added documentation

binxio · Jun 28, 2019 · 84605f3 · 84605f3
1 parent 932f912
commit 84605f3
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 11 deletions.
diff --git a/docs/deepsecurity-aws-cloudaccount.md b/docs/deepsecurity-aws-cloudaccount.md
@@ -44,5 +44,87 @@ You can specify the properties as defined by the DeepSecurity Legacy API
 [UpdateAwsAccountRequest](https://automation.deepsecurity.trendmicro.com/legacy-rest/11_3/index.html?env=dsaas#modify_aws_account).
 
 We recommend the crossAccountRole configuration to avoid hardcoded access keys in your 
-CloudFormation template.
+CloudFormation template, as shown in the template snippet below. Note that this snippet depends on
+the [Custom::Secret](https://github.com/binxio/cfn-secret-provider) provider.
 
+```
+DeepSecurityAWSCloudAccount:
+  Type: Custom::DeepSecurityAWSCloudAccount
+  DependsOn:
+    - CFNDeepSecurityProvider
+  Properties:
+    AWSAccountRequest:
+      crossAccountRole:
+        roleArn: !GetAtt 'DeepSecurityRole.Arn'
+        externalId: !GetAtt 'StsExternalId.Secret'
+    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'
+
+StsExternalId:
+  Type: Custom::Secret
+  Properties:
+    Name: /cfn-deep-security-provider/sts-external-id
+    Description: deep security STS external id
+    Alphabet: '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+    Length: 32
+    RefreshOnUpdate: false
+    ReturnSecret: true
+    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'
+
+DeepSecurityRole:
+  Type: AWS::IAM::Role
+  Properties:
+    RoleName: DeepSecurity
+    ManagedPolicyArns:
+      - !Ref 'DeepSecurityPolicy'
+    AssumeRolePolicyDocument:
+      Version: '2012-10-17'
+      Statement:
+        - Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::147995105371:root
+          Action:
+            - sts:AssumeRole
+          Condition:
+            StringEquals:
+              sts:ExternalId:
+                - !GetAtt 'StsExternalId.Secret'
+
+DeepSecurityPolicy:
+  Type: AWS::IAM::ManagedPolicy
+  Properties:
+    ManagedPolicyName: DeepSecurityPolicy
+    Description: TrendMicro DeepSecurity access policy
+    PolicyDocument:
+      Version: '2012-10-17'
+      Statement:
+        - Sid: '1'
+          Effect: Allow
+          Action:
+            - ec2:DescribeRegions
+            - ec2:DescribeImages
+            - ec2:DescribeInstances
+            - ec2:DescribeTags
+            - ec2:DescribeAvailabilityZones
+            - ec2:DescribeSecurityGroups
+            - ec2:DescribeSubnets
+            - ec2:DescribeVpcs
+            - iam:ListAccountAliases
+          Resource:
+            - '*'
+        - Sid: '2'
+          Effect: Allow
+          Action:
+            - iam:GetRole
+            - iam:GetRolePolicy
+          Resource:
+            - arn:aws:iam::*:role/DeepSecurity*
+        - Sid: '3'
+          Effect: Allow
+          Action:
+            - workspaces:DescribeWorkspaces
+            - workspaces:DescribeWorkspaceDirectories
+            - workspaces:DescribeWorkspaceBundles
+            - workspaces:DescribeTags
+          Resource:
+            - '*'
+```
diff --git a/docs/deepsecurity.md b/docs/deepsecurity.md
@@ -5,20 +5,46 @@ The `Custom::DeepSecurity` resource provider for the standard resources from the
 To create a DeepSecurity resource using your your AWS CloudFormation template, use the following syntax:
 
 ```yaml
-  Client:
-    Type: Custom::DeepSecurity<ResourceType> 
-    Properties:
-      Value:
-        ### value as defined by the [DeepSecurity API](https://automation.deepsecurity.trendmicro.com/article/11_3/api-reference)
+Client:
+  Type: Custom::DeepSecurity<ResourceType> 
+  Properties:
+    Value:
+      ### value as defined by the [DeepSecurity API](https://automation.deepsecurity.trendmicro.com/article/11_3/api-reference)
 
-      Connection:
-        URL: 'https://app.deepsecurity.trendmicro.com/api'
-        ApiKeyParameterName: '/cfn-deep-security-provider/api_key'
+    Connection:
+      URL: 'https://app.deepsecurity.trendmicro.com/api'
+      ApiKeyParameterName: '/cfn-deep-security-provider/api_key'
 
-      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'
+    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-deep-security-provider'
 ```
 
-## Supported Types
+## ID lookup support
+To create custom security policies in DeepSecurity, you can use existing rules. To ease this process we support lookup references as shown below:
+
+```yaml
+ContainerHostPolicy:
+  Type: Custom::DeepSecurityPolicy
+  Properties:
+    Value:
+      parentID: !Ref 'BasePolicy'
+      name: !Sub '${Environment}ContainerHostPolicy"
+      description: Policy for container instances in ${Environment}
+      intrusionPrevention:
+        state: detect
+        ruleIDs:
+          - '{{lookup "intrusionPreventionRule" "HTTP Protocol Decoding"}}'
+          - '{{lookup "intrusionPreventionRule" "Identified Possible Ransomware File Rename Activity Over Network Share"}}'
+          - '{{lookup "intrusionPreventionRule" "Identified Possible Ransomware File Extension Rename Activity Over Network Share"}}'
+          - '{{lookup "intrusionPreventionRule" "Identified Usage Of PsExec Command Line Tool"}}'
+```
+
+the syntax to lookup an id, is:
+
+```
+{{lookup "<type-name>" "name-of-resource"}}
+```
+The lookup result in exactly one match.
+## Supported Types`
 Supported DeepSecurity resource types are:
 
 ## Connection