This lambda is designed to handle the API for Customers, Tenants, Accounts, Rulesets, Rule Sources and Account Regions configurations
-
GET: Get customer (s) data-
Get customer with a specific name:
Request url:
/customers/display_name=EPAM SystemsResponse body:
{ "items": [ { "activation_date": "2021-08-23T09:13:58.520262", "owner": "[email protected]", "display_name": "EPAM Systems" } ] } -
Get all customers available:
Request url:
/customersResponse body:
{ "items": [ { "activation_date": "2021-08-23T10:08:27.775913", "owner": "[email protected]", "display_name": "TEST_CUSTOMER" }, { "activation_date": "2021-08-23T09:13:58.520262", "owner": "[email protected]", "display_name": "EPAM Systems" } ] }
-
-
POST: Create new customerRequest body:
{ "display_name": "TEST_CUSTOMER_3", "owner": "[email protected]", "contacts": { // Optional "primary": [ "contact1", "contact2" ], "manager": [ "contact3" ] } }
Response body:
{ "items": [ { "display_name": "TEST_CUSTOMER_2", "activation_date": "2021-08-26T08:45:35.670257", "owner": "[email protected]" } ] } -
PATCHUpdate customer
Request body:{ "display_name": "TEST_CUSTOMER_2", "owner": "new owner", // Optional "contacts": { // Optional "primary": [ "contact1", "contact2", "contact3" ], "manager": [ "contact3" ] } }
Response Body:
{ "items": [ { "activation_date": "2021-08-26T08:48:17.929975", "owner": "new owner", "display_name": "TEST_CUSTOMER_2" } ] }
-
DELETEDelete customer Request body:{ "display_name": "TEST_CUSTOMER_2" }
Response body:
{ "message": "customer with name 'TEST_CUSTOMER_2' has been deleted" }
-
GET: Get tenant(s) data-
Get tenant with a specific name:
Request url:
/tenants/display_name=TEST_TENANTResponse body:
{ "items": [ { "inherit": true, "activation_date": "2021-08-23T09:15:37.241766", "customer_display_name": "EPAM Systems", "display_name": "TEST_TENANT" } ] }
-
Get all tenants:
Request url:
/tenants/display_name=TEST_TENANTResponse body:
{ "items": [ { "inherit": true, "activation_date": "2021-08-23T09:15:37.241766", "customer_display_name": "EPAM Systems", "display_name": "TEST_TENANT" }, { "inherit": true, "activation_date": "2021-08-23T13:45:02.435954", "customer_display_name": "EPAM Systems", "display_name": "AWS-MSTR-DEV2" }, { "inherit": true, "activation_date": "2021-08-23T13:46:41.676827", "customer_display_name": "EPAM Systems", "display_name": "AWS-MSTR-RES" } ] }
-
-
POST: Create new tenantRequest body:
{ "display_name": "TEST_TENANT_2", "customer": "EPAM Systems", "inherit": true }
Response body:
{ "items": [ { "inherit": true, "display_name": "TEST_TENANT_2", "activation_date": "2021-08-26T09:07:24.986016", "customer_display_name": "EPAM Systems" } ] }
-
PATCH: Update tenantRequest body:
{ "display_name": "TEST_TENANT_2", "inherit": false }
Response body:
{ "items": [ { "inherit": false, "activation_date": "2021-08-26T09:07:24.986016", "customer_display_name": "EPAM Systems", "display_name": "TEST_TENANT_2" } ] }
-
DELETE: Delete tenantRequest body:
{ "display_name": "TEST_TENANT_2" }
Response body:
{ "message": "tenant with id 'TEST_TENANT_2' has been deleted" }
-
GET: Get account(s) data-
Get accounts with a specific name:
Request url:
/accounts/display_name=AWS-MSTR-DEV2Response body:
{ "items": [ { "inherit": true, "regions": [ "ap-northeast-1", "eu-west-1", "eu-central-1" ], "customer_display_name": "EPAM Systems", "tenant_display_name": "AWS-MSTR-DEV2", "display_name": "AWS-MSTR-DEV2", "cloud": "aws", "activation_date": "2021-08-23T13:45:03.875694" } ] }
-
Get all accounts:
Request url:
/accountsResponse body:
{ "items": [ { "inherit": true, "regions": [ "ap-northeast-1", "eu-west-1", "eu-central-1" ], "customer_display_name": "EPAM Systems", "tenant_display_name": "AWS-MSTR-DEV2", "cloud": "aws", "display_name": "AWS-MSTR-DEV2", "activation_date": "2021-08-23T13:45:03.875694" }, { "inherit": true, "activation_date": "2021-08-23T13:46:42.456993", "regions": [ "ap-northeast-1", "eu-west-1" ], "customer_display_name": "EPAM Systems", "tenant_display_name": "AWS-MSTR-RES", "cloud": "aws", "display_name": "AWS-MSTR-RES" } ] }
-
-
POSTCreate accountRequest body:
{ "display_name": "TEST_ACCOUNT", "tenant": "TEST_TENANT", // Existing Tenant name "customer": "EPAM Systems", // Existing Customer name "inherit": true, // marks to inherit configuration from tenant "cloud": "aws" // Available options: aws/azure/gcp }
Response body:
{ "items": [ { "inherit": true, "display_name": "TEST_ACCOUNT", "activation_date": "2021-08-26T09:14:22.208535", "cloud": "aws", "customer_display_name": "EPAM Systems", "tenant_display_name": "TEST_TENANT" } ] }
-
PATCHUpdate account Request body:{ "display_name": "TEST_ACCOUNT", "cloud": "gcp", "inherit": false }
Response body:
{ "items": [ { "inherit": false, "activation_date": "2021-08-26T09:14:22.208535", "customer_display_name": "EPAM Systems", "tenant_display_name": "TEST_TENANT", "display_name": "TEST_ACCOUNT", "cloud": "gcp" } ] }
-
DELETEDelete account Request body:{ "display_name": "TEST_ACCOUNT" }
Response body:
{ "message": "account with name 'TEST_ACCOUNT' has been deleted" }
Request paths:
rule-source
-
Request query:
display_name=EPAM SystemsResponse body:
{ "items": [ { "git_ref": "master", "git_rules_prefix": "/", "git_access_type": "TOKEN", "git_url": "https://git.epam.com/epmc-sec/cloudlab/cloud_custodian/poc/custodian-epam-cloud", "git_project_id": "102030", "git_access_secret": "caas.3aa91ba4-4d10-4a04-b66f-a88e1f4f5335.2021.08.25.08.43.45.rules_repo_secret" } ] }
-
Request body:
{ , "git_access_secret": "{SECRET_VALUE}", "git_access_type" : "TOKEN", "git_project_id": "102030", "git_ref": "master", "git_rules_prefix": "/", "git_url": "https://git.epam.com/epmc-sec/cloudlab/cloud_custodian/poc/custodian-epam-cloud" }
Response body:
{ "items": [ { "customer": "CUSTOMER", "git_ref": "master", "git_rules_prefix": "/", "git_url": "https://git.epam.com/epmc-sec/cloudlab/cloud_custodian/poc/custodian-epam-cloud", } ] }
-
Request body:
{ "git_access_secret": "{NEW_SECRET_VALUE}", //Optional "git_access_type": "TOKEN", //Optional "git_project_id": "102031", //Optional "git_ref": "develop", //Optional "git_rules_prefix": "/rules", //Optional "git_url": "https://git.epam.com/epmc-sec/cloudlab/cloud_custodian/poc/custodian-epam-cloud" //Optional }
Response body:
{ "items": [ { "customer": "CUSTOMER", "git_ref": "develop", "git_rules_prefix": "/rules", "git_url": "https://git.epam.com/epmc-sec/cloudlab/cloud_custodian/poc/custodian-epam-cloud" } ] }
-
Request body:
{ "id": "00000" }
Response body:
{ "message": "Rule source with id '00000' has been removed from customer 'CUSTOMER'" }
Request paths:
rulesetsrulesets/content
-
-
Get all rulesets available Response Body:
{ "items": [ { "customer": "$CUSTOMER", "name": "FULL_AWS", "version": "1.0", "cloud": "AWS", "rules_number": 330, "status_code": "READY_TO_SCAN", "status_reason": "Assembled successfully", "event_driven": false, "active": true, "status_last_update_time": "2022-05-25T12:04:57.703215" }, { ... }, { ... } ] }
-
Get all rulesets with the given name
Request query:name=FULL_AWSResponse body:
{ "items": [ { "customer": "$CUSTOMER", "name": "FULL_AWS", "version": "2.0", "cloud": "AWS", "rules_number": 300, "status_code": "READY_TO_SCAN", "status_reason": "Assembled successfully", "event_driven": false, "active": true, "status_last_update_time": "2022-05-25T12:04:57.703215" }, { "customer": "$CUSTOMER", "name": "FULL_AWS", "version": "1.0", "cloud": "AWS", "rules_number": 330, "status_code": "READY_TO_SCAN", "status_reason": "Assembled successfully", "event_driven": false, "active": false, "status_last_update_time": "2022-04-25T11:04:53.000215" } ] }
-
Get specific version of ruleset:
Request query
name=FULL_AWS version=2Response body:
{ "items": [ { "customer": "$CUSTOMER", "name": "FULL_AWS", "version": "2.0", "cloud": "AWS", "rules_number": 300, "status_code": "READY_TO_SCAN", "status_reason": "Assembled successfully", "event_driven": false, "active": true, "status_last_update_time": "2022-05-25T12:04:57.703215" } ] }
-
Get only active rulesets:
Request query
active=trueResponse body:
{ "items": [ { "customer": "$CUSTOMER", "name": "FULL_AWS", "version": "2.0", "cloud": "AWS", "rules_number": 300, "status_code": "READY_TO_SCAN", "status_reason": "Assembled successfully", "event_driven": false, "active": true, "status_last_update_time": "2022-05-25T12:04:57.703215" }, { ... "active": true, ... } ] }
-
Get rulesets with the given cloud:
Request query
cloud=AZUREResponse body:
{ "items": [ { "customer": "$CUSTOMER", "name": "FULL_AZURE", "version": "3.0", "cloud": "AZURE", "rules_number": 100, "status_code": "READY_TO_SCAN", "status_reason": "Assembled successfully", "event_driven": false, "active": false, "status_last_update_time": "2022-05-11T11:01:11.703215" } ] }
-
-
Request body:
{ "name": "test_ruleset", // Required "version": 1.0, // Required "cloud": "AWS", // Required "rules": [ // Optional "epam-aws-088-http_load_balancer_certificate_expire_in_one_week_1.0", "epam-aws-090_use_secure_ciphers_in_cloudfront_distribution_1.0" ], "active": true, // Optional "event_driven": false, // Optional "standard": "HIPAA", // Optional, indicates to grab all rules for specific security standard "full_cloud": True // Optional, indicate to grab all available rules for specified CP }
Response body:
{ "items": [ { "name": "test_ruleset", "version": "1.0", "active": true, "cloud": "aws", "rules_number": 2, "event_driven": false, } ] }
-
Request body:
{ "name": "test_ruleset", // Required "version": 1.0, // Required "cloud": "AWS", // Required "active": false, // Optional "rules_to_attach":[ // Optional "epam-aws-094-ensure_mfa_is_enabled_for_the_root_account_1.0" ], "rules_to_detach": [ // Optional "epam-aws-088-http_load_balancer_certificate_expire_in_one_week_1.0" ] }
Response body:
{ "items": [ { "name": "test_ruleset", "active": false, "version": "1.0", "cloud": "aws", "rules_number": 2, "event_driven": false, } ] }
-
Request body:
{ "name": "test_ruleset", // Required "version": 1.0 // Required }
Response body:
{ "message": "Ruleset with id 'test_ruleset_1.0' has been deleted from AWS cloud configuration of customer with display name EPAM Systems" }
-
Request path:
rulesets/contentRequest body:
```json5 { "name": "test_ruleset", // Required "version": 1.0 // Required } ```Response Body:
```json5 { "message": "https://bucket-name.s3.amazonaws.com/PRESIGNED_URL" } ```
Request path: accounts/regions
-
-
Get all available account regions Request query:
display_name=AWS-MSTR-DEV2Response body:
{ "items": [ { "name": "ap-northeast-1", "activation_date": "2021-08-23T13:45:04.475283", "state": "ACTIVE" }, { "name": "eu-west-1", "activation_date": "2021-08-23T13:45:05.015372", "state": "ACTIVE" }, { "name": "eu-central-1", "activation_date": "2021-08-23T13:45:05.515418", "state": "ACTIVE" } ] }
-
Get specific region Request query:
display_name=AWS-MSTR-DEV2 name=eu-west-1
Response body:
{ "items": [ { "name": "ap-northeast-1", "activation_date": "2021-08-23T13:45:04.475283", "state": "ACTIVE" }, { "name": "eu-west-1", "activation_date": "2021-08-23T13:45:05.015372", "state": "ACTIVE" }, { "name": "eu-central-1", "activation_date": "2021-08-23T13:45:05.515418", "state": "INACTIVE" } ] }
-
-
Request body:
{ "display_name": "AWS-MSTR-DEV2", "name": "eu-central-1", "state": "ACTIVE" }
Response body:
{ "items": [ { "name": "eu-central-1", "state": "ACTIVE", "activation_date": "2021-08-26T14:06:37.791951" } ] }
-
Request body:
{ "display_name": "AWS-MSTR-DEV2", "name": "eu-central-1", "state": "INACTIVE" }
Response body:
{ "items": [ { "name": "eu-central-1", "activation_date": "2021-08-26T14:06:37.791951", "state": "INACTIVE" } ] }
-
Request body:
{ "display_name": "AWS-MSTR-DEV2", "name": "eu-central-1", }
Response body:
{ "message": "Region with name 'eu-central-1' has been removed from account with display name 'AWS-MSTR-DEV2'" }
-
Request query:
customer=EPAM Systems // Customer name to describe rules limit=3 // Optional, max number of rules in the response offset=10 // Optional, offset resultsResponse body:
{ "items": [ { "version": "1.0", "customer": "EPAM Systems", "description": "Ensure that SSL/TLS certificates stored in AWS IAM are renewed month before expiry.\n", "id": "epam-aws-089-http_load_balancer_certificate_expire_in_one_month_1.0", "name": "epam-aws-089-http_load_balancer_certificate_expire_in_one_month", "cloud": "AWS", "updated_date": "2021-07-08T20:45:49.000+00:00" }, { "version": "1.0", "customer": "EPAM Systems", "description": "Enforce the use of secure ciphers TLS v1.2 in a CloudFront Distribution certificate configuration\n", "id": "epam-aws-090_use_secure_ciphers_in_cloudfront_distribution_1.0", "name": "epam-aws-090_use_secure_ciphers_in_cloudfront_distribution", "cloud": "AWS", "updated_date": "2021-05-26T16:48:06.000+00:00" }, { "version": "1.0", "customer": "EPAM Systems", "description": "Remove Weak Ciphers for Load Balancer\n", "id": "epam-aws-092-remove_weak_ciphers_for_load_balancer_1.0", "name": "epam-aws-092-remove_weak_ciphers_for_load_balancer", "cloud": "AWS", "updated_date": "2021-06-02T14:49:26.000+00:00" } ] }
-
Request body:
{ "customer": "EPAM Systems", "rule_id": "epam-aws-080-bucket_policy_allows_https_requests_1.0" }If
rule_idnot specified, all customer rules will be deleted.If
customerandrule_idnot specified, all available rules will be deleted. Only for system admin user.Response body:
{ "message": "Rule with id \'epam-aws-080-bucket_policy_allows_https_requests_1.0\' has been deleted" }
-
Request query:
customer=EPAM Systems name=admin_policy // OptionalResponse body:
{ "items": [ { "customer": "EPAM Systems", "name": "admin_policy", "permissions": [ "system:update_meta", "system:create_backup", "system:update_metrics", "iam:describe_policy", "iam:create_policy", "iam:update_policy", "iam:remove_policy", "iam:describe_role", "iam:create_role", "iam:update_role", "iam:remove_role", "iam:remove_policy_cache", "iam:remove_role_cache", "rule:describe_rule", "rule:create_rule", "rule:update_rule", "rule:remove_rule", "run:initiate_run", "run:terminate_run", "run:get_report", "run:describe_report", "run:describe_job", "user:describe_role", "user:assign_role", "user:update_role", "user:unassign_role", "user:describe_customer", "user:assign_customer", "user:update_customer", "user:unassign_customer", "account:describe_account", "account:create_account", "account:update_account", "account:remove_account", "account:describe_region", "account:create_region", "account:update_region", "account:remove_region", "tenant:describe_tenant", "tenant:create_tenant", "tenant:update_tenant", "tenant:remove_tenant", "customer:describe_customer", "ruleset:describe_ruleset", "ruleset:create_ruleset", "ruleset:update_ruleset", "ruleset:remove_ruleset", "rule_source:describe_rule_source", "rule_source:create_rule_source", "rule_source:update_rule_source", "rule_source:remove_rule_source" ] }, { "customer": "EPAM Systems", "name": "policy_name", "permissions": [ "customer:update_customer", "account:describe_account", "account:create_account", "account:update_account", "account:remove_account", "account:describe_rule_source", "account:create_rule_source", "account:update_rule_source", "account:remove_rule_source" ] } ] }
-
Request body:
{ "name": "test_policy", "customer": "EPAM Systems", "permissions": ["customer:describe_customer"] }
Response body:
{ "items": [ { "customer": "EPAM Systems", "name": "test_policy", "permissions": [ "customer:describe_customer" ] } ] }
-
Request body:
{ "customer": "EPAM Systems", "name": "test_policy", "permissions_to_attach": [ "account:describe_account" ], "permissions_to_detach": [ "customer:describe_customer" ] }
Response body:
{ "items": [ { "customer": "EPAM Systems", "name": "test_policy", "permissions": [ "account:describe_account" ] } ] }
-
{ "customer": "EPAM Systems", "name": "test_policy" }
{ "message": "policy with name 'test_policy' from customer 'EPAM Systems' has been deleted" }
Request query:
customer=EPAM Systems
name=admin_role // Optional
Response body:
{
"items": [
{
"expiration": "2021-11-21T09:14:42.938267",
"customer": "EPAM Systems",
"policies": [
"admin_policy"
],
"name": "admin_role"
}
]
}-
Request body:
{ "customer": "EPAM Systems", "policies": [ "admin_policy", "test_policy" ], "name": "test_role" }
Response body:
{ "items": [ { "customer": "EPAM Systems", "name": "test_role", "policies": [ "admin_policy", "test_policy" ], "expiration": "2021-11-24T14:29:47.862558" } ] }
-
Request body:
{ "customer": "EPAM Systems", "name": "test_role", "policies_to_attach": [ "test_policy2" ], "policies_to_detach": [ "test_policy" ] }
Response body:
{ "items": [ { "expiration": "2021-11-24T14:29:47.862558", "customer": "EPAM Systems", "policies": [ "test_policy2", "admin_policy" ], "name": "test_role" } ] }
-
Request body:
{ "customer": "EPAM Systems", "name": "test_role" }
Response body:
{ "message": "role with name 'test_role' from customer 'EPAM Systems' has been deleted" }
Request query:
cloud=AWS|GCP|AZURE //Optional
cloud_identifier=ID // Optional
Response body:
{
"items": [
{
"cloud_identifier": "111111111111",
"cloud": "aws",
"enabled": true,
"trusted_role_arn": "arn:aws:iam::111111111111:role/Test"
},
...
{
"cloud_identifier": "222222222222",
"cloud": "aws",
"enabled": false,
"trusted_role_arn": "arn:aws:iam::222222222222:role/Role"
}
]
}-
Request body:
{ "cloud": "AWS"|"GCP"|"AZURE", "cloud_identifier": "ID", "trusted_role_arn": "ARN", // Optional "enabled": true|false //Optional }
-
Request body:
{ "cloud": "AWS"|"GCP"|"AZURE", "cloud_identifier": "ID", "trusted_role_arn": "ARN", // Optional "enabled": true|false //Optional }
-
Request body:
{ "cloud": "AWS"|"GCP"|"AZURE", "cloud_identifier": "ID", }
Response body:
{ "message": "credentials-manager with next fields: AWS, ID has been deleted" }
Request query:
customers=[customers] //Optional
license_key=KEY // Optional
-
Request body:
{ "customer": "AWS"|"GCP"|"AZURE", //required "license_key": "ID" //required }
-
Request body:
{ "license_key": "KEY", //required "customer": "CUSTOMER" }
-
Request body:
{ "license_key": "KEY" //required }
-
Request body:
{ "target_user": "username", //required "tenants": ["tenant1", "tenant2"] //required }
-
Request body:
{ "target_user": "username" //required }
-
Request body:
{ "target_user": "username", //required "tenants": ["tenant1", "tenant2"], //required if "all" not specified "all": true|false }
This lambda uses the following resource:
- CaaSRules - the table used to store rules data;
- Customers, Tenants, CaaSRulesets, CaaSRuleSources - tables with customer, tenant, account, ruleset and rule source configurations
- CaaSRoles, CaaSPolicies - the tables used by service to get and store data about roles and policies;
- CaaSJobs - the table used by service to store data about scans;
- CaaSSettings - the table used by service to get and store settings data;
- CaaSUsers - the table used by service to store user data;
Lambda can create and remove SSM parameters with git_access_secret token for
rule sources
caas_user_pool_name- Cognito user pool name for custodian users;
- Allow: batch:SubmitJob
- Allow: batch:TerminateJob
- Allow: lambda:InvokeFunction
- Allow: sts:AssumeRole
- Allow: ssm:PutParameter
- Allow: ssm:DeleteParameter
- Allow: ssm:GetParameter
- Allow: xray:PutTraceSegments
- Allow: xray:PutTelemetryRecords
- Allow: logs:CreateLogGroup
- Allow: logs:CreateLogStream
- Allow: logs:PutLogEvents
- Allow: cognito-idp:AdminDeleteUserAttributes
- Allow: cognito-idp:ListUsers
- Allow: cognito-idp:AdminRespondToAuthChallenge
- Allow: cognito-idp:SignUp
- Allow: cognito-idp:ListUserPoolClients
- Allow: cognito-idp:ListUserPools
- Allow: cognito-idp:AdminCreateUser
- Allow: cognito-idp:AdminUpdateUserAttributes
- Allow: cognito-idp:AdminInitiateAuth
- Allow: cognito-idp:AdminSetUserPassword
- Allow: dynamodb:GetItem
- Allow: dynamodb:*
- Allow: s3:Get*
- Allow: s3:List*