Merge pull request #71 from CrowdStrike/FIX-eks-protection
Fix eks protection
gcasilva authored Nov 14, 2024
2 parents 1573fce + b03a0d9 commit 23ef784
Showing 7 changed files with 59 additions and 110 deletions.
8 changes: 4 additions & 4 deletions .project_automation/functional_tests/entrypoint.sh
Expand Up @@ -29,12 +29,12 @@ run_test() {
unset AWS_DEFAULT_REGION
if [ -z "$1" ]; then
echo "Running e2e test: ALL"
taskcat test run -n
.project_automation/functional_tests/scoutsuite/scoutsuite.sh
taskcat test run
# .project_automation/functional_tests/scoutsuite/scoutsuite.sh
else
echo "Running e2e test: $1"
taskcat test run -n -t $1
.project_automation/functional_tests/scoutsuite/scoutsuite.sh
taskcat test run -t $1
# .project_automation/functional_tests/scoutsuite/scoutsuite.sh
fi
}

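Review bot: The ScoutSuite call after `taskcat test run` (and again after `taskcat test run -t $1`) is commented out rather than removed, with nothing saying why or when it comes back, so the e2e job silently loses its post-deployment posture scan and a reader cannot tell whether that is deliberate; add a comment above each disabled call such as `# ScoutSuite scan disabled: <reason / tracking issue>; re-enable once <condition>`, or delete the lines and track the scan elsewhere. Dropping `-n` also changes what taskcat does with the deployed stacks (presumably the no-delete flag controlled cleanup — confirm against the taskcat version used in CI), which deserves a line in the commit description. Separately, `$1` is unquoted in `taskcat test run -t $1`; `taskcat test run -t "$1"` is safer even though the caller is internal. run_test() opens on the hunk-header line, so the function's start is outside the hunk proper.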
1 change: 0 additions & 1 deletion .taskcat.yml
Expand Up @@ -24,7 +24,6 @@ tests:
FalconSecret: $[taskcat_ssm_/crowdstrike/falcon_secret]
DockerAPIToken: $[taskcat_ssm_/crowdstrike/falcon_docker_api_token]
FalconCID: $[taskcat_ssm_/crowdstrike/falcon_cod]
EventBusAccount: $[taskcat_ssm_/crowdstrike/eventbus_account]
SourceS3BucketName: $[taskcat_autobucket]
S3BucketRegion: $[taskcat_current_region]
ProvisionOU: $[taskcat_ssm_/crowdstrike/provision-ou]
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
v1.1.0
v1.1.1
1 change: 0 additions & 1 deletion guide/content/deployment-steps.md
Expand Up @@ -61,7 +61,6 @@ description: Deployment steps.
* **FalconCID**: Your CrowdStrike Falcon CID with checksum. (eg. ********************************-ab)
* **DockerAPIToken**: Your Falcon Docker API Token
* **OrganizationId**: Your AWS Organization ID (eg. o-********)
* **EventBusAccount**: The account to centralize EKS Protection resources. This account must be the Organization Management Account or a Delegated Administrator.
* **EventBusName**: Name of the centralized EventBus. Default is `crowdstrike-eks-eventbus`
* **EventBridgeRoleName**: Name of the EventBridge IAM role. Default is `crowdstrike-eks-eventbridge-role`
* **EKSExecutionRoleName**: Name of the Target Execution IAM role. Default is `crowdstrike-eks-execution-role`
2 changes: 1 addition & 1 deletion lambda_functions/source/register-organization/lambda.py
Expand Up @@ -22,7 +22,7 @@
SUCCESS = "SUCCESS"
FAILED = "FAILED"

VERSION = "1.0.0"
VERSION = "1.1.1"
NAME = "crowdstrike-cloud-abi"
USERAGENT = ("%s/%s" % (NAME, VERSION))

151 changes: 51 additions & 100 deletions templates/crowdstrike_init_stack.yaml
Expand Up @@ -77,7 +77,6 @@ Metadata:
- EKSProtection
- FalconCID
- DockerAPIToken
- EventBusAccount
- EventBusName
- EventBridgeRoleName
- EKSExecutionRoleName
Expand Down Expand Up @@ -184,8 +183,6 @@ Metadata:
default: Falcon CID
DockerAPIToken:
default: Falcon Docker API Token
EventBusAccount:
default: EKS Protection Account
EventBusName:
default: Name of EventBus
EventBridgeRoleName:
Expand Down Expand Up @@ -427,10 +424,6 @@ Parameters:
NoEcho: true
Description: Your Falcon Docker API Token
Default: "DockerAPIToken"
EventBusAccount:
Description: The account to centralize EKS Protection resources. This account must be the Organization Management Account or a Delegated Administrator.
Type: String
Default: "111111111111"
EventBusName:
Type: String
Description: Name of the centralized EventBus
Expand Down Expand Up @@ -481,10 +474,13 @@ Mappings:
CloudMap:
us1:
BaseURL: "https://api.crowdstrike.com"
CrowdStrikeCloud: us-1
us2:
BaseURL: "https://api.us-2.crowdstrike.com"
CrowdStrikeCloud: us-2
eu1:
BaseURL: "https://api.eu-1.crowdstrike.com"
CrowdStrikeCloud: eu-1

Conditions:
CreateIOAResources: !Equals [ !Ref 'EnableIOA', true ]
Expand Down Expand Up @@ -1388,7 +1384,7 @@ Resources:
Environment:
Variables:
LOG_LEVEL: "INFO"
EVENTBUS_ACCOUNT: !Ref EventBusAccount
EVENTBUS_ACCOUNT: !Ref AWS::AccountId
EKS_PROTECTION: !Ref EKSProtection
Code:
S3Bucket: !Ref StagingS3Bucket
Expand Down Expand Up @@ -1443,43 +1439,25 @@ Resources:
Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${OrgIdLambdaFunctionName}:log-stream:*

# EKS Protection
RootRolesStackSet:
RootRolesStack:
Type: 'AWS::CloudFormation::Stack'
Condition: EnableEKSProtection
Type: AWS::CloudFormation::StackSet
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
StackSetName: crowdstrike-eks-protection-root-roles
Capabilities:
- CAPABILITY_NAMED_IAM
AdministrationRoleARN: !GetAtt StackSetAdministrationRole.Arn
ExecutionRoleName: !Ref StackSetExecRole
Parameters:
- ParameterKey: CodeBuildProjectName
ParameterValue: !Ref CodeBuildProjectName
- ParameterKey: CodeBuildRoleName
ParameterValue: !Ref CodeBuildRoleName
- ParameterKey: EventBridgeRoleName
ParameterValue: !Ref EventBridgeRoleName
- ParameterKey: EKSExecutionRoleName
ParameterValue: !Ref EKSExecutionRoleName
- ParameterKey: StagingS3Bucket
ParameterValue: !Ref StagingS3Bucket
- ParameterKey: EventBusName
ParameterValue: !Ref EventBusName
- ParameterKey: PermissionsBoundary
ParameterValue: !Ref PermissionsBoundary
PermissionModel: SELF_MANAGED
StackInstancesGroup:
- DeploymentTargets:
AccountFilterType: NONE
Accounts:
- !Ref EventBusAccount
Regions:
- !Ref AWS::Region
TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-root-roles.yml
Parameters:
CodeBuildProjectName: !Ref CodeBuildProjectName
CodeBuildRoleName: !Ref CodeBuildRoleName
EventBridgeRoleName: !Ref EventBridgeRoleName
EKSExecutionRoleName: !Ref EKSExecutionRoleName
StagingS3Bucket: !Ref StagingS3Bucket
EventBusName: !Ref EventBusName
PermissionsBoundary: !Ref PermissionsBoundary

EKSTargetRolesStackSet:
Condition: EnableEKSProtection
DependsOn: RootRolesStackSet
DependsOn: RootRolesStack
Type: AWS::CloudFormation::StackSet
Properties:
StackSetName: crowdstrike-eks-protection-target-roles
Expand All @@ -1491,14 +1469,15 @@ Resources:
- ParameterKey: EventBridgeRoleName
ParameterValue: !Ref EventBridgeRoleName
- ParameterKey: EventBusAccount
ParameterValue: !Ref EventBusAccount
ParameterValue: !Ref AWS::AccountId
- ParameterKey: EventBusName
ParameterValue: !Ref EventBusName
- ParameterKey: CodeBuildRoleName
ParameterValue: !Ref CodeBuildRoleName
- ParameterKey: PermissionsBoundary
ParameterValue: !Ref PermissionsBoundary
PermissionModel: SERVICE_MANAGED
CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
AutoDeployment:
Enabled: true
RetainStacksOnAccountRemoval: false
Expand All @@ -1514,85 +1493,57 @@ Resources:
- !Ref AWS::Region
TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-target-roles-stackset.yml

RootEKSProtectionStackSet:
RootEKSProtectionStack:
Type: 'AWS::CloudFormation::Stack'
Condition: EnableEKSProtection
DependsOn: EKSTargetRolesStackSet
Type: AWS::CloudFormation::StackSet
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
StackSetName: crowdstrike-eks-protection-root-protection
Capabilities:
- CAPABILITY_NAMED_IAM
AdministrationRoleARN: !GetAtt StackSetAdministrationRole.Arn
ExecutionRoleName: !Ref StackSetExecRole
Parameters:
- ParameterKey: StagingS3Bucket
ParameterValue: !Ref StagingS3Bucket
- ParameterKey: Backend
ParameterValue: !Ref Backend
- ParameterKey: Registry
ParameterValue: !Ref Registry
- ParameterKey: EnableKAC
ParameterValue: !Ref EnableKAC
- ParameterKey: CrowdStrikeCloud
ParameterValue: !Ref CSCloud
- ParameterKey: EventBusName
ParameterValue: !Ref EventBusName
- ParameterKey: OrganizationId
ParameterValue: !GetAtt OrgIdLambdaCustomResource.organization_id
- ParameterKey: FalconClientId
ParameterValue: !Ref FalconClientID
- ParameterKey: FalconClientSecret
ParameterValue: !Ref FalconSecret
- ParameterKey: KubernetesUserName
ParameterValue: !Ref KubernetesUserName
- ParameterKey: FalconCID
ParameterValue: !Ref FalconCID
- ParameterKey: DockerAPIToken
ParameterValue: !Ref DockerAPIToken
- ParameterKey: EKSExecutionRoleName
ParameterValue: !Ref EKSExecutionRoleName
- ParameterKey: CodeBuildProjectName
ParameterValue: !Ref CodeBuildProjectName
- ParameterKey: CodeBuildRoleName
ParameterValue: !Ref CodeBuildRoleName
- ParameterKey: VpcCIDR
ParameterValue: '10.192.0.0/16'
- ParameterKey: PublicSubnet1CIDR
ParameterValue: '10.192.10.0/24'
- ParameterKey: PublicSubnet2CIDR
ParameterValue: '10.192.11.0/24'
- ParameterKey: PrivateSubnet1CIDR
ParameterValue: '10.192.20.0/24'
- ParameterKey: PrivateSubnet2CIDR
ParameterValue: '10.192.21.0/24'
PermissionModel: SELF_MANAGED
StackInstancesGroup:
- DeploymentTargets:
AccountFilterType: NONE
Accounts:
- !Ref EventBusAccount
OrganizationalUnitIds:
- !GetAtt OrgIdLambdaCustomResource.eventbus_account_ou
Regions:
- !Ref AWS::Region
TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-protection-stack.yml
Parameters:
StagingS3Bucket: !Ref StagingS3Bucket
Backend: !Ref Backend
Registry: !Ref Registry
EnableKAC: !Ref EnableKAC
CrowdStrikeCloud: !FindInMap
- CloudMap
- !Ref CSCloud
- CrowdStrikeCloud
EventBusName: !Ref EventBusName
OrganizationId: !GetAtt OrgIdLambdaCustomResource.organization_id
FalconClientId: !Ref FalconClientID
FalconClientSecret: !Ref FalconSecret
KubernetesUserName: !Ref KubernetesUserName
FalconCID: !Ref FalconCID
DockerAPIToken: !Ref DockerAPIToken
EKSExecutionRoleName: !Ref EKSExecutionRoleName
CodeBuildProjectName: !Ref CodeBuildProjectName
CodeBuildRoleName: !Ref CodeBuildRoleName
SourceS3BucketNamePrefix: !Ref SourceS3BucketNamePrefix
VpcCIDR: '10.192.0.0/16'
PublicSubnet1CIDR: '10.192.10.0/24'
PublicSubnet2CIDR: '10.192.11.0/24'
PrivateSubnet1CIDR: '10.192.20.0/24'
PrivateSubnet2CIDR: '10.192.21.0/24'

EKSEventBridgeStackSet:
Condition: EnableEKSProtection
DependsOn: RootEKSProtectionStackSet
DependsOn: RootEKSProtectionStack
Type: AWS::CloudFormation::StackSet
Properties:
StackSetName: crowdstrike-eks-protection-eventbridge
Parameters:
- ParameterKey: EventBusName
ParameterValue: !Ref EventBusName
- ParameterKey: EventBusAccount
ParameterValue: !Ref EventBusAccount
ParameterValue: !Ref AWS::AccountId
- ParameterKey: EventBusRegion
ParameterValue: !Ref AWS::Region
- ParameterKey: EventBridgeRoleName
ParameterValue: !Ref EventBridgeRoleName
PermissionModel: SERVICE_MANAGED
CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
AutoDeployment:
Enabled: true
RetainStacksOnAccountRemoval: true
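Review bot: `FalconClientSecret: !Ref FalconSecret` and `DockerAPIToken: !Ref DockerAPIToken` under RootEKSProtectionStack now flow into a nested `AWS::CloudFormation::Stack`, and the parent's `NoEcho: true` does not carry over to the child; unless templates/eks-protection-stack.yml declares `NoEcho: true` on those two parameters (not visible in this diff) the values are readable via DescribeStacks on the nested stack, so that should be confirmed before this ships. Replacing `EventBusAccount` with `!Ref AWS::AccountId` moves a requirement from a documented parameter onto the deployer — the init stack must now be launched in the Organization management or delegated-administrator account for the SERVICE_MANAGED stack sets to succeed — and the only remaining hint is the added `CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]`; a comment on `EVENTBUS_ACCOUNT: !Ref AWS::AccountId` such as `# the deploying account is the EKS Protection hub; must be the Org management or delegated-admin account` would keep what the removed parameter description said. `SourceS3BucketNamePrefix: !Ref SourceS3BucketNamePrefix` is a parameter the old stack set did not pass, so the nested template must declare it or creation fails.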
4 changes: 2 additions & 2 deletions templates/eks-protection-stack.yml
Expand Up @@ -164,7 +164,7 @@ Resources:
project_name: !Ref CodeBuildProjectName
artifact_bucket: !Ref StagingS3Bucket
lambda_switch_role: !Ref EKSExecutionRoleName
Handler: lambda_function.lambda_handler
Handler: lambda.lambda_handler
MemorySize: 128
Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${EKSExecutionRoleName}
Runtime: python3.11
Expand Down Expand Up @@ -205,7 +205,7 @@ Resources:
project_name: !Ref CodeBuildProjectName
artifact_bucket: !Ref StagingS3Bucket
lambda_switch_role: !Ref EKSExecutionRoleName
Handler: lambda_function.lambda_handler
Handler: lambda.lambda_handler
MemorySize: 128
Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${EKSExecutionRoleName}
Runtime: python3.11
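Review bot: `Handler: lambda.lambda_handler` names a handler module called `lambda`, which is a Python reserved word; the Lambda runtime loads the module through importlib so this works when deployed (and it matches `lambda_functions/source/register-organization/lambda.py` elsewhere in this commit), but any local test or tooling that writes `import lambda` gets a SyntaxError and must use `importlib.import_module("lambda")` instead. If the package layout is still open, a `handler.py` with `Handler: handler.lambda_handler` avoids the trap; otherwise a comment such as `# module is lambda.py; import via importlib in tests, "lambda" is a keyword` next to each Handler line is worth adding. Both Lambda resources begin above their hunks, so the remainder of their properties is not visible here.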
