
inet check, cloudwatch dashboard and logs, IAM least privilege
dackbusch committed Jun 24, 2021
1 parent ea919e0 commit e1bad04
Showing 6 changed files with 230 additions and 53 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -15,7 +15,7 @@ or by [Contacting Qumulo Sales](http://discover.qumulo.com/cloud-calc-contact.ht
## Usage

**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
Instead pin to a release tag (e.g. `?ref=tags/x.y.z`).
Instead pin to a release tag (e.g. `?ref=tags/vx.y`).

For architectural details, resource requirements, deployment instructions, and configuration options see the [deployment guide](./docs/aws-sa-waf-cluster.pdf).

22 changes: 15 additions & 7 deletions cfn/provisioning-node-nodc.cft.yaml
Expand Up @@ -185,16 +185,23 @@ Resources:
Statement:
- Effect: Allow
Action:
- "kms:*"
- "ec2:*"
- "cloudformation:SetStackPolicy"
- "ec2:DeleteTags"
- "ec2:CreateTags"
- "ec2:DescribeVolumes"
- "iam:GenerateCredentialReport"
- "iam:GenerateServiceLastAccessedDetails"
- "iam:Get*"
- "iam:List*"
- "iam:SimulateCustomPolicy"
- "iam:Get*"
- "iam:GenerateServiceLastAccessedDetails"
- "iam:SimulatePrincipalPolicy"
- "ssm:*"
- "cloudformation:SetStackPolicy"
- "iam:SimulateCustomPolicy"
- "kms:Decrypt"
- "kms:PutKeyPolicy"
- "kms:GetKeyPolicy"
- "ssm:ListInstanceAssociations"
- "ssm:GetParameter"
- "ssm:PutParameter"
- "ssm:UpdateInstanceInformation"
Resource: "*"

ProvisionerProfile:
Expand Down Expand Up @@ -480,6 +487,7 @@ Resources:
$qq_host auth_modify_role --role $sc_username -G PRIVILEGE_NETWORK_READ
$qq_host auth_assign_role --role $sc_username --trustee $sc_username
$qq_host network_mod_network --network-id 1 --floating-ip-ranges $float_ips
$qq_host audit_set_cloudwatch_config --enable --log-group-name /qumulo/${StackName} --region ${Region}
$qq_host change_password -o ${ClusterPwd} -p $admin_password

if [ -z "${CMK}" ]; then
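Review bot: The narrowed action list in the first hunk still sits on `Resource: "*"`, so `kms:PutKeyPolicy` lets the provisioner rewrite the key policy of any key in the account and `ssm:PutParameter` lets it overwrite any parameter, which falls short of the least-privilege intent in the commit title. Split the statement so the kms actions are scoped to the cluster CMK (where the stack is deployed with one; the script tests `${CMK}` for empty in the second hunk) and the ssm parameter actions to the stack's own parameter path, keeping `*` only for the Describe/List and SSM-agent actions that require it. The second hunk enables audit logging against `/qumulo/${StackName}` unconditionally as far as the hunk shows, while the log group in resource-group.cft.yaml is created only when `QAuditLog` is not `"NO"` and is named from `TopStackName`; confirm that both names resolve to the same value and that this call is gated on the same condition in the surrounding script, which starts and ends outside the hunk.
```yaml
Statement:
  - Effect: Allow
    Action:
      # … unchanged: cloudformation, ec2, iam and the ssm instance/List actions …
    Resource: "*"
  - Effect: Allow
    Action:
      - "kms:Decrypt"
      - "kms:PutKeyPolicy"
      - "kms:GetKeyPolicy"
    Resource: "<CLUSTER_CMK_ARN>"  # placeholder: ARN of the CMK this stack provisions against
  - Effect: Allow
    Action:
      - "ssm:GetParameter"
      - "ssm:PutParameter"
    Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/<STACK_PARAMETER_PATH>/*"
```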
17 changes: 13 additions & 4 deletions cfn/qiam.cft.yaml
Expand Up @@ -45,10 +45,19 @@ Resources:
Statement:
- Effect: Allow
Action:
- "ec2:*"
- "cloudwatch:*"
- "kms:*"
- "s3:*"
- "cloudwatch:DeleteAlarms"
- "cloudwatch:PutMetricAlarm"
- "ec2:DescribeInstances"
- "ec2:AssignPrivateIpAddresses"
- "ec2:UnassignPrivateIpAddresses"
- "kms:Decrypt"
- "kms:GenerateDataKeyWithoutPlaintext"
- "kms:ReEncryptFrom"
- "kms:ReEncryptTo"
- "kms:DescribeKey"
- "kms:CreateGrant"
- "logs:PutLogEvents"
- "logs:CreateLogStream"
Resource: "*"

QumuloAccessProfile:
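Review bot: `kms:CreateGrant` on `Resource: "*"` lets the cluster instance role create grants on any key in the account, and the two logs actions on `*` let it write into any log group, so the replacement of `kms:*`/`cloudwatch:*`/`s3:*` in this hunk stops short of least privilege. Move the kms actions onto the cluster CMK ARN, put `kms:CreateGrant` in its own statement gated on `kms:GrantIsForAWSResource` so grants can only be taken out on behalf of an AWS service such as EBS, and scope the logs actions to the `/qumulo/<stack>` log group that resource-group.cft.yaml creates. The cloudwatch alarm and ec2 actions may still need `*` if the instance and alarm ARNs are not known at template time, but they should be the only ones left on it. The qiam template's parameters are outside the hunk, so the CMK and stack-name references below are placeholders to be wired to whatever this template already receives.
```yaml
Statement:
  - Effect: Allow
    Action:
      # … unchanged: cloudwatch alarm and ec2 actions …
    Resource: "*"
  - Effect: Allow
    Action:
      - "kms:Decrypt"
      - "kms:GenerateDataKeyWithoutPlaintext"
      - "kms:ReEncryptFrom"
      - "kms:ReEncryptTo"
      - "kms:DescribeKey"
    Resource: "<CLUSTER_CMK_ARN>"  # placeholder: ARN of the CMK the cluster volumes use
  - Effect: Allow
    Action:
      - "kms:CreateGrant"
    Resource: "<CLUSTER_CMK_ARN>"
    Condition:
      Bool:
        "kms:GrantIsForAWSResource": "true"
  - Effect: Allow
    Action:
      - "logs:CreateLogStream"
      - "logs:PutLogEvents"
    Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/qumulo/<TOP_STACK_NAME>:*"
```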
222 changes: 184 additions & 38 deletions cfn/resource-group.cft.yaml
Expand Up @@ -22,24 +22,35 @@ AWSTemplateFormatVersion: "2010-09-09"
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

Description: This template creates an resource group for the QSTACK for easy filtering in Cloud Watch
Description: This template creates an resource group, audit log group, and dashboard for the QSTACK for easy filtering and monitoring in Cloud Watch

Parameters:
QClusterName:
Type: String
QStackID:
Type: String
QStackName:
Type: String
Type: String
TopStackName:
Type: String
QAuditLog:
Type: String
AllFlash:
Type: String
Region:
Type: String

Conditions:
HDD: !Not
- !Equals
- !Ref AllFlash
- AF

CreateLog: !Not
- !Equals
- !Ref QAuditLog
- "NO"

Resources:
ClusterRG:
Type: "AWS::ResourceGroups::Group"
Expand Down Expand Up @@ -83,41 +94,170 @@ Resources:
- !Sub "${QStackName}-st1"
- !Sub "${QStackName}-sc1"

# DashboardSideBySide:
# Type: AWS::CloudWatch::Dashboard
# Properties:
# DashboardName: !Sub "${TopStackName}-Qumulo-Cluster"
# DashboardBody: '{"widgets":[
# {
# "type":"metric",
# "x":0,"y":0,
# "width":12,
# "height":6,
# "properties":
# {
# "metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-xyz"]],
# "period":300,
# "stat":"Average",
# "region":"us-west-2",
# "title":"EC2 Instance CPU"
# }
# },
# {
# "type":"metric",
# "x":12,
# "y":0,
# "width":12,
# "height":6,
# "properties":
# {
# "metrics":[["AWS/S3","BucketSizeBytes","BucketName","mybucket"]],
# "period":86400,
# "stat":"Maximum",
# "region":"us-west-2",
# "title":"MyBucketName bytes"
# }
# }
# ]}'
ClusterLogGroup:
Type: "AWS::Logs::LogGroup"
Condition: CreateLog
Properties:
LogGroupName: !Sub "/qumulo/${TopStackName}"

ClusterDashboard:
Type: "AWS::CloudWatch::Dashboard"
Properties:
DashboardName: !Sub "Qumulo-Cluster-${QStackName}"
DashboardBody: !Sub '{
"widgets": [
{
"type": "metric",
"x": 15,
"y": 0,
"width": 9,
"height": 6,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "FileSystemFreeCapacity", "ClusterName", "${QClusterName}", { "id": "m2" } ]
],
"view": "timeSeries",
"stacked": false,
"region": "${Region}",
"title": "File System Available Capacity",
"period": 300,
"stat": "Average",
"yAxis": {
"left": {
"label": ""
}
}
}
},
{
"type": "metric",
"x": 9,
"y": 0,
"width": 6,
"height": 3,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "RemainingNodeFailures", "ClusterName", "${QClusterName}" ]
],
"view": "singleValue",
"region": "${Region}",
"title": "EC2 Instance Protection",
"period": 300,
"stat": "Minimum"
}
},
{
"type": "metric",
"x": 0,
"y": 0,
"width": 9,
"height": 3,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "TotalNodeCount", "ClusterName", "${QClusterName}" ],
[ ".", "HealthyNodeCount", ".", "." ]
],
"view": "singleValue",
"region": "${Region}",
"title": "Cluster EC2 Instances",
"period": 300,
"stat": "Minimum"
}
},
{
"type": "metric",
"x": 0,
"y": 3,
"width": 9,
"height": 3,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "FailedDriveCount", "ClusterName", "${QClusterName}" ]
],
"view": "singleValue",
"region": "${Region}",
"title": "Failed EBS Volumes",
"period": 300,
"stat": "Maximum"
}
},
{
"type": "metric",
"x": 9,
"y": 3,
"width": 6,
"height": 3,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "RemainingDriveFailures", "ClusterName", "${QClusterName}" ]
],
"view": "singleValue",
"region": "${Region}",
"title": "EBS Volume Protection",
"period": 300,
"stat": "Minimum"
}
},
{
"type": "metric",
"x": 0,
"y": 6,
"width": 9,
"height": 6,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "ProtocolReadThroughput", "ClusterName", "${QClusterName}" ],
[ ".", "ProtocolWriteThroughput", ".", "." ]
],
"view": "timeSeries",
"stacked": false,
"region": "${Region}",
"title": "Protocol Throughput",
"period": 60,
"stat": "Average"
}
},
{
"type": "metric",
"x": 15,
"y": 6,
"width": 9,
"height": 6,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "ProtocolReadLatency", "ClusterName", "${QClusterName}" ],
[ ".", "ProtocolWriteLatency", ".", "." ],
[ ".", "ProtocolMetadataLatency", ".", "." ]
],
"view": "timeSeries",
"stacked": false,
"region": "${Region}",
"title": "Protocol Latency",
"period": 60,
"stat": "Average"
}
},
{
"type": "metric",
"x": 9,
"y": 6,
"width": 6,
"height": 6,
"properties": {
"metrics": [
[ "Qumulo/Metrics", "ProtocolReadOps", "ClusterName", "${QClusterName}" ],
[ ".", "ProtocolWriteOps", ".", "." ]
],
"view": "timeSeries",
"stacked": false,
"region": "${Region}",
"title": "Protocol IOPS",
"period": 60,
"stat": "Average"
}
}
]
}'

Outputs:
QumuloClusterRG:
Expand All @@ -126,4 +266,10 @@ Outputs:
Value: !Ref ClusterRGSSD
QumuloClusterHDDRG:
Condition: HDD
Value: !Ref ClusterRGHDD
Value: !Ref ClusterRGHDD
QumuloCluserCloudWatchDashboard:
Value: !Ref ClusterDashboard
QumuloClusterLogGroup:
Condition: CreateLog
Value: !Ref ClusterLogGroup
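Review bot: `ClusterLogGroup` is created without `RetentionInDays` and without a `DeletionPolicy`, so the cluster audit log is kept indefinitely while the stack lives and is deleted together with the stack; an audit trail usually needs the opposite, a bounded retention and records that outlive the stack. Add `DeletionPolicy: Retain` directly under the resource and `RetentionInDays: <RETENTION_DAYS>` under `Properties`, and consider `KmsKeyId` if audit logs must be encrypted with a customer-managed key rather than the service default. The dashboard widgets take their region from the `Region` parameter rather than `${AWS::Region}`; if that parameter can ever differ from the deploying region the widgets will show no data, so confirm how callers set it. The new output name `QumuloCluserCloudWatchDashboard` drops the `t` in `Cluster`; correct it to `QumuloClusterCloudWatchDashboard` before anything starts depending on the output.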

Binary file modified docs/aws-sa-waf-cluster.pdf
Binary file not shown.
