-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathaws-inspector-cf.yaml
140 lines (132 loc) · 5.89 KB
/
aws-inspector-cf.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS-Inspector-Quickstart"
Parameters:
AMI:
Description: AMI ID
Type: AWS::EC2::Image::Id
KeyPair:
Description: Key pair to launch ec2 instance
Type: AWS::EC2::KeyPair::KeyName
SubnetId:
Description: Subnet ID to launch instance for scanning
Type: AWS::EC2::Subnet::Id
ec2tag:
Description: Tag for ec2 instances for scanning
Type: String
ScanLength:
Type: Number
Description: Duration of Inspector Scan in seconds
Default: 180
CommitId:
Type: String
Description: Duration of Inspector Scan in seconds
Mappings:
RegionMap:
us-east-1:
CommonVul: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7
CIS: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8
SecurityBest: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q
us-east-2:
CommonVul: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-JnA8Zp85
CIS: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-m8r61nnh
SecurityBest: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-AxKmMHPX
us-west-1:
CommonVul: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TKgzoVOa
CIS: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-xUY8iRqX
SecurityBest: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-byoQRFYm
us-west-2:
CommonVul: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p
CIS: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc
SecurityBest: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ
ap-south-1:
CommonVul: arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-LqnJE9dO
CIS: arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-PSUlX14m
SecurityBest: arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-fs0IZZBj
ap-northeast-2:
CommonVul: arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-PoGHMznc
CIS: arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-T9srhg1z
SecurityBest: arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-2WRpmi4n
ap-southeast-2:
CommonVul: arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-D5TGAxiR
CIS: arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-Vkd2Vxjq
SecurityBest: arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-asL6HRgN
ap-northeast-1:
CommonVul: arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT
CIS: arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu
SecurityBest: arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq
eu-central-1:
CommonVul: arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-wNqHa8M9
CIS: arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-nZrAVuv8
SecurityBest: arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-ZujVHEPB
eu-west-1:
CommonVul: arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-ubA5XvBh
CIS: arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-sJBhCr0F
SecurityBest: arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SnojL3Z6
eu-west-2:
CommonVul: arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-kZGCqcE1
CIS: arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-IeCjwf1W
SecurityBest: arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-XApUiSaP
eu-north-1:
CommonVul: arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-IgdgIewd
CIS: arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-Yn8jlX7f
SecurityBest: arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-HfBQSbSf
us-gov-east-1:
CommonVul: arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-3IFKFuOb
CIS: arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-pTLCdIww
SecurityBest: arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-vlgEGcVD
us-gov-west-1:
CommonVul: arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-4oQgcI4G
CIS: arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-Ac4CFOuc
SecurityBest: aarn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-rOTGqe5G
Resources:
InspectorEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref AMI
InstanceType: t2.micro
KeyName: !Ref KeyPair
SubnetId: !Ref SubnetId
Tags:
- Key: Name
Value: !Ref ec2tag
InspectorResourceGroup:
Type: AWS::Inspector::ResourceGroup
Properties:
ResourceGroupTags:
- Key: Name
Value: !Ref ec2tag
InspectorAssessmentTarget:
Type: AWS::Inspector::AssessmentTarget
Properties:
ResourceGroupArn: !Ref InspectorResourceGroup
InspectorAssessmentTemplate:
Type: AWS::Inspector::AssessmentTemplate
Properties:
AssessmentTargetArn: !Ref InspectorAssessmentTarget
DurationInSeconds: !Ref ScanLength
RulesPackageArns:
- !FindInMap [RegionMap, !Ref "AWS::Region", CommonVul]
- !FindInMap [RegionMap, !Ref "AWS::Region", CIS]
- !FindInMap [RegionMap, !Ref "AWS::Region", SecurityBest]
UserAttributesForFindings:
- Key: Name
Value: !Ref ec2tag
- Key: StackName
Value: !Ref "AWS::StackName"
- Key: CommitId
Value: !Ref CommitId
- Key: AMI_ID
Value: !Ref AMI
Outputs:
ResourceGroup:
Description: Inspector Resource Group
Value: !GetAtt InspectorResourceGroup.Arn
AssessmentTarget:
Description: Inspector Assessment Target
Value: !GetAtt InspectorAssessmentTarget.Arn
AssessmentTemplate:
Description: Inspector Assessment Template
Value: !GetAtt InspectorAssessmentTemplate.Arn
CommitId:
Description: Commit Id
Value: !Ref CommitId