2.209.0

cado-security · Dec 24, 2024 · 9945373 · 9945373
1 parent 4a5761e
commit 9945373
Show file tree

Hide file tree

Showing 9 changed files with 206 additions and 30 deletions.
diff --git a/aws_deprecated/aws_roles/main.tf b/aws_deprecated/aws_roles/main.tf
@@ -437,15 +437,8 @@ resource "aws_iam_role_policy" "policy" {
 			"Sid": "RequiredForGuardDutyMonitoring",
 			"Effect": "Allow",
 			"Action": [
-				"guardduty:ListIPSets",
-				"guardduty:ListThreatIntelSets",
 				"guardduty:ListDetectors",
-				"guardduty:ListOrganizationAdminAccounts",
 				"guardduty:ListFindings",
-				"guardduty:ListFilters",
-				"guardduty:ListPublishingDestinations",
-				"guardduty:ListInvitations",
-				"guardduty:ListMembers",
 				"guardduty:GetFindings"
 			],
 			"Resource": "*"

diff --git a/aws_v2/modules/iam/main.tf b/aws_v2/modules/iam/main.tf
@@ -166,9 +166,7 @@ resource "aws_iam_role_policy" "instance_policy" {
             "Action": [
                 "s3:PutObject",
                 "s3:GetObject",
-                "s3:RestoreObject",
-                "s3:PutObjectTagging",
-                "s3:GetObjectTagging"
+                "s3:RestoreObject"
             ],
             "Resource": "arn:aws:s3:::${var.s3_bucket_id}/*"
         },
@@ -280,9 +278,7 @@ resource "aws_iam_role_policy" "policy" {
             "Action": [
                 "s3:PutObject",
                 "s3:GetObject",
-                "s3:RestoreObject",
-                "s3:PutObjectTagging",
-                "s3:GetObjectTagging"
+                "s3:RestoreObject"
             ],
             "Resource": "arn:aws:s3:::${var.s3_bucket_id}/*"
         },
@@ -316,7 +312,6 @@ resource "aws_iam_role_policy" "policy" {
                 "s3:ListAllMyBuckets",
                 "s3:GetObject",
                 "s3:RestoreObject",
-                "s3:GetObjectTagging",
                 "s3:ListBucket",
                 "s3:GetBucketLocation"
             ],
@@ -521,15 +516,8 @@ resource "aws_iam_role_policy" "policy" {
             "Sid": "RequiredForGuardDutyMonitoring",
             "Effect": "Allow",
             "Action": [
-                "guardduty:ListIPSets",
-                "guardduty:ListThreatIntelSets",
                 "guardduty:ListDetectors",
-                "guardduty:ListOrganizationAdminAccounts",
                 "guardduty:ListFindings",
-                "guardduty:ListFilters",
-                "guardduty:ListPublishingDestinations",
-                "guardduty:ListInvitations",
-                "guardduty:ListMembers",
                 "guardduty:GetFindings"
             ],
             "Resource": "*"

diff --git a/azure/azure_transient/main.tf b/azure/azure_transient/main.tf
@@ -6,12 +6,18 @@ variable "deploy_nfs" {
   default     = true
 }
 
-variable "image_id" {
+variable "blob_url" {
   type        = string
   description = "Cado Response VHD blobstore URL"
   default     = ""
 }
 
+variable "image_id" {
+  type        = string
+  description = "A fully scoped resource id for a cado image e.g. /subscriptions/{ID}/resourceGroups/{NAME}/providers/Microsoft.Compute/images/cadoresponse"
+  default     = ""
+}
+
 variable "ip_pattern_https" {
   type        = list(string)
   description = "Incoming IPs permitted to access https. CIDR or source IP range or * to match any IP."
@@ -122,14 +128,15 @@ data "azurerm_client_config" "current" {}
 // Network
 
 resource "azurerm_image" "image" {
+  count               = var.image_id != "" ? 0 : 1 # if image_id is set, we won't need an image from a blob
   name                = "cado_response"
   location            = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name
 
   os_disk {
     os_type  = "Linux"
     os_state = "Generalized"
-    blob_uri = var.image_id # azurerm_storage_blob.vhd.url
+    blob_uri = var.blob_url # azurerm_storage_blob.vhd.url
     size_gb  = 30
   }
 }
@@ -298,7 +305,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
 
   tags = var.tags
 
-  source_image_id = azurerm_image.image.id
+  source_image_id = var.image_id != "" ? var.image_id : azurerm_image.image[0].id
 }
 
 resource "azurerm_virtual_machine_data_disk_attachment" "data_disk_attachment" {

diff --git a/azure/cado/main.tf b/azure/cado/main.tf
@@ -27,12 +27,18 @@ variable "deploy_acquisition_permissions" {
   default     = true
 }
 
-variable "image_id" {
+variable "blob_url" {
   type        = string
   description = "Cado Response VHD blobstore URL"
   default     = "<VHD BLOBSTORE URL FROM YOUR STORAGE ACCOUNT>"
 }
 
+variable "image_id" {
+  type        = string
+  description = "A fully scoped resource id for a cado image e.g. /subscriptions/{ID}/resourceGroups/{NAME}/providers/Microsoft.Compute/images/cadoresponse"
+  default     = ""
+}
+
 variable "ip_pattern_https" {
   type        = list(string)
   description = "Incoming IPs permitted to access https. CIDR or source IP range or * to match any IP."
@@ -155,6 +161,7 @@ module "azure_persistent" {
 module "azure_transient" {
   source                         = "./../azure_transient"
   resource_group                 = var.resource_group
+  blob_url                       = var.blob_url
   image_id                       = var.image_id
   ip_pattern_https               = var.ip_pattern_https
   deploy_nfs                     = var.deploy_nfs

diff --git a/cross-account/CrossAccountPolicy.yaml b/cross-account/CrossAccountPolicy.yaml
@@ -39,7 +39,6 @@ Statement:
   - s3:ListAllMyBuckets
   - s3:GetObject
   - s3:RestoreObject
-  - s3:GetObjectTagging
   - s3:ListBucket
   - s3:GetBucketLocation
   Resource: '*'

diff --git a/cross-account/CrossAccountStackSet.yaml b/cross-account/CrossAccountStackSet.yaml
@@ -73,7 +73,6 @@ Resources:
           - s3:ListAllMyBuckets
           - s3:GetObject
           - s3:RestoreObject
-          - s3:GetObjectTagging
           - s3:ListBucket
           - s3:GetBucketLocation
           Resource: '*'

diff --git a/new-roles/AWSInstanceRole.json b/new-roles/AWSInstanceRole.json
@@ -0,0 +1,186 @@
+[
+  {
+    "Sid": "IAM",
+    "Effect": "Allow",
+    "Action": [
+      "sts:AssumeRole",
+      "iam:GetInstanceProfile",
+      "iam:GetRole",
+      "iam:ListAttachedRolePolicies",
+      "iam:ListInstanceProfilesForRole",
+      "iam:ListRolePolicies",
+      "iam:PassRole",
+      "sts:GetCallerIdentity",
+      "sts:GetSessionToken"
+    ],
+    "Resource": "arn:aws:iam::*:role/*CadoResponse*"
+  },
+  {
+    "Sid": "RequiredForSecretsManagement",
+    "Effect": "Allow",
+    "Action": [
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:CreateSecret",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:TagResource"
+    ],
+    "Resource": "*",
+    "Condition": {
+      "StringLike": {
+        "aws:ResourceTag/Name": "CadoResponse*"
+      }
+    }
+  },
+  {
+    "Sid": "RequiredForWorkers",
+    "Effect": "Allow",
+    "Action": [
+      "ec2:DeleteVolume",
+      "ec2:DeleteSnapshot",
+      "ec2:TerminateInstances",
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+      "ec2:StopInstances",
+      "ec2:StartInstances",
+      "ec2:RunInstances",
+      "ec2:DescribeInstances",
+      "ec2:DescribeInstanceStatus",
+      "ec2:CreateTags",
+      "ec2:DescribeAddresses",
+      "ec2:AssociateAddress"
+    ],
+    "Resource": "*"
+  },
+  {
+    "Sid": "RequiredForWorkersAndUpdatesIAM",
+    "Effect": "Allow",
+    "Action": [
+      "iam:PassRole"
+    ],
+    "Resource": "arn:aws:iam::*:role/*CadoResponse*"
+  },
+  {
+    "Sid": "RequiredForNativeUpdates",
+    "Effect": "Allow",
+    "Action": [
+      "ec2:DeleteVolume",
+      "ec2:DeleteSnapshot",
+      "ec2:TerminateInstances",
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+      "ec2:StopInstances",
+      "ec2:StartInstances",
+      "ec2:RunInstances",
+      "ec2:CreateTags",
+      "ec2:DescribeInstanceStatus",
+      "ec2:DescribeInstances",
+      "ec2:DescribeAddresses",
+      "ec2:AssociateAddress",
+      "ec2:DescribeImages",
+      "ec2:DescribeVolumes",
+      "ec2:DescribeInstanceAttribute"
+    ],
+    "Resource": "*"
+  },
+  {
+    "Sid": "RequiredForNativeUpdatesWithALB",
+    "Effect": "Allow",
+    "Action": [
+      "elasticloadbalancing:DescribeTargetHealth",
+      "elasticloadbalancing:DescribeTargetGroups",
+      "elasticloadbalancing:RegisterTargets",
+      "elasticloadbalancing:DeregisterTargets"
+    ],
+    "Resource": "*"
+  },
+  {
+    "Sid": "RequiredForCadoHostAndPreservation",
+    "Effect": "Allow",
+    "Action": [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:RestoreObject"
+    ],
+    "Resource": {
+      "Fn::Join": [
+        "",
+        [
+          "arn:aws:s3:::",
+          {
+            "Ref": "CadoS3BucketAlt"
+          },
+          "/*"
+        ]
+      ]
+    }
+  },
+  {
+    "Sid": "RequiredForCadoHostAndPreservation2",
+    "Effect": "Allow",
+    "Action": [
+      "s3:ListAllMyBuckets",
+      "s3:ListBucket",
+      "s3:GetBucketLocation"
+    ],
+    "Resource": {
+      "Fn::Join": [
+        "",
+        [
+          "arn:aws:s3:::",
+          {
+            "Ref": "CadoS3BucketAlt"
+          }
+        ]
+      ]
+    }
+  },
+  {
+    "Sid": "RequiredForHealthChecks",
+    "Effect": "Allow",
+    "Action": [
+      "s3:PutObject",
+      "ec2:DescribeInstanceTypes",
+      "ec2:DescribeSecurityGroups",
+      "cloudtrail:ListTrails",
+      "servicequotas:GetServiceQuota",
+      "cloudwatch:GetMetricData",
+      "cloudtrail:GetTrailStatus",
+      "iam:GetRolePolicy"
+    ],
+    "Resource": "*"
+  },
+  {
+    "Sid": "RequiredForCloudWatchAgent",
+    "Effect": "Allow",
+    "Action": [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ],
+    "Resource": {
+      "Fn::If": [
+        "ConfigureCloudWatch",
+        {
+          "Fn::Join": [
+            ":",
+            [
+              "arn:aws:logs",
+              {
+                "Ref": "AWS::Region"
+              },
+              {
+                "Ref": "AWS::AccountId"
+              },
+              "log-group",
+              {
+                "Ref": "CadoLogGroup"
+              },
+              "*"
+            ]
+          ]
+        },
+        "*"
+      ]
+    }
+  }
+]
diff --git a/new-roles/AWSInstanceRole.yaml b/new-roles/AWSInstanceRole.yaml
@@ -83,8 +83,6 @@ Properties:
       - s3:PutObject
       - s3:GetObject
       - s3:RestoreObject
-      - s3:PutObjectTagging
-      - s3:GetObjectTagging
       Resource:
         Fn::Join:
         - ''

diff --git a/new-roles/AcquisitionPolicy.yaml b/new-roles/AcquisitionPolicy.yaml
@@ -15,7 +15,6 @@ Statement:
   - s3:ListAllMyBuckets
   - s3:GetObject
   - s3:RestoreObject
-  - s3:GetObjectTagging
   - s3:ListBucket
   - s3:GetBucketLocation
   Resource: '*'