+      "Resource": "ARN_SNS"
     }
 -->
 
@@ -363,3 +372,4 @@ You should get success or the reason of failure.
 
 - [Official Docs Check Guide](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-gcp/#confirm-the-services-are-working)
 - [Forcing events](https://github.com/sysdiglabs/terraform-google-secure-for-cloud#forcing-events)
+
@@ -0,0 +1,282 @@
+# Secure for Cloud - Organizational Cloudtrail with S3 in a different account
+
+## Use-Case explanation
+
+**Current User Setup**
+
+- Secure for Cloud organizational setup, meaning 
+  - Management Account level AWS Organizational Cloudtrail
+  - Cloudtrail has SNS activated
+- In this use-case, the S3 bucket is not in the management account of the organization, but on a different logging 
+  account
+- Compute cluster available (EKS or ECS) for Sysdig workload to deployment
+- Permission provisioning will be performed manually with several IAM Roles
+
+**Sysdig Secure for Cloud [Features](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/)**
+- Threat-Detection
+- Posture; Compliance + Identity Access Management
+<br/><br/>
+
+## Suggested building-blocks
+
+### 1. **Compliance setup** on Sysdig backend and AWS Accounts
+
+On each member-account where compliance wants to be checked, we need to provide a role for Sysdig to be able to impersonate and
+perform `SecurityAudit` tasks.
+
+In addition, we must make Sysdig aware of this accounts and role. 
+We will guide you to provide, on the Sysdig Secure SaaS backend, the following resources:
+- a cloud-account for each member account of your organization where compliance is wanted to be checked
+- a task that will run "aws_foundations_bench-1.3.0" schema on previously defined accounts
+
+Perform the following steps.
+- 1.1 Provision Sysdig Secure SaaS Backend with the [sysdig_cloud_compliance_provisioning.sh](../../utils/sysdig_cloud_compliance_provisioning.sh) script.
+  - Review and provide required values before launching
+  - Gather `TrustIdentity` and `ExternalId` values.
+- 1.2 Now create `SysdigComplianceRole` on each member account, using [Sysdig Compliance IAM policy](../../general_templates/ComplianceAgentlessRole.yaml) as guidance
+and using the values gathered in previous step.
+<br/><br/>
+
+### 2. Prepare **EKS/ECS SysdigComputeRole**
+
+First let's review permission schema.
+![permission schema](./manual-org-three-way.png)
+
+In further steps, we will deploy Sysdig compute workload inside an EKS/ECS cluster.
+
+We are going to need a `SysdigComputeRole` (attached to the compute service), to configure some permissions to be 
+able to fetch the required data. 
+
+- for **EKS** cluster, create a `SysdigComputeRole` role for the IAM authentication setup mapping, or if you want to 
+  quickly test it, just make use of the `eks_nodes` role generated by default in EKS.
+- for **ECS** cluster create a `SysdigComputeRole`, with the Trust relationship to allow ECS-Task usage
+  ```
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Sid": "",
+              "Effect": "Allow",
+              "Principal": {
+                  "Service": "ecs-tasks.amazonaws.com"
+              },
+              "Action": "sts:AssumeRole"
+          }
+      ]
+  }
+  ```
+
+<br/><br/>
+### 3. **Cloudtrail SQS**
+
+In order to ingest cloudtrail events we will need a queue endpoint.
+Access your cloudtrail and activate SNS notification if it's not already available.
+
+Now **create** an SQS queue (in the same region as the SNS, and in the same account as where the EKS/ECS cluster is), and subscribe the SNS topic to it.
+Because these two resources (SNS and SQS) are in different account, you will need to give permissions in the SNS for 
+the SQS to be able to `SNS:Subscribe` it.
+<!--
+    {
+      "Sid": "Subscribe",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "SNS:Subscribe",
+      "Resource": "arn:aws:sns:eu-west-3:237944556329:irutest-3-cross-account"
+    }
+-->
+
+If SQS and EKS/ECS cluster are within the same account, you will only need to give **permissions** to either 
+SysdigCompute IAM role (`ARN_SYSDIG_COMPUTE_ROLE`) or SQS.
+
+[Otherwise, you will need to provide permissions for both](https://aws.amazon.com/premiumsupport/knowledge-center/sqs-accessdenied-errors/#Amazon_SQS_access_policy_and_IAM_policy) <br/>
+Use following snipped if required
+```txt
+ {
+      "Sid": "AllowSysdigProcessSQS",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "<ARN_SYSDIG_COMPUTE_ROLE>"
+      },
+      "Action": [
+        "SQS:ReceiveMessage",
+        "SQS:DeleteMessage"
+      ],
+      "Resource": "<ARN_CLOUTRAIL_SNS_SQS>"
+    }
+```
+<br/><br/>
+
+### 4. **Cross-Account Access Role**
+
+This step provisions a role for `SysdigComputeRole` be able to assume, and access resources outside the account, 
+such as S3 buckets.
+
+Create a `SysdigS3AccessRole` and setup a Trust Relationship, for Sysdig Compute role to be able to assume it.
+```
+{
+    "Sid": "AllowSysdigAssumeRole",
+    "Effect": "Allow",
+    "Principal": {
+        "AWS": "<ARN_SYSDIG_COMPUTE_ROLE>"
+    },
+    "Action": "sts:AssumeRole"
+}
+```
+<br/><br/>
+
+### 5. **Cross-Account Access Setup for S3**
+
+In the previously created `SysdigS3AccessRole`, we're gonna enable it to acces the `ARN_CLOUDTRAIL_S3` bucket where the events are stored
+Give the following **permission** Statement 
+```
+ {
+    "Sid": "AllowSysdigReadS3",
+    "Effect": "Allow",
+    "Action": [
+        "s3:GetObject"
+    ],
+    "Resource": "<ARN_CLOUDTRAIL_S3>/*"
+}
+```
+
+
+Now we will need to perform same **permissions setup on the S3 bucket**. Add following Statement to the **Bucket policy**
+
+```text
+{
+    "Sid": "AllowSysdigReadS3",
+    "Effect": "Allow",
+    "Principal": {
+        "AWS": "<ARN_SYSDIG_S3_ACCESS_ROLE>"
+    },
+    "Action": "s3:GetObject",
+    "Resource": "<ARN_CLOUDTRAIL_S3>/*"
+}
+```
+<br/><br/>
+
+
+### 6. **Sysdig Compute** Workload deployment
+
+Following Step2. We will setup `SysdigComputeRole`, to be able to perform required actions by Secure for Cloud 
+compute; work with the SQS and access S3 resources (this last one via assumeRole).
+
+```text
+{
+    "Version": "2012-10-17",
+    "Statement": [
+	    {
+            "Effect": "Allow",
+            "Action": [
+                "SQS:ReceiveMessage",
+                "SQS:DeleteMessage"              
+            ],
+            "Resource": "<ARN_CLOUDTRAIL_SNS_SQS>"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole"
+            ],
+            "Resource": "<ARN_SYSDIG_S3_ACCESS_ROLE>"
+        }
+    ]
+}
+```
+
+Now we will deploy the compute component, depending on the compute service
+
+#### A) EKS
+
+If using Kubernetes, we will make use of the [Sysdig cloud-connector helm chart](https://charts.sysdig.
+com/charts/cloud-connector/) component.
+
+Provided the following `values.yaml` template
+```helm
+-- values.yaml suggestion
+sysdig:
+  url: "https://secure.sysdig.com"
+  secureAPIToken: "SYSDIG_API_TOKEN"
+telemetryDeploymentMethod: "helm_aws_k8s_org"		# not required but would help us
+aws:
+    region: <SQS-AWS-REGION>
+ingestors:
+    - cloudtrail-sns-sqs: 
+        queueURL:"<URL_CLOUDTRAIL_SNS_SQS>"             # step 3 
+        assumeRole:"<ARN_ROLE_SYSDIG_S3_ACCESS>"        # step 4
+```
+
+We will install it
+```shell
+$ helm upgrade --install --create-namespace -n sysdig-cloud-connector sysdig-cloud-connector sysdig/cloud-connector -f values.yaml
+```
+
+Test it
+```shell
+$ kubectl logs -f -n sysdig-cloud-connector deployment/sysdig-cloud-connector
+```
+
+And if desired uninstall it
+```shell
+$ helm uninstall -n sysdig-cloud-connector sysdig-cloud-connector
+```
+
+#### B) ECS
+
+If using , AWS ECS (Elastic Container Service), we will create a new Fargate Task.
+
+- TaskRole: Use previously created `SysdigComputeRole`
+- Task memory (GB): 0.5 and Task CPU (vCPU: 0.25 will suffice
+- Container definition:  
+  - Image: `quay.io/sysdig/cloud-connector:latest`
+  - Port Mappings; bind port 5000:5000 tcp protocol
+  - Environment variables
+    - SECURE_URL
+    - SECURE_API_TOKEN
+    - CONFIG:  A base64 encoded configuration of the cloud-connector service
+    ```
+    logging: info
+    rules: []
+    ingestors:
+        - cloudtrail-sns-sqs: 
+            queueURL: <URL_CLOUDTRAIL_SNS_SQS> 
+            assumeRole: <ARN_ROLE_SYSDIG_S3_ACCESS>
+    ```
+<!--
+
+AWS Systems Manager
+Application Manager
+CustomGroup: iru
+
+
+AWS::SSM::Parameter
+Type: SecureString
+Data type: text
+
+In ContainerDefinition, secrets
+- SECURE_API_TOKEN, `secretName`
+
+
+ExecutionRole
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "",
+"Effect": "Allow",
+"Action": "ssm:GetParameters",
+"Resource": "arn:aws:ssm:eu-west-3:**:parameter/**"
+}
+]
+}
+-->
+
+
+## Testing
+
+Check within Sysdig Secure
+- Integrations > Cloud Accounts
+- Posture > Compliance  for the compliance task schedule
+- Insights > Cloud Activity
@@ -36,7 +36,7 @@ This use case will cover
 <!--
 
 all in same region
-management account - cloudtrail
+management account - cloudtrail (no kms for quick test)
 log archive account - s3, sns, sqs
 
 0.1 Provision an S3 bucket in the selected region and allow cloudtrail access
@@ -51,6 +51,15 @@ log archive account - s3, sns, sqs
             },
             "Action": "s3:PutObject",
             "Resource": "S3_ARN/*"
+        },
+        {
+            "Sid": "Statement2",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "S3_ARN"
         }
     ]
 }
@@ -254,3 +263,4 @@ Suggested steps
    - Posture > Identity and Access Management - Overview
    - Posture > Compliance - AWS
    - Insights > Cloud Activity
+