Use AWS Systems Manager Inventory with Resource Data Sync. #8360

Open
2 of 3 tasks
ep-93 opened this issue Oct 28, 2024 · 5 comments
@ep-93
Contributor

ep-93 commented Oct 28, 2024

User Story

As a Mod Platform Engineer
I want to have a singular place where information is stored on each account and what is running in them
So that security can look at anything outdated if required and more.

To start we will run this monthly, but with an option to run on an ad hoc basis.

Value / Purpose

POC discussed, and agreed that we should begin to roll this out to all accounts

#7725

Context / Background

As a product manager I want to be able to understand what we have running on the platform and where there are vulnerabilities - for example when a component is no longer in support or if there is a security incident related to that component. We can then advise application teams of potential issues.

I also need a way to be able to provide security teams with the relevant information allowing them to contact application teams directly.

This ticket is to look to see if we can use AWS Systems Manager Inventory with Resource Data Sync as a tool to satisfy this requirement. The theory is we can gather information about software installed on all instances that have the SSM agent installed/activated. We can then use Resource Data Sync to gather all inventory information for multiple accounts/regions into a central S3 bucket that can then be queried by Athena or any other visualisation tool - see https://docs.aws.amazon.com/systems-manager/latest/userguide/inventory-create-resource-data-sync.html
This way we can query what software and packages are deployed across the platform and help to identify the impact of any security vulnerabilities.

Useful Contacts

Edd Proctor

Additional Information

We should make this optional but included by default

Definition of Done

  • S3 Bucket created in organisation-security account.
  • In bootstrap, roll out the roles and policies required for accounts to datasync to the mod platform bucket.
  • Athena database created in Mod platform account.

What types of logs etc that are copied are not in this ticket, just setting up what is required.
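The setup described above (monthly inventory collection in each member account, a resource data sync into a central bucket in organisation-security, and the bucket policy that lets the SSM service deliver into it) as an added Terraform example. This is not the project's bootstrap code; the bucket name, account IDs and KMS key ARN are placeholders, and the Athena/Glue side is not shown.

```hcl
# Added example, not the project's own code. Placeholders below must be replaced.
locals {
  sync_bucket_name = "example-org-security-ssm-inventory"               # placeholder
  member_accounts  = ["111111111111", "222222222222"]                     # placeholders
  sync_kms_key_arn = "arn:aws:kms:eu-west-2:000000000000:key/PLACEHOLDER" # placeholder
}

# ---- Member account side ------------------------------------------------------

# AWS-GatherSoftwareInventory is the AWS-managed document that populates SSM
# Inventory. Targeting "*" covers every SSM-managed instance in the account.
# rate(30 days) gives the monthly cadence; because apply_only_at_cron_interval
# is left at its default (false) the association also runs as soon as it is
# created, which serves as the ad hoc run.
resource "aws_ssm_association" "gather_software_inventory" {
  name                = "AWS-GatherSoftwareInventory"
  schedule_expression = "rate(30 days)"

  targets {
    key    = "InstanceIds"
    values = ["*"]
  }

  parameters = {
    applications                = "Enabled"
    awsComponents               = "Enabled"
    networkConfig               = "Enabled"
    windowsUpdates              = "Enabled"
    instanceDetailedInformation = "Enabled"
    services                    = "Enabled"
  }
}

# Ship the collected inventory to the central bucket. JsonSerDe is the format
# Athena can read directly once a Glue table is defined over the bucket.
resource "aws_ssm_resource_data_sync" "to_org_security" {
  name = "OrgSecurityInventorySync" # placeholder name

  s3_destination {
    bucket_name = local.sync_bucket_name
    region      = "eu-west-2"
    kms_key_arn = local.sync_kms_key_arn
    sync_format = "JsonSerDe"
  }
}

# ---- organisation-security account side --------------------------------------

# The principal writing into the bucket is the SSM service, not the member
# account, so the policy binds each source account to its own
# ".../accountid=<id>/..." key prefix via aws:SourceAccount and aws:SourceArn.
# One statement per account keeps that binding exact.
data "aws_iam_policy_document" "inventory_sync" {
  statement {
    sid       = "SSMBucketPermissionsCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.sync_bucket_name}"]

    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com"]
    }
  }

  dynamic "statement" {
    for_each = toset(local.member_accounts)
    content {
      sid       = "SSMBucketDelivery${statement.value}"
      effect    = "Allow"
      actions   = ["s3:PutObject"]
      resources = ["arn:aws:s3:::${local.sync_bucket_name}/*/accountid=${statement.value}/*"]

      principals {
        type        = "Service"
        identifiers = ["ssm.amazonaws.com"]
      }

      condition {
        test     = "StringEquals"
        variable = "s3:x-amz-acl"
        values   = ["bucket-owner-full-control"]
      }
      condition {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = [statement.value]
      }
      condition {
        test     = "ArnLike"
        variable = "aws:SourceArn"
        values   = ["arn:aws:ssm:*:${statement.value}:resource-data-sync/*"]
      }
    }
  }
}

resource "aws_s3_bucket_policy" "inventory_sync" {
  bucket = local.sync_bucket_name
  policy = data.aws_iam_policy_document.inventory_sync.json
}
```

Two things to check when applying this pattern: the KMS key referenced by `kms_key_arn` lives in the central account, so its key policy must also allow `ssm.amazonaws.com` to use it, otherwise deliveries fail silently at the bucket; and the per-account prefix plus `aws:SourceAccount` condition is what stops one member account's sync from overwriting another account's inventory objects, so it is worth keeping even though a single wildcard statement is shorter.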

@richgreen-moj
Contributor

richgreen-moj commented Nov 20, 2024

Whilst working on #8517 to create a resource data sync in the mod platform bootstrap - I've noticed that our accounts already seem to have an inventory collection and resource data sync set up which is sending data to a bucket in the organisation-security account.

UPDATE:
This was not the case. It turns out the inventory collection and data sync I found are a result of us having enabled the AWS Inspector service in the baseline. It creates a similar setup and sends info to a bucket created by the service which we are unable to interact with.

But there is also a resource data sync being set up on a conditional basis for some of our accounts, I think related to gathering Oracle licensing data. This is being fed into a central bucket in organisation-security.

```hcl
# sync ssm data to the S3 bucket created in the stack
# https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-resource-data-sync.html
resource "aws_ssm_resource_data_sync" "security_account" {
  count = contains(local.ssm_resource_sync_opt_in, terraform.workspace) ? 1 : 0
  name  = "OrgSecurityDataSync"

  s3_destination {
    bucket_name = local.environment_management.ssm_resource_sync_bucket_name
    region      = "eu-west-2"
    kms_key_arn = local.environment_management.ssm_resource_sync_kms_arn
  }
}
```

and..

5e19a80

I wonder if I should merge this into what I've been looking at as part of the ticket.

@richgreen-moj
Contributor

After a chat today we decided the s3 bucket ought to live in the organisation-security account. Also despite the similarities in what has been provisioned already for gathering licensing info in that account (see comment above) I will continue to deploy a separate bucket/resource sync for now and we can decide to merge this at a later date if required.

@richgreen-moj
Contributor

When rolling out the resource data sync via the bootstrap I've encountered an error:

131 accounts have already got 5 resource data syncs, which is an account limit.

I'll look into if this limit can be raised or what the best next steps are.

@richgreen-moj
Contributor

richgreen-moj commented Nov 28, 2024

Moving this to blocked as I'm unable to deploy resource data sync to all Mod Platform accounts due to account limits being reached for at least 50% of accounts.

To resolve this some more work/investigation needs to go into discovering where the existing resource data syncs originate from and whether they are still in use.

The data syncs seem to have been created by the AWS License Manager service; they possibly originated from CloudFormation stacks that have been deployed in both the root and org-security accounts.

I've raised a case with AWS support to see if they can provide any more insights.

@richgreen-moj
Contributor

Issue #8624 has been raised to investigate this further. I suggest we park this ticket until that work has been carried out.

Labels
None yet
Projects
Status: Blocked
3 participants