AWSTemplateFormatVersion: "2010-09-09"
Description: Deploys Nubeva SKI & Open Source Tools (qs-1qg4tqp9n)
Metadata:
QuickStartDocumentation:
EntrypointName: "Parameters for launching into an existing VPC"
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: VPC network configuration
Parameters:
- VPCID
- VPCCIDR
- PrivateSubnet1ID
- PrivateSubnet2ID
- RemoteAccessCIDR
- Label:
default: Nubeva configuration
Parameters:
- APIKey
- ArkimeInstall
- WiresharkInstall
- SuricataInstall
- ZeekInstall
- ClientInstall
- ToolAdmin
- ToolPassword
- AddESRole
- Label:
default: Auto Scaling group configuration
Parameters:
- KeyPairName
- NodeInstanceType
- NumberOfNodes
- MaximumNodes
- Label:
default: AWS Quick Start configuration
Parameters:
- QSS3BucketName
- QSS3BucketRegion
- QSS3KeyPrefix
ParameterLabels:
ArkimeInstall:
default: Install Arkime ASG
WiresharkInstall:
default: Install Wireshark ASG
SuricataInstall:
default: Install Suricata ASG
ZeekInstall:
default: Install Zeek ASG
ClientInstall:
default: Install TLS generation clients
AddESRole:
default: Install Elasticsearch service-linked role
ToolAdmin:
default: Administrator name
ToolPassword:
default: Administrator password
KeyPairName:
default: SSH key name
QSS3BucketName:
default: Quick Start S3 bucket name
QSS3BucketRegion:
default: Quick Start S3 bucket Region
QSS3KeyPrefix:
default: Quick Start S3 key prefix
RemoteAccessCIDR:
default: Allowed external access CIDR
NodeInstanceType:
default: Node instance type
NumberOfNodes:
default: Number of nodes
MaximumNodes:
default: Maximum nodes per tool
PrivateSubnet1ID:
default: Private subnet 1 ID
PrivateSubnet2ID:
default: Private subnet 2 ID
VPCID:
default: VPC ID
VPCCIDR:
default: VPC CIDR
APIKey:
default: Nubeva token
Parameters:
ArkimeInstall:
Default: true
AllowedValues:
- true
- false
Description: Choose to install Arkime.
Type: String
WiresharkInstall:
Default: true
AllowedValues:
- true
- false
Description: Choose to install Wireshark.
Type: String
SuricataInstall:
Default: true
AllowedValues:
- true
- false
Description: Choose to install Suricata.
Type: String
ZeekInstall:
Default: true
AllowedValues:
- true
- false
Description: Choose to install Zeek.
Type: String
ClientInstall:
Default: true
AllowedValues:
- true
- false
Description: Choose to install TLS generation clients.
Type: String
AddESRole:
Default: false
AllowedValues:
- true
- false
Description: Choose to install Elasticsearch Service linked role.
Type: String
KeyPairName:
Description: Name of an existing key pair, which allows you
to securely connect to your instance after it launches.
Type: AWS::EC2::KeyPair::KeyName
ToolAdmin:
Description: User name associated with the administrator account for the created tools.
Type: String
Default: tooladmin
MinLength: 4
MaxLength: 16
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
ConstraintDescription: Name must begin with a letter and contain 4-16 alphanumeric characters.
ToolPassword:
Description: Password must contain 8-32 alphanumeric characters.
NoEcho: true
Type: String
MinLength: 8
MaxLength: 32
AllowedPattern: "[a-zA-Z0-9]*"
ConstraintDescription: Password must contain between 8 and 32 alphanumeric characters.
QSS3BucketName:
AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
ConstraintDescription: The Quick Start bucket name can include numbers, lowercase
letters, uppercase letters, and hyphens (-). It cannot start or end with a
hyphen (-).
Default: aws-quickstart
Description: Name of the S3 bucket for your copy of the Quick Start assets.
Keep the default name unless you are customizing the template.
Changing the name updates code references to point to a new Quick
Start location. This name can include numbers, lowercase letters,
uppercase letters, and hyphens, but do not start or end with a hyphen (-).
See https://aws-quickstart.github.io/option1.html.
Type: String
QSS3BucketRegion:
Default: 'us-east-1'
Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is
hosted. Keep the default Region unless you are customizing the template.
Changing this Region updates code references to point to a new Quick Start location.
When using your own bucket, specify the Region.
See https://aws-quickstart.github.io/option1.html.'
Type: String
QSS3KeyPrefix:
AllowedPattern: ^[0-9a-zA-Z-/]*$
ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters,
uppercase letters, hyphens (-), and forward slashes (/). The prefix should
end with a forward slash (/).
Default: quickstart-nubeva-tlsdecrypt/
Description: S3 key prefix that is used to simulate a directory for your copy of the
Quick Start assets. Keep the default prefix unless you are customizing
the template. Changing this prefix updates code references to point to
a new Quick Start location. This prefix can include numbers, lowercase
letters, uppercase letters, hyphens (-), and forward slashes (/). End with
a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
and https://aws-quickstart.github.io/option1.html.
Type: String
RemoteAccessCIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x.
Description: CIDR IP range permitted to access the instances. Set this value to a trusted IP range.
Type: String
NodeInstanceType:
Default: m5.large
AllowedValues:
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.12xlarge
- m5.24xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.18xlarge
- i3.large
- i3.xlarge
- i3.2xlarge
- i3.4xlarge
- i3.8xlarge
- i3.16xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.12xlarge
- r5.24xlarge
ConstraintDescription: Value must be a valid EC2 instance type.
Description: Type of EC2 instance for the node instances.
Type: String
NumberOfNodes:
Default: 1
Description: Number of tool node instances. The default is one for each of the two Availability Zones.
Type: Number
MaximumNodes:
Default: 6
Description: Maximum number of EC2 instance nodes in the tool Auto Scaling group.
Type: String
APIKey:
Description: Token for your Nubeva account.
Type: String
VPCID:
Type: "AWS::EC2::VPC::Id"
Description: ID of your existing VPC (for example, vpc-0343606e).
PrivateSubnet1ID:
Type: "AWS::EC2::Subnet::Id"
Description: ID of the private subnet in Availability Zone 1 in your existing VPC (for example, subnet-fe9a8b32).
PrivateSubnet2ID:
Type: "AWS::EC2::Subnet::Id"
Description: ID of the private subnet in Availability Zone 2 in your existing VPC (for example, subnet-be8b01ea).
VPCCIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
Default: 10.0.0.0/16
Description: CIDR block for the VPC.
Type: String
Conditions:
UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
ArkimeInstallTrue: !Equals
- !Ref ArkimeInstall
- 'true'
WiresharkInstallTrue: !Equals
- !Ref WiresharkInstall
- 'true'
SuricataInstallTrue: !Equals
- !Ref SuricataInstall
- 'true'
ZeekInstallTrue: !Equals
- !Ref ZeekInstall
- 'true'
ESRoleInstallTrue: !Equals
- !Ref AddESRole
- 'true'
Resources:
BaseESSLR:
Condition: ESRoleInstallTrue
Type: AWS::IAM::ServiceLinkedRole
Properties:
AWSServiceName: es.amazonaws.com
Description: Default Amazon ES linked IAM role
ArkimeStack:
Condition: ArkimeInstallTrue
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL:
!Sub
- 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/nubeva-arkime.template.yaml'
- S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
Parameters:
KeyPairName: !Ref KeyPairName
PrivateSubnet1ID: !Ref PrivateSubnet1ID
PrivateSubnet2ID: !Ref PrivateSubnet2ID
NumberOfNodes: !Ref NumberOfNodes
MaximumNodes: !Ref MaximumNodes
NodeInstanceType: !Ref NodeInstanceType
RemoteAccessCIDR: !Ref RemoteAccessCIDR
VPCID: !Ref VPCID
VPCCIDR: !Ref VPCCIDR
APIKey: !Ref APIKey
ToolAdmin: !Ref ToolAdmin
ToolPassword: !Ref ToolPassword
ClientInstall: !Ref ClientInstall
QSS3BucketName: !Ref QSS3BucketName
QSS3BucketRegion: !Ref QSS3BucketRegion
QSS3KeyPrefix: !Ref QSS3KeyPrefix
SSLdbReadAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaDecryptorAccessKey
SecretKey: !GetAtt NubevaDecryptorAccessKey.SecretAccessKey
SSLdbWriteAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaSensorAccessKey
SecretKey: !GetAtt NubevaSensorAccessKey.SecretAccessKey
WiresharkStack:
Condition: WiresharkInstallTrue
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL:
!Sub
- 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/nubeva-wireshark.template.yaml'
- S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
Parameters:
KeyPairName: !Ref KeyPairName
PrivateSubnet1ID: !Ref PrivateSubnet1ID
PrivateSubnet2ID: !Ref PrivateSubnet2ID
NumberOfNodes: !Ref NumberOfNodes
MaximumNodes: !Ref MaximumNodes
NodeInstanceType: !Ref NodeInstanceType
RemoteAccessCIDR: !Ref RemoteAccessCIDR
VPCID: !Ref VPCID
APIKey: !Ref APIKey
# ToolAdmin: !Ref ToolAdmin
# ToolPassword: !Ref ToolPassword
VPCCIDR: !Ref VPCCIDR
ClientInstall: !Ref ClientInstall
QSS3BucketName: !Ref QSS3BucketName
QSS3BucketRegion: !Ref QSS3BucketRegion
QSS3KeyPrefix: !Ref QSS3KeyPrefix
SSLdbReadAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaDecryptorAccessKey
SecretKey: !GetAtt NubevaDecryptorAccessKey.SecretAccessKey
SSLdbWriteAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaSensorAccessKey
SecretKey: !GetAtt NubevaSensorAccessKey.SecretAccessKey
SuricataStack:
Condition: SuricataInstallTrue
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL:
!Sub
- 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/nubeva-suricata.template.yaml'
- S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
Parameters:
KeyPairName: !Ref KeyPairName
PrivateSubnet1ID: !Ref PrivateSubnet1ID
PrivateSubnet2ID: !Ref PrivateSubnet2ID
NumberOfNodes: !Ref NumberOfNodes
MaximumNodes: !Ref MaximumNodes
NodeInstanceType: !Ref NodeInstanceType
RemoteAccessCIDR: !Ref RemoteAccessCIDR
VPCID: !Ref VPCID
VPCCIDR: !Ref VPCCIDR
APIKey: !Ref APIKey
ClientInstall: !Ref ClientInstall
QSS3BucketName: !Ref QSS3BucketName
QSS3BucketRegion: !Ref QSS3BucketRegion
QSS3KeyPrefix: !Ref QSS3KeyPrefix
SSLdbReadAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaDecryptorAccessKey
SecretKey: !GetAtt NubevaDecryptorAccessKey.SecretAccessKey
SSLdbWriteAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaSensorAccessKey
SecretKey: !GetAtt NubevaSensorAccessKey.SecretAccessKey
ZeekStack:
Condition: ZeekInstallTrue
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL:
!Sub
- 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/nubeva-zeek.template.yaml'
- S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
Parameters:
KeyPairName: !Ref KeyPairName
PrivateSubnet1ID: !Ref PrivateSubnet1ID
PrivateSubnet2ID: !Ref PrivateSubnet2ID
NumberOfNodes: !Ref NumberOfNodes
MaximumNodes: !Ref MaximumNodes
NodeInstanceType: !Ref NodeInstanceType
RemoteAccessCIDR: !Ref RemoteAccessCIDR
VPCID: !Ref VPCID
VPCCIDR: !Ref VPCCIDR
APIKey: !Ref APIKey
ClientInstall: !Ref ClientInstall
QSS3BucketName: !Ref QSS3BucketName
QSS3BucketRegion: !Ref QSS3BucketRegion
QSS3KeyPrefix: !Ref QSS3KeyPrefix
SSLdbReadAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaDecryptorAccessKey
SecretKey: !GetAtt NubevaDecryptorAccessKey.SecretAccessKey
SSLdbWriteAuth: !Join
- ''
- - Fn::Base64: !Sub
- '{"type":"ddb","domain":"${Domain}","region":"${Region}","ak":"${AccessKey}","sk":"${SecretKey}"}'
- Domain: !Ref NubevaDDBTable
Region: !Ref AWS::Region
AccessKey: !Ref NubevaSensorAccessKey
SecretKey: !GetAtt NubevaSensorAccessKey.SecretAccessKey
NubevaDDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "clientrandom"
AttributeType: "S"
KeySchema:
- AttributeName: "clientrandom"
KeyType: "HASH"
BillingMode: PAY_PER_REQUEST
NubevaSKIAdministrator:
Type: AWS::IAM::Group
Properties :
GroupName: !Join
- '-'
- - 'NubevaSKIAdmin'
- !Ref AWS::StackName
NubevaSKISensorUser:
Type: AWS::IAM::User
Properties:
UserName: !Join
- '-'
- - 'NuAgent'
- !Ref AWS::StackName
Path: "/"
NubevaSKIDecryptorUser:
Type: AWS::IAM::User
Properties:
UserName: !Join
- '-'
- - 'NuRx'
- !Ref AWS::StackName
Path: "/"
NubevaSensorAccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref NubevaSKISensorUser
NubevaDecryptorAccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref NubevaSKIDecryptorUser
NubevaKeyWriter:
Type: AWS::IAM::Policy
Properties:
Users:
- !Ref NubevaSKISensorUser
PolicyName: !Join
- '-'
- - 'NuKeyWriter'
- !Ref AWS::StackName
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "dynamodb:PutItem"
- "dynamodb:BatchWriteItem"
Resource: !GetAtt NubevaDDBTable.Arn
NubevaKeyReader:
Type: AWS::IAM::Policy
Properties:
Users:
- !Ref NubevaSKIDecryptorUser
PolicyName: !Join
- '-'
- - 'NuKeyReader'
- !Ref AWS::StackName
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "dynamodb:GetItem"
- "dynamodb:BatchGetItem"
Resource: !GetAtt NubevaDDBTable.Arn
NubevaKeyAdmin:
Type: AWS::IAM::Policy
Properties:
Groups:
- !Ref NubevaSKIAdministrator
# PolicyName: "NuKeyAdmin"
PolicyName: !Join
- '-'
- - 'NuKeyAdmin'
- !Ref AWS::StackName
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- dynamodb:BatchGetItem
- dynamodb:BatchWriteItem
- dynamodb:ConditionCheckItem
- dynamodb:CreateBackup
- dynamodb:CreateGlobalTable
- dynamodb:CreateTable
- dynamodb:CreateTableReplica
- dynamodb:DeleteBackup
- dynamodb:DeleteItem
- dynamodb:DeleteTable
- dynamodb:DeleteTableReplica
- dynamodb:DescribeBackup
- dynamodb:DescribeContinuousBackups
- dynamodb:DescribeContributorInsights
- dynamodb:DescribeExport
- dynamodb:DescribeGlobalTable
- dynamodb:DescribeGlobalTableSettings
- dynamodb:DescribeKinesisStreamingDestination
- dynamodb:DescribeLimits
- dynamodb:DescribeReservedCapacity
- dynamodb:DescribeReservedCapacityOfferings
- dynamodb:DescribeStream
- dynamodb:DescribeTable
- dynamodb:DescribeTableReplicaAutoScaling
- dynamodb:DescribeTimeToLive
- dynamodb:DisableKinesisStreamingDestination
- dynamodb:EnableKinesisStreamingDestination
- dynamodb:ExportTableToPointInTime
- dynamodb:GetItem
- dynamodb:GetRecords
- dynamodb:GetShardIterator
- dynamodb:ListBackups
- dynamodb:ListContributorInsights
- dynamodb:ListExports
- dynamodb:ListGlobalTables
- dynamodb:ListStreams
- dynamodb:ListTables
- dynamodb:ListTagsOfResource
- dynamodb:PartiQLDelete
- dynamodb:PartiQLInsert
- dynamodb:PartiQLSelect
- dynamodb:PartiQLUpdate
- dynamodb:PurchaseReservedCapacityOfferings
- dynamodb:PutItem
- dynamodb:Query
- dynamodb:RestoreTableFromBackup
- dynamodb:RestoreTableToPointInTime
- dynamodb:Scan
- dynamodb:TagResource
- dynamodb:UntagResource
- dynamodb:UpdateContinuousBackups
- dynamodb:UpdateContributorInsights
- dynamodb:UpdateGlobalTable
- dynamodb:UpdateGlobalTableSettings
- dynamodb:UpdateItem
- dynamodb:UpdateTable
- dynamodb:UpdateTableReplicaAutoScaling
- dynamodb:UpdateTimeToLive
Resource: !GetAtt NubevaDDBTable.Arn