AWS Cloudformation templates and python codes for security blog post on How to centralize and visualize multi-account Amazon Inspector findings with Amazon Elasticsearch and Amazon S3

aws-samples/aws-multi-account-inspector-to-es-s3-blogpost-2020

Blog Post - Centralize and visualize multi-account Amazon Inspector findings with Amazon Elasticsearch and Amazon S3

This repository contains the source code and the automation templates for the AWS Security Blog post that deploys a solution to centrally analyze and monitor the vulnerability posture of EC2 instances across multiple regions of multiple accounts in your AWS environment. The solution sends the security findings generated by Amazon Inspector directly to Amazon ES for visualization in Kibana and to Amazon S3 for additional storage, in a centralized architecture.

In this repository you will find all the AWS CloudFormation templates that build this solution in your AWS environment. Additionally, you will need to download the zip file that contains the Lambda function code, which must be stored in an S3 bucket for deployment.

Overview of the CloudFormation Templates

Central-SecurityAcnt-BaseTemplate.yaml - This template creates the following resources in the central security account:

  1. An SNS topic and topic policy in each region that corresponds to a region of the application accounts where an Inspector scan will be conducted.
  2. An SQS queue with queue policy in the primary region, to which the regional SNS topics send the Inspector findings as messages.
  3. A dead-letter queue in the primary region where failed messages will be stored if the messages are not delivered to the main SQS queue.
  4. An IAM role and policy used by the Lambda function in every region of every account to associate an SNS topic with the created Inspector template.
  5. An SNS subscription for the SQS queue.
  6. A Lambda function (the main function) in the primary region, triggered by the SQS queue, that sends Inspector findings from all regions of all application accounts to the centralized Elasticsearch domain and S3 bucket. The function code - Inspector-to-S3ES-crossAcnt.py - exceeds 4096 characters, so it is compressed together with all its dependent Python modules into a zip file - Inspector-to-S3ES-crossAcnt.zip. For the dependent Python modules, refer to the folder - lambda-dependencies.
  7. An IAM role and policy used as the Lambda execution role.
  8. A Lambda trigger that associates the SQS queue with the Lambda function (both being in the same primary region).
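As an added illustration of how the main function in item 6 operates, here is example code that is not the repository's Inspector-to-S3ES-crossAcnt.py: it unwraps an SQS record carrying an SNS notification from Inspector, assumes the cross-account role in the application account named in the finding ARN, fetches the finding with describe_findings, writes it to S3, and indexes it in the Amazon ES domain with a SigV4-signed request. The SNS payload keys (event, finding, run), the flattened document shape, the role name, bucket name and ES endpoint are assumptions or placeholders; the sample record and finding are constructed.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

try:
    import boto3
    from botocore.auth import SigV4Auth
    from botocore.awsrequest import AWSRequest
except ImportError:  # shipped in the Lambda runtime; the pure helpers below run without it
    boto3 = None

# An Inspector Classic ARN names the owning account and region, which tells the
# central function which cross-account role to assume and which regional API to call.
INSPECTOR_ARN = re.compile(r"^arn:aws:inspector:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):")

# Constructed sample inputs (made-up account, ARNs and finding; not real data).
SAMPLE_FINDING_ARN = ("arn:aws:inspector:us-west-2:123456789012:"
                      "target/0-aaaa/template/0-bbbb/run/0-cccc/finding/0-dddd")
SAMPLE_SQS_RECORD = {"body": json.dumps({"Message": json.dumps({
    "event": "FINDING_REPORTED", "finding": SAMPLE_FINDING_ARN,
    "run": SAMPLE_FINDING_ARN.split("/finding/")[0]})})}
SAMPLE_RUN_EVENT_RECORD = {"body": json.dumps({"Message": json.dumps(
    {"event": "ASSESSMENT_RUN_COMPLETED", "run": SAMPLE_FINDING_ARN.split("/finding/")[0]})})}
SAMPLE_RAW_FINDING = {
    "arn": SAMPLE_FINDING_ARN, "title": "sample title", "severity": "High", "numericSeverity": 9.0,
    "assetAttributes": {"agentId": "i-0123456789abcdef0"},
    "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:us-west-2:000000000000:rulespackage/0-sample"},
    "attributes": [{"key": "CVE_ID", "value": "CVE-0000-0001"}, {"key": "package_name", "value": "sample-pkg"}],
    "updatedAt": "2020-05-01T00:00:00Z",
}


def parse_inspector_notification(sqs_record):
    """SQS record -> SNS envelope -> Inspector payload. Returns None for events without
    a finding ARN. Payload keys 'event'/'finding'/'run' are the assumed Inspector format."""
    payload = json.loads(json.loads(sqs_record["body"])["Message"])
    if payload.get("event") != "FINDING_REPORTED":
        return None
    match = INSPECTOR_ARN.match(payload["finding"])
    if not match:  # raising fails the batch; after maxReceiveCount the record lands in the DLQ
        raise ValueError("not an Inspector finding ARN: %r" % payload["finding"])
    return {"account": match.group("account"), "region": match.group("region"),
            "finding_arn": payload["finding"], "run_arn": payload.get("run")}


def flatten_finding(raw):
    """Reduce one describe_findings entry to the flat document sent to ES and S3 (assumed shape)."""
    attrs = {a["key"]: a["value"] for a in raw.get("attributes", [])}
    return {"finding_arn": raw["arn"], "title": raw.get("title"), "severity": raw.get("severity"),
            "numeric_severity": raw.get("numericSeverity"),
            "instance_id": raw.get("assetAttributes", {}).get("agentId"),
            "rules_package_arn": raw.get("serviceAttributes", {}).get("rulesPackageArn"),
            "cve_id": attrs.get("CVE_ID"), "package_name": attrs.get("package_name"),
            "updated_at": raw.get("updatedAt")}


def s3_key_for(finding, when):
    """Partition by account/region/date so bucket lifecycle rules and ad-hoc queries stay simple."""
    finding_id = finding["finding_arn"].rsplit("/", 1)[-1]
    return "inspector/%s/%s/%s/%s.json" % (finding["account"], finding["region"],
                                           when.strftime("%Y/%m/%d"), finding_id)


def index_document(es_endpoint, es_region, credentials, index, doc):
    """POST one document to the Amazon ES domain, SigV4-signed with botocore (no extra modules)."""
    url = "https://%s/%s/_doc" % (es_endpoint, index)
    body = json.dumps(doc, default=str).encode()
    signed = AWSRequest(method="POST", url=url, data=body, headers={"Content-Type": "application/json"})
    SigV4Auth(credentials, "es", es_region).add_auth(signed)
    req = urllib.request.Request(url, data=body, headers=dict(signed.headers.items()), method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handler(event, context, role_name="CROSS-ACCOUNT-ROLE-PLACEHOLDER", bucket="BUCKET-PLACEHOLDER",
            es_endpoint="ES-ENDPOINT-PLACEHOLDER", es_region="us-east-1"):
    """SQS trigger entry point. Keyword defaults are placeholders, not the blog post's values."""
    sts, s3, session = boto3.client("sts"), boto3.client("s3"), boto3.Session()
    for record in event["Records"]:
        finding = parse_inspector_notification(record)
        if finding is None:
            continue
        creds = sts.assume_role(RoleArn="arn:aws:iam::%s:role/%s" % (finding["account"], role_name),
                                RoleSessionName="inspector-central")["Credentials"]
        inspector = boto3.client("inspector", region_name=finding["region"],
                                 aws_access_key_id=creds["AccessKeyId"],
                                 aws_secret_access_key=creds["SecretAccessKey"],
                                 aws_session_token=creds["SessionToken"])
        raw = inspector.describe_findings(findingArns=[finding["finding_arn"]])["findings"][0]
        doc = dict(flatten_finding(raw), account=finding["account"], region=finding["region"])
        s3.put_object(Bucket=bucket, Key=s3_key_for(finding, datetime.now(timezone.utc)),
                      Body=json.dumps(doc, default=str).encode())
        index_document(es_endpoint, es_region, session.get_credentials(), "inspector-findings", doc)


def demo():
    """Offline part of the pipeline on the constructed sample (no AWS calls)."""
    finding = parse_inspector_notification(SAMPLE_SQS_RECORD)
    return finding, flatten_finding(SAMPLE_RAW_FINDING), s3_key_for(finding, datetime(2020, 5, 1, tzinfo=timezone.utc))
```

Two design points worth noting. The execution role needs sts:AssumeRole on the cross-account role in every application account plus s3:PutObject on the bucket, and the ES domain's access policy must allow that role; the cross-account role itself only needs inspector:DescribeFindings. Raising on a malformed record deliberately fails the SQS batch so that, after the queue's maxReceiveCount, the record is moved to the dead-letter queue from item 3 instead of being silently dropped.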

ApplicationAcnts-RolesTemplate.yml - This template creates the following global resources in the primary region of all application accounts:

  1. An IAM role and policy to start an Inspector assessment run in that account at a scheduled interval.
  2. An IAM role and policy used as a cross-account role, assumed by the central security account's Lambda execution role to fetch details of the Inspector scans in the application accounts.
  3. An IAM role and policy used as the execution role for the regional Lambda function created in all application accounts, which attaches the regional Inspector assessment template of the application account to the SNS topic in the same region of the central security account.

InspectorRun-SetupTemplate.yml - This template creates the following resources in all those regions of all application accounts where Inspector assessment scan is performed:

  1. A Lambda trigger that associates the regional Lambda function with the CloudWatch event.
  2. An Inspector assessment target group per region that comprises all the EC2 instances of that region.
  3. An Inspector assessment template that performs the Inspector scan on the assessment target group of instances.
  4. A regional Lambda function that is used to attach the Amazon Inspector assessment template (created in the application accounts) to the cross-account Amazon SNS topic (created in the security account), all within the same Region. This function is needed because Amazon Inspector templates can only be attached to SNS topics in the same account via the AWS Management Console or AWS Command Line Interface (AWS CLI).
  5. A CloudWatch event in every region that triggers the regional Lambda function when an Amazon Inspector assessment template with a specific user-defined tag is created for the first time in that region.
  6. A time-based CloudWatch event to start the Inspector assessment template at a scheduled interval.
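As an added example of the regional function in items 4 and 5 (example code, not the repository's own function), the handler below reacts to the CloudWatch event for a new assessment template, checks for the marker tag, and calls the Inspector API (subscribe_to_event) to route the template's events to the SNS topic that lives in the security account in the same region. It assumes the CloudWatch rule matches the CloudTrail record of CreateAssessmentTemplate (detail.eventName and detail.responseElements.assessmentTemplateArn), that the marker tag is readable with list_tags_for_resource, and that the security account ID, topic name and tag key/value arrive as environment variables whose names are placeholders; the sample event is constructed.

```python
import os

try:
    import boto3  # present in the Lambda runtime; the helpers below do not need it
except ImportError:
    boto3 = None

# Inspector Classic event types that a template can publish to an SNS topic.
SUBSCRIBED_EVENTS = ("ASSESSMENT_RUN_COMPLETED", "FINDING_REPORTED")

# Constructed sample CloudWatch event (made-up account and ARN), shaped like a
# CloudTrail API-call event as assumed in the explanation above.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "region": "eu-west-1",
    "detail": {
        "eventSource": "inspector.amazonaws.com",
        "eventName": "CreateAssessmentTemplate",
        "responseElements": {
            "assessmentTemplateArn": "arn:aws:inspector:eu-west-1:111111111111:target/0-aaaa/template/0-bbbb"},
    },
}


def template_arn_from_event(event):
    """Return the new template's ARN for a CreateAssessmentTemplate record, else None,
    so the rule can stay broad and the function still ignores unrelated Inspector calls."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "inspector.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateAssessmentTemplate":
        return None
    return detail.get("responseElements", {}).get("assessmentTemplateArn")


def has_marker_tag(tags, key, value):
    """tags is the 'tags' list from list_tags_for_resource: [{'key': ..., 'value': ...}]."""
    return any(t.get("key") == key and t.get("value") == value for t in tags)


def central_topic_arn(region, security_account, topic_name):
    """The topic is owned by the security account but sits in the template's own region."""
    return "arn:aws:sns:%s:%s:%s" % (region, security_account, topic_name)


def plan_subscriptions(template_arn, topic_arn):
    """Keyword arguments for one subscribe_to_event call per event type."""
    return [{"resourceArn": template_arn, "event": e, "topicArn": topic_arn} for e in SUBSCRIBED_EVENTS]


def handler(event, context):
    """CloudWatch event entry point. Environment variable names are placeholders."""
    template_arn = template_arn_from_event(event)
    if not template_arn:
        return {"subscribed": 0, "reason": "not a CreateAssessmentTemplate event"}
    region = event["region"]
    inspector = boto3.client("inspector", region_name=region)
    tags = inspector.list_tags_for_resource(resourceArn=template_arn)["tags"]
    if not has_marker_tag(tags, os.environ["MARKER_TAG_KEY"], os.environ["MARKER_TAG_VALUE"]):
        return {"subscribed": 0, "reason": "template lacks the marker tag"}
    topic_arn = central_topic_arn(region, os.environ["SECURITY_ACCOUNT_ID"], os.environ["TOPIC_NAME"])
    for params in plan_subscriptions(template_arn, topic_arn):
        inspector.subscribe_to_event(**params)
    return {"subscribed": len(SUBSCRIBED_EVENTS), "topic": topic_arn}


def demo():
    """Offline walk-through on the constructed event (no AWS calls)."""
    template_arn = template_arn_from_event(SAMPLE_EVENT)
    topic_arn = central_topic_arn(SAMPLE_EVENT["region"], "222222222222", "sample-topic")
    return template_arn, plan_subscriptions(template_arn, topic_arn)
```

For this to work end to end, the regional execution role (item 3 of the application-account template) needs inspector:ListTagsForResource and inspector:SubscribeToEvent, and the topic policy created in the security account must allow the Inspector service to publish to the topic; if that policy is missing, subscribe_to_event succeeds but no findings ever reach the central queue, which is the first thing to check when Kibana stays empty.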

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
