AWSTemplateFormatVersion: 2010-09-09 # Added a comment for the first time. Parameters: VPC1CidrBlock: Type: String Default: 10.0.0.0/16 Description: Enter a CIDR range for the Snort VPC. SN1CidrBlock: Type: String Default: 10.0.1.0/24 Description: Enter a CIDR range for the VPC. SN2CidrBlock: Type: String Default: 10.0.2.0/24 Description: Enter a CIDR range for the VPC. LinuxImageId: Type: String Default: '' Description: Enter the AMI ID for the Snort Sensor. FireHoseS3BufferSize: Type: Number Default: 5 Description: Enter the buffer size in MB for the Kinesis Firehose destination bucket. FireHoseS3BufferTime: Type: Number Default: 300 Description: Enter the buffer time in seconds for the Kinesis Firehose destination bucket. AmiID: Type: AWS::SSM::Parameter::Value Description: 'The ID of the AMI.' Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 Mappings: {} Conditions: {} Outputs: {} Resources: VPC1: Type: 'AWS::EC2::VPC' Properties: CidrBlock: !Ref VPC1CidrBlock EnableDnsSupport: 'true' EnableDnsHostnames: 'true' Tags: - Key: Name Value: snort-vpc SN1: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref VPC1 CidrBlock: !Ref SN1CidrBlock Tags: - Key: Name Value: snort-prv-sn SN2: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref VPC1 CidrBlock: !Ref SN2CidrBlock MapPublicIpOnLaunch: true Tags: - Key: Name Value: snort-pub-sn InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: snort-igw InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC1 EIP: DependsOn: InternetGatewayAttachment Type: AWS::EC2::EIP Properties: Domain: vpc Tags: - Key: Name Value: snort-igw-eip NatGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt EIP.AllocationId SubnetId: !Ref SN2 Tags: - Key: Name Value: snort-ngw PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC1 Tags: - Key: Name Value: snort-pub-rt DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref SN2 PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC1 Tags: - Key: Name Value: snort-prv-rt DefaultPrivateRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway PrivateSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable SubnetId: !Ref SN1 SnortSensor: Type: 'AWS::EC2::Instance' Properties: NetworkInterfaces: - NetworkInterfaceId: !Ref SnortSensorEth0 DeviceIndex: '0' - NetworkInterfaceId: !Ref SnortSensorEth1 DeviceIndex: '1' InstanceType: t3.small ImageId: !Ref LinuxImageId UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum update -y # Set up the target adapter and decapsulate the vxlan traffic sudo ip link add vxlan0 type vxlan id 1111 group 239.1.1.1 dev eth1 dstport 4789 sudo ip link set vxlan0 up Tags: - Key: "Name" Value: "SnortSensor" - Key: "SSMType" Value: "SnortSensor" - Key: "SSMManaged" Value: "True" IamInstanceProfile: !Ref SSMInstanceProfile WebServerInstance: Type: AWS::EC2::Instance Properties: NetworkInterfaces: - NetworkInterfaceId: !Ref WebServerEth0 DeviceIndex: '0' InstanceType: t3.small IamInstanceProfile: !Ref SSMInstanceProfile ImageId: !Ref AmiID Tags: - Key: "Name" Value: "WebServer" - Key: "SSMType" Value: "WebServer" - Key: "SSMManaged" Value: "True" UserData: Fn::Base64: | #!/bin/bash yum update -y yum install -y httpd php systemctl start httpd systemctl enable httpd usermod -a -G apache ec2-user chown -R ec2-user:apache /var/www chmod 2775 /var/www find /var/www -type d -exec chmod 2775 {} \; find /var/www -type f -exec chmod 0664 {} \; # PHP script to display Instance ID and Availability Zone cat << 'EOF' > /var/www/html/index.php

EC2 Instance ID:

Availability Zone:

EOF SnortPacketData: Type: 'AWS::S3::Bucket' Properties: {} SnortAlertData: Type: 'AWS::S3::Bucket' Properties: {} SnortPacketStream: Type: AWS::KinesisFirehose::DeliveryStream Properties: DeliveryStreamName: aws-snort-demo-SnortPacketStream S3DestinationConfiguration: BucketARN: !GetAtt SnortPacketData.Arn BufferingHints: IntervalInSeconds: !Ref FireHoseS3BufferTime SizeInMBs: !Ref FireHoseS3BufferSize CompressionFormat: GZIP RoleARN: !GetAtt KinesisIAMRole.Arn SnortAlertStream: Type: AWS::KinesisFirehose::DeliveryStream Properties: DeliveryStreamName: aws-snort-demo-SnortAlertStream S3DestinationConfiguration: BucketARN: !GetAtt SnortAlertData.Arn BufferingHints: IntervalInSeconds: !Ref FireHoseS3BufferTime SizeInMBs: !Ref FireHoseS3BufferSize CompressionFormat: GZIP RoleARN: !GetAtt KinesisIAMRole.Arn KinesisIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: firehose.amazonaws.com Action: 'sts:AssumeRole' KinesisIAMPolicy: Type: AWS::IAM::Policy Properties: PolicyName: aws-snort-demo-kinesis-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:AbortMultipartUpload' - 's3:GetBucketLocation' - 's3:GetObject' - 's3:ListBucket' - 's3:ListBucketMultipartUploads' - 's3:PutObject' Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref SnortPacketData - !Join - '' - - 'arn:aws:s3:::' - !Ref SnortPacketData - '*' - !Join - '' - - 'arn:aws:s3:::' - !Ref SnortAlertData - !Join - '' - - 'arn:aws:s3:::' - !Ref SnortAlertData - '*' Roles: - !Ref KinesisIAMRole SSMInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: SSMInstanceProfile Roles: - !Ref SSMInstanceRole SSMInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: 'sts:AssumeRole' ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore - arn:aws:iam::aws:policy/AmazonS3FullAccess - arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess - arn:aws:iam::aws:policy/CloudWatchFullAccess CodeDeployRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: codedeploy.amazonaws.com Action: 'sts:AssumeRole' ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole SnortApplicationDeploy: Type: AWS::CodeDeploy::Application Properties: ApplicationName: SnortDeployApplication ComputePlatform: Server SnortDeployGroup: Type: AWS::CodeDeploy::DeploymentGroup Properties: ApplicationName: !Ref SnortApplicationDeploy ServiceRoleArn: !GetAtt CodeDeployRole.Arn DeploymentStyle: DeploymentType: IN_PLACE DeploymentOption: WITHOUT_TRAFFIC_CONTROL Ec2TagFilters: - Key: "SSMType" Value: "SnortSensor" Type: "KEY_AND_VALUE" SnortConfigPipeline: Type: 'AWS::CodePipeline::Pipeline' Properties: Name: SnortConfigPipeline RoleArn: !GetAtt - CodePipelineServiceRole - Arn Stages: - Name: Source Actions: - Name: SourceAction ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit OutputArtifacts: - Name: SourceOutput Configuration: BranchName: master RepositoryName: !GetAtt SnortConfigRepo.Name PollForSourceChanges: false RunOrder: 1 - Name: Beta Actions: - Name: BetaAction InputArtifacts: - Name: SourceOutput ActionTypeId: Category: Deploy Owner: AWS Version: 1 Provider: CodeDeploy Configuration: ApplicationName: !Ref SnortApplicationDeploy DeploymentGroupName: !Ref SnortDeployGroup RunOrder: 1 ArtifactStore: Type: S3 Location: !Ref CodePipelineArtifactStoreBucket SSMEndPoint: Type: AWS::EC2::VPCEndpoint Properties: PrivateDnsEnabled: 'true' SecurityGroupIds: - !Ref SG1 ServiceName: !Join - '' - - 'com.amazonaws.' - !Ref 'AWS::Region' - '.ssm' SubnetIds: - !Ref SN1 VpcId: !Ref VPC1 VpcEndpointType: Interface SSMMessagesEndPoint: Type: AWS::EC2::VPCEndpoint Properties: PrivateDnsEnabled: 'true' SecurityGroupIds: - !Ref SG1 ServiceName: !Join - '' - - 'com.amazonaws.' - !Ref 'AWS::Region' - '.ssmmessages' SubnetIds: - !Ref SN1 VpcId: !Ref VPC1 VpcEndpointType: Interface EC2MessagesEndPoint: Type: AWS::EC2::VPCEndpoint Properties: PrivateDnsEnabled: 'true' SecurityGroupIds: - !Ref SG1 ServiceName: !Join - '' - - 'com.amazonaws.' - !Ref 'AWS::Region' - '.ec2messages' SubnetIds: - !Ref SN1 VpcId: !Ref VPC1 VpcEndpointType: Interface EC2EndPoint: Type: AWS::EC2::VPCEndpoint Properties: PrivateDnsEnabled: 'true' SecurityGroupIds: - !Ref SG1 ServiceName: !Join - '' - - 'com.amazonaws.' - !Ref 'AWS::Region' - '.ec2' SubnetIds: - !Ref SN1 VpcId: !Ref VPC1 VpcEndpointType: Interface SG1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow all VpcId: !Ref VPC1 SecurityGroupIngress: - IpProtocol: -1 FromPort: -1 ToPort: -1 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: snort-sg WebSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow all VpcId: !Ref VPC1 SecurityGroupIngress: - IpProtocol: -1 FromPort: -1 ToPort: -1 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: web-sg AthenaQueryResultsBucket: Type: 'AWS::S3::Bucket' Properties: {} SnortConfigure: Type: 'AWS::SSM::Document' Properties: DocumentType: Automation Content: description: >- # SnortInstallAndConfigure This document sets up all the custom configuration for snort. It pulls the files from GitHub. schemaVersion: '0.3' parameters: InstanceId: type: StringList mainSteps: - name: ConfigureSnort action: 'aws:runCommand' inputs: DocumentName: AWS-RunShellScript InstanceIds: - '{{InstanceId}}' Parameters: commands: - >- sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/rc.d/init.d/snortd /etc/rc.d/init.d/snortd - sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/snort/snort.conf /etc/snort/snort.conf - sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/sysconfig/snort /etc/sysconfig/snort - sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/snort/rules/local.rules /etc/snort/rules/local.rules - sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/snort/rules/community.rules /etc/snort/rules/community.rules - sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/snort/rules/white_list.rules /etc/snort/rules/white_list.rules - sudo cp /home/ssm-user/aws-reinvent-2019-builders-session-opn215/etc/snort/rules/black_list.rules /etc/snort/rules/black_list.rules description: Update all the Snort configuration files from GitHub repo. onFailure: Continue SnortTrafficSession: DependsOn: WebServerInstance Type: AWS::EC2::TrafficMirrorSession Properties: Description: Snort Traffic Session NetworkInterfaceId: !Ref WebServerEth0 SessionNumber: 1 TrafficMirrorFilterId: !Ref SnortTrafficFilter TrafficMirrorTargetId: !Ref SnortTrafficTarget VirtualNetworkId: 1111 Tags: - Key: Name Value: web-to-snort-session SnortTrafficFilter: Type: AWS::EC2::TrafficMirrorFilter Properties: Description: Snort Sensor trafic mirror filter. Tags: - Key: Name Value: web-to-snort-filter SnortTrafficFilterRule: Type: AWS::EC2::TrafficMirrorFilterRule Properties: Description: Rule to allow all traffic to go to Snort. DestinationCidrBlock: 0.0.0.0/0 SourceCidrBlock: 0.0.0.0/0 TrafficDirection: ingress RuleNumber: 1 RuleAction: accept TrafficMirrorFilterId: !Ref SnortTrafficFilter SnortTrafficTarget: DependsOn: SnortSensor Type: AWS::EC2::TrafficMirrorTarget Properties: Description: Snort Sensor traffic mirror target. NetworkInterfaceId: !Ref SnortSensorEth1 Tags: - Key: Name Value: snort-sensor-target SnortSensorEth0: Type: AWS::EC2::NetworkInterface Properties: Tags: - Key: Name Value: snort-sensor-eth0 Description: Snort Sensor primary adapter GroupSet: - !Ref SG1 SubnetId: !Ref SN1 SnortSensorEth1: Type: AWS::EC2::NetworkInterface Properties: Tags: - Key: Name Value: snort-sensor-eth1 Description: Snort Sensor secondary adapter GroupSet: - !Ref SG1 SubnetId: !Ref SN1 WebServerEth0: Type: AWS::EC2::NetworkInterface Properties: Tags: - Key: Name Value: web-server-eth0 Description: Web Server primary adapter GroupSet: - !Ref WebSG SubnetId: !Ref SN2 SnortConfigRepo: Type: AWS::CodeCommit::Repository Properties: RepositoryName: SnortConfigRepo RepositoryDescription: This is a repository for the SnortSensor configuration and rules files. CodePipelineServiceRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codepipeline.amazonaws.com Action: 'sts:AssumeRole' Path: / Policies: - PolicyName: AWS-CodePipeline-Service-3 PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'codecommit:CancelUploadArchive' - 'codecommit:GetBranch' - 'codecommit:GetCommit' - 'codecommit:GetUploadArchiveStatus' - 'codecommit:UploadArchive' Resource: '*' - Effect: Allow Action: - 'codedeploy:CreateDeployment' - 'codedeploy:GetApplicationRevision' - 'codedeploy:GetDeployment' - 'codedeploy:GetDeploymentConfig' - 'codedeploy:RegisterApplicationRevision' Resource: '*' - Effect: Allow Action: - 'codebuild:BatchGetBuilds' - 'codebuild:StartBuild' Resource: '*' - Effect: Allow Action: - 'devicefarm:ListProjects' - 'devicefarm:ListDevicePools' - 'devicefarm:GetRun' - 'devicefarm:GetUpload' - 'devicefarm:CreateUpload' - 'devicefarm:ScheduleRun' Resource: '*' - Effect: Allow Action: - 'lambda:InvokeFunction' - 'lambda:ListFunctions' Resource: '*' - Effect: Allow Action: - 'iam:PassRole' Resource: '*' - Effect: Allow Action: - 'elasticbeanstalk:*' - 'ec2:*' - 'elasticloadbalancing:*' - 'autoscaling:*' - 'cloudwatch:*' - 's3:*' - 'sns:*' - 'cloudformation:*' - 'rds:*' - 'sqs:*' - 'ecs:*' Resource: '*' CodePipelineArtifactStoreBucket: Type: 'AWS::S3::Bucket' CodePipelineArtifactStoreBucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref CodePipelineArtifactStoreBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: DenyUnEncryptedObjectUploads Effect: Deny Principal: '*' Action: 's3:PutObject' Resource: !Join - '' - - !GetAtt - CodePipelineArtifactStoreBucket - Arn - /* Condition: StringNotEquals: 's3:x-amz-server-side-encryption': 'aws:kms' - Sid: DenyInsecureConnections Effect: Deny Principal: '*' Action: 's3:*' Resource: !Join - '' - - !GetAtt - CodePipelineArtifactStoreBucket - Arn - /* Condition: Bool: 'aws:SecureTransport': false