AWSTemplateFormatVersion: '2010-09-09' Description: 'Step 3 - This template should be deployed in all regions of all the application accounts where Inspector assessment will be conducted.' Mappings: RulesPackagesAmazonInspectorArns: us-east-1: CIS: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8 CVE: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7 NR: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd RBA: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h SBP: arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q us-east-2: CIS: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-m8r61nnh CVE: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-JnA8Zp85 NR: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-cE4kTR30 RBA: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-UCYZFKPV SBP: arn:aws:inspector:us-east-2:646659390643:rulespackage/0-AxKmMHPX us-west-1: CIS: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-xUY8iRqX CVE: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TKgzoVOa NR: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TxmXimXF RBA: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-yeYxlt0x SBP: arn:aws:inspector:us-west-1:166987590008:rulespackage/0-byoQRFYm us-west-2: CIS: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc CVE: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p NR: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-rD1z6dpl RBA: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD SBP: arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ Parameters: CentralSecurityAccountID: Type: String Description: Account ID of the Central Audit Account CWERuleNameToAttachSNSTopicToInspector: Type: String Description: The event rule that will trigger regional lambda to add SNS Topic to a newly created Inspector Template for asset scanning Default: 'Rule-AttachInspector-to-SNSTopic' CWERuleNameToStartInspectorScan: Type: String Description: The event rule that will start Inspector run at a scheduled interval Default: 'Rule-InspectorScanStartEvent' InspectorRunSchedule: Type: String Description: 'The schedule at which Inspector runs, can be a cron [Format - cron(fields)] or rate expression [Format - rate(value unit)]' Default: 'rate(1 day)' InspectorRunDuration: Type: String Description: 'The duration of the assessment run in seconds (Min - 15 mins ~ 900 | Max - 24 hours ~86400 | Recommended - 1 hour ~ 3600)' Default: 900 InspectorToSNSLambdaRoleName: Type: String Description: Name of the execution role (not ARN, created in Step 2) that is assumed by regional Lambda function to attach a SNS topic to an Inspector template Default: Attach-SNS-to-Inspector-Lambda.iamrole InspectorEventRoleName: Type: String Description: Name of the role (not ARN, created in Step 2) that is assumed by CloudWatch Event to start a scheduled Inspector run Default: Event-to-start-InspectorRun.iamrole RegionalSNSTopicName: Type: String Description: Name of the regional SNS Topic of Audit account (created in Step 1) that notifies SQS on Inspector findings reported in its region of all application accounts Default: Inspector-to-SQS-topic InspectorTemplateTaggingKey: Type: String Description: The tag key that will be attached only to a specific Inspector template that is creared in an region for scanning the regional assets (EC2 instances) Default: ScanType InspectorTemplateTaggingValue: Type: String Description: The tag value that will be attached only to a specific Inspector template that is creared in an region for scanning the regional assets (EC2 instances) Default: 'ScheduledRun-across-Fleet' EC2AssessmentTargetName: Type: String Description: The tag value that will be attached only to a specific Inspector template that is creared in an region for scanning the regional assets (EC2 instances) Default: 'All EC2 Targets - For Scheduled Scan' EC2AssessmentTemplateName: Type: String Description: The tag value that will be attached only to a specific Inspector template that is creared in an region for scanning the regional assets (EC2 instances) Default: 'ScheduledAssessmentTemplate' Resources: AttachInspec2SNSLambda: Type: 'AWS::Lambda::Function' Properties: Code: ZipFile: | import boto3 import json import os import re def lambda_handler(event, context): centralAcctId = os.environ['centralAcctId'] snsTopicName = os.environ['snsTopicName'] tagKey = os.environ['tagKey'] tagValue = os.environ['tagValue'] message = event['detail']['requestParameters']['userAttributesForFindings'] for inner_field in message: if(inner_field['key'] == tagKey and inner_field['value'] == tagValue): template_arn = event['detail']['responseElements']['assessmentTemplateArn'] p = re.compile("^arn:aws:inspector:([^:]+):([^:]+):(.+)$") findingRegion = p.match(template_arn).group(1) findingAcct = p.match(template_arn).group(2) client_inspector = boto3.client('inspector', region_name=findingRegion) update_template = client_inspector.subscribe_to_event( resourceArn = template_arn, event = 'FINDING_REPORTED', topicArn = "arn:aws:sns:" + findingRegion + ":" + centralAcctId + ":" + snsTopicName ) Description: 'This regional function attaches an Inspector template (of each region of every application account) to the same region SNS topic (of central audit account)' Environment: Variables: centralAcctId: !Ref CentralSecurityAccountID snsTopicName: !Ref RegionalSNSTopicName tagKey: !Ref InspectorTemplateTaggingKey tagValue: !Ref InspectorTemplateTaggingValue FunctionName: 'Attach-Inspector-to-SNS-Lambda' Handler: 'index.lambda_handler' Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${InspectorToSNSLambdaRoleName}' Runtime: 'python3.7' Timeout: 25 AttachInspec2SNSTriggerRule: Type: AWS::Events::Rule Properties: Description: "Trigger lambda to add SNS Topic to the created Inspector Template" Name: !Ref CWERuleNameToAttachSNSTopicToInspector EventPattern: source: - "aws.inspector" detail-type: - "AWS API Call via CloudTrail" detail: eventSource: - "inspector.amazonaws.com" eventName: - "CreateAssessmentTemplate" State: "ENABLED" Targets: - Arn: !GetAtt AttachInspec2SNSLambda.Arn Id: "lambda2AddSNSTopic" LambdaInvokePermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt AttachInspec2SNSLambda.Arn Action: 'lambda:InvokeFunction' Principal: events.amazonaws.com SourceArn: !GetAtt AttachInspec2SNSTriggerRule.Arn allEC2targets: Type: AWS::Inspector::AssessmentTarget Properties: AssessmentTargetName: !Ref EC2AssessmentTargetName scheduledassessmenttemplate: Type: AWS::Inspector::AssessmentTemplate Properties: AssessmentTargetArn: !GetAtt allEC2targets.Arn AssessmentTemplateName: !Ref EC2AssessmentTemplateName DurationInSeconds: !Ref InspectorRunDuration RulesPackageArns: - !FindInMap - RulesPackagesAmazonInspectorArns - !Ref 'AWS::Region' - CVE - !FindInMap - RulesPackagesAmazonInspectorArns - !Ref 'AWS::Region' - SBP UserAttributesForFindings: #This key-value pair is used inside the Lambda - Attach-Inspector-to-SNS-Lambda to determine which new Inspector template should be attached to the SNS topic. Not any new Inspector template should be attached to the SNS topic. - Key: !Ref InspectorTemplateTaggingKey Value: !Ref InspectorTemplateTaggingValue DependsOn: - AttachInspec2SNSLambda - AttachInspec2SNSTriggerRule - LambdaInvokePermission ScanSchedule: Type: AWS::Events::Rule Properties: Description: "The scheduled interval at which Inspector assessment run is conducted" Name: !Ref CWERuleNameToStartInspectorScan ScheduleExpression: !Ref InspectorRunSchedule State: "ENABLED" Targets: - Arn: !GetAtt scheduledassessmenttemplate.Arn Id: "InspectorScan" RoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/{InspectorEventRoleName}' DependsOn: - AttachInspec2SNSLambda - AttachInspec2SNSTriggerRule - LambdaInvokePermission