feat(AWS): Initial commit of aws template

All AWS resources provision assuming net-new deployment
updating naming convention of cross-account policy

Signed-off-by: Scott Ford <scott.ford@lacework.net>

.gitignore

@@ -13,6 +13,7 @@ crash.log
 # version control.
 #
 # example.tfvars
+*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

aws/README.md

@@ -0,0 +1,34 @@
+# Lacework for AWS
+The following are the manual steps to connect an AWS account into Lacework
+
+### Step 1: Create CloudTrail Trail
+From the AWS console select “CloudTrail”
+From the left navbar select “Trails” and then the blue  “Create Trail” button
+Enter a trail name
+NOTE: Is is an AWS security best practice to apply trail to all regions
+From the “Storage location” section at the bottom of the page
+Select to create a new S3 bucket of use an existing bucket
+Create new SNS Topic and enter a topic name
+Click blue “Create” button on the bottom right of the page
+
+### Step 2; Create SQS Queue
+From AWS console go to the Simple Queue Service(SQS)
+Click the blue “Create New Queue”
+Enter queue name
+Standard Queue type is fine
+Click blue “Quick-Create Queue” from bottom right of page
+From the SQS queue list click to select the new queue you’ve created and then click the grey “Queue Actions” button and select “Subscribe Queue to SNS Topic”
+Choose the SNS Topic created with the CloudTrail trail
+
+### Step 3: Create IAM (Cross-Account)Role (Enhance for govcloud)
+From the AWS console go to Services > Security, Identity, & Compliance > IAM. The Welcome to Identity and Access Management page
+From the left nav bar select “Roles” which will display the IAM Roles
+Select the Blue “Create Role” button
+You will have the choice of 4 types of Trusted Entities. Select “Another AWS Account”
+(More info on this role type can be found here >> https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html?icmpid=docs_iam_console)
+		From here you will need the following
+The AWS account ID that is using the cross account role
+This is the Lacework AWS caller account ID
+434813966438
+Under “Options” click in the box to enable “Require external ID (Best practice when a third party will assume this role)”
+Create an External ID

aws/main.tf

@@ -0,0 +1,237 @@
+////////////////////////////////
+// Terraform Provider AWS
+terraform {
+  required_version = ">= 0.12.0" 
+}
+
+provider "aws" {
+  region                  = var.aws_region
+  profile                 = var.aws_profile
+  shared_credentials_file = file(var.credentials_file)
+}
+
+resource "random_id" "instance_id" {
+  byte_length = 4
+}
+
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_s3_bucket" "lacework_cloudtrail_bucket" {
+  bucket        = "${var.bucket_name}-${random_id.instance_id.hex}"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "lacework_cloudtrail_bucket_policy" {
+  bucket = aws_s3_bucket.lacework_cloudtrail_bucket.id
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSCloudTrailAclCheck20150319",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "arn:aws:s3:::${aws_s3_bucket.lacework_cloudtrail_bucket.id}"
+        },
+        {
+            "Sid": "AWSCloudTrailWrite20150319",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::${aws_s3_bucket.lacework_cloudtrail_bucket.id}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
+            "Condition": {
+                "StringEquals": {
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_sns_topic" "lacework_cloudtrail_sns_topic" {
+  name = var.sns_topic_name
+}
+
+resource "aws_sqs_queue" "lacework_cloudtrail_sqs_queue" {
+  name = var.sqs_queue_name
+}
+
+resource "aws_sns_topic_policy" "default" {
+  arn = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSCloudTrailSNSPolicy20131101",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "SNS:Publish",
+            "Resource": "${aws_sns_topic.lacework_cloudtrail_sns_topic.id}"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_sqs_queue_policy" "lacework_sqs_queue_policy" {
+  queue_url = aws_sqs_queue.lacework_cloudtrail_sqs_queue.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "lacework_sqs_policy_${random_id.instance_id.hex}",
+  "Statement": [
+    {
+      "Sid": "AllowLaceworkSNSTopicToSendMessage",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "SQS:SendMessage",
+      "Resource": "${aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn}",
+      "Condition": {
+        "ArnEquals": {
+          "aws:SourceArn": "${aws_sns_topic.lacework_cloudtrail_sns_topic.id}"
+        }
+      }
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_sns_topic_subscription" "lacework_sns_topic_sub" {
+  topic_arn = aws_sns_topic.lacework_cloudtrail_sns_topic.arn
+  protocol  = "sqs"
+  endpoint  = aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn
+}
+
+resource "aws_cloudtrail" "lacework_cloudtrail" {
+  name                          = var.cloudtrail_name
+  s3_bucket_name                = aws_s3_bucket.lacework_cloudtrail_bucket.id
+  include_global_service_events = true
+  is_multi_region_trail         = true
+  sns_topic_name                = aws_sns_topic.lacework_cloudtrail_sns_topic.id
+  depends_on                    = [aws_s3_bucket_policy.lacework_cloudtrail_bucket_policy, aws_s3_bucket.lacework_cloudtrail_bucket]
+}
+
+resource "aws_iam_role" "lacework_iam_role" {
+  name = "lacework_iam_role"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Principal": {
+      "AWS": "arn:aws:iam::434813966438:root"
+    },
+    "Action": "sts:AssumeRole"
+  }
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "security_audit_iam_role_policy_attachment" {
+  role       = aws_iam_role.lacework_iam_role.name
+  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
+resource "aws_iam_policy" "cross_account_policy" {
+  name        = "lacework-cross-account-policy"
+  description = "A cross account policy to allow Lacework to pull config and cloudtrail"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "sqs:GetQueueAttributes",
+                "sqs:GetQueueUrl",
+                "sqs:DeleteMessage",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": [
+                "${aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn}"
+            ],
+            "Effect": "Allow",
+            "Sid": "ConsumeNotifications"
+        },
+        {
+            "Condition": {
+                "StringLike": {
+                    "s3:prefix": [
+                        "*AWSLogs/"
+                    ]
+                }
+            },
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "${aws_s3_bucket.lacework_cloudtrail_bucket.arn}"
+            ],
+            "Effect": "Allow",
+            "Sid": "ListLogFiles"
+        },
+        {
+            "Action": [
+                "s3:Get*"
+            ],
+            "Resource": [
+                "${aws_s3_bucket.lacework_cloudtrail_bucket.arn}/*"
+            ],
+            "Effect": "Allow",
+            "Sid": "ReadLogFiles"
+        },
+        {
+            "Action": [
+                "iam:ListAccountAliases"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "GetAccountAlias"
+        },
+        {
+            "Action": [
+                "cloudtrail:DescribeTrails",
+                "cloudtrail:GetTrailTopics",
+                "cloudtrail:GetTrailStatus",
+                "cloudtrail:ListPublicKeys",
+                "s3:GetBucketAcl",
+                "s3:GetBucketPolicy",
+                "s3:ListAllMyBuckets",
+                "s3:GetBucketLocation",
+                "s3:GetBucketLogging",
+                "sns:GetSubscriptionAttributes",
+                "sns:GetTopicAttributes",
+                "sns:ListSubscriptions",
+                "sns:ListSubscriptionsByTopic",
+                "sns:ListTopics"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "Debug"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "lacework_crossaccount_iam_role_policy_attachment" {
+  role       = aws_iam_role.lacework_iam_role.name
+  policy_arn = aws_iam_policy.cross_account_policy.arn 
+}

aws/output.tf

@@ -0,0 +1,23 @@
+output "cloud_trail_id" {
+  value = aws_cloudtrail.lacework_cloudtrail.id
+}
+
+output "s3_bucket_id" {
+  value = aws_s3_bucket.lacework_cloudtrail_bucket.id
+}
+
+output "sns_topic_id" {
+  value = aws_sns_topic.lacework_cloudtrail_sns_topic.id
+}
+
+output "sqs_sqs_id" {
+  value = aws_sqs_queue.lacework_cloudtrail_sqs_queue.id
+}
+
+output "sqs_sqs_arn" {
+  value = aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn
+}
+
+output "iam_role_id" {
+  value = aws_iam_role.lacework_iam_role.id
+}

aws/variables.tf

@@ -0,0 +1,56 @@
+////////////////////////////////
+// AWS Connection
+
+variable "aws_profile" {
+  type = string
+}
+
+variable "aws_region" {}
+
+variable "credentials_file" {
+  default = "~/.aws/credentials"
+}
+
+////////////////////////////////
+// ENV
+
+variable "bucket_name" {
+  default = "lacework-cloudtrail-bucket"
+}
+
+variable "sns_topic_name" {
+  default = "lacework-sns-topic"
+}
+
+variable "sqs_queue_name" {
+  default = "lacework-sqs-queue"
+}
+
+variable "cloudtrail_name" {
+  default = "lacework-cloudtrail"
+}
+
+
+
+////////////////////////////////
+// Tags
+
+variable "tag_customer" {}
+
+variable "tag_project" {}
+
+variable "tag_name" {}
+
+variable "tag_dept" {}
+
+variable "tag_contact" {}
+
+variable "tag_application" {}
+
+variable "tag_ttl" {
+  default = 4
+}
+
+variable "aws_key_pair_file" {}
+
+variable "aws_key_pair_name" {}