
create draft README.md #253

Merged
merged 5 commits into from
Jan 8, 2025
308 changes: 308 additions & 0 deletions aws/projects/ois-axonius/README.md
@@ -0,0 +1,308 @@
# Axonius

Axonius is a cybersecurity asset management suite

This describes the setup necessary ...

<!-- add additional information here -->

# Links

* [Product link](https://www.axonius.com/)
* [Product Link for AWS](https://www.axonius.com/aws)
* [Technical link for AWS](https://docs.axonius.com/docs/amazon-web-services-aws)
* [IAM configuration link](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
* [Orgs configuration link](https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)

# Product Implementation Questionnaire

1) From where are these api calls originating?
* Axonius is deployed in our Azure environment in the production subscription.

2) Is it able to handle govcloud?
* Yes.

3) Can it handle multiple organizations?
Do we create a service account for each org,
or can it use a role from an external account and external idIt can handle multiple accounts,
I would need to look into the documentation or ask about multiple orgs

4) Is this running from a system on prem or is it SaaS?
* Virtual machine in azure

5) What aws services/endpoints does it need
* The link I provided to Roy shows the list of services

6) Why (what's the purpose of this service)?
Why can't it be handled with other existing tools (aws config)?
* Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory.
This will allow OIS to identify missing requirements in the environment.

7) Is this a POC or is it purchased?
* Purchased at 0 cost

8) I see in the docs talking about s3 buckets, is that needed too?
* No. We will grab information about s3 buckets but we do not need one.


<!-- list product documentation links which apply to this setup -->
<!-- list any internal links to other portions of documentaiton, such as sharepoint -->

# Why
Data retrieved by AWS
The AWS adapter is capable of pulling in both device and user data.
There are many options available to fine-tune what data is collected.

Axonius can fetch device and user data from the following AWS services:
*Elastic Cloud Compute (EC2)
*Identity and Access Management (IAM)
*Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
*ElasticSearch
*Elastic Load Balancers
*AWS Systems Manager (SSM)
*Relational Database Service (RDS)
*Simple Storage Service (S3)
*Cloudtrail
*Workspaces
*Lambda
*Route53
*Organizations
*WAF/WAFv2
*Amazon Certificate Manager (ACM)
*DynamoDB
*Inspector
*SecurityHub
*API Gateway


<!-- describe the reasoning behind this setup, what the applijcaiton will do with these things, etc -->

# What
IAM configuration
[IAM User](https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user)
[Orgs]https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations)
Create a service account s-ois-inventory in appropriate sectools account
Grant the ability to assume a role r-ois-inventory in every account in its respective org (org permission) from a single location
```
Create a stackset
Indicate the source account from which to allow assume role
Create role with proper permissions:
```
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "axonius",
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeAutoScalingInstances",
"apigateway:GET",
"appstream:DescribeFleets",
"appstream:DescribeStacks",
"appstream:DescribeUserStackAssociations",
"appstream:DescribeUsers",
"appstream:ListAssociatedFleets",
"backup:ListBackupPlans",
"backup:ListBackupVaults",
"cloudfront:GetDistribution",
"cloudfront:ListDistributions",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeGlobalTableSettings",
"dynamodb:DescribeTable",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"ec2:DescribeAddresses",
"ec2:DescribeFlowLogs",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ecr-public:DescribeImages",
"ecr-public:DescribeRegistries",
"ecr-public:DescribeRepositories",
"ecr:DescribeImages",
"ecr:DescribeRegistry",
"ecr:DescribeRepositories",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTagsForResource",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"es:DescribeElasticsearchDomain",
"es:ListDomainNames",
"fsx:DescribeFileSystems",
"guardduty:GetDetector",
"guardduty:GetFilter",
"guardduty:GetFindings",
"guardduty:GetMembers",
"guardduty:ListDetectors",
"guardduty:ListFilters",
"guardduty:ListFindings",
"guardduty:ListMembers",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetServiceLastAccessedDetails",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"inspector2:ListFindings",
"inspector2:ListMembers",
"inspector:ListMembers",
"inspector:DescribeFindings",
"inspector:ListFindings",
"lambda:GetFunctionUrlConfig",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListTags",
"macie2:GetFindings",
"macie2:ListFindings",
"macie2:ListMembers",
"organizations:DescribeAccount",
"organizations:DescribeEffectivePolicy",
"organizations:DescribeOrganization",
"organizations:DescribePolicy",
"organizations:ListAccounts",
"organizations:ListPoliciesForTarget",
"organizations:ListTagsForResource",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeOptionGroups",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetEncryptionConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"securityhub:DescribeHub",
"securityhub:GetFindings",
"securityhub:ListMembers",
"securityhub:ListTagsForResource",
"sns:ListSubscriptionsByTopic",
"ssm:DescribeAvailablePatches",
"ssm:DescribeInstanceInformation",
"ssm:DescribeInstancePatches",
"ssm:DescribePatchGroups",
"ssm:GetInventorySchema",
"ssm:ListInventoryEntries",
"ssm:ListResourceComplianceSummaries",
"ssm:ListTagsForResource",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:ListWebACLs",
"waf:GetWebACL",
"waf:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:ListWebACLs",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaceDirectories",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspacesConnectionStatus"
],
"Resource": "*"
}
]
}
```


<!-- describe what this will be doing. For example, we need an IAM policy and an IAM role with that policy,
distributed to each account. A central AWS account (list details) will use an instance role
and is able to assume the created role in every account. etc. -->

# Where

* ent-gov
* ent-ew (commercial)
* lab-gov

<!-- describe where this setup needs to be executed. We have multiple AWS organizations: ent-ew (commercial),
ent-gov (primary one), and lab-gov (not addressed here, nor visable from the ent-gov). We will need to
accomodate all of them. Also separate stuff that runs in the morpheus account(s) and stuff in target accounts -->

# When

<!-- list notional dates for when this sort of thing is needed -->

# Who
```
POC:
Dustin Short
short343
edward.d.short@census.gov
CENSUS/OIS CTR
```
<!-- describe the user base, where they access from, how frequently it is used, how the users access it, etc. -->

# How

<!-- describe technical detail, as needed, how one implements in TF or whatever. Some of this will be split out
into stacksets in another account. Provide a diagram if you have one, clean with simple boxes and arrows. -->

<!-- add other sections which seem to make sense -->

# CHANGELOG

* 1.0.0 -- 2023-12-18

- initial draft
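Review bot: the role policy under `# What` grants `"Resource": "*"` for considerably more services than the `# Why` section lists as data sources (GuardDuty, Macie, Secrets Manager, Backup, AppStream, CloudFront, FSx, SNS and ECR appear in the policy but not in the list), and sensitive read actions such as `iam:GenerateCredentialReport` / `iam:GetCredentialReport` are not called out anywhere in the text; either trim the policy to the services Axonius actually collects or extend the list so the two agree, and record in the placeholder comment below the policy which of these are intentional. Since question 3 already raises "a role from an external account and external id", the trust policy for `r-ois-inventory` (the `s-ois-inventory` principal in the sectools account plus an `sts:ExternalId` condition) belongs next to the permissions policy rather than only as the one-line stack set note. Smaller points in the same hunk: `[Orgs]https://docs.axonius.com/...` is missing the opening parenthesis of the link target, the `*Elastic Cloud Compute (EC2)` list items need a space after `*` to render as bullets, the answer to question 3 runs two sentences together ("external idIt can handle"), and the fenced block holding "Create a stackset / Indicate the source account from which to allow assume role / Create role with proper permissions:" reads as a numbered step list rather than code.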