Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cortex cleanup #8239

Merged
merged 1 commit into from
Oct 10, 2024
Merged

Cortex cleanup #8239

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 0 additions & 5 deletions source/runbooks/integration-with-protective-monitoring.html.md.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,6 @@ The Cortex XSIAM application consumes data using S3 as a preferential source fro

The Cortex XSIAM application receives Network Firewall `alert` logs by way of an Amazon Data Stream configured in the `core-network-services` account.

## Known Maintenance Requirements

- While an access key and secret key are currently in use, we have prepared an AWS IAM role that the Cortex application can assume so that we can retire the keys.
- This role - `cortex_xsiam*` - is available in the `core-logging` account and has the same IAM policy as the `cortex_xsiam` user.

## Known Contacts:

- Leonardo Marini - Leonardo.Marini@justice.gov.uk. Contractor who implements the Cortex Xsiam endpoints that receive the Firehose transfers. (https://www.paloaltonetworks.com/cortex/cortex-xsiam)
Expand Down
16 changes: 2 additions & 14 deletions terraform/environments/core-logging/cortex.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,24 +224,12 @@ data "aws_kms_alias" "secrets" {
name = "alias/secrets_key"
}

resource "aws_iam_user" "cortex_xsiam_user" {
#checkov:skip=CKV_AWS_273: This has been agreed by the TA that for this purpose an IAM user account can be used.
name = "cortex_xsiam_user"
tags = local.tags
}

resource "aws_iam_policy" "cortex_user_policy" {
resource "aws_iam_policy" "cortex_xsiam_policy" {
name = "cortex-user-policy"
description = "Allows the access to the created SQS queue"
policy = data.aws_iam_policy_document.cortex_user_policy.json
}

resource "aws_iam_user_policy_attachment" "sqs_queue_read_policy_attachment" {
#checkov:skip=CKV_AWS_40: User account only has a single purpose so no role or group is needed
user = aws_iam_user.cortex_xsiam_user.name
policy_arn = aws_iam_policy.cortex_user_policy.arn
}

resource "aws_iam_role" "cortex_xsiam_role" {
description = "Role utilised by Palo Alto Cortex XSIAM"
name_prefix = "cortex_xsiam"
Expand All @@ -250,6 +238,6 @@ resource "aws_iam_role" "cortex_xsiam_role" {
}

resource "aws_iam_role_policy_attachment" "cortex_xsiam_role" {
policy_arn = aws_iam_policy.cortex_user_policy.arn
policy_arn = aws_iam_policy.cortex_xsiam_policy.arn
role = aws_iam_role.cortex_xsiam_role.name
}