soc2 checks
Ajay-sops committed Jul 31, 2023
1 parent e2e53b9 commit e8f6f84
Showing 5 changed files with 212 additions and 4 deletions.
5 changes: 3 additions & 2 deletions examples/complete/main.tf
@@ -1,7 +1,7 @@
locals {
region = "us-east-2"
environment = "prod"
name = "skaf"
name = "skaf-hello"
additional_tags = {
Owner = "organization_name"
Expires = "Never"
Expand All @@ -18,7 +18,7 @@ module "cis" {
email = "skaf-demo@squareops.com"
cron_expression = "cron(0 22 1,10,20,28 * ? 2023)"
s3_enabled = true
config_enabled = true
config_enabled = false
include_global_resource_types = true
cw_log_enabled = true
alerting_enabled = true
Expand All @@ -29,4 +29,5 @@ module "cis" {
notify_unused_cred_45_days = true
disable_unused_cred_45_days = false
remove_ssl_tls_iam = false
enable_guard_duty = true
}
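--- /dev/null
+++ b/guard-duty.tf
@@ -0,0 +1,107 @@
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "bucket_pol" {
+count = var.enable_guard_duty ? 1 : 0
+statement {
+sid = "Allow PutObject"
+actions = [
+"s3:PutObject"
+]
+
+resources = [
+"${aws_s3_bucket.gd_bucket[0].arn}/*"
+]
+
+principals {
+type = "Service"
+identifiers = ["guardduty.amazonaws.com"]
+}
+}
+
+statement {
+sid = "Allow GetBucketLocation"
+actions = [
+"s3:GetBucketLocation"
+]
+
+resources = [
+aws_s3_bucket.gd_bucket[0].arn
+]
+
+principals {
+type = "Service"
+identifiers = ["guardduty.amazonaws.com"]
+}
+}
+}
+
+data "aws_iam_policy_document" "kms_pol" {
+count = var.enable_guard_duty ? 1 : 0
+statement {
+sid = "Allow GuardDuty to encrypt findings"
+actions = [
+"kms:GenerateDataKey"
+]
+
+resources = [
+"arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
+]
+
+principals {
+type = "Service"
+identifiers = ["guardduty.amazonaws.com"]
+}
+}
+
+statement {
+sid = "Allow all users to modify/delete key (test only)"
+actions = [
+"kms:*"
+]
+
+resources = [
+"arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
+]
+
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+}
+}
+
+}
+
+resource "aws_guardduty_detector" "gd" {
+count = var.enable_guard_duty ? 1 : 0
+enable = true
+}
+
+resource "aws_s3_bucket" "gd_bucket" {
+count = var.enable_guard_duty ? 1 : 0
+bucket = format("%s-gd-findingd-%s", var.name, data.aws_caller_identity.current.account_id)
+force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "gd_bucket_policy" {
+count = var.enable_guard_duty ? 1 : 0
+bucket = aws_s3_bucket.gd_bucket[0].id
+policy = data.aws_iam_policy_document.bucket_pol[0].json
+}
+
+resource "aws_kms_key" "gd_key" {
+count = var.enable_guard_duty ? 1 : 0
+description = "Temporary key for AccTest of TF"
+deletion_window_in_days = 7
+policy = data.aws_iam_policy_document.kms_pol[0].json
+}
+
+resource "aws_guardduty_publishing_destination" "gd_destination" {
+count = var.enable_guard_duty ? 1 : 0
+detector_id = aws_guardduty_detector.gd[0].id
+destination_arn = aws_s3_bucket.gd_bucket[0].arn
+kms_key_arn = aws_kms_key.gd_key[0].arn
+
+depends_on = [
+aws_s3_bucket_policy.gd_bucket_policy,
+]
+}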
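Review bot: Both statements in `bucket_pol` (sids "Allow PutObject" and "Allow GetBucketLocation") grant the `guardduty.amazonaws.com` service principal with no condition, so a GuardDuty detector in any AWS account can be pointed at this bucket and write into it; AWS's guidance for findings export buckets is to scope the service grant with `aws:SourceAccount` and `aws:SourceArn` conditions, and the same applies to the `kms:GenerateDataKey` statement in `kms_pol`. The second `kms_pol` statement is still labelled `Allow all users to modify/delete key (test only)` and the key is described as `Temporary key for AccTest of TF`, which reads as copied from a provider acceptance test; the account-root admin statement is needed so the key stays manageable, but the sid and description should say that rather than "test only". `force_destroy = true` on `gd_bucket` lets `terraform destroy` delete the findings, which are audit evidence for exactly the controls this commit is about, so I would drop it (or gate it on a variable) and add versioning and an `aws_s3_bucket_public_access_block` for the bucket. `data.aws_caller_identity.current` is referenced but not declared in this file, so it presumably lives in another file of the module; the bucket name also carries a typo, `gd-findingd`.
```hcl
data "aws_iam_policy_document" "bucket_pol" {
  count = var.enable_guard_duty ? 1 : 0
  statement {
    sid = "Allow PutObject"
    # … unchanged: actions / resources / principals …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:guardduty:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:detector/*"]
    }
  }
  # … unchanged: GetBucketLocation statement, with the same two conditions …
}
```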
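--- a/lambda.tf
+++ b/lambda.tf
@@ -917,4 +917,54 @@ resource "aws_cloudwatch_event_target" "lambda_target_expire_ssl_tls" {
 rule = aws_cloudwatch_event_rule.lambda_trigger_expire_ssl_tls[0].name
 arn = aws_lambda_function.lambda_function_expire_ssl_tls[0].arn
 target_id = "lambda_target_expire_ssl_tls"
 }
+
+# acm certificate expiration check
+
+data "template_file" "lambda_function_script_acm_cert_expire" {
+template = file("${path.module}/lambda_code/cc_6_7_acm_cert_expiration_check.py")
+vars = {
+sns_topic_arn = aws_sns_topic.trail-unauthorised.arn,
+}
+}
+resource "local_file" "lambda_code_acm_cert_expire" {
+content = data.template_file.lambda_function_script_acm_cert_expire.rendered
+filename = "${path.module}/rendered/acm_cert_expire.py"
+}
+
+data "archive_file" "lambda_zip_acm_cert_expire" {
+depends_on = [local_file.lambda_code_acm_cert_expire]
+type = "zip"
+source_dir = "${path.module}/rendered/"
+output_path = "${path.module}/lambda_acm_cert_expire.zip"
+}
+
+resource "aws_lambda_function" "lambda_function_acm_cert_expire" {
+filename = data.archive_file.lambda_zip_acm_cert_expire.output_path
+function_name = "acm_cert_expire"
+role = aws_iam_role.lambda_role.arn
+handler = "acm_cert_expire.lambda_handler"
+source_code_hash = data.archive_file.lambda_zip_acm_cert_expire.output_base64sha256
+runtime = "python3.9"
+timeout = 300
+memory_size = 256
+}
+
+resource "aws_lambda_permission" "lambda_permission_acm_cert_expire" {
+action = "lambda:InvokeFunction"
+function_name = aws_lambda_function.lambda_function_acm_cert_expire.arn
+principal = "events.amazonaws.com"
+source_arn = aws_cloudwatch_event_rule.lambda_trigger_acm_cert_expire.arn
+}
+
+resource "aws_cloudwatch_event_rule" "lambda_trigger_acm_cert_expire" {
+name = "lambda_trigger_acm_cert_expire"
+description = "Trigger for lambda function"
+schedule_expression = var.cron_expression
+}
+
+resource "aws_cloudwatch_event_target" "lambda_target_acm_cert_expire" {
+rule = aws_cloudwatch_event_rule.lambda_trigger_acm_cert_expire.name
+arn = aws_lambda_function.lambda_function_acm_cert_expire.arn
+target_id = "lambda_target_acm_cert_expire"
+}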
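Review bot: `template_file.lambda_function_script_acm_cert_expire` renders `sns_topic_arn` into the script, but the Python file added in this same commit never references `${sns_topic_arn}` and publishes to a hard-coded topic instead, so the SNS wiring in this hunk is dead until the script reads the variable. `archive_file.lambda_zip_acm_cert_expire` zips the whole `${path.module}/rendered/` directory, so this function's package contains every other rendered Lambda script in that directory and its `source_code_hash` changes whenever any of them changes, redeploying the function needlessly; `source_file = local_file.lambda_code_acm_cert_expire.filename` in place of `source_dir` gives a minimal package and makes the `depends_on` unnecessary. The function reuses `aws_iam_role.lambda_role`, defined outside this hunk; the script needs `ec2:DescribeRegions`, `acm:ListCertificates`, `acm:DescribeCertificate` and `sns:Publish` on the target topic, so confirm the shared role's policy already covers those rather than widening it. `data "template_file"` comes from the archived hashicorp/template provider; the built-in `templatefile()` function does the same job with no provider dependency, as in `content = templatefile("${path.module}/lambda_code/cc_6_7_acm_cert_expiration_check.py", { sns_topic_arn = aws_sns_topic.trail-unauthorised.arn })`.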
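--- /dev/null
+++ b/lambda_code/cc_6_7_acm_cert_expiration_check.py
@@ -0,0 +1,43 @@
+import boto3
+
+def lambda_handler(event, context):
+# Initialize the SNS client
+sns_client = boto3.client('sns')
+
+# Get the list of active AWS regions
+ec2_client = boto3.client('ec2')
+regions = [region['RegionName'] for region in ec2_client.describe_regions()['Regions']]
+
+# Iterate through each region
+for region in regions:
+# Initialize the ACM client for the current region
+acm_client = boto3.client('acm', region_name=region)
+
+try:
+# List the ACM certificates in the current region
+response = acm_client.list_certificates()
+
+# Process each certificate in the region
+for certificate in response['CertificateSummaryList']:
+certificate_arn = certificate['CertificateArn']
+
+# Get the details of the ACM certificate
+certificate_details = acm_client.describe_certificate(CertificateArn=certificate_arn)
+certificate_name = certificate_details['Certificate']['DomainName']
+expiration_date = certificate_details['Certificate']['NotAfter']
+
+# Compose the email message
+subject = f'ACM Certificate Expiration Alert'
+message = f'The ACM certificate "{certificate_name}" with ARN {certificate_arn} ' \
+f'in region {region} will expire on {expiration_date}.'
+
+# Replace 'your-topic-arn' with the ARN of your SNS topic
+topic_arn = 'arn:aws:sns:us-east-1:309017165673:acm-sns-alert'
+
+# Publish the message to the SNS topic
+sns_client.publish(TopicArn=topic_arn, Subject=subject, Message=message)
+
+except Exception as e:
+print(f'Error in region {region}: {e}')
+# Handle any errors that occur during the process
+# You can choose to log the error or take appropriate actions based on your use case.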
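Review bot: `lambda_handler` never compares `NotAfter` with the current date, so every scheduled run sends one alert per certificate in every region regardless of when it expires; a file named `cc_6_7_acm_cert_expiration_check.py` needs a threshold (`if expiration_date > cutoff: continue`) or it is noise rather than a control. The topic on the line `topic_arn = 'arn:aws:sns:us-east-1:309017165673:acm-sns-alert'` is hard-coded to one account and region although the Terraform side renders `sns_topic_arn` into this file; deployed in any other account the publish fails, and because the failure is caught by `except Exception` and only printed, the check silently does nothing. `certificate_details['Certificate']['NotAfter']` raises `KeyError` for certificates that have not been issued (pending validation or failed), and since the `try` wraps the whole per-region loop, one such certificate aborts the rest of that region; `list_certificates()` also returns only a single page, so use the paginator. The sketch below keeps the message format and the per-region error handling and adds the threshold, the rendered topic ARN (with the SNS client created in the topic's region), pagination and the missing-`NotAfter` guard; `datetime`, `timedelta` and `timezone` come from the stdlib `datetime` module.
```python
# Rendered by Terraform from the sns_topic_arn template variable.
TOPIC_ARN = "${sns_topic_arn}"
EXPIRY_THRESHOLD_DAYS = 30  # alert only when a certificate expires within this window

def lambda_handler(event, context):
    # SNS publish must go to a client in the topic's own region (4th ARN field).
    sns_client = boto3.client('sns', region_name=TOPIC_ARN.split(':')[3])
    cutoff = datetime.now(timezone.utc) + timedelta(days=EXPIRY_THRESHOLD_DAYS)
    # … unchanged: describe_regions() -> regions …
    for region in regions:
        acm_client = boto3.client('acm', region_name=region)
        try:
            for page in acm_client.get_paginator('list_certificates').paginate():
                for certificate in page['CertificateSummaryList']:
                    certificate_arn = certificate['CertificateArn']
                    details = acm_client.describe_certificate(CertificateArn=certificate_arn)['Certificate']
                    certificate_name = details['DomainName']
                    expiration_date = details.get('NotAfter')  # absent until the certificate is issued
                    if expiration_date is None or expiration_date > cutoff:
                        continue
                    # … unchanged: subject / message …
                    sns_client.publish(TopicArn=TOPIC_ARN, Subject=subject, Message=message)
        except Exception as e:
            print(f'Error in region {region}: {e}')
```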
11 changes: 9 additions & 2 deletions variable.tf
Expand Up @@ -37,7 +37,7 @@ variable "audit_log_bucket_custom_policy_json" {
# AWS Config
variable "config_enabled" {
type = bool
default = true
default = false
description = "Set it to true to enable AWS Config"
}

Expand Down Expand Up @@ -196,4 +196,11 @@ variable "remove_ssl_tls_iam" {
type = bool
default = false
description = "Remove expire ssl tls cert from IAM"
}
}

variable "enable_guard_duty" {
type = bool
default = true
description = "This will enable guard duty"
}
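Review bot: The `config_enabled` default flips from `true` to `false`, so every existing consumer of this module that does not set the variable will have AWS Config switched off by their next apply, and nothing in the diff or the description records why; if that is intended, say so in the description and call it out as a breaking change, e.g. `description = "Set it to true to enable AWS Config (default changed to false in this release; set it explicitly to keep Config on)"`. The new `enable_guard_duty` description `"This will enable guard duty"` understates what the flag does in guard-duty.tf; something like `"Create a GuardDuty detector plus a KMS-encrypted S3 findings bucket and publishing destination"` tells the caller what resources and costs to expect.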
