terraform · badra001 · Jan 8, 2025 · Dec 15, 2023 · Dec 15, 2023 · Dec 18, 2023
diff --git a/aws/projects/ois-axonius/README.md b/aws/projects/ois-axonius/README.md
@@ -0,0 +1,302 @@
+# Axonius
+
+Axonius is a cybersecurity asset management suite
+
+This describes the setup necessary ...
+
+<!-- add additional information here -->
+
+# Links
+
+Product link :           https://www.axonius.com/
+Product link for AWS:    https://www.axonius.com/aws
+Technical link for AWS:  https://docs.axonius.com/docs/amazon-web-services-aws
+IAM configuration link:  https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user
+Orgs configuration link: https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations
+
+# Product Implementation Questionnaire
+
+1) Q: Where are these api calls originating? 
+   A: Axonius is deployed in our Azure environment in the production subscription.
+
+2) Q: Is it able to handle govcloud?
+   A: Yes.
+
+3) Q: Can it handle multiple organizations?
+   Do we create a service account for each org, 
+   or can it use a role from an external account and external idIt can handle multiple accounts, 
+   I would need to look into the documentation or ask about multiple orgs
+
+4) Q: Is this running from a system on prem or is it SaaS?
+   A: Virtual machine in azure
+
+5) Q: What aws services/endpoints does it need
+   A: The link I provided to Roy shows the list of services
+
+6) Q: Why (what's the purpose of this service)?  
+      Why can't it be handled with other existing tools (aws config)?
+   A: Axonius is a free offering provided by DoC. It is how OIS intends to meet CDM requirements and the purpose is to automate and centralize asset inventory. 
+      This will allow OIS to identify missing requirements in the environment.
+
+7) Q: Is this a POC or is it purchased? purchased at 0 cost
+
+8) I see in the docs talking about s3 buckets, is that needed too? no. We will grab information about s3 buckets but we do not need one.
+
+
+<!-- list product documentation links which apply to this setup -->
+<!-- list any internal links to other portions of documentaiton, such as sharepoint -->
+
+# Why
+Data retrieved by AWS
+The AWS adapter is capable of pulling in both device and user data. 
+There are many options available to fine-tune what data is collected. 
+
+Axonius can fetch device and user data from the following AWS services:
+Elastic Cloud Compute (EC2)
+Identity and Access Management (IAM)
+Elastic Kubernetes Service/Elastic Container Service (EKS/ECS)
+ElasticSearch
+Elastic Load Balancers
+AWS Systems Manager (SSM)
+Relational Database Service (RDS)
+Simple Storage Service (S3)
+Cloudtrail
+Workspaces
+Lambda
+Route53
+Organizations
+WAF/WAFv2
+Amazon Certificate Manager (ACM)
+DynamoDB
+Inspector
+SecurityHub
+API Gateway
+
+
+<!-- describe the reasoning behind this setup, what the applijcaiton will do with these things, etc -->
+
+# What
+IAM configuration
+  https://docs.axonius.com/docs/connecting-aws-adapter-using-iam-user
+  https://docs.axonius.com/docs/configuring-the-aws-adapter-using-organizations
+Create a service account s-ois-inventory in appropriate sectools account
+Grant the ability to assume a role r-ois-inventory in every account in its respective org (org permission) from a single location
+Create a stackset
+Indicate the source account from which to allow assume role
+Create role with proper permissions:
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "axonius",
+            "Effect": "Allow",
+            "Action": [
+				"acm:DescribeCertificate",
+				"acm:ListCertificates",
+                                "autoscaling:DescribeAutoScalingGroups",
+                                "autoscaling:DescribePolicies",
+                                "autoscaling:DescribeAutoScalingInstances",
+				"apigateway:GET",
+				"appstream:DescribeFleets",
+				"appstream:DescribeStacks",
+				"appstream:DescribeUserStackAssociations",
+				"appstream:DescribeUsers",
+				"appstream:ListAssociatedFleets",
+                                "backup:ListBackupPlans",
+                                "backup:ListBackupVaults",
+				"cloudfront:GetDistribution",
+				"cloudfront:ListDistributions",
+				"dynamodb:DescribeGlobalTable",
+				"dynamodb:DescribeGlobalTableSettings",
+				"dynamodb:DescribeTable",
+				"dynamodb:ListGlobalTables",
+				"dynamodb:ListTables",
+				"ec2:DescribeAddresses",
+				"ec2:DescribeFlowLogs",
+				"ec2:DescribeImages",
+				"ec2:DescribeInstances",
+				"ec2:DescribeInternetGateways",
+				"ec2:DescribeNatGateways",
+				"ec2:DescribeRouteTables",
+				"ec2:DescribeSecurityGroups",
+				"ec2:DescribeSnapshotAttribute",
+				"ec2:DescribeSnapshots",
+				"ec2:DescribeSubnets",
+				"ec2:DescribeTags",
+				"ec2:DescribeVolumes",
+				"ec2:DescribeVpcPeeringConnections",
+				"ec2:DescribeVpcs",
+				"ecr-public:DescribeImages",
+				"ecr-public:DescribeRegistries",
+				"ecr-public:DescribeRepositories",
+				"ecr:DescribeImages",
+				"ecr:DescribeRegistry",
+				"ecr:DescribeRepositories",
+				"ecs:DescribeClusters",
+				"ecs:DescribeContainerInstances",
+				"ecs:DescribeServices",
+				"ecs:DescribeTasks",
+				"ecs:ListClusters",
+				"ecs:ListContainerInstances",
+				"ecs:ListServices",
+				"ecs:ListTagsForResource",
+				"ecs:ListTasks",
+				"eks:DescribeCluster",
+				"eks:ListClusters",
+				"elasticloadbalancing:DescribeListeners",
+				"elasticloadbalancing:DescribeLoadBalancerPolicies",
+				"elasticloadbalancing:DescribeLoadBalancers",
+				"elasticloadbalancing:DescribeSSLPolicies",
+				"elasticloadbalancing:DescribeTargetGroups",
+				"elasticloadbalancing:DescribeTargetHealth",
+				"es:DescribeElasticsearchDomain",
+				"es:ListDomainNames",
+				"fsx:DescribeFileSystems",
+				"guardduty:GetDetector",
+				"guardduty:GetFilter",
+				"guardduty:GetFindings",
+				"guardduty:GetMembers",
+				"guardduty:ListDetectors",
+				"guardduty:ListFilters",
+				"guardduty:ListFindings",
+				"guardduty:ListMembers",
+				"iam:GenerateCredentialReport",
+				"iam:GenerateServiceLastAccessedDetails",
+				"iam:GetAccessKeyLastUsed",
+				"iam:GetAccountPasswordPolicy",
+				"iam:GetAccountSummary",
+				"iam:GetCredentialReport",
+				"iam:GetLoginProfile",
+				"iam:GetPolicy",
+				"iam:GetPolicyVersion",
+				"iam:GetRole",
+				"iam:GetRolePolicy",
+				"iam:GetServiceLastAccessedDetails",
+				"iam:GetUser",
+				"iam:GetUserPolicy",
+				"iam:ListAccessKeys",
+				"iam:ListAccountAliases",
+				"iam:ListAttachedGroupPolicies",
+				"iam:ListAttachedRolePolicies",
+				"iam:ListAttachedUserPolicies",
+				"iam:ListEntitiesForPolicy",
+				"iam:ListGroups",
+				"iam:ListGroupsForUser",
+				"iam:ListInstanceProfilesForRole",
+				"iam:ListMFADevices",
+				"iam:ListPolicies",
+				"iam:ListRolePolicies",
+				"iam:ListRoles",
+				"iam:ListUserPolicies",
+				"iam:ListUserTags",
+				"iam:ListUsers",
+				"iam:ListVirtualMFADevices",
+				"inspector2:ListFindings",
+                                "inspector2:ListMembers",
+                                "inspector:ListMembers",
+				"inspector:DescribeFindings",
+				"inspector:ListFindings",
+				"lambda:GetFunctionUrlConfig",
+				"lambda:GetPolicy",
+				"lambda:ListFunctions",
+				"lambda:ListTags",
+				"macie2:GetFindings",
+				"macie2:ListFindings",
+				"macie2:ListMembers",
+				"organizations:DescribeAccount",
+				"organizations:DescribeEffectivePolicy",
+				"organizations:DescribeOrganization",
+				"organizations:DescribePolicy",
+				"organizations:ListAccounts",
+				"organizations:ListPoliciesForTarget",
+				"organizations:ListTagsForResource",
+				"rds:DescribeDBClusters",
+				"rds:DescribeDBInstances",
+				"rds:DescribeOptionGroups",
+				"route53:ListHostedZones",
+				"route53:ListResourceRecordSets",
+				"s3:GetAccountPublicAccessBlock",
+				"s3:GetBucketAcl",
+				"s3:GetBucketLocation",
+				"s3:GetBucketLogging",
+				"s3:GetBucketPolicy",
+				"s3:GetBucketPolicyStatus",
+				"s3:GetBucketPublicAccessBlock",
+				"s3:GetBucketTagging",
+				"s3:GetEncryptionConfiguration",
+				"s3:ListAllMyBuckets",
+				"s3:ListBucket",
+				"secretsmanager:GetResourcePolicy",
+				"secretsmanager:ListSecrets",
+				"securityhub:DescribeHub",
+				"securityhub:GetFindings",
+				"securityhub:ListMembers",
+				"securityhub:ListTagsForResource",
+				"sns:ListSubscriptionsByTopic",
+				"ssm:DescribeAvailablePatches",
+				"ssm:DescribeInstanceInformation",
+				"ssm:DescribeInstancePatches",
+				"ssm:DescribePatchGroups",
+				"ssm:GetInventorySchema",
+				"ssm:ListInventoryEntries",
+				"ssm:ListResourceComplianceSummaries",
+				"ssm:ListTagsForResource",
+				"waf-regional:GetWebACL",
+				"waf-regional:GetWebACLForResource",
+				"waf-regional:ListWebACLs",
+				"waf:GetWebACL",
+				"waf:ListWebACLs",
+				"wafv2:GetWebACL",
+				"wafv2:GetWebACLForResource",
+				"wafv2:ListWebACLs",
+				"workspaces:DescribeTags",
+				"workspaces:DescribeWorkspaceDirectories",
+				"workspaces:DescribeWorkspaces",
+				"workspaces:DescribeWorkspacesConnectionStatus"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+
+
+<!-- describe what this will be doing. For example, we need an IAM policy and an IAM role with that policy,
+distributed to each account. A central AWS account (list details) will use an instance role
+and is able to assume the created role in every account. etc.  -->
+
+# Where
+
+ent-gov
+ent-ew (commercial)
+lab-gov
+
+<!-- describe where this setup needs to be executed.  We have multiple AWS organizations: ent-ew (commercial),
+ent-gov (primary one), and lab-gov (not addressed here, nor visable from the ent-gov).  We will need to 
+accomodate all of them.  Also separate stuff that runs in the morpheus account(s) and stuff in target accounts -->
+
+# When
+
+<!-- list notional dates for when this sort of thing is needed -->
+
+# Who
+
+POC: Dustin Short  edward.d.short@census.gov CENSUS/OIS CTR
+Organizational Unit: OIS
+
+<!-- describe the user base, where they access from, how frequently it is used, how the users access it, etc. -->
+
+# How
+
+<!-- describe technical detail, as needed, how one implements in TF or whatever.  Some of this will be split out
+into stacksets in another account.  Provide a diagram if you have one, clean with simple boxes and arrows.  -->
+
+<!-- add other sections which seem to make sense -->
+
+# CHANGELOG
+
+* 1.0.0 -- 2023-12-15
+
+  - initial draft
+
+