84 changes: 64 additions & 20 deletions aws_organizations/main_organizations.yaml
Expand Up @@ -40,6 +40,15 @@ Parameters:
Disable this if you only want to collect tags or resource configuration information from this AWS account,
and do not want to use Datadog Infrastructure Monitoring.
Default: false
DisableResourceCollection:
Type: String
AllowedValues:
- true
- false
Description: >-
Disabling resource collection for this account will lead to a loss in visibility into your AWS services.
Disable this if you do not want to collect configuration information for the resources in this AWS account.
Default: false
CloudSecurityPostureManagement:
Type: String
AllowedValues:
Expand All @@ -51,12 +60,24 @@ Parameters:
Datadog CSPM is a product that automatically detects resource misconfigurations in your AWS account according to
industry benchmarks. More info: https://www.datadoghq.com/product/security-platform/cloud-security-posture-management/
Default: false

Rules:
ResourceCollectionValidState:
Assertions:
- Assert:
Fn::Not:
- Fn::And:
- Fn::Equals:
- Ref: DisableResourceCollection
- 'true'
- Fn::Equals:
- Ref: CloudSecurityPostureManagement
- 'true'
AssertDescription: CloudSecurityPostureManagement requires ResourceCollection, must enable ResourceCollection
Conditions:
ShouldInstallCSPMPolicy:
ResourceCollectionPermissions:
Fn::Equals:
- Ref: CloudSecurityPostureManagement
- true
- !Ref DisableResourceCollection
- false
IsAP1:
Fn::Equals:
- !Ref DatadogSite
Expand All @@ -78,7 +99,6 @@ Resources:
Path: "/"
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

DatadogAPICall:
Type: "Custom::DatadogAPICall"
Properties:
Expand All @@ -91,6 +111,7 @@ Resources:
HostTags: [ !Sub "aws_account:${AWS::AccountId}" ]
CloudSecurityPostureManagement: !Ref CloudSecurityPostureManagement
DisableMetricCollection: !Ref DisableMetricCollection
DisableResourceCollection: !Ref DisableResourceCollection
DatadogAPICallFunction:
Type: "AWS::Lambda::Function"
Properties:
Expand Down Expand Up @@ -123,6 +144,7 @@ Resources:
host_tags = event['ResourceProperties']['HostTags']
cspm = event['ResourceProperties']['CloudSecurityPostureManagement']
metrics_disabled = event['ResourceProperties']['DisableMetricCollection']
resource_collection_disabled = event['ResourceProperties']['DisableResourceCollection']

# Make the url Request
url = 'https://api.' + api_url + '/api/v1/integration/aws'
Expand All @@ -134,6 +156,7 @@ Resources:
values["host_tags"] = host_tags
values["cspm_resource_collection_enabled"] = cspm == "true"
values["metrics_collection_enabled"] = metrics_disabled == "false"
values["extended_resource_collection_enabled"] = resource_collection_disabled == "false"

headers = {
'DD-API-KEY': api_key,
Expand Down Expand Up @@ -261,7 +284,7 @@ Resources:
'sts:ExternalId': !GetAtt DatadogAPICall.ExternalId
Path: /
RoleName: !Ref IAMRoleName
ManagedPolicyArns: !If [ ShouldInstallCSPMPolicy, [ !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit" ], !Ref AWS::NoValue ]
ManagedPolicyArns: !If [ ResourceCollectionPermissions, [ !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit" ], !Ref AWS::NoValue ]
Policies:
- PolicyName: DatadogAWSIntegrationPolicy
PolicyDocument:
Expand All @@ -273,7 +296,11 @@ Resources:
- 'apigateway:GET'
- 'autoscaling:Describe*'
- 'backup:List*'
- 'backup:ListRecoveryPointsByBackupVault'
- 'bcm-data-exports:GetExport'
- 'bcm-data-exports:ListExports'
- 'budgets:ViewBudget'
- 'cassandra:Select'
- 'cloudfront:GetDistributionConfig'
- 'cloudfront:ListDistributions'
- 'cloudtrail:DescribeTrails'
Expand All @@ -282,73 +309,89 @@ Resources:
- 'cloudwatch:Describe*'
- 'cloudwatch:Get*'
- 'cloudwatch:List*'
- 'codedeploy:List*'
- 'codedeploy:BatchGet*'
- 'codedeploy:List*'
- 'cur:DescribeReportDefinitions'
- 'directconnect:Describe*'
- 'dynamodb:List*'
- 'dynamodb:Describe*'
- 'dynamodb:List*'
- 'ec2:Describe*'
- 'ec2:GetSnapshotBlockPublicAccessState'
- 'ec2:GetTransitGatewayPrefixListReferences'
- 'ec2:SearchTransitGatewayRoutes'
- 'ecs:Describe*'
- 'ecs:List*'
- 'elasticache:Describe*'
- 'elasticache:List*'
- 'elasticfilesystem:DescribeAccessPoints'
- 'elasticfilesystem:DescribeFileSystems'
- 'elasticfilesystem:DescribeTags'
- 'elasticfilesystem:DescribeAccessPoints'
- 'elasticloadbalancing:Describe*'
- 'elasticmapreduce:List*'
- 'elasticmapreduce:Describe*'
- 'es:ListTags'
- 'es:ListDomainNames'
- 'elasticmapreduce:List*'
- 'es:DescribeElasticsearchDomains'
- 'es:ListDomainNames'
- 'es:ListTags'
- 'events:CreateEventBus'
- 'fsx:DescribeFileSystems'
- 'fsx:ListTagsForResource'
- 'health:DescribeEvents'
- 'health:DescribeEventDetails'
- 'glacier:GetVaultNotifications'
- 'glue:ListRegistries'
- 'health:DescribeAffectedEntities'
- 'kinesis:List*'
- 'health:DescribeEventDetails'
- 'health:DescribeEvents'
- 'kinesis:Describe*'
- 'kinesis:List*'
- 'lambda:GetPolicy'
- 'lambda:List*'
- 'lightsail:GetInstancePortStates'
- 'logs:DeleteSubscriptionFilter'
- 'logs:DescribeLogGroups'
- 'logs:DescribeLogStreams'
- 'logs:DescribeSubscriptionFilters'
- 'logs:FilterLogEvents'
- 'logs:PutSubscriptionFilter'
- 'logs:TestMetricFilter'
- 'oam:ListSinks'
- 'oam:ListAttachedLinks'
- 'oam:ListSinks'
- 'organizations:Describe*'
- 'organizations:List*'
- 'rds:Describe*'
- 'rds:List*'
- 'redshift:DescribeClusters'
- 'redshift:DescribeLoggingStatus'
- 'route53:List*'
- 's3:GetBucketLogging'
- 's3:GetBucketLocation'
- 's3:GetBucketLogging'
- 's3:GetBucketNotification'
- 's3:GetBucketTagging'
- 's3:ListAccessGrants'
- 's3:ListAllMyBuckets'
- 's3:PutBucketNotification'
- 'savingsplans:DescribeSavingsPlanRates'
- 'savingsplans:DescribeSavingsPlans'
- 'ses:Get*'
- 'sns:GetSubscriptionAttributes'
- 'sns:List*'
- 'sns:Publish'
- 'sns:GetSubscriptionAttributes'
- 'sqs:ListQueues'
- 'states:ListStateMachines'
- 'states:DescribeStateMachine'
- 'states:ListStateMachines'
- 'support:DescribeTrustedAdvisor*'
- 'support:RefreshTrustedAdvisorCheck'
- 'tag:GetResources'
- 'tag:GetTagKeys'
- 'tag:GetTagValues'
- 'wafv2:ListLoggingConfigurations'
- 'timestream:DescribeEndpoints'
- 'waf-regional:ListRuleGroups'
- 'waf-regional:ListRules'
- 'waf:ListRuleGroups'
- 'waf:ListRules'
- 'wafv2:GetIPSet'
- 'wafv2:GetLoggingConfiguration'
- 'wafv2:GetRegexPatternSet'
- 'wafv2:GetRuleGroup'
- 'wafv2:ListLoggingConfigurations'
- 'xray:BatchGetTraces'
- 'xray:GetTraceSummaries'
Metadata:
Expand All @@ -366,6 +409,7 @@ Metadata:
Parameters:
- IAMRoleName
- DisableMetricCollection
- DisableResourceCollection
ParameterLabels:
DatadogApiKey:
default: "DatadogApiKey *"
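Review bot: The new `ResourceCollectionPermissions` condition attaches the AWS-managed `SecurityAudit` policy whenever `DisableResourceCollection` equals `false`, and that parameter defaults to `false`, so the integration role now receives `SecurityAudit` in every account by default, whereas the replaced `ShouldInstallCSPMPolicy` condition only attached it when CSPM was explicitly enabled. Since this template is deployed organization-wide, that is a broad read-only grant (spanning most services, including IAM configuration) pushed to every member account, and the `DisableResourceCollection` description says nothing about it; I would append to that description `Leaving this enabled also attaches the AWS-managed SecurityAudit policy to the integration role.` so operators can make an informed choice. The inline policy also appears to gain `cassandra:Select`, which is a data-plane read on Keyspaces tables rather than a Describe/List call, so it deserves a short comment naming the feature that requires it. Separately, `backup:ListRecoveryPointsByBackupVault` is already covered by the existing `backup:List*` and can be dropped. The policy statement and the surrounding `Resources` block continue outside the visible lines, so any further actions added there were not reviewed.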