Skip to content

Commit

Permalink
Merge branch 'master' of github.e.it.census.gov:terraform/cloud-infor…
Browse files Browse the repository at this point in the history 
…mation
  • Loading branch information
@badra001
badra001 committed Jan 8, 2025
2 parents df3b665 + e1eb1b4 commit 6247d6c
Showing 1 changed file with 308 additions and 0 deletions.
308 changes: 308 additions & 0 deletions aws/projects/ois-axonius/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,308 @@
# Axonius

Axonius is a cybersecurity asset management suite

This describes the setup necessary ...

<!-- add additional information here -->

# Links

* [Product link](https://www.axonius.com/)
* [Product Link for AWS](https://www.axonius.com/aws)
* [Technical link for AWS](https://docs.axonius.com/docs/amazon-web-services-aws)
* [IAM configuration link](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
* [Orgs configuration link](https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)

# Product Implementation Questionnaire

1) From where are these api calls originating?
* Axonius is deployed in our Azure environment in the production subscription.

2) Is it able to handle govcloud?
* Yes.

3) Can it handle multiple organizations?
Do we create a service account for each org,
or can it use a role from an external account and external idIt can handle multiple accounts,
I would need to look into the documentation or ask about multiple orgs

4) Is this running from a system on prem or is it SaaS?
* Virtual machine in azure

5) What aws services/endpoints does it need
* The link I provided to Roy shows the list of services

6) Why (what's the purpose of this service)?
Why can't it be handled with other existing tools (aws config)?
* Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory.
This will allow OIS to identify missing requirements in the environment.

7) Is this a POC or is it purchased?
* Purchased at 0 cost

8) I see in the docs talking about s3 buckets, is that needed too?
* No. We will grab information about s3 buckets but we do not need one.


<!-- list product documentation links which apply to this setup -->
<!-- list any internal links to other portions of documentaiton, such as sharepoint -->

# Why
Data retrieved by AWS
The AWS adapter is capable of pulling in both device and user data.
There are many options available to fine-tune what data is collected.

Axonius can fetch device and user data from the following AWS services:
*Elastic Cloud Compute (EC2)
*Identity and Access Management (IAM)
*Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
*ElasticSearch
*Elastic Load Balancers
*AWS Systems Manager (SSM)
*Relational Database Service (RDS)
*Simple Storage Service (S3)
*Cloudtrail
*Workspaces
*Lambda
*Route53
*Organizations
*WAF/WAFv2
*Amazon Certificate Manager (ACM)
*DynamoDB
*Inspector
*SecurityHub
*API Gateway


<!-- describe the reasoning behind this setup, what the applijcaiton will do with these things, etc -->

# What
IAM configuration
[IAM User](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
[Orgs]https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
Create a service account s-ois-inventory in appropriate sectools account
Grant the ability to assume a role r-ois-inventory in every account in its respective org (org permission) from a single location
```
Create a stackset
Indicate the source account from which to allow assume role
Create role with proper permissions:
```
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "axonius",
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeAutoScalingInstances",
"apigateway:GET",
"appstream:DescribeFleets",
"appstream:DescribeStacks",
"appstream:DescribeUserStackAssociations",
"appstream:DescribeUsers",
"appstream:ListAssociatedFleets",
"backup:ListBackupPlans",
"backup:ListBackupVaults",
"cloudfront:GetDistribution",
"cloudfront:ListDistributions",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeGlobalTableSettings",
"dynamodb:DescribeTable",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"ec2:DescribeAddresses",
"ec2:DescribeFlowLogs",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ecr-public:DescribeImages",
"ecr-public:DescribeRegistries",
"ecr-public:DescribeRepositories",
"ecr:DescribeImages",
"ecr:DescribeRegistry",
"ecr:DescribeRepositories",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTagsForResource",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"fsx:DescribeFileSystems",
"guardduty:GetDetector",
"guardduty:GetFilter",
"guardduty:GetFindings",
"guardduty:GetMembers",
"guardduty:ListDetectors",
"guardduty:ListFilters",
"guardduty:ListFindings",
"guardduty:ListMembers",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetServiceLastAccessedDetails",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"inspector2:ListFindings",
"inspector2:ListMembers",
"inspector:ListMembers",
"inspector:DescribeFindings",
"inspector:ListFindings",
"lambda:GetFunctionUrlConfig",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListTags",
"macie2:GetFindings",
"macie2:ListFindings",
"macie2:ListMembers",
"organizations:DescribeAccount",
"organizations:DescribeEffectivePolicy",
"organizations:DescribeOrganization",
"organizations:DescribePolicy",
"organizations:ListAccounts",
"organizations:ListPoliciesForTarget",
"organizations:ListTagsForResource",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeOptionGroups",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetEncryptionConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"securityhub:DescribeHub",
"securityhub:GetFindings",
"securityhub:ListMembers",
"securityhub:ListTagsForResource",
"sns:ListSubscriptionsByTopic",
"ssm:DescribeAvailablePatches",
"ssm:DescribeInstanceInformation",
"ssm:DescribeInstancePatches",
"ssm:DescribePatchGroups",
"ssm:GetInventorySchema",
"ssm:ListInventoryEntries",
"ssm:ListResourceComplianceSummaries",
"ssm:ListTagsForResource",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:ListWebACLs",
"waf:GetWebACL",
"waf:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:ListWebACLs",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Resource": "*"
}
]
}
```


<!-- describe what this will be doing. For example, we need an IAM policy and an IAM role with that policy,
distributed to each account. A central AWS account (list details) will use an instance role
and is able to assume the created role in every account. etc. -->

# Where

* ent-gov
* ent-ew (commercial)
* lab-gov

<!-- describe where this setup needs to be executed. We have multiple AWS organizations: ent-ew (commercial),
ent-gov (primary one), and lab-gov (not addressed here, nor visable from the ent-gov). We will need to
accomodate all of them. Also separate stuff that runs in the morpheus account(s) and stuff in target accounts -->

# When

<!-- list notional dates for when this sort of thing is needed -->

# Who
```
POC:
Dustin Short
short343
edward.d.short@census.gov
CENSUS/OIS CTR
```
<!-- describe the user base, where they access from, how frequently it is used, how the users access it, etc. -->

# How

<!-- describe technical detail, as needed, how one implements in TF or whatever. Some of this will be split out
into stacksets in another account. Provide a diagram if you have one, clean with simple boxes and arrows. -->

<!-- add other sections which seem to make sense -->

# CHANGELOG

* 1.0.0 -- 2023-12-18

- initial draft

0 comments on commit 6247d6c

Please sign in to comment.