From e683eee4af2706ff4f9836e2bd6890bef0793bca Mon Sep 17 00:00:00 2001
From: ashle001
Date: Fri, 15 Dec 2023 13:38:22 -0500
Subject: [PATCH 1/5] create draft README.md
---
aws/projects/ois-axonius/README.md | 302 +++++++++++++++++++++++++++++
1 file changed, 302 insertions(+)
create mode 100644 aws/projects/ois-axonius/README.md
diff --git a/aws/projects/ois-axonius/README.md b/aws/projects/ois-axonius/README.md
new file mode 100644
index 00000000..6f227a70
--- /dev/null
+++ b/aws/projects/ois-axonius/README.md
@@ -0,0 +1,302 @@
+# Axonius
+
+Axonius is a cybersecurity asset management suite
+
+This describes the setup necessary ...
+
+
+
+# Links
+
+Product link : https://www.axonius.com/
+Product link for AWS: https://www.axonius.com/aws
+Technical link for AWS: https://docs.axonius.com/docs/amazon-web-services-aws
+IAM configuration link: https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user
+Orgs configuration link: https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations
+
+# Product Implementation Questionnaire
+
+1) Q: Where are these api calls originating?
+ A: Axonius is deployed in our Azure environment in the production subscription.
+
+2) Q: Is it able to handle govcloud?
+ A: Yes.
+
+3) Q: Can it handle multiple organizations?
+ Do we create a service account for each org,
+ or can it use a role from an external account and external idIt can handle multiple accounts,
+ I would need to look into the documentation or ask about multiple orgs
+
+4) Q: Is this running from a system on prem or is it SaaS?
+ A: Virtual machine in azure
+
+5) Q: What aws services/endpoints does it need
+ A: The link I provided to Roy shows the list of services
+
+6) Q: Why (what's the purpose of this service)?
+ Why can't it be handled with other existing tools (aws config)?
+ A: Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory.
+ This will allow OIS to identify missing requirements in the environment.
+
+7) Q: Is this a POC or is it purchased? purchased at 0 cost
+
+8) I see in the docs talking about s3 buckets, is that needed too? no. We will grab information about s3 buckets but we do not need one.
+
+
+
+
+
+# Why
+Data retrieved by AWS
+The AWS adapter is capable of pulling in both device and user data.
+There are many options available to fine-tune what data is collected.
+
+Axonius can fetch device and user data from the following AWS services:
+Elastic Cloud Compute (EC2)
+Identity and Access Management (IAM)
+Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
+ElasticSearch
+Elastic Load Balancers
+AWS Systems Manager (SSM)
+Relational Database Service (RDS)
+Simple Storage Service (S3)
+Cloudtrail
+Workspaces
+Lambda
+Route53
+Organizations
+WAF/WAFv2
+Amazon Certificate Manager (ACM)
+DynamoDB
+Inspector
+SecurityHub
+API Gateway
+
+
+
+
+# What
+IAM configuration
+ https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user
+ https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations
+Create a service account s-ois-inventory in appropriate sectools account
+Grant the ability to assume a role r-ois-inventory in every account in its respective org (org permission) from a single location
+Create a stackset
+Indicate the source account from which to allow assume role
+Create role with proper permissions:
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "axonius",
+ "Effect": "Allow",
+ "Action": [
+ "acm:DescribeCertificate",
+ "acm:ListCertificates",
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribePolicies",
+ "autoscaling:DescribeAutoScalingInstances",
+ "apigateway:GET",
+ "appstream:DescribeFleets",
+ "appstream:DescribeStacks",
+ "appstream:DescribeUserStackAssociations",
+ "appstream:DescribeUsers",
+ "appstream:ListAssociatedFleets",
+ "backup:ListBackupPlans",
+ "backup:ListBackupVaults",
+ "cloudfront:GetDistribution",
+ "cloudfront:ListDistributions",
+ "dynamodb:DescribeGlobalTable",
+ "dynamodb:DescribeGlobalTableSettings",
+ "dynamodb:DescribeTable",
+ "dynamodb:ListGlobalTables",
+ "dynamodb:ListTables",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeFlowLogs",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSnapshotAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ecr-public:DescribeImages",
+ "ecr-public:DescribeRegistries",
+ "ecr-public:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:DescribeRegistry",
+ "ecr:DescribeRepositories",
+ "ecs:DescribeClusters",
+ "ecs:DescribeContainerInstances",
+ "ecs:DescribeServices",
+ "ecs:DescribeTasks",
+ "ecs:ListClusters",
+ "ecs:ListContainerInstances",
+ "ecs:ListServices",
+ "ecs:ListTagsForResource",
+ "ecs:ListTasks",
+ "eks:DescribeCluster",
+ "eks:ListClusters",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "es:DescribeElasticsearchDomain",
+ "es:ListDomainNames",
+ "fsx:DescribeFileSystems",
+ "guardduty:GetDetector",
+ "guardduty:GetFilter",
+ "guardduty:GetFindings",
+ "guardduty:GetMembers",
+ "guardduty:ListDetectors",
+ "guardduty:ListFilters",
+ "guardduty:ListFindings",
+ "guardduty:ListMembers",
+ "iam:GenerateCredentialReport",
+ "iam:GenerateServiceLastAccessedDetails",
+ "iam:GetAccessKeyLastUsed",
+ "iam:GetAccountPasswordPolicy",
+ "iam:GetAccountSummary",
+ "iam:GetCredentialReport",
+ "iam:GetLoginProfile",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:GetServiceLastAccessedDetails",
+ "iam:GetUser",
+ "iam:GetUserPolicy",
+ "iam:ListAccessKeys",
+ "iam:ListAccountAliases",
+ "iam:ListAttachedGroupPolicies",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListAttachedUserPolicies",
+ "iam:ListEntitiesForPolicy",
+ "iam:ListGroups",
+ "iam:ListGroupsForUser",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListMFADevices",
+ "iam:ListPolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUserTags",
+ "iam:ListUsers",
+ "iam:ListVirtualMFADevices",
+ "inspector2:ListFindings",
+ "inspector2:ListMembers",
+ "inspector:ListMembers",
+ "inspector:DescribeFindings",
+ "inspector:ListFindings",
+ "lambda:GetFunctionUrlConfig",
+ "lambda:GetPolicy",
+ "lambda:ListFunctions",
+ "lambda:ListTags",
+ "macie2:GetFindings",
+ "macie2:ListFindings",
+ "macie2:ListMembers",
+ "organizations:DescribeAccount",
+ "organizations:DescribeEffectivePolicy",
+ "organizations:DescribeOrganization",
+ "organizations:DescribePolicy",
+ "organizations:ListAccounts",
+ "organizations:ListPoliciesForTarget",
+ "organizations:ListTagsForResource",
+ "rds:DescribeDBClusters",
+ "rds:DescribeDBInstances",
+ "rds:DescribeOptionGroups",
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
+ "s3:GetAccountPublicAccessBlock",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketPolicyStatus",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketTagging",
+ "s3:GetEncryptionConfiguration",
+ "s3:ListAllMyBuckets",
+ "s3:ListBucket",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:ListSecrets",
+ "securityhub:DescribeHub",
+ "securityhub:GetFindings",
+ "securityhub:ListMembers",
+ "securityhub:ListTagsForResource",
+ "sns:ListSubscriptionsByTopic",
+ "ssm:DescribeAvailablePatches",
+ "ssm:DescribeInstanceInformation",
+ "ssm:DescribeInstancePatches",
+ "ssm:DescribePatchGroups",
+ "ssm:GetInventorySchema",
+ "ssm:ListInventoryEntries",
+ "ssm:ListResourceComplianceSummaries",
+ "ssm:ListTagsForResource",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:ListWebACLs",
+ "waf:GetWebACL",
+ "waf:ListWebACLs",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:ListWebACLs",
+ "workspaces:DescribeTags",
+ "workspaces:DescribeWorkspaceDirectories",
+ "workspaces:DescribeWorkspaces",
+ "workspaces:DescribeWorkspacesConnectionStatus"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+
+
+
+
+
+# Where
+
+ent-gov
+ent-ew (commercial)
+lab-gov
+
+
+
+# When
+
+
+
+# Who
+
+POC: Dustin Short edward.d.short@census.gov CENSUS/OIS CTR
+Organizational Unit: OIS
+
+
+
+# How
+
+
+
+
+
+# CHANGELOG
+
+* 1.0.0 -- 2023-12-15
+
+ - initial draft
+
+
From 84021f74edf608c66c4491efe772e74dce6b9621 Mon Sep 17 00:00:00 2001
From: ashle001
Date: Fri, 15 Dec 2023 14:28:17 -0500
Subject: [PATCH 2/5] make requested changes
---
aws/projects/ois-axonius/README.md | 100 +++++++++++++++++++++++++--------
1 file changed, 53 insertions(+), 47 deletions(-)
diff --git a/aws/projects/ois-axonius/README.md b/aws/projects/ois-axonius/README.md
index 6f227a70..0912a56d 100644
--- a/aws/projects/ois-axonius/README.md
+++ b/aws/projects/ois-axonius/README.md
@@ -8,39 +8,41 @@ This describes the setup necessary ...
 # Links
-Product link : https://www.axonius.com/
-Product link for AWS: https://www.axonius.com/aws
-Technical link for AWS: https://docs.axonius.com/docs/amazon-web-services-aws
-IAM configuration link: https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user
-Orgs configuration link: https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations
+* [Product link:](https://www.axonius.com/)
+* [Product Link for AWS:](https://www.axonius.com/aws)
+* [Technical link for AWS:]https://docs.axonius.com/docs/amazon-web-services-aws)
+* [IAM configuration link:](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
+* [Orgs configuration link:](https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
 # Product Implementation Questionnaire
-1) Q: Where are these api calls originating?
- A: Axonius is deployed in our Azure environment in the production subscription.
+1) From where are these api calls originating?
+ * Axonius is deployed in our Azure environment in the production subscription.
-2) Q: Is it able to handle govcloud?
- A: Yes.
+2) Is it able to handle govcloud?
+ * Yes.
-3) Q: Can it handle multiple organizations?
+3) Can it handle multiple organizations?
 Do we create a service account for each org,
 or can it use a role from an external account and external idIt can handle multiple accounts,
 I would need to look into the documentation or ask about multiple orgs
-4) Q: Is this running from a system on prem or is it SaaS?
- A: Virtual machine in azure
+4) Is this running from a system on prem or is it SaaS?
+ * Virtual machine in azure
-5) Q: What aws services/endpoints does it need
- A: The link I provided to Roy shows the list of services
+5) What aws services/endpoints does it need
+ * The link I provided to Roy shows the list of services
-6) Q: Why (what's the purpose of this service)?
+6) Why (what's the purpose of this service)?
 Why can't it be handled with other existing tools (aws config)?
- A: Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory.
- This will allow OIS to identify missing requirements in the environment.
+ * Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory.
+ This will allow OIS to identify missing requirements in the environment.
-7) Q: Is this a POC or is it purchased? purchased at 0 cost
+7) Is this a POC or is it purchased?
+ * Purchased at 0 cost
-8) I see in the docs talking about s3 buckets, is that needed too? no. We will grab information about s3 buckets but we do not need one.
+8) I see in the docs talking about s3 buckets, is that needed too?
+ * No. We will grab information about s3 buckets but we do not need one.
@@ -52,38 +54,41 @@ The AWS adapter is capable of pulling in both device and user data.
 There are many options available to fine-tune what data is collected.
 Axonius can fetch device and user data from the following AWS services:
-Elastic Cloud Compute (EC2)
-Identity and Access Management (IAM)
-Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
-ElasticSearch
-Elastic Load Balancers
-AWS Systems Manager (SSM)
-Relational Database Service (RDS)
-Simple Storage Service (S3)
-Cloudtrail
-Workspaces
-Lambda
-Route53
-Organizations
-WAF/WAFv2
-Amazon Certificate Manager (ACM)
-DynamoDB
-Inspector
-SecurityHub
-API Gateway
+*Elastic Cloud Compute (EC2)
+*Identity and Access Management (IAM)
+*Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
+*ElasticSearch
+*Elastic Load Balancers
+*AWS Systems Manager (SSM)
+*Relational Database Service (RDS)
+*Simple Storage Service (S3)
+*Cloudtrail
+*Workspaces
+*Lambda
+*Route53
+*Organizations
+*WAF/WAFv2
+*Amazon Certificate Manager (ACM)
+*DynamoDB
+*Inspector
+*SecurityHub
+*API Gateway
 # What
 IAM configuration
- https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user
- https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations
+ [IAM User](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
+ [Orgs]https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
 Create a service account s-ois-inventory in appropriate sectools account
 Grant the ability to assume a role r-ois-inventory in every account in its respective org (org permission) from a single location
+```
 Create a stackset
 Indicate the source account from which to allow assume role
 Create role with proper permissions:
+```
+```
 {
 "Version": "2012-10-17",
 "Statement": [
@@ -258,7 +263,7 @@ Create role with proper permissions:
 }
 ]
 }
-
+```
 # Who
-
-POC: Dustin Short edward.d.short@census.gov CENSUS/OIS CTR
-Organizational Unit: OIS
-
+```
+POC:
+Dustin Short
+short343
+dward.d.short@census.gov
+CENSUS/OIS CTR
+```
 # How
@@ -298,5 +306,3 @@ into stacksets in another account. Provide a diagram if you have one, clean wit
 * 1.0.0 -- 2023-12-15
 - initial draft
-
-
From df03afec219cae87e6e1bf10f4772695613fadbf Mon Sep 17 00:00:00 2001
From: ashle001
Date: Mon, 18 Dec 2023 08:21:08 -0500
Subject: [PATCH 3/5] fix formatting
---
aws/projects/ois-axonius/README.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/aws/projects/ois-axonius/README.md b/aws/projects/ois-axonius/README.md
index 0912a56d..cefe6942 100644
--- a/aws/projects/ois-axonius/README.md
+++ b/aws/projects/ois-axonius/README.md
@@ -10,7 +10,7 @@ This describes the setup necessary ...
 * [Product link:](https://www.axonius.com/)
 * [Product Link for AWS:](https://www.axonius.com/aws)
-* [Technical link for AWS:]https://docs.axonius.com/docs/amazon-web-services-aws)
+* [Technical link for AWS:](https://docs.axonius.com/docs/amazon-web-services-aws)
 * [IAM configuration link:](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
 * [Orgs configuration link:](https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
@@ -272,9 +272,9 @@ and is able to assume the created role in every account. etc. -->
 # Where
-ent-gov
-ent-ew (commercial)
-lab-gov
+*ent-gov
+*ent-ew (commercial)
+*lab-gov
 # Where
-*ent-gov
-*ent-ew (commercial)
-*lab-gov
+* ent-gov
+* ent-ew (commercial)
+* lab-gov
@@ -303,6 +303,6 @@ into stacksets in another account. Provide a diagram if you have one, clean wit
 # CHANGELOG
-* 1.0.0 -- 2023-12-15
+* 1.0.0 -- 2023-12-18
 - initial draft