Updated to support AWS CT LZ 3.0

lacework-alliances · Dec 11, 2022 · 416a6c1 · 416a6c1
1 parent 2710b7a
commit 416a6c1
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 18 deletions.
diff --git a/functions/packages/account/LaceworkCTAccount3.0.0.zip b/functions/packages/account/LaceworkCTAccount3.0.0.zip
diff --git a/functions/packages/auth/LaceworkCTAuth.zip b/functions/packages/auth/LaceworkCTAuth.zip
diff --git a/functions/packages/setup/LaceworkCTSetup3.0.0.zip b/functions/packages/setup/LaceworkCTSetup3.0.0.zip
diff --git a/functions/source/account/Makefile b/functions/source/account/Makefile
@@ -1,6 +1,6 @@
 PROJECT = LaceworkCTAccount
 DIR_NAME = account
-FUNCTION = $(PROJECT)1.4.5
+FUNCTION = $(PROJECT)3.0.0
 DIST_DIR ?= "$(BASE)"/functions/packages/$(DIR_NAME)
 HONEY_DATASET = $(DATASET)
 

diff --git a/functions/source/common/aws.py b/functions/source/common/aws.py
@@ -188,6 +188,21 @@ def wait_for_stack_set_operation(stack_set_name, operation_id):
         return True
 
 
+def stack_set_exists(stack_set_name):
+    logger.info("aws.stack_set_exists called.")
+    try:
+        cfn_client = boto3.client("cloudformation")
+        stack_set_result = cfn_client.describe_stack_set(
+            StackSetName=stack_set_name,
+        )
+
+        logger.info("stack_set_result: {}".format(stack_set_result))
+        return True
+    except Exception as e:
+        logger.error("Describe Stack Set error: {}.".format(e))
+        return False
+
+
 def stack_set_instance_exists(stack_set_name, account_id):
     logger.info("aws.stack_set_instance_exists called.")
     try:

diff --git a/functions/source/common/lacework.py b/functions/source/common/lacework.py
@@ -4,6 +4,8 @@
 import boto3
 import json
 
+import time
+
 import requests
 
 from util import error_exception
@@ -167,8 +169,8 @@ def add_lw_cloud_account_for_ct(integration_name, lacework_url, sub_account, acc
 
 def add_lw_cloud_account_for_cfg(integration_name, lacework_url, account_name, access_token,
                                  external_id,
-                                 role_arn, aws_account_id):
-    logger.info("lacework.add_lw_cloud_account_for_cfg")
+                                 role_arn, aws_account_id, retry_count=0):
+    logger.info("lacework.add_lw_cloud_account_for_cfg: retry {}".format(retry_count))
 
     request_payload = '''
     {{
@@ -195,6 +197,12 @@ def add_lw_cloud_account_for_cfg(integration_name, lacework_url, account_name, a
     else:
         logger.warning("API response error adding Config account {} {}".format(add_response.status_code,
                                                                                add_response.text))
+        if retry_count < 3:
+            retry_count += 1
+            time.sleep(5)
+            return add_lw_cloud_account_for_cfg(integration_name, lacework_url, account_name, access_token,
+                                                external_id,
+                                                role_arn, aws_account_id, retry_count)
         return False
 
 

diff --git a/functions/source/setup/Makefile b/functions/source/setup/Makefile
@@ -1,6 +1,6 @@
 PROJECT = LaceworkCTSetup
 DIR_NAME = setup
-FUNCTION = $(PROJECT)1.4.6
+FUNCTION = $(PROJECT)3.0.0
 DIST_DIR ?= "$(BASE)"/functions/packages/$(DIR_NAME)
 HONEY_DATASET = $(DATASET)
 

diff --git a/functions/source/setup/setup.py b/functions/source/setup/setup.py
@@ -15,21 +15,22 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+import json
+import logging
+import os
 import random
 import string
 
 import boto3
-import json
-import logging
-import os
 import urllib3
 from crhelper import CfnResource
 
 from aws import is_account_active, wait_for_stack_set_operation, get_account_id_by_name, send_cfn_fail, \
-    send_cfn_success, get_org_for_account, create_stack_set_instances, delete_stack_set_instances, get_stack_tags
+    send_cfn_success, get_org_for_account, create_stack_set_instances, delete_stack_set_instances, get_stack_tags, \
+    stack_set_exists
 from honeycomb import send_honeycomb_event
 from lacework import setup_initial_access_token, get_access_token, add_lw_cloud_account_for_ct, delete_lw_cloud_account, \
-    lw_cloud_account_exists_in_orgs, delete_lw_cloud_account_in_orgs, get_lacework_environment_variables
+    get_lacework_environment_variables
 from util import error_exception
 
 HONEY_API_KEY = "$HONEY_KEY"
@@ -571,12 +572,16 @@ def setup_config(lacework_aws_account_id, lacework_url, lacework_account_name, l
         if existing_accounts == "Yes":
             logger.info("Chose to deploy to existing accounts.")
             try:
-                account_list = []
+                ct_cloudtrail_stack = "AWSControlTowerBP-BASELINE-CONFIG"  # LZ3.0
+                if not stack_set_exists(ct_cloudtrail_stack):
+                    ct_cloudtrail_stack = "AWSControlTowerBP-BASELINE-CLOUDTRAIL"
+                account_set = set()
                 paginator = cloudformation_client.get_paginator('list_stack_instances')
-                page_iterator = paginator.paginate(StackSetName="AWSControlTowerBP-BASELINE-CLOUDTRAIL")
+                page_iterator = paginator.paginate(StackSetName=ct_cloudtrail_stack)
                 for page in page_iterator:
                     for inst in page['Summaries']:
-                        account_list.append(inst['Account'])
+                        account_set.add(inst['Account'])
+                account_list = list(account_set)
                 if len(account_list) > 0:
                     send_honeycomb_event(HONEY_API_KEY, DATASET, BUILD_VERSION, lacework_account_name,
                                          "add {} existing".format(len(account_list)), lacework_sub_account_name)

diff --git a/templates/control-tower-integration.template.yml b/templates/control-tower-integration.template.yml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: "Lacework AWS Control Tower Integration: Add the Lacework Cloud Security Platform for cloud-native threat detection, compliance, behavioral anomaly detection, and automated AWS security monitoring. v1.4.6"
+Description: "Lacework AWS Control Tower Integration: Add the Lacework Cloud Security Platform for cloud-native threat detection, compliance, behavioral anomaly detection, and automated AWS security monitoring. v3.0.0 Supports CT LZ 3.0"
 Metadata:
   AWS::CloudFormation::Interface: 
     ParameterGroups:
@@ -190,8 +190,8 @@ Resources:
       Prefix: !Ref 'S3KeyPrefix'
       Objects:
         - '/lambda/LaceworkCTAuth.zip'
-        - '/lambda/LaceworkCTSetup1.4.6.zip'
-        - '/lambda/LaceworkCTAccount1.4.5.zip'
+        - '/lambda/LaceworkCTSetup3.0.0.zip'
+        - '/lambda/LaceworkCTAccount3.0.0.zip'
 
   CopyZipsRole:
     Type: AWS::IAM::Role
@@ -290,7 +290,7 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref LambdaZipsBucket
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTSetup1.4.6.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTSetup3.0.0.zip']]
       Handler: setup.lambda_handler
       Runtime: python3.7
       Timeout: 900
@@ -367,7 +367,7 @@ Resources:
             - cloudformation:CreateStackSet
             - cloudformation:DescribeStackSet
             Resource:
-              !Join ['', ['arn:aws:cloudformation:', '*', ':', '*', ':stackset/Lacework-*' ]]
+              !Join ['', ['arn:aws:cloudformation:', '*', ':', '*', ':stackset/', '*' ]]
           - Sid: S3Ops
             Effect: Allow
             Action:
@@ -520,7 +520,7 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref LambdaZipsBucket
-        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTAccount1.4.5.zip']]
+        S3Key: !Join ['', [!Ref 'S3KeyPrefix', '/lambda/LaceworkCTAccount3.0.0.zip']]
       Handler: account.lambda_handler
       Runtime: python3.7
       Timeout: 900