AWS aad script (#9759)

* very first draft * very first draft * pr changes * new version * change zips * readme change * gov fix * small fixes * default is Com
2024-01-22 11:00:14 +02:00 · 2024-01-22 11:00:14 +02:00 · 3bfb0e11f3
--- a/DataConnectors/AWS-S3/ConfigAwsConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigAwsConnector.ps1
@ -34,6 +34,7 @@ param (
 . ".\Utils\CommonAwsPolicies.ps1"
 . ".\Utils\AwsPoliciesUpdate.ps1"
 . ".\Utils\AwsSentinelTag.ps1"
+. ".\Enviornment\EnviornmentConstants.ps1"

 # Verify that the AWS CLI is available
 if ($null -eq (Get-Command "aws" -ErrorAction SilentlyContinue)) 
--- a/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip
+++ b/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip
--- a/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip
+++ b/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip
--- a/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
@ -237,6 +237,10 @@ Write-Log -Message "Starting CloudTrail data connector configuration script" -Lo
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable CloudTrail Logs, S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -Severity Information -LinePadding 2
 Write-ScriptNotes

+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+    New-OidcProvider
+}
 New-ArnRole

 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
--- a/DataConnectors/AWS-S3/ConfigCloudWatchDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCloudWatchDataConnector.ps1
@ -75,6 +75,10 @@ Write-Log -Message "Starting data connector configuration script" -LogFileName $
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -LinePadding 2
 Write-ScriptNotes

+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+    New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
 $roleArnObject = aws iam get-role --role-name $roleName
--- a/DataConnectors/AWS-S3/ConfigCustomLogDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCustomLogDataConnector.ps1
@ -7,6 +7,10 @@ Write-Log -Message "Starting data connector configuration script" -LogFileName $
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -LinePadding 2
 Write-ScriptNotes

+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+    New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
 $roleArnObject = aws iam get-role --role-name $roleName
--- a/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
@ -273,6 +273,10 @@ Write-Log -Message "Starting GuardDuty data connector configuration script" -Log
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable GuardDuty Logs, S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -LinePadding 2
 Write-ScriptNotes

+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+    New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
 $roleArnObject = aws iam get-role --role-name $roleName
--- a/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
@ -5,6 +5,10 @@ Write-Log -Message "Starting Vpc flow data connector configuration script" -LogF
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable VPCFlow Logs, S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName
 Write-ScriptNotes

+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+    New-OidcProvider
+}
 # Create new Arn Role
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
--- a/DataConnectors/AWS-S3/Enviornment/EnviornmentConstants.ps1
+++ b/DataConnectors/AWS-S3/Enviornment/EnviornmentConstants.ps1
@ -0,0 +1,3 @@
+$script:SentinelClientId = 'api://21f935c0-8092-4b62-a772-5a2afd714569'
+$script:SentinelTenantId = '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
+$script:CloudEnv = 'Com'
--- a/DataConnectors/AWS-S3/README.md
+++ b/DataConnectors/AWS-S3/README.md
@ -29,8 +29,8 @@ You must have PowerShell and the AWS CLI installed before using these scripts.
  - Run from PowerShell `aws configure`. For more details please see [AWS configure documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)

 ## Using the scripts
-
-Download the scripts in this folder and subfolders or download and extract the `ConfigAwsS3DataConnectorScripts.zip` file to your computer. 
+For Microsoft Azure, please download and extract the `ConfigAwsS3DataConnectorScripts.zip` file to your computer.
+For Microsoft Azure Government, please download and extract the `ConfigAwsS3DataConnectorGOVScripts.zip` file to your computer.
 Make sure that you have PowerShell and the AWS CLI installed.

 > IMPORTANT 
--- a/DataConnectors/AWS-S3/Utils/AwsResourceCreator.ps1
+++ b/DataConnectors/AWS-S3/Utils/AwsResourceCreator.ps1
@ -1,3 +1,73 @@
+function New-OidcProvider
+{
+    <#
+    .SYNOPSIS
+        Checks if an OIDC provider already exists, gets a list of the approved client IDs, and adds a new client ID if it's not already there.
+        if the OIDC provider doesn't exists creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC) provider for Sentinel Application.
+    #>
+
+    Write-Log -Message "Checking existing OIDC provider" -LogFileName $LogFileName -Severity Information -LinePadding 2
+    Write-Log -Message "Executing Set-RetryAction" -LogFileName $LogFileName -Severity Verbose
+
+    Set-RetryAction({
+        
+        Write-Log -Message "Executing: aws sts get-caller-identity --query 'Account' --output text" -LogFileName $LogFileName -Severity Verbose
+        $CustomerAWSAccountId = aws sts get-caller-identity --query "Account" --output text
+        Write-Log -Message $CustomerAWSAccountId -LogFileName $LogFileName -Severity Verbose
+         
+        Write-Log -Message "Executing: aws iam get-open-id-connect-provider --open-id-connect-provider-arn 'arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)' 2>&1" -LogFileName $LogFileName -Severity Verbose
+        $providerInfo = aws iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)" 2>&1
+        Write-Log -Message $providerInfo -LogFileName $LogFileName -Severity Verbose
+
+        # If the provider was retrieved then the provider already exists
+        $OIDCProviderExists = $lastexitcode -eq 0
+        if ($OIDCProviderExists)
+        {
+            Write-Log -Message "OIDC provider already exists" -LogFileName $LogFileName -Severity Information -Indent 2
+
+            # Get the list of client IDs
+            $clientIds = $providerInfo | ConvertFrom-Json | Select-Object -ExpandProperty ClientIDList
+            Write-Log -Message "Approved client IDs: $clientIds" -LogFileName $LogFileName -Severity Information -Indent 2
+            # Check if the new client ID is already in the list
+            if ($clientIds -contains $SentinelClientId)
+            {
+                Write-Log -Message "Client ID $SentinelClientId is already approved" -LogFileName $LogFileName -Severity Information -Indent 2
+            }
+            else
+            {
+                Write-Log -Message "Adding new client ID $SentinelClientId" -LogFileName $LogFileName -Severity Information -Indent 2
+                Write-Log -Message "Executing: aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn 'arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)' --client-id $SentinelClientId 2>&1" -LogFileName $LogFileName -Severity Verbose
+                aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)" --client-id $SentinelClientId 2>&1
+
+                # If the client ID was added then the operation was successful
+                if ($lastexitcode -eq 0)
+                {
+                    Write-Log -Message "Client ID $SentinelClientId added successfully" -LogFileName $LogFileName -Severity Information -Indent 2
+                }
+            }
+        }
+        # If the provider doesn't exist
+        else
+        {
+            Write-Log -Message "Creating OpenID Connect provider" -LogFileName $LogFileName -Severity Information -LinePadding 2
+            Write-Log -Message "Executing Set-RetryAction" -LogFileName $LogFileName -Severity Verbose
+        
+            Set-RetryAction({
+        
+                Write-Log -Message "Executing: aws iam create-open-id-connect-provider --url 'https://sts.windows.net/$($SentinelTenantId)' --ThumbprintList '626d44e704d1ceabe3bf0d53397464ac8080142c' --client-id-list $SentinelClientId 2>&1" -LogFileName $LogFileName -Severity Verbose
+                $tempForOutput = aws iam create-open-id-connect-provider --url "https://sts.windows.net/$($SentinelTenantId)" --thumbprint-list "626d44e704d1ceabe3bf0d53397464ac8080142c"  --client-id-list $SentinelClientId 2>&1
+                Write-Log -Message $tempForOutput -LogFileName $LogFileName -Severity Verbose
+        
+                # If the provider was created then the operation was successful
+                if ($lastexitcode -eq 0)
+                {
+                    Write-Log -Message "OpenID Connect provider created successfully" -LogFileName $LogFileName -Severity Information -Indent 2
+                }
+            })
+        }
+    })
+}
+
 function New-ArnRole
 {
   <#
@ -26,7 +96,16 @@ function New-ArnRole
            $workspaceId = Read-ValidatedHost -Prompt "Please enter your Azure Sentinel External ID (Workspace ID)"
            Write-Log "Using Azure Sentinel Workspace ID: $workspaceId" -LogFileName $LogFileName -Severity Information -Indent 2

-            $rolePolicy = Get-RoleArnPolicy -WorkspaceId $workspaceId
+            if($CloudEnv -eq "Gov")
+            {
+
+                $CustomerAWSAccountId = aws sts get-caller-identity --query "Account" --output text
+                $rolePolicy = Get-OIDCRoleArnPolicy -WorkspaceId $workspaceId -CustomerAWSAccountId $CustomerAWSAccountId
+            }
+            else
+            {
+                $rolePolicy = Get-RoleArnPolicy -WorkspaceId $workspaceId
+            }
            
            Write-Log "Executing: aws iam create-role --role-name $roleName --assume-role-policy-document $rolePolicy --tags $(Get-SentinelTagInJsonFormat) 2>&1" -LogFileName $LogFileName -Severity Verbose
            $tempForOutput = aws iam create-role --role-name $roleName --assume-role-policy-document $rolePolicy --tags [$(Get-SentinelTagInJsonFormat)] 2>&1
--- a/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1
+++ b/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1
@ -34,6 +34,49 @@ param (
 	return $arnRolePolicy.Replace("'",'\"')
 }

+function Get-OIDCRoleArnPolicy
+{
+   <#
+	.SYNOPSIS
+		Returns a customized Arn policy using the Sentinel Workspace Id
+	.PARAMETER WorkspaceId
+		Specifies the Azure Sentinel workspace id 
+	.PARAMETER CustomerAWSAccountId
+		Specifies the customer AWS account id
+   #>
+[OutputType([string])]
+[CmdletBinding()]
+param (
+	[Parameter(position=0)]
+	[ValidateNotNullOrEmpty()]
+	[string]
+	$WorkspaceId,
+	[Parameter(position=1)]
+	[ValidateNotNullOrEmpty()]
+	[string]
+	$CustomerAWSAccountId
+)  
+   $arnRolePolicy = "{
+            'Version': '2012-10-17',
+            'Statement': [
+                {
+                    'Effect': 'Allow',
+					'Principal': {
+						'Federated': 'arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)/'
+					},
+                    'Action': 'sts:AssumeRoleWithWebIdentity',
+					'Condition': {
+						'StringEquals': {
+							'sts.windows.net/$($SentinelTenantId)/:aud': '$($SentinelClientId)',
+							'sts:RoleSessionName': 'MicrosoftDefenderForClouds_$WorkspaceId'
+						}
+					}
+                }
+            ]
+        }"
+	return $arnRolePolicy.Replace("'",'\"')
+}
+
 function Get-S3AndRuleSQSPolicies
 {
   	<#