From 96c5b13bce82cb731cb15640f47bb5aa55b972f4 Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Mon, 30 Sep 2024 14:38:56 -0400 Subject: [PATCH 1/4] adding macie classification job --- .../solutions/macie/macie_org/README.md | 2 +- .../manifest.yaml | 7 +++ .../parameters/sra-macie-org-main-ssm.json | 12 +++++- .../macie/macie_org/lambda/src/app.py | 10 +++++ .../macie/macie_org/lambda/src/macie.py | 43 ++++++++++++++++++- .../sra-macie-org-configuration-role.yaml | 10 +++++ .../sra-macie-org-configuration.yaml | 29 +++++++++++++ .../templates/sra-macie-org-main-ssm.yaml | 29 +++++++++++++ aws_sra_examples/terraform/common/main.tf | 3 ++ .../terraform/solutions/macie/README.md | 5 ++- .../solutions/macie/configuration/invoke.tf | 10 ++++- .../macie/configuration/variables.tf | 18 ++++++++ .../macie/configuration_role/main.tf | 16 ++++++- .../terraform/solutions/macie/main.tf | 3 ++ .../terraform/solutions/macie/variables.tf | 18 ++++++++ aws_sra_examples/terraform/solutions/main.tf | 3 ++ .../terraform/solutions/variables.tf | 18 ++++++++ 17 files changed, 228 insertions(+), 8 deletions(-) diff --git a/aws_sra_examples/solutions/macie/macie_org/README.md b/aws_sra_examples/solutions/macie/macie_org/README.md index 3c50afe3..2eb85cca 100644 --- a/aws_sra_examples/solutions/macie/macie_org/README.md +++ b/aws_sra_examples/solutions/macie/macie_org/README.md 
@@ -14,7 +14,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- ## Introduction The Macie Organization solution will enable Amazon Macie by delegating administration to a member account within the Organization Management Account and configuring Macie within the delegated administrator account for all the existing and future AWS -Organization accounts. Macie is also configured to send the findings to a central S3 bucket encrypted with a KMS key. +Organization accounts. Macie is also configured to send the findings to a central S3 bucket encrypted with a KMS key. Additionally, a daily Macie classification job can be created to analyze objects in Amazon Simple Storage Service (Amazon S3) general purpose buckets. --- diff --git a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml index e9d877aa..aac5a2d1 100644 --- a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml @@ -33,6 +33,13 @@ resources: parameter_value: INFO - parameter_key: pSRAAlarmEmail parameter_value: '' + - parameter_key: pCreateMacieJob + parameter_value: 'true' + - parameter_key: pExcludesTagKey + parameter_value: 'sra-exclude-from-default-job' + - parameter_key: pMacieJobName + parameter_value: 'sra-macie-classification-job' + deploy_method: stack_set deployment_targets: accounts: diff --git a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json index d75214dc..b1d63f2c 100644 --- a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json 
+++ b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json @@ -44,7 +44,15 @@ "ParameterValue": "" }, { - "ParameterKey": "pSRAStagingS3BucketName", - "ParameterValue": "" + "ParameterKey": "pCreateMacieJob", + "ParameterValue": "true" + }, + { + "ParameterKey": "pExcludesTagKey", + "ParameterValue": "sra-exclude-from-default-job" + }, + { + "ParameterKey": "pMacieJobName", + "ParameterValue": "sra-macie-classification-job" } ] \ No newline at end of file diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py index c51d432e..ec64bd08 100644 --- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py +++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py @@ -12,6 +12,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 """ + from __future__ import annotations import json @@ -92,6 +93,10 @@ def process_create_update_event(params: dict, regions: list) -> None: params["KMS_KEY_ARN"], params["FINDING_PUBLISHING_FREQUENCY"], ) + if params["CREATE_MACIE_JOB"]: + macie.create_macie_job( + params["CONFIGURATION_ROLE_NAME"], params["DELEGATED_ADMIN_ACCOUNT_ID"], regions, params["MACIE_JOB_NAME"], params["TAG_KEY"] + ) def parameter_pattern_validator(parameter_name: str, parameter_value: str, pattern: str) -> None: 
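Review bot: The parameters file loses its `pSRAStagingS3BucketName` entry in this hunk while the new `pCreateMacieJob` entry takes its place, and neither the commit message nor the diffstat calls that out. The main-ssm template still forwards `pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName` later in this series, so dropping the entry only works if that template supplies a default; if the removal is a deliberate fix for a stale entry, say so in the commit message, otherwise keep the original entry and append the three new ones after it.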
@@ -147,7 +152,12 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict: pattern=r"^arn:(aws[a-zA-Z-]*){1}:sns:[a-z0-9-]+:\d{12}:[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$", ) parameter_pattern_validator("MANAGEMENT_ACCOUNT_ID", params.get("MANAGEMENT_ACCOUNT_ID", ""), pattern=r"^\d{12}$") + parameter_pattern_validator("CREATE_MACIE_JOB", params.get("CREATE_MACIE_JOB", ""), pattern=r"^true|false$") + parameter_pattern_validator("MACIE_JOB_NAME", params.get("MACIE_JOB_NAME", ""), pattern=r"^[\w-]{1,500}$") + parameter_pattern_validator("TAG_KEY", params.get("TAG_KEY", ""), pattern=r"^[\w-]{1,64}$") + # Convert true/false string parameters to boolean + params.update({"CREATE_MACIE_JOB": (params["CREATE_MACIE_JOB"] == "true")}) return params diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py index 5e2e863b..5e420789 100644 --- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py +++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py @@ -21,7 +21,7 @@ if TYPE_CHECKING: from mypy_boto3_macie2 import Macie2Client - from mypy_boto3_macie2.type_defs import ListOrganizationAdminAccountsResponseTypeDef + from mypy_boto3_macie2.type_defs import CreateClassificationJobRequestRequestTypeDef, ListOrganizationAdminAccountsResponseTypeDef from mypy_boto3_organizations import OrganizationsClient from mypy_boto3_sns import SNSClient 
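Review bot: The `CREATE_MACIE_JOB` pattern `^true|false$` is an alternation of `^true` and `false$`, so values such as `trueish` or `notfalse` pass validation and are then silently mapped to `False` by the `== "true"` conversion two lines later; anchor the group instead: `parameter_pattern_validator("CREATE_MACIE_JOB", params.get("CREATE_MACIE_JOB", ""), pattern=r"^(true|false)$")`. If the other boolean parameters earlier in get_validated_parameters use the same unanchored form, fix them together so the validators agree. get_validated_parameters begins outside the hunk.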
@@ -180,6 +180,47 @@ def enable_macie( LOGGER.info(f"Macie already enabled in {region}.") +def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None: + """Create Macie job. + + Args: + configuration_role_name: Configuration Role Name + admin_account_id: Delegated administrator account id + regions: AWS Region List + job_name: Macie job name + tag_key: Macie job tag key for bucket criteria + """ + kwargs: CreateClassificationJobRequestRequestTypeDef = { # type: ignore[typeddict-item] + "description": "SRA Macie job (Daily)", + "jobType": "SCHEDULED", + "initialRun": True, + "name": job_name, + "managedDataIdentifierSelector": "ALL", + "s3JobDefinition": { + "bucketCriteria": { + "excludes": {"and": [{"tagCriterion": {"comparator": "EQ", "tagValues": [{"key": tag_key, "value": "True"}]}}]} + } + }, + "samplingPercentage": 100, + "scheduleFrequency": {"dailySchedule": {}}, + "tags": {"sra-solution": "sra-macie-org"} + } + account_session: boto3.Session = boto3.Session() + + if configuration_role_name: + account_session = common.assume_role(configuration_role_name, "sra-enable-macie", admin_account_id) + for region in regions: + regional_client: Macie2Client = account_session.client("macie2", region_name=region, config=BOTO3_CONFIG) + try: + response = regional_client.create_classification_job(**kwargs) + LOGGER.debug({"API_Call": "macie2:CreateClassificationJob", "API_Response": response}) + LOGGER.info(f"Created Macie classification job '{job_name}' in {region}") + except ClientError as e: + error_code = e.response["Error"]["Code"] + if error_code == "ResourceInUseException": + LOGGER.info(f"Macie classification job '{job_name}' already exists in {region}") + + def process_delete_event(params: dict, regions: list, account_ids: list, include_members: bool = False) -> None: """Delete Macie solution resources. 
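Review bot: In the `except ClientError` branch only `ResourceInUseException` is handled; every other error code (access denied, validation, quota) is swallowed without a log line, so the custom resource reports success with no job created. Re-raise what is not handled and log what is: `if error_code != "ResourceInUseException": raise` before the info line. process_create_update_event calls this on every stack update, so unless the service actually rejects a second job of the same name with that code — worth confirming against the macie2 API reference — each update may add another daily job; checking `list_classification_jobs` for `job_name` before creating would make the call idempotent. On the cost side, `initialRun` true with `samplingPercentage` 100 means the default of creating the job scans every non-excluded bucket in every member account daily, which is worth stating in the parameter description.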
diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml index 30b7ca7b..2ce4009b 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml @@ -114,6 +114,7 @@ Resources: - macie2:PutClassificationExportConfiguration - macie2:UpdateMacieSession - macie2:UpdateOrganizationConfiguration + - macie2:TagResource Resource: '*' - Sid: MacieMember @@ -124,6 +125,15 @@ Resources: - macie2:DisassociateMember - macie2:GetMember Resource: !Sub arn:${AWS::Partition}:macie2:*:${AWS::AccountId}:* + + - Sid: MacieClassifications + Effect: Allow + Action: + - macie2:CreateClassificationJob + Resource: '*' + Condition: + StringEquals: + aws:ResourceTag/sra-solution: !Ref pSRASolutionName Tags: - Key: sra-solution diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml index 5b50c4d3..abb3c454 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml @@ -38,6 +38,9 @@ Metadata: - pFindingPublishingFrequency - pKMSKeyArn - pPublishingDestinationBucketName + - pCreateMacieJob + - pMacieJobName + - pExcludesTagKey - Label: default: General Lambda Function Properties @@ -52,6 +55,8 @@ Metadata: default: Control Tower Regions Only pCreateLambdaLogGroup: default: Create Lambda Log Group + pCreateMacieJob: + default: Create Macie job pDelegatedAdminAccountId: default: Delegated Admin Account ID pDisableMacie: 
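Review bot: The `MacieClassifications` statement gates `macie2:CreateClassificationJob` on `aws:ResourceTag/sra-solution`, but a create call has no existing resource whose tags could be evaluated; tags supplied on the request are matched by `aws:RequestTag/<key>`, so as written the condition likely never matches and job creation is denied — confirm against the Macie service authorization reference. If the intent is to allow only solution-tagged jobs, use `aws:RequestTag/sra-solution: !Ref pSRASolutionName` (optionally together with `aws:TagKeys`). The Lambda hard-codes the tag value `sra-macie-org` in create_macie_job, so the condition also breaks whenever pSRASolutionName is set to anything else; pass the solution name through to the Lambda or derive the tag from the same parameter. The Terraform counterpart in `configuration_role/main.tf` carries the same condition.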
@@ -60,6 +65,8 @@ Metadata: default: Disable Macie Role Name pEnabledRegions: default: Enabled Regions + pExcludesTagKey: + default: Tag Key pFindingPublishingFrequency: default: Finding Publishing Frequency pKMSKeyArn: @@ -70,6 +77,8 @@ Metadata: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level + pMacieJobName: + default: Macie Job Name pMacieOrgConfigurationRoleName: default: Configuration Role Name pMacieOrgLambdaFunctionName: @@ -100,6 +109,11 @@ Parameters: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String + pCreateMacieJob: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Indicates whether to create a Macie classification job with a daily schedule. + Type: String pDelegatedAdminAccountId: AllowedPattern: '^\d{12}$' ConstraintDescription: Must be 12 digits @@ -123,6 +137,12 @@ Parameters: us-east-1,ap-southeast-2) Description: Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String + pExcludesTagKey: + AllowedPattern: '^[\w-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -] + Default: sra-exclude-from-default-job + Description: A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'. + Type: String pFindingPublishingFrequency: AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS] Default: FIFTEEN_MINUTES 
@@ -150,6 +170,12 @@ Parameters: Default: INFO Description: Lambda Function Logging Level Type: String + pMacieJobName: + AllowedPattern: '^[\w-]{1,500}$' + ConstraintDescription: Max 500 alphanumeric characters. Also special characters supported [_, -] + Default: sra-macie-classification-job + Description: A custom name for the job. + Type: String pMacieOrgConfigurationRoleName: AllowedPattern: '^[\w+=,.@-]{1,64}$' ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] @@ -449,6 +475,9 @@ Resources: MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId PUBLISHING_DESTINATION_BUCKET_NAME: !Ref pPublishingDestinationBucketName SNS_TOPIC_ARN: !Ref rMacieOrgTopic + CREATE_MACIE_JOB: !Ref pCreateMacieJob + MACIE_JOB_NAME: !Ref pMacieJobName + TAG_KEY: !Ref pExcludesTagKey rMacieOrgTopic: Type: AWS::SNS::Topic diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml index 831542e3..0c575aa6 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml @@ -46,6 +46,9 @@ Metadata: - pEnabledRegions - pFindingPublishingFrequency - pOrganizationId + - pCreateMacieJob + - pMacieJobName + - pExcludesTagKey - Label: default: General Lambda Function Properties @@ -66,10 +69,14 @@ Metadata: default: Control Tower Regions Only pCreateLambdaLogGroup: default: Create Lambda Log Group + pCreateMacieJob: + default: Create Macie Job pDisableMacie: default: Disable Macie in All Accounts pEnabledRegions: default: (Optional) Enabled Regions + pExcludesTagKey: + default: Tag Key pFindingPublishingFrequency: default: Finding Publishing Frequency pLambdaLogGroupKmsKey: 
@@ -80,6 +87,8 @@ Metadata: default: Lambda Log Level pLogArchiveAccountId: default: Log Archive Account ID + pMacieJobName: + default: Macie Job Name pMacieOrgDeliveryBucketPrefix: default: Macie Delivery Bucket Prefix pMacieOrgDeliveryKeyAlias: @@ -127,6 +136,11 @@ Parameters: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String + pCreateMacieJob: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Indicates whether to create a Macie classification job with a daily schedule. + Type: String pDisableMacie: AllowedValues: ['true', 'false'] Default: 'false' @@ -140,11 +154,23 @@ Parameters: Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String + pExcludesTagKey: + AllowedPattern: '^[\w-]{1,64}$' + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -] + Default: sra-exclude-from-default-job + Description: A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'. + Type: String pFindingPublishingFrequency: AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS] Default: FIFTEEN_MINUTES Description: Finding publishing frequency Type: String + pMacieJobName: + AllowedPattern: '^[\w-]{1,500}$' + ConstraintDescription: Max 500 alphanumeric characters. Also special characters supported [_, -] + Default: sra-macie-classification-job + Description: A custom name for the job. + Type: String pMacieOrgDeliveryBucketPrefix: AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: 
@@ -395,6 +421,9 @@ Resources: pPublishingDestinationBucketName: !Sub ${pMacieOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region} pSRAAlarmEmail: !Ref pSRAAlarmEmail pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName + pCreateMacieJob: !Ref pCreateMacieJob + pMacieJobName: !Ref pMacieJobName + pExcludesTagKey: !Ref pExcludesTagKey Tags: - Key: sra-solution Value: !Ref pSRASolutionName diff --git a/aws_sra_examples/terraform/common/main.tf b/aws_sra_examples/terraform/common/main.tf index 3fc18857..624a4f03 100644 --- a/aws_sra_examples/terraform/common/main.tf +++ b/aws_sra_examples/terraform/common/main.tf @@ -181,6 +181,9 @@ resource "local_file" "config_file_creation" { ######################################################################## disable_macie = false macie_finding_publishing_frequency = "FIFTEEN_MINUTES" + create_macie_job = "true" + macie_job_name = "sra-macie-classification-job" + macie_excludes_tag_key = "sra-exclude-from-default-job" ######################################################################## # CloudTrail Settings diff --git a/aws_sra_examples/terraform/solutions/macie/README.md b/aws_sra_examples/terraform/solutions/macie/README.md index a782e831..ae94c4ec 100644 --- a/aws_sra_examples/terraform/solutions/macie/README.md +++ b/aws_sra_examples/terraform/solutions/macie/README.md @@ -25,7 +25,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- ## Introduction -This Terraform module deploys the Inspector AWS SRA solution. +This Terraform module deploys the Macie AWS SRA solution. The common pre-requisite solution must be installed, in the management account, prior to installing this solution. 
@@ -158,6 +158,9 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst | [home\_region](#input\_home\_region) | Name of the Control Tower home region | `string` | n/a | yes | | [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | AWS Account ID of the Control Tower Log Archive account. | `string` | n/a | yes | | [macie\_finding\_publishing\_frequency](#input\_macie\_finding\_publishing\_frequency) | Macie finding publishing frequency | `string` | n/a | yes | +| [create\_macie\_job](#input\_create\_macie\_job) | Indicates whether to create a Macie classification job with a daily schedule | `string` | "true" | yes | +| [macie\_job\_name](#input\_macie\_job\_name) | A custom name for the job | `string` | "sra-macie-classification-job" | yes | +| [macie\_excludes\_tag\_key](#input\macie\_excludes\_tag\_key) | A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True' | `string` | "sra-exclude-from-default-job" | yes | | [macie\_org\_configuration\_role\_name](#input\_macie\_org\_configuration\_role\_name) | Configuration IAM Role Name | `string` | `"sra-macie-org-configuration"` | no | | [macie\_org\_lambda\_role\_name](#input\_macie\_org\_lambda\_role\_name) | Lambda Role Name | `string` | `"sra-macie-org-lambda"` | no | | [management\_account\_id](#input\_management\_account\_id) | Organization Management Account ID | `string` | n/a | yes | diff --git a/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf b/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf index 0fa2302a..0ec4189c 100644 --- a/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf +++ b/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf 
@@ -22,7 +22,10 @@ resource "aws_lambda_invocation" "lambda_invoke" { "MANAGEMENT_ACCOUNT_ID" : "${var.p_management_account_id}", "CONFIGURATION_ROLE_NAME" : "${var.p_macie_org_configuration_role_name}", "FINDING_PUBLISHING_FREQUENCY" : "${var.p_finding_publishing_frequency}", - "ENABLED_REGIONS" : "${var.p_enabled_regions}" + "ENABLED_REGIONS" : "${var.p_enabled_regions}", + "CREATE_MACIE_JOB" : "${var.p_create_macie_job}", + "MACIE_JOB_NAME" : "${var.p_macie_job_name}", + "TAG_KEY" : "${var.p_macie_excludes_tag_key}" } }) } @@ -46,7 +49,10 @@ resource "aws_lambda_invocation" "lambda_disable_invoke" { "MANAGEMENT_ACCOUNT_ID" : "${var.p_management_account_id}", "CONFIGURATION_ROLE_NAME" : "${var.p_macie_org_configuration_role_name}", "FINDING_PUBLISHING_FREQUENCY" : "${var.p_finding_publishing_frequency}", - "ENABLED_REGIONS" : "${var.p_enabled_regions}" + "ENABLED_REGIONS" : "${var.p_enabled_regions}", + "CREATE_MACIE_JOB" : "${var.p_create_macie_job}", + "MACIE_JOB_NAME" : "${var.p_macie_job_name}", + "TAG_KEY" : "${var.p_macie_excludes_tag_key}" } }) } diff --git a/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf b/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf index 17b306fe..b24c6c31 100644 --- a/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf +++ b/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf 
@@ -48,6 +48,24 @@ variable "p_finding_publishing_frequency" { default = "FIFTEEN_MINUTES" } +variable "p_create_macie_job" { + description = "Indicates whether to create a Macie classification job with a daily schedule." + type = string + default = "true" +} + +variable "p_macie_job_name" { + description = "A custom name for the job." + type = string + default = "sra-macie-classification-job" +} + +variable "p_macie_excludes_tag_key" { + description = "A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'." + type = string + default = "sra-exclude-from-default-job" +} + variable "p_kms_key_arn" { description = "Logging S3 bucket KMS Key ARN" type = string diff --git a/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf b/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf index b23159b7..41039e4b 100644 --- a/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf +++ b/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf @@ -60,7 +60,8 @@ resource "aws_iam_policy" "macie_org_policy" { "macie2:ListOrganizationAdminAccounts", "macie2:PutClassificationExportConfiguration", "macie2:UpdateMacieSession", - "macie2:UpdateOrganizationConfiguration" + "macie2:UpdateOrganizationConfiguration", + "macie2:TagResource" ], Resource = "*" }, @@ -74,6 +75,19 @@ resource "aws_iam_policy" "macie_org_policy" { "macie2:GetMember" ], Resource = "arn:${data.aws_partition.current.partition}:macie2:*:${var.audit_account_id}:*" + }, + { + Sid = "MacieClassifications", + Effect = "Allow", + Action = [ + "macie2:CreateClassificationJob", + ], + Resource = "*", + Condition = { + StringEquals = { + "aws:ResourceTag/sra-solution" = var.sra_solution_name + } + } } ] }) diff --git a/aws_sra_examples/terraform/solutions/macie/main.tf b/aws_sra_examples/terraform/solutions/macie/main.tf index a1be4601..1f6fc283 100644 
--- a/aws_sra_examples/terraform/solutions/macie/main.tf +++ b/aws_sra_examples/terraform/solutions/macie/main.tf @@ -79,4 +79,7 @@ module "macie_configuration" { p_publishing_destination_bucket_name = module.delivery_s3_bucket[0].macie_delivery_bucket_name disable_macie = var.disable_macie p_finding_publishing_frequency = var.macie_finding_publishing_frequency + p_create_macie_job = var.create_macie_job + p_macie_job_name = var.macie_job_name + p_macie_excludes_tag_key = var.macie_excludes_tag_key } diff --git a/aws_sra_examples/terraform/solutions/macie/variables.tf b/aws_sra_examples/terraform/solutions/macie/variables.tf index 2e921b0c..3526ff9e 100644 --- a/aws_sra_examples/terraform/solutions/macie/variables.tf +++ b/aws_sra_examples/terraform/solutions/macie/variables.tf @@ -55,3 +55,21 @@ variable "macie_finding_publishing_frequency" { description = "Macie finding publishing frequency" type = string } + +variable "create_macie_job" { + description = "Indicates whether to create a Macie classification job with a daily schedule." + type = string + default = "true" +} + +variable "macie_job_name" { + description = "A custom name for the job." + type = string + default = "sra-macie-classification-job" +} + +variable "macie_excludes_tag_key" { + description = "A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'." + type = string + default = "sra-exclude-from-default-job" +} \ No newline at end of file diff --git a/aws_sra_examples/terraform/solutions/main.tf b/aws_sra_examples/terraform/solutions/main.tf index 637ae028..d341f9bd 100644 --- a/aws_sra_examples/terraform/solutions/main.tf +++ b/aws_sra_examples/terraform/solutions/main.tf 
@@ -130,6 +130,9 @@ module "macie" { organization_id = var.organization_id macie_finding_publishing_frequency = var.macie_finding_publishing_frequency disable_macie = var.disable_macie + create_macie_job = var.create_macie_job + macie_job_name = var.macie_job_name + macie_excludes_tag_key = var.macie_excludes_tag_key } module "cloudtrail" { diff --git a/aws_sra_examples/terraform/solutions/variables.tf b/aws_sra_examples/terraform/solutions/variables.tf index cbbd67e3..d5d9bb2c 100644 --- a/aws_sra_examples/terraform/solutions/variables.tf +++ b/aws_sra_examples/terraform/solutions/variables.tf @@ -335,6 +335,24 @@ variable "disable_macie" { description = "Update to 'true' to disable Macie in all accounts and regions before deleting the TF." } +variable "create_macie_job" { + description = "Indicates whether to create a Macie classification job with a daily schedule." + type = string + default = "true" +} + +variable "macie_job_name" { + description = "A custom name for the job." + type = string + default = "sra-macie-classification-job" +} + +variable "macie_excludes_tag_key" { + description = "A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'." + type = string + default = "sra-exclude-from-default-job" +} + ######################################################################## # CloudTrail Configurations ######################################################################## From 26f234608580010f886fff00c9b4a547bcf4cdfd Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Mon, 7 Oct 2024 09:58:05 -0400 Subject: [PATCH 2/4] linting fixes --- .../solutions/macie/macie_org/lambda/src/macie.py | 2 +- .../solutions/macie/configuration_role/main.tf | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py index 5e420789..06c34734 100644 --- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py +++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py @@ -180,7 +180,7 @@ def enable_macie( LOGGER.info(f"Macie already enabled in {region}.") -def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None: +def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None: # noqa: ECE001 """Create Macie job. Args: diff --git a/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf b/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf index 41039e4b..54dcbb9a 100644 --- a/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf +++ b/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf @@ -31,6 +31,7 @@ resource "aws_iam_role" "macie_org_configuration_role" { } resource "aws_iam_policy" "macie_org_policy" { + #checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" name = "sra-macie-org-policy" description = "Policy for Macie Org Configuration Role" @@ -61,7 +62,6 @@ resource "aws_iam_policy" "macie_org_policy" { "macie2:PutClassificationExportConfiguration", "macie2:UpdateMacieSession", "macie2:UpdateOrganizationConfiguration", - "macie2:TagResource" ], Resource = "*" }, @@ -88,6 +88,14 @@ resource "aws_iam_policy" "macie_org_policy" { "aws:ResourceTag/sra-solution" = var.sra_solution_name } } + }, + { + Sid = "MacieTagResource", + Effect = "Allow", + Action = [ + "macie2:TagResource", + ], + Resource = "*" } ] }) From aff6cd988d661a877fb7655d95be25cf7f21067b Mon Sep 17 00:00:00 2001 
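Review bot: The new `MacieTagResource` statement grants `macie2:TagResource` on `Resource = "*"` with no condition, so the configuration role can retag any Macie resource in the account; the added `checkov:skip` line suppresses the finding rather than narrowing the grant. If the tag permission is needed for the create-with-tags call, constrain it to the solution tag: `Condition = { StringEquals = { "aws:RequestTag/sra-solution" = var.sra_solution_name } }`. The CloudFormation role template in the first patch adds `macie2:TagResource` to its wildcard statement in the same unconditioned way and should be scoped to match.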
From: ievgeniia ieromenko Date: Tue, 8 Oct 2024 14:20:59 -0400 Subject: [PATCH 3/4] flake8 fixes --- .../solutions/macie/macie_org/lambda/src/macie.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py index 06c34734..63cb74dc 100644 --- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py +++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py @@ -180,7 +180,7 @@ def enable_macie( LOGGER.info(f"Macie already enabled in {region}.") -def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None: # noqa: ECE001 +def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None: """Create Macie job. Args: @@ -190,7 +190,7 @@ def create_macie_job(configuration_role_name: str, admin_account_id: str, region job_name: Macie job name tag_key: Macie job tag key for bucket criteria """ - kwargs: CreateClassificationJobRequestRequestTypeDef = { # type: ignore[typeddict-item] + kwargs: CreateClassificationJobRequestRequestTypeDef = { # type: ignore[typeddict-item] # noqa: ECE001 "description": "SRA Macie job (Daily)", "jobType": "SCHEDULED", "initialRun": True, From 5174101b007494cceca74eeda3da8c6a4ae824a0 Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Tue, 8 Oct 2024 14:25:35 -0400 Subject: [PATCH 4/4] black fixes --- .../solutions/macie/macie_org/lambda/src/macie.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py index 63cb74dc..728621d6 100644 --- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py +++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py 
@@ -7,6 +7,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 """ + from __future__ import annotations import json @@ -197,13 +198,11 @@ def create_macie_job(configuration_role_name: str, admin_account_id: str, region "name": job_name, "managedDataIdentifierSelector": "ALL", "s3JobDefinition": { - "bucketCriteria": { - "excludes": {"and": [{"tagCriterion": {"comparator": "EQ", "tagValues": [{"key": tag_key, "value": "True"}]}}]} - } + "bucketCriteria": {"excludes": {"and": [{"tagCriterion": {"comparator": "EQ", "tagValues": [{"key": tag_key, "value": "True"}]}}]}} }, "samplingPercentage": 100, "scheduleFrequency": {"dailySchedule": {}}, - "tags": {"sra-solution": "sra-macie-org"} + "tags": {"sra-solution": "sra-macie-org"}, } account_session: boto3.Session = boto3.Session()