AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Configures services and resources for CloudTrail and GuardDuty logging in
  Deepwatch cloud MDR (abp-1kirFQBF75MfEQ3RbMQHRb-5Qgs4qOsPgbXnTtlFjeTTo-ln8886kt)
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Source location details
        Parameters:
          - pSRASourceS3BucketName
          - pSRAS3BucketRegion
          - pRepoURL
          - pRepoBranch
      - Label:
          default: General Properties
        Parameters:
          - pDeepwatchRoleName
          - pSRAAlarmEmail
      - Label:
          default: GuardDuty Configuration Properties
        Parameters:
          - pDisableGuardDuty
          - pAutoEnableS3Logs
          - pAutoEnableKubernetesAuditLogs
          - pAutoEnableMalwareProtection
          - pEnableRdsLoginEvents
          - pEnableEksRuntimeMonitoring
          - pEnableEksAddonManagement
          - pEnableLambdaNetworkLogs
          - pGuardDutyFindingPublishingFrequency
      - Label:
          default: CloudTrail Configuration Properties
        Parameters:
          - pEnableLambdaDataEvents
          - pEnableS3DataEvents
      - Label:
          default: Advanced Configuration Properties
        Parameters:
          - pControlTower
          - pGovernedRegions
          - pSecurityAccountId
          - pLogArchiveAccountId
          - pCreateAWSControlTowerExecutionRole
          - pAdminRoleName
          - pExecRoleName

    ParameterLabels:
      pSRASourceS3BucketName:
        default: SRA Source S3 Location
      pSRAS3BucketRegion:
        default: SRA Bucket Region
      pDisableGuardDuty:
        default: pDisableGuardDuty
      pAutoEnableS3Logs:
        default: pAutoEnableS3Logs
      pAutoEnableKubernetesAuditLogs:
        default: pAutoEnableKubernetesAuditLogs
      pAutoEnableMalwareProtection:
        default: pAutoEnableMalwareProtection
      pEnableRdsLoginEvents:
        default: pEnableRdsLoginEvents
      pEnableEksRuntimeMonitoring:
        default: pEnableEksRuntimeMonitoring
      pEnableEksAddonManagement:
        default: pEnableEksAddonManagement
      pEnableLambdaNetworkLogs:
        default: pEnableLambdaNetworkLogs
      pGuardDutyFindingPublishingFrequency:
        default: pGuardDutyFindingPublishingFrequency
      pDeepwatchRoleName:
        default: IAM Role name for Deepwatch solution access
      pEnableLambdaDataEvents:
        default: Enable Cloud Trail Data Events for all Lambda functions
      pEnableS3DataEvents:
        default: Enable Cloud Trail S3 Data Events for all buckets
      pRepoURL:
        default: URL of the AWS SRA Repository
      pRepoBranch:
        default: A tag version to use with in the SRA repository
      pSRAAlarmEmail:
        default: (Optional) SRA Alarm Email
      pControlTower:
        default: pControlTower
      pGovernedRegions:
        default: pGovernedRegions
      pSecurityAccountId:
        default: pSecurityAccountId
      pLogArchiveAccountId:
        default: pLogArchiveAccountId
Parameters:
  pSRASourceS3BucketName:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription: >-
      Must be alphanumeric or special characters [., _, -]. In addition, the
      slash character ( / ) used to delineate hierarchies in parameter names.
    Default: aws-abi
    Description: >-
      Source bucket for all templates and artefacts that will get copied into
      staging bucket
    Type: String
  pSRAS3BucketRegion:
    AllowedPattern: '^[a-z][a-z]-[a-z]*-[0-9]*$'
    Type: String
    Default: us-east-1
  pDeepwatchRoleName:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription: 'Must be alphanumeric or special characters [., _, -].'
    Default: deepwatch-mdr-role
    Description: The name of the role that will be created to provide access to ingest logs
    Type: String
  pRepoURL:
    Default: "https://github.com/aws-samples/aws-security-reference-architecture-examples.git"
    Description: AWS Security Reference Architecture examples repository URL
    Type: String
  pRepoBranch:
    Default: "tags/v3.0.4"
    Description: SRA version to tag
    Type: String

  pEnableLambdaDataEvents:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Enable Cloud Trail Data Events for all Lambda functions
    Type: String
  pEnableS3DataEvents:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Enable Cloud Trail S3 Data Events for all buckets
    Type: String

  pDisableGuardDuty:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Disable the GuardDuty solution in all accounts and regions before deleting the stack.
    Type: String
  pAutoEnableS3Logs:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable S3 logs
    Type: String
  pAutoEnableKubernetesAuditLogs:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable Kubernetes Audit Logs
    Type: String
  pAutoEnableMalwareProtection:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable Malware Protection
    Type: String
  pEnableRdsLoginEvents:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable RDS Login Events
    Type: String   
  pEnableEksRuntimeMonitoring:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable EKS Runtime Monitoring
    Type: String   
  pEnableEksAddonManagement:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable EKS Add-on Management
    Type: String
  pEnableLambdaNetworkLogs:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable Lambda Network Logs
    Type: String
  pGuardDutyFindingPublishingFrequency:
    AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
    Default: FIFTEEN_MINUTES
    Description: Finding publishing frequency
    Type: String
  pSRAAlarmEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Must be a valid email address.
    Default: ''
    Description: (Optional) Email address for receiving SRA alarms
    Type: String
  pControlTower:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description:
      Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
    Type: String
  pSecurityAccountId:
    AllowedPattern: '^\d{12}$'
    Default: 111111111111
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
    Type: String
  pLogArchiveAccountId:
    AllowedPattern: '^\d{12}$'
    Default: 222222222222
    ConstraintDescription: Must be 12 digits.
    Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
    Type: String
  pGovernedRegions:
    AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
    ConstraintDescription:
      For AWS Control Tower, set to ct-regions (default).  If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
    Default: ct-regions
    Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
    Type: String
  pCreateAWSControlTowerExecutionRole:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether the AWSControlTowerExecution role should be created in the management account. (Only when AWS Control Tower landing zone is deployed. The 'pControlTower' must be set to 'true')
    Type: String
  pAdminRoleName:
    Default: 'AWSCloudFormationStackSetAdministrationRole'
    Description: IAM role in the Management account, used to deploy stacks in other account/regions. Needed only when 'pControlTower' is set to 'false'
    Type: String
  pExecRoleName:
    Default: 'AWSCloudFormationStackSetExecutionRole'
    Description: IAM role in the AWS accounts, which allows trusted access to 'pAdminRoleName'. Needed only when 'pControlTower' is set to 'false'
    Type: String

Conditions:
  cControlTowerEnabled: !Equals [!Ref pControlTower, 'true']

Resources:
  CloudTrailStack:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub >-
        https://${pSRASourceS3BucketName}.s3.${pSRAS3BucketRegion}.${AWS::URLSuffix}/cfn-abi-deepwatch-mdr/submodules/aws-security-reference-architecture-examples/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-module-main.yaml
      Parameters:
        pRepoURL: !Ref pRepoURL
        pRepoBranch: !Ref pRepoBranch
        pEnableDataEventsOnly: false
        pEnableS3DataEvents: !Ref pEnableS3DataEvents
        pEnableLambdaDataEvents: !Ref pEnableLambdaDataEvents
        pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
        pControlTower: !Ref pControlTower
        pGovernedRegions: !Ref pGovernedRegions
        pSecurityAccountId: !Ref pSecurityAccountId
        pLogArchiveAccountId: !Ref pLogArchiveAccountId

  GuardDutyStack:
    Type: 'AWS::CloudFormation::Stack'
    DependsOn:
         - "CloudTrailStack"
    Properties:
      TemplateURL: !Sub >-
        https://${pSRASourceS3BucketName}.s3.${pSRAS3BucketRegion}.${AWS::URLSuffix}/cfn-abi-deepwatch-mdr/submodules/aws-security-reference-architecture-examples/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml
      Parameters:
        pRepoURL: !Ref pRepoURL
        pRepoBranch: !Ref pRepoBranch
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
        pDisableGuardDuty: !Ref pDisableGuardDuty
        pAutoEnableS3Logs: !Ref pAutoEnableS3Logs
        pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
        pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
        pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
        pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
        pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
        pGuardDutyFindingPublishingFrequency: !Ref pGuardDutyFindingPublishingFrequency
        pControlTower: !Ref pControlTower
        pGovernedRegions: !Ref pGovernedRegions
        pSecurityAccountId: !Ref pSecurityAccountId
        pLogArchiveAccountId: !Ref pLogArchiveAccountId

  DeepwatchResourceConfigurationStack:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: deepwatch-logging-resource-configuration
      AdministrationRoleARN: 
        !If
          - cControlTowerEnabled
          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pAdminRoleName}
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: Creates and configures all of the resources needed to begin ingestion of logs into Deepwatch MDR
      ExecutionRoleName:
        !If
          - cControlTowerEnabled
          - "AWSControlTowerExecution"
          - !Ref pExecRoleName
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 0
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SELF_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            Accounts:
              - !GetAtt [CloudTrailStack, Outputs.oLogArchiveAccountId]
          Regions:
            - !Ref AWS::Region
      TemplateURL: !Sub >-
        https://${pSRASourceS3BucketName}.s3.${pSRAS3BucketRegion}.${AWS::URLSuffix}/cfn-abi-deepwatch-mdr/templates/deepwatch-logging-resource-configuration.yaml
      Parameters:
        - ParameterKey: pGuardDutyBucketName
          ParameterValue: !GetAtt [GuardDutyStack, Outputs.oPublishingDestinationBucketName]
        - ParameterKey: pCloudTrailBucketName
          ParameterValue: !GetAtt [CloudTrailStack, Outputs.oOrganizationCloudTrailS3BucketName]
        - ParameterKey: pDeepwatchRoleName
          ParameterValue: !Ref pDeepwatchRoleName