Cloudformation and Error handling

README.md

@@ -28,36 +28,56 @@ The design is:
 
 ## Deployment
 
-### Configure Deep Security to Send Events to Amazon SNS
-
-To configure Deep Security Manager to send all events to Amazon SNS, follow the steps in the [Deep Security Help Center](https://help.deepsecurity.trendmicro.com/sns.html).
-
-By default, this configuration sends all Deep Security events to the specified Amazon SNS topic. You can [filter what events are sent](https://help.deepsecurity.trendmicro.com/Events-Alerts/sns-json-config.html) using a simple JSON policy language (very similar to AWS IAM).
-
-This integration only uses a subset of Deep Security events. Essentially only sending critical and high severity events to AWS Security Hub by default. This class of events is more closely related to the core concept of an AWS Security Hub finding.
-
-**Caution:** If you use the Deep Security event policy language to prevent sending relevant events to an Amazon SNS topic, those events won't show up in the AWS Security Hub. This is unlikely to happen but something to be aware of if you're filtering the event stream outbound from your Deep Security installation.
+### Create the code package
+
+For the lambda to work you must make sure you run python2.7 and boto3 >= 1.9.68!
+This can be achieved by performing the following in this directory:
+```bash
+mkdir package
+pip install boto3 --target package/
+cd package
+zip -r9 ../lambdacode.zip .
+cd ../
+zip -g lambdacode.zip lambda_function.py
+```
+Now make the code available in a S3 bucket:
+```bash
+aws s3api put-object --body lambdacode.zip --key deepsecurity.zip --bucket <bucketname>
+```
 
 ### Configure AWS Security Hub
 
 AWS Security Hub is available as an open preview. Simply access the service from the AWS Management Console and click "Enable Security Hub".
 
 ![Enable AWS Security Hub](docs/enable-security-hub.png)
 
-This will walk you through the initial process of setting up the required permissions and structures to support the AWS Security Hub. 
+This will walk you through the initial process of setting up the required permissions and structures to support the AWS Security Hub.
 
 Once that initial step is complete, you need to subscribe to Trend Micro's Deep Security in order to permit the service to receive events from your Deep Security installation.
 
 ![Subscribe to Trend Micro:Deep Security](docs/subscribe-to-deep-security.png)
 
-### Configure the AWS Lambda Function
+### Stack deployment
+A [cloudformation template](cloudformation.yaml) has been provided to deploy most of the needed components.
+```bash
+aws cloudformation create-stack --stack-name <stackname> --template-body file://cloudformation.yaml
+```
+**parameters**
+Default values are provided but should be customized
 
-Using the CloudFormation template in this repository, you can easily deploy the required AWS Lambda function and assign the proper permissions via the AWS IAM execution role.
+**sns topic**
+The next stage will require you to send all events from Deep Security Manager to SNS. This stack has already created
+the sns topic and the arn can be found in it's outputs. The user for the accesskey must still be created.
 
-The code requires these permissions to run:
+### Configure Deep Security to Send Events to Amazon SNS
+
+To configure Deep Security Manager to send all events to Amazon SNS, follow the steps in the [Deep Security Help Center](https://help.deepsecurity.trendmicro.com/sns.html).
+
+By default, this configuration sends all Deep Security events to the specified Amazon SNS topic. You can [filter what events are sent](https://help.deepsecurity.trendmicro.com/Events-Alerts/sns-json-config.html) using a simple JSON policy language (very similar to AWS IAM).
+
+This integration only uses a subset of Deep Security events. Essentially only sending critical and high severity events to AWS Security Hub by default. This class of events is more closely related to the core concept of an AWS Security Hub finding.
 
-- read access to the target Amazon SNS topic that Deep Security is sending events to
-- write access to the AWS Security Hub API, specifically the ImportFindings function calls
+**Caution:** If you use the Deep Security event policy language to prevent sending relevant events to an Amazon SNS topic, those events won't show up in the AWS Security Hub. This is unlikely to happen but something to be aware of if you're filtering the event stream outbound from your Deep Security installation.
 
 ### Configuring AWS IAM Permissions
 
@@ -107,15 +127,15 @@ In order to properly select events to send to the AWS Security Hub, this integra
 
 ## Support
 
-This is an Open Source community project. Project contributors may be able to help, 
-depending on their time and availability. Please be specific about what you're 
+This is an Open Source community project. Project contributors may be able to help,
+depending on their time and availability. Please be specific about what you're
 trying to do, your system, and steps to reproduce the problem.
 
-For bug reports or feature requests, please 
-[open an issue](https://github.com/deep-security/serverless-kms-grants/issues). 
+For bug reports or feature requests, please
+[open an issue](https://github.com/deep-security/serverless-kms-grants/issues).
 You are welcome to [contribute](#contribute).
 
-Official support from Trend Micro is not available. Individual contributors may be 
+Official support from Trend Micro is not available. Individual contributors may be
 Trend Micro employees, but are not official support.
 
 ## Contribute
@@ -127,4 +147,4 @@ We accept contributions from the community. To submit changes:
 1. Make your changes.
 1. Submit a pull request with an explanation of your changes or additions.
 
-We will review and work with you to release the code.
+We will review and work with you to release the code.

cloudformation.yaml

@@ -0,0 +1,123 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Create components for the TD integration'
+
+Parameters:
+  TopicName:
+    Description: The name for the sns topic that will receive the TD alerts
+    Type: String
+    Default: "deepsecurity-alerts"
+  IAMRoleName:
+    Description: Name for the role of the lambda
+    Type: String
+    Default: role-deepsecurity-securityhub-lambda
+  IAMPolName:
+    Description: Name for the policy attached to the role of the lambda
+    Type: String
+    Default: policy-deepsecurity-securityhub-lambda
+  BucketName:
+    Description: Name of the bucket in which the lambda code (zip) is stored
+    Type: String
+    Default: deepsecurity-bucket
+  LambdaName:
+    Type: String
+    Default: lambda-deepsecurity-securityhub
+    Description: Name of the lambda function
+  Owner:
+    Type: String
+    Default: [email protected]
+    Description: Name of the owner of the application (You)
+
+
+Resources:
+  # Role for the lambda function to use
+  IAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              Service:
+                - "lambda.amazonaws.com"
+            Action:
+              - "sts:AssumeRole"
+      RoleName: !Ref IAMRoleName
+
+  # Policy for the lambda iam role
+  IAMPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      Roles:
+        - !Ref IAMRole
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          # Statement to be able to log
+          - Effect: Allow
+            Action:
+              - "logs:*"
+            Resource:
+              - "*"
+          # Allow securityhub batch-import
+          - Effect: "Allow"
+            Action:
+              - "securityhub:BatchImportFindings"
+            Resource:
+              - "*"
+          # Allow sns
+          - Effect: "Allow"
+            Action:
+              - "sns:*"
+            Resource:
+              - !Ref SNSTopic
+      PolicyName: !Ref IAMPolName
+
+  # Lambda function that will run the code to send the appropriate events to
+  # Security Hub
+  LambdaFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      Code:
+        S3Bucket: !Ref BucketName
+        S3Key: 'deepsecurity.zip'
+      Description: Filters events from deepsecurity and passes relevant ones to Security Hub
+      FunctionName: !Ref LambdaName
+      Handler: "lambda_handler"
+      MemorySize: 128
+      Role: !GetAtt IAMRole.Arn
+      Runtime: "python2.7"
+      Timeout: 60  # Two minutes
+      Tags:
+        - Key: Name
+          Value: !Ref LambdaName
+        - Key: Owner
+          Value: !Ref Owner
+        - Key: Application
+          Value: "Deepsecurity"
+
+  # SNS Topic to which Deep Security should send the alerts
+  SNSTopic:
+    Type: AWS::SNS::Topic
+    Properties:
+      DisplayName: !Ref TopicName
+      TopicName:  !Ref TopicName
+
+  TopicSubscription:
+    Type: "AWS::SNS::Subscription"
+    Properties:
+      Endpoint: !GetAtt LambdaFunction.Arn
+      Protocol: lambda
+      TopicArn: !Ref SNSTopic
+
+Outputs:
+  TopicArn:
+    Description: ARN of the sns topic created
+    Value: !Ref SNSTopic
+    Export:
+      Name: !Sub "${AWS::StackName}-TopicArn"
+  RoleArn:
+    Description: ARN of the iam role created
+    Value: !GetAtt IAMRole.Arn
+    Export:
+      Name: !Sub "${AWS::StackName}-RoleArn"