Skip to content
/ cloud-based-sensor Public
generated from cds-snc/project-template

Infrastructure configuration to manage CCCS's Cloud Based Sensor in AWS accounts

cyber.gc.ca/en/host-based-sensors

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cds-snc/cloud-based-sensor

BranchesTags

Repository files navigation

Cloud Based Sensor

Infrastructure to support the Canadian Centre for Cyber Security (CCCS) Cloud Based Sensor (CBS) integration with AWS accounts. The flow is as follows:

  1. Each AWS satellite account has an S3 bucket that collects service and access logs.
  2. This satellite bucket replicates its objects to a central log archive bucket.
  3. CBS pulls objects from the log archive bucket to scan for threats.

This repo uses Terraform and Terragrunt to define and manage the satellite and central account AWS resources.

Setup

We use a bootstrap pattern to onboard new accounts so that we can create the OpenID Connect IAM roles that are used by our Terraform GitHub Actions. The following is only required once per account.

Central account

  1. Export an AWS access key for the central account.
  2. Run ./bootstrap/central_account_iam/bootstrap.sh.
  3. Run terragrunt init in ./terragrunt/env/central/central_account.
  4. Import the bootstrapped role and IAM identity provider to the Terraform state:
terragrunt import \
    module.gh_oidc_roles.aws_iam_role.this[0] \
    ConfigTerraformAdministratorRole
terragrunt import \
    module.gh_oidc_roles.aws_iam_openid_connect_provider.github \
    ${GITHUB_OIDC_PROVIDER_ARN}

Satellite account

  1. Export an AWS access key for the satellite account.
  2. Run ./bootstrap/satellite_account_iam/bootstrap.sh.
  3. Create a Pull Request with the new account ID added to ./satellite_accounts.

Log archive structure

Note: Cloudtrail logs are now centralized in the o-gfiiyvq1tj folder. This is the central Log Archive bucket name that all accounts log their Cloudtrail data to when they are created. After April 2022 the cloudtrail_logs folder will be empty as we only keep data for 14 days and no new data will be sent.

cbs-log-archive-bucket/
├─ [cloudtrail_logs]/
│  ├─ [AWSLogs]/
│  │  ├─ [aws_account_id]
│  │  │  ├─ file
│  │  │  ├─ ...
│  │  │  
├─ [lb_logs]/
│  ├─ [AWSLogs]/
│  │  ├─ [aws_account_id]
│  │  │  ├─ file
│  │  │  ├─ ...
│  │  │  
├─ [o-gfiiyvq1tj]/
│  ├─ [AWSLogs]/
│  │  ├─ [aws_account_id]
│  │  │  ├─ file
│  │  │  ├─ ...
│  │  │ 
├─ [vpc_flow_logs]/
│  ├─ [AWSLogs]/
│  │  ├─ [aws_account_id]
│  │  │  ├─ file
│  │  │  ├─ ...
│  │  │  
├─ [waf_acl_logs]/
│  ├─ [AWSLogs]/
│  │  ├─ [aws_account_id]
│  │  │  ├─ file
│  │  │  ├─ ...

About

Infrastructure configuration to manage CCCS's Cloud Based Sensor in AWS accounts

cyber.gc.ca/en/host-based-sensors

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

8 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Apr 12, 2023

Packages

No packages published

Contributors 8

Languages