From e1eb1b49e941f57daca66df5629c285776567f3f Mon Sep 17 00:00:00 2001 From: Roy D Ashley Jr Date: Wed, 8 Jan 2025 10:52:14 -0500 Subject: [PATCH] create draft README.md (#253) * create draft README.md * make requested changes * fix formatting * fix formatting * fix poc --- aws/projects/ois-axonius/README.md | 308 +++++++++++++++++++++++++++++ 1 file changed, 308 insertions(+) create mode 100644 aws/projects/ois-axonius/README.md diff --git a/aws/projects/ois-axonius/README.md b/aws/projects/ois-axonius/README.md new file mode 100644 index 00000000..38b3df53 --- /dev/null +++ b/aws/projects/ois-axonius/README.md 
@@ -0,0 +1,308 @@
+# Axonius
+
+Axonius is a cybersecurity asset management suite
+
+This describes the setup necessary ...
+
+
+
+# Links
+
+* [Product link](https://www.axonius.com/)
+* [Product Link for AWS](https://www.axonius.com/aws)
+* [Technical link for AWS](https://docs.axonius.com/docs/amazon-web-services-aws)
+* [IAM configuration link](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
+* [Orgs configuration link](https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
+
+# Product Implementation Questionnaire
+
+1) From where are these api calls originating?
+ * Axonius is deployed in our Azure environment in the production subscription.
+
+2) Is it able to handle govcloud?
+ * Yes.
+
+3) Can it handle multiple organizations?
+ Do we create a service account for each org,
+ or can it use a role from an external account and external idIt can handle multiple accounts,
+ I would need to look into the documentation or ask about multiple orgs
+
+4) Is this running from a system on prem or is it SaaS?
+ * Virtual machine in azure
+
+5) What aws services/endpoints does it need
+ * The link I provided to Roy shows the list of services
+
+6) Why (what's the purpose of this service)?
+ Why can't it be handled with other existing tools (aws config)?
+ * Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory.
+ This will allow OIS to identify missing requirements in the environment.
+
+7) Is this a POC or is it purchased?
+ * Purchased at 0 cost
+
+8) I see in the docs talking about s3 buckets, is that needed too?
+ * No. We will grab information about s3 buckets but we do not need one.
+
+
+
+
+
+# Why
+Data retrieved by AWS
+The AWS adapter is capable of pulling in both device and user data.
+There are many options available to fine-tune what data is collected.
+
+Axonius can fetch device and user data from the following AWS services:
+*Elastic Cloud Compute (EC2)
+*Identity and Access Management (IAM)
+*Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
+*ElasticSearch
+*Elastic Load Balancers
+*AWS Systems Manager (SSM)
+*Relational Database Service (RDS)
+*Simple Storage Service (S3)
+*Cloudtrail
+*Workspaces
+*Lambda
+*Route53
+*Organizations
+*WAF/WAFv2
+*Amazon Certificate Manager (ACM)
+*DynamoDB
+*Inspector
+*SecurityHub
+*API Gateway
+
+
+
+
+# What
+IAM configuration
+ [IAM User](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
+ [Orgs]https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
+Create a service account s-ois-inventory in appropriate sectools account
+Grant the ability to assume a role r-ois-inventory in every account in its respective org (org permission) from a single location
+```
+Create a stackset
+Indicate the source account from which to allow assume role
+Create role with proper permissions:
+```
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "axonius",
+ "Effect": "Allow",
+ "Action": [
+ "acm:DescribeCertificate",
+ "acm:ListCertificates",
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribePolicies",
+ "autoscaling:DescribeAutoScalingInstances",
+ "apigateway:GET",
+ "appstream:DescribeFleets",
+ "appstream:DescribeStacks",
+ "appstream:DescribeUserStackAssociations",
+ "appstream:DescribeUsers",
+ "appstream:ListAssociatedFleets",
+ "backup:ListBackupPlans",
+ "backup:ListBackupVaults",
+ "cloudfront:GetDistribution",
+ "cloudfront:ListDistributions",
+ "dynamodb:DescribeGlobalTable",
+ "dynamodb:DescribeGlobalTableSettings",
+ "dynamodb:DescribeTable",
+ "dynamodb:ListGlobalTables",
+ "dynamodb:ListTables",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeFlowLogs",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSnapshotAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ecr-public:DescribeImages",
+ "ecr-public:DescribeRegistries",
+ "ecr-public:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:DescribeRegistry",
+ "ecr:DescribeRepositories",
+ "ecs:DescribeClusters",
+ "ecs:DescribeContainerInstances",
+ "ecs:DescribeServices",
+ "ecs:DescribeTasks",
+ "ecs:ListClusters",
+ "ecs:ListContainerInstances",
+ "ecs:ListServices",
+ "ecs:ListTagsForResource",
+ "ecs:ListTasks",
+ "eks:DescribeCluster",
+ "eks:ListClusters",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "es:DescribeElasticsearchDomain",
+ "es:ListDomainNames",
+ "fsx:DescribeFileSystems",
+ "guardduty:GetDetector",
+ "guardduty:GetFilter",
+ "guardduty:GetFindings",
+ "guardduty:GetMembers",
+ "guardduty:ListDetectors",
+ "guardduty:ListFilters",
+ "guardduty:ListFindings",
+ "guardduty:ListMembers",
+ "iam:GenerateCredentialReport",
+ "iam:GenerateServiceLastAccessedDetails",
+ "iam:GetAccessKeyLastUsed",
+ "iam:GetAccountPasswordPolicy",
+ "iam:GetAccountSummary",
+ "iam:GetCredentialReport",
+ "iam:GetLoginProfile",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:GetServiceLastAccessedDetails",
+ "iam:GetUser",
+ "iam:GetUserPolicy",
+ "iam:ListAccessKeys",
+ "iam:ListAccountAliases",
+ "iam:ListAttachedGroupPolicies",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListAttachedUserPolicies",
+ "iam:ListEntitiesForPolicy",
+ "iam:ListGroups",
+ "iam:ListGroupsForUser",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListMFADevices",
+ "iam:ListPolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUserTags",
+ "iam:ListUsers",
+ "iam:ListVirtualMFADevices",
+ "inspector2:ListFindings",
+ "inspector2:ListMembers",
+ "inspector:ListMembers",
+ "inspector:DescribeFindings",
+ "inspector:ListFindings",
+ "lambda:GetFunctionUrlConfig",
+ "lambda:GetPolicy",
+ "lambda:ListFunctions",
+ "lambda:ListTags",
+ "macie2:GetFindings",
+ "macie2:ListFindings",
+ "macie2:ListMembers",
+ "organizations:DescribeAccount",
+ "organizations:DescribeEffectivePolicy",
+ "organizations:DescribeOrganization",
+ "organizations:DescribePolicy",
+ "organizations:ListAccounts",
+ "organizations:ListPoliciesForTarget",
+ "organizations:ListTagsForResource",
+ "rds:DescribeDBClusters",
+ "rds:DescribeDBInstances",
+ "rds:DescribeOptionGroups",
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
+ "s3:GetAccountPublicAccessBlock",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketPolicyStatus",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketTagging",
+ "s3:GetEncryptionConfiguration",
+ "s3:ListAllMyBuckets",
+ "s3:ListBucket",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:ListSecrets",
+ "securityhub:DescribeHub",
+ "securityhub:GetFindings",
+ "securityhub:ListMembers",
+ "securityhub:ListTagsForResource",
+ "sns:ListSubscriptionsByTopic",
+ "ssm:DescribeAvailablePatches",
+ "ssm:DescribeInstanceInformation",
+ "ssm:DescribeInstancePatches",
+ "ssm:DescribePatchGroups",
+ "ssm:GetInventorySchema",
+ "ssm:ListInventoryEntries",
+ "ssm:ListResourceComplianceSummaries",
+ "ssm:ListTagsForResource",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:ListWebACLs",
+ "waf:GetWebACL",
+ "waf:ListWebACLs",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:ListWebACLs",
+ "workspaces:DescribeTags",
+ "workspaces:DescribeWorkspaceDirectories",
+ "workspaces:DescribeWorkspaces",
+ "workspaces:DescribeWorkspacesConnectionStatus"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+
+
+
+# Where
+
+* ent-gov
+* ent-ew (commercial)
+* lab-gov
+
+
+
+# When
+
+
+
+# Who
+```
+POC:
+Dustin Short
+short343
+edward.d.short@census.gov
+CENSUS/OIS CTR
+```
+
+
+# How
+
+
+
+
+
+# CHANGELOG
+
+* 1.0.0 -- 2023-12-18
+
+ - initial draft
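Review bot: The trust relationship described under `# What` ("Indicate the source account from which to allow assume role") trusts an entire account rather than the single caller, so any principal in the sectools account could assume `r-ois-inventory` in every member account; the StackSet's trust policy should name the specific principal, e.g. `"Principal": {"AWS": "arn:aws:iam::<sectools-account-id>:user/s-ois-inventory"}`, and since the caller is a vendor appliance on an Azure VM authenticating with a static IAM-user key, add an `sts:ExternalId` condition and document the key-rotation and usage-monitoring expectation for `s-ois-inventory`. `"Resource": "*"` in the permissions policy is expected because most of these List/Describe actions do not support resource-level scoping, but the README should say so and should flag that the set reaches beyond plain inventory (`iam:GetCredentialReport`, `secretsmanager:GetResourcePolicy`, and `s3:ListBucket`, which enumerates object keys) so whoever approves the StackSet knows what is being granted. Minor: the `[Orgs]https://...)` link under `# What` is missing its opening parenthesis.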