Updated config role permissions and fixes.

Makefile

@@ -6,7 +6,7 @@ CFT_PREFIX := templates
 CFT_DIR := templates
 DATASET := lacework-alliances-prod
 
-PROFILE ?= ct
+PROFILE ?= alliances-admin
 REGION ?= us-west-2
 
 BUCKET_NAME ?= service_not_defined

lambda_functions/source/account/Makefile

@@ -1,7 +1,7 @@
 PROJECT = LaceworkCTAccount
 DIR_NAME = account
-FUNCTION = $(PROJECT)3.0.0
-DIST_DIR ?= "$(BASE)"/functions/packages/$(DIR_NAME)
+FUNCTION = $(PROJECT)3.0.1
+DIST_DIR ?= "$(BASE)"/lambda_functions/packages/$(DIR_NAME)
 HONEY_DATASET = $(DATASET)
 
 all: build

lambda_functions/source/account/account.py

@@ -167,12 +167,6 @@ def cfn_stack_set_processing(messages):
                 if len(create_stack_instance_list) > 0:
                     response = create_stack_set_instances(config_stack_set_name, create_stack_instance_list,
                                                           param_regions, [
-                                                              {
-                                                                  "ParameterKey": "AccessToken",
-                                                                  "ParameterValue": access_token,
-                                                                  "UsePreviousValue": False,
-                                                                  "ResolvedValue": "string"
-                                                              },
                                                               {
                                                                   "ParameterKey": "ExternalID",
                                                                   "ParameterValue": external_id,

lambda_functions/source/account/requirements.txt

@@ -1,2 +1,3 @@
 crhelper
-requests
+requests
+urllib3==1.26.15

lambda_functions/source/auth/Makefile

@@ -1,7 +1,7 @@
 PROJECT = LaceworkCTAuth
 DIR_NAME = auth
-FUNCTION = $(PROJECT)
-DIST_DIR ?= "$(BASE)"/functions/packages/$(DIR_NAME)
+FUNCTION = $(PROJECT)3.0.1
+DIST_DIR ?= "$(BASE)"/lambda_functions/packages/$(DIR_NAME)
 
 all: build
 

lambda_functions/source/auth/requirements.txt

@@ -1,2 +1,3 @@
 crhelper
-requests
+requests
+urllib3==1.26.15

lambda_functions/source/setup/Makefile

@@ -1,7 +1,7 @@
 PROJECT = LaceworkCTSetup
 DIR_NAME = setup
-FUNCTION = $(PROJECT)3.0.0
-DIST_DIR ?= "$(BASE)"/functions/packages/$(DIR_NAME)
+FUNCTION = $(PROJECT)3.0.1
+DIST_DIR ?= "$(BASE)"/lambda_functions/packages/$(DIR_NAME)
 HONEY_DATASET = $(DATASET)
 
 all: build

lambda_functions/source/setup/requirements.txt

@@ -1,2 +1,3 @@
 crhelper
-requests
+requests
+urllib3==1.26.15

lambda_functions/source/setup/setup.py

@@ -529,18 +529,6 @@ def setup_config(lacework_aws_account_id, lacework_url, lacework_account_name, l
                     "UsePreviousValue": False,
                     "ResolvedValue": "string"
                 },
-                {
-                    "ParameterKey": "AccessToken",
-                    "ParameterValue": access_token,
-                    "UsePreviousValue": False,
-                    "ResolvedValue": "string"
-                },
-                {
-                    "ParameterKey": "ServiceToken",
-                    "ParameterValue": service_token,
-                    "UsePreviousValue": False,
-                    "ResolvedValue": "string"
-                },
                 {
                     "ParameterKey": "LaceworkAWSAccountId",
                     "ParameterValue": lacework_aws_account_id,

templates/cfn-abi-control-tower-integration.template.yaml

@@ -186,9 +186,9 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref S3BucketName
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/submodules/lacework-control-tower-cfn/lambda_functions/packages/setup/LaceworkCTSetup3.0.0.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/submodules/lacework-control-tower-cfn/lambda_functions/packages/setup/LaceworkCTSetup3.0.1.zip']]
       Handler: setup.lambda_handler
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 900
       Environment:
         Variables:
@@ -418,9 +418,9 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref S3BucketName
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/submodules/lacework-control-tower-cfn/lambda_functions/packages/account/LaceworkCTAccount3.0.0.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/submodules/lacework-control-tower-cfn/lambda_functions/packages/account/LaceworkCTAccount3.0.1.zip']]
       Handler: account.lambda_handler
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 900
       Environment:
         Variables:
@@ -463,9 +463,9 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref S3BucketName
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/submodules/lacework-control-tower-cfn/lambda_functions/packages/auth/LaceworkCTAuth.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/submodules/lacework-control-tower-cfn/lambda_functions/packages/auth/LaceworkCTAuth3.0.1.zip']]
       Handler: auth.lambda_handler
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 120
       Environment:
         Variables:

templates/control-tower-integration.template.yaml

@@ -191,9 +191,9 @@ Resources:
       SourceBucket: !Ref 'S3BucketName'
       Prefix: !Ref 'S3KeyPrefix'
       Objects:
-        - '/lambda/LaceworkCTAuth.zip'
-        - '/lambda/LaceworkCTSetup3.0.0.zip'
-        - '/lambda/LaceworkCTAccount3.0.0.zip'
+        - '/lambda/LaceworkCTAuth3.0.1.zip'
+        - '/lambda/LaceworkCTSetup3.0.1.zip'
+        - '/lambda/LaceworkCTAccount3.0.1.zip'
 
   CopyZipsRole:
     Type: AWS::IAM::Role
@@ -232,7 +232,7 @@ Resources:
     Properties:
       Description: Copies objects from the S3 bucket to a new location.
       Handler: index.handler
-      Runtime: python3.7
+      Runtime: python3.9
       Role: !GetAtt 'CopyZipsRole.Arn'
       Timeout: 240
       Code:
@@ -294,9 +294,9 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref LambdaZipsBucket
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTSetup3.0.0.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTSetup3.0.1.zip']]
       Handler: setup.lambda_handler
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 900
       Environment:
         Variables:
@@ -525,9 +525,9 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref LambdaZipsBucket
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTAccount3.0.0.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTAccount3.0.1.zip']]
       Handler: account.lambda_handler
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 900
       Environment:
         Variables:
@@ -570,9 +570,9 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref LambdaZipsBucket
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTAuth.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTAuth3.0.1.zip']]
       Handler: auth.lambda_handler
-      Runtime: python3.7
+      Runtime: python3.9
       Timeout: 120
       Environment:
         Variables:

templates/lacework-aws-cfg-member.template.yaml

@@ -52,3 +52,98 @@ Resources:
                 'sts:ExternalId': !Ref ExternalID
       ManagedPolicyArns:
         - 'arn:aws:iam::aws:policy/SecurityAudit'
+  LaceworkCWSPolicy:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyName: LaceworkCWSPolicy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Sid: GetEc2DefaultEncryption
+            Action:
+              - 'ec2:GetEbsEncryptionByDefault'
+            Effect: Allow
+            Resource: '*'
+          - Sid: EksListTagsForResource
+            Action:
+              - 'eks:ListTagsForResource'
+            Effect: Allow
+            Resource: '*'
+          - Sid: EfsPolicies
+            Action:
+              - 'elasticfilesystem:DescribeFileSystemPolicy'
+              - 'elasticfilesystem:DescribeLifecycleConfiguration'
+              - 'elasticfilesystem:DescribeAccessPoints'
+              - 'elasticfilesystem:DescribeAccountPreferences'
+              - 'elasticfilesystem:DescribeBackupPolicy'
+              - 'elasticfilesystem:DescribeReplicationConfigurations'
+            Effect: Allow
+            Resource: '*'
+          - Sid: SagemakerPolicies
+            Action:
+              - 'sagemaker:GetLineageGroupPolicy'
+              - 'sagemaker:GetModelPackageGroupPolicy'
+            Effect: Allow
+            Resource: '*'
+          - Sid: IdentityStoreReadOnly
+            Action:
+              - 'identitystore:DescribeGroup'
+              - 'identitystore:DescribeGroupMembership'
+              - 'identitystore:DescribeUser'
+              - 'identitystore:ListGroupMemberships'
+              - 'identitystore:ListGroupMembershipsForMember'
+              - 'identitystore:ListGroups'
+              - 'identitystore:ListUsers'
+            Effect: Allow
+            Resource: '*'
+          - Sid: SSOReadOnly
+            Action:
+              - 'sso:DescribeAccountAssignmentDeletionStatus'
+              - 'sso:DescribeInstanceAccessControlAttributeConfiguration'
+              - 'sso:GetInlinePolicyForPermissionSet'
+            Effect: Allow
+            Resource: '*'
+          - Sid: APIGATEWAY
+            Action:
+              - 'apigateway:GetApiKeys'
+              - 'apigateway:GetAuthorizers'
+              - 'apigateway:GetBasePathMappings'
+              - 'apigateway:GetClientCertificates'
+              - 'apigateway:GetDeployments'
+              - 'apigateway:GetDocumentationParts'
+              - 'apigateway:GetDocumentationVersions'
+              - 'apigateway:GetDomainNames'
+              - 'apigateway:GetGatewayResponses'
+              - 'apigateway:GetModels'
+              - 'apigateway:GetModelTemplate'
+              - 'apigateway:GetRequestValidators'
+              - 'apigateway:GetResources'
+              - 'apigateway:GetRestApis'
+              - 'apigateway:GetSdk'
+              - 'apigateway:GetSdkTypes'
+              - 'apigateway:GetStages'
+              - 'apigateway:GetTags'
+              - 'apigateway:GetUsagePlanKeys'
+              - 'apigateway:GetUsagePlans'
+              - 'apigateway:GetVpcLinks'
+            Effect: Allow
+            Resource: '*'
+          - Sid: APIGATEWAYV2
+            Action:
+              - 'apigatewayv2:GetApis'
+              - 'apigatewayv2:GetApiMappings'
+              - 'apigatewayv2:GetAuthorizers'
+              - 'apigatewayv2:GetDeployments'
+              - 'apigatewayv2:GetDomainNames'
+              - 'apigatewayv2:GetIntegrations'
+              - 'apigatewayv2:GetIntegrationResponses'
+              - 'apigatewayv2:GetModelTemplate'
+              - 'apigatewayv2:GetModels'
+              - 'apigatewayv2:GetRoute'
+              - 'apigatewayv2:GetRouteResponses'
+              - 'apigatewayv2:GetStages'
+              - 'apigatewayv2:GetVpcLinks'
+            Effect: Allow
+            Resource: '*'
+      Roles:
+        - !Ref LaceworkCrossAccountAccessRole