diff --git a/DataConnectors/AWS-S3/ConfigAwsConnector.ps1 b/DataConnectors/AWS-S3/ConfigAwsConnector.ps1
index 01d0682e69..dc34921eb5 100644
--- a/DataConnectors/AWS-S3/ConfigAwsConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigAwsConnector.ps1
@@ -34,6 +34,7 @@ param (
 . ".\Utils\CommonAwsPolicies.ps1"
 . ".\Utils\AwsPoliciesUpdate.ps1"
 . ".\Utils\AwsSentinelTag.ps1"
+. ".\Enviornment\EnviornmentConstants.ps1"
 # Verify that the AWS CLI is available
 if ($null -eq (Get-Command "aws" -ErrorAction SilentlyContinue))
diff --git a/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip b/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip
index 4c06cab52d..c6fd779493 100644
Binary files a/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip and b/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip differ
diff --git a/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip b/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip
new file mode 100644
index 0000000000..cdf3ae35cf
Binary files /dev/null and b/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip differ
diff --git a/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1 b/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
index 6600f8d050..41077acd1a 100644
--- a/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
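Review bot: The new dot-source line loads a file whose `$script:CloudEnv = 'Com'` is the only switch for the Gov behaviour this commit adds, so a reader of ConfigAwsConnector.ps1 cannot tell which cloud it will configure without opening `Enviornment\EnviornmentConstants.ps1`; a comment on the line, `# Sentinel app/tenant ids and the Com/Gov cloud selector consumed by New-OidcProvider and Get-OIDCRoleArnPolicy`, or better a validated `-CloudEnv` script parameter that overrides the constant, would make that visible. The directory and file are spelled `Enviornment` both here and in the new file, so the path resolves, but the misspelling will spread to every script that starts referencing it and is cheapest to fix now. Like the three dot-sources above it, the path is relative to the current directory rather than `$PSScriptRoot`, so it depends on the caller's working directory exactly as the existing lines do.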
@@ -237,6 +237,10 @@ Write-Log -Message "Starting CloudTrail data connector configuration script" -Lo
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable CloudTrail Logs, S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -Severity Information -LinePadding 2
 Write-ScriptNotes
+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+ New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
diff --git a/DataConnectors/AWS-S3/ConfigCloudWatchDataConnector.ps1 b/DataConnectors/AWS-S3/ConfigCloudWatchDataConnector.ps1
index 03a5c8671c..c9a37c847b 100644
--- a/DataConnectors/AWS-S3/ConfigCloudWatchDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCloudWatchDataConnector.ps1
@@ -75,6 +75,10 @@ Write-Log -Message "Starting data connector configuration script" -LogFileName $
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -LinePadding 2
 Write-ScriptNotes
+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+ New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
 $roleArnObject = aws iam get-role --role-name $roleName
diff --git a/DataConnectors/AWS-S3/ConfigCustomLogDataConnector.ps1 b/DataConnectors/AWS-S3/ConfigCustomLogDataConnector.ps1
index 187abaeb62..6d44759a22 100644
--- a/DataConnectors/AWS-S3/ConfigCustomLogDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCustomLogDataConnector.ps1
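Review bot: `New-OidcProvider` returns nothing and the guard `if($CloudEnv -eq "Gov"){ New-OidcProvider }` does not check whether the provider and client ID were actually registered, so when the AWS CLI calls inside it fail the script still proceeds into `New-ArnRole`, which in the Gov path builds a trust policy whose `Federated` principal names a provider that may not exist, and the user only finds out when `create-role` or the first `AssumeRoleWithWebIdentity` fails. Have `New-OidcProvider` return `$lastexitcode -eq 0` (or throw) and stop here on failure, e.g. `if (-not (New-OidcProvider)) { exit 1 }` after logging the failure through `Write-Log`. The same four-line block is pasted into ConfigCloudWatchDataConnector.ps1, ConfigCustomLogDataConnector.ps1, ConfigGuardDutyDataConnector.ps1 and ConfigVpcFlowDataConnector.ps1 in this commit; a single helper beside `New-ArnRole` that performs the `$CloudEnv` check would keep the five call sites in step. The enclosing scripts continue outside the hunk.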
@@ -7,6 +7,10 @@ Write-Log -Message "Starting data connector configuration script" -LogFileName $
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -LinePadding 2
 Write-ScriptNotes
+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+ New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
 $roleArnObject = aws iam get-role --role-name $roleName
diff --git a/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1 b/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
index 83e611c537..cea3010255 100644
--- a/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
@@ -273,6 +273,10 @@ Write-Log -Message "Starting GuardDuty data connector configuration script" -Log
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable GuardDuty Logs, S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName -LinePadding 2
 Write-ScriptNotes
+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+ New-OidcProvider
+}
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
 $roleArnObject = aws iam get-role --role-name $roleName
diff --git a/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1 b/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
index 6c2b1816d9..39d0f02e6d 100644
--- a/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
@@ -5,6 +5,10 @@ Write-Log -Message "Starting Vpc flow data connector configuration script" -LogF
 Write-Log -Message "This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable VPCFlow Logs, S3 bucket, SQS Queue, and S3 notifications." -LogFileName $LogFileName
 Write-ScriptNotes
+# Add an Identity Provider
+if($CloudEnv -eq "Gov"){
+ New-OidcProvider
+}
 # Create new Arn Role
 New-ArnRole
 Write-Log -Message "Executing: aws iam get-role --role-name $roleName" -LogFileName $LogFileName -Severity Verbose
diff --git a/DataConnectors/AWS-S3/Enviornment/EnviornmentConstants.ps1 b/DataConnectors/AWS-S3/Enviornment/EnviornmentConstants.ps1
new file mode 100644
index 0000000000..61ee3bb512
--- /dev/null
+++ b/DataConnectors/AWS-S3/Enviornment/EnviornmentConstants.ps1
@@ -0,0 +1,3 @@
+$script:SentinelClientId = 'api://21f935c0-8092-4b62-a772-5a2afd714569'
+$script:SentinelTenantId = '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
+$script:CloudEnv = 'Com'
\ No newline at end of file
diff --git a/DataConnectors/AWS-S3/README.md b/DataConnectors/AWS-S3/README.md
index c6790209d5..7ab246daab 100644
--- a/DataConnectors/AWS-S3/README.md
+++ b/DataConnectors/AWS-S3/README.md
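Review bot: `$script:CloudEnv = 'Com'` hard-codes the cloud selector in source, and the only way this commit shows to obtain `'Gov'` is presumably a different copy of this file inside the binary `ConfigAwsS3DataConnectorScriptsGov.zip`, which cannot be reviewed or rebuilt from the checked-in tree; reading it from the environment with a default, e.g. `$script:CloudEnv = if ($env:SENTINEL_CLOUD_ENV) { $env:SENTINEL_CLOUD_ENV } else { 'Com' }` (variable name is a constructed example), would let one source tree produce both archives. The README hunk in this commit refers to `ConfigAwsS3DataConnectorGOVScripts.zip` while the archive added is named `ConfigAwsS3DataConnectorScriptsGov.zip`, so one of the two names needs to change. A header comment stating that `SentinelClientId` and `SentinelTenantId` are the audience and issuer tenant that `Get-OIDCRoleArnPolicy` pins in the customer's role trust policy, and that changing either changes who can assume the role, would help whoever maintains the Gov variant.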
@@ -29,8 +29,8 @@ You must have PowerShell and the AWS CLI installed before using these scripts.
 - Run from PowerShell `aws configure`. For more details please see [AWS configure documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
 ## Using the scripts
-
-Download the scripts in this folder and subfolders or download and extract the `ConfigAwsS3DataConnectorScripts.zip` file to your computer.
+For Microsoft Azure, please download and extract the `ConfigAwsS3DataConnectorScripts.zip` file to your computer.
+For Microsoft Azure Government, please download and extract the `ConfigAwsS3DataConnectorGOVScripts.zip` file to your computer.
 Make sure that you have PowerShell and the AWS CLI installed.
 > IMPORTANT
diff --git a/DataConnectors/AWS-S3/Utils/AwsResourceCreator.ps1 b/DataConnectors/AWS-S3/Utils/AwsResourceCreator.ps1
index 8bb3c8da53..8221ad4139 100644
--- a/DataConnectors/AWS-S3/Utils/AwsResourceCreator.ps1
+++ b/DataConnectors/AWS-S3/Utils/AwsResourceCreator.ps1
@@ -1,3 +1,73 @@
+function New-OidcProvider
+{
+ <#
+ .SYNOPSIS
+ Checks if an OIDC provider already exists, gets a list of the approved client IDs, and adds a new client ID if it's not already there.
+ if the OIDC provider doesn't exists creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC) provider for Sentinel Application.
+ #>
+
+ Write-Log -Message "Checking existing OIDC provider" -LogFileName $LogFileName -Severity Information -LinePadding 2
+ Write-Log -Message "Executing Set-RetryAction" -LogFileName $LogFileName -Severity Verbose
+
+ Set-RetryAction({
+
+ Write-Log -Message "Executing: aws sts get-caller-identity --query 'Account' --output text" -LogFileName $LogFileName -Severity Verbose
+ $CustomerAWSAccountId = aws sts get-caller-identity --query "Account" --output text
+ Write-Log -Message $CustomerAWSAccountId -LogFileName $LogFileName -Severity Verbose
+
+ Write-Log -Message "Executing: aws iam get-open-id-connect-provider --open-id-connect-provider-arn 'arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)' 2>&1" -LogFileName $LogFileName -Severity Verbose
+ $providerInfo = aws iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)" 2>&1
+ Write-Log -Message $providerInfo -LogFileName $LogFileName -Severity Verbose
+
+ # If the provider was retrieved then the provider already exists
+ $OIDCProviderExists = $lastexitcode -eq 0
+ if ($OIDCProviderExists)
+ {
+ Write-Log -Message "OIDC provider already exists" -LogFileName $LogFileName -Severity Information -Indent 2
+
+ # Get the list of client IDs
+ $clientIds = $providerInfo | ConvertFrom-Json | Select-Object -ExpandProperty ClientIDList
+ Write-Log -Message "Approved client IDs: $clientIds" -LogFileName $LogFileName -Severity Information -Indent 2
+ # Check if the new client ID is already in the list
+ if ($clientIds 
-contains $SentinelClientId)
+ {
+ Write-Log -Message "Client ID $SentinelClientId is already approved" -LogFileName $LogFileName -Severity Information -Indent 2
+ }
+ else
+ {
+ Write-Log -Message "Adding new client ID $SentinelClientId" -LogFileName $LogFileName -Severity Information -Indent 2
+ Write-Log -Message "Executing: aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn 'arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)' --client-id $SentinelClientId 2>&1" -LogFileName $LogFileName -Severity Verbose
+ aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)" --client-id $SentinelClientId 2>&1
+
+ # If the client ID was added then the operation was successful
+ if ($lastexitcode -eq 0)
+ {
+ Write-Log -Message "Client ID $SentinelClientId added successfully" -LogFileName $LogFileName -Severity Information -Indent 2
+ }
+ }
+ }
+ # If the provider doesn't exist
+ else
+ {
+ Write-Log -Message "Creating OpenID Connect provider" -LogFileName $LogFileName -Severity Information -LinePadding 2
+ Write-Log -Message "Executing Set-RetryAction" -LogFileName $LogFileName -Severity Verbose
+
+ Set-RetryAction({
+
+ Write-Log -Message "Executing: aws iam create-open-id-connect-provider --url 'https://sts.windows.net/$($SentinelTenantId)' --ThumbprintList '626d44e704d1ceabe3bf0d53397464ac8080142c' --client-id-list $SentinelClientId 2>&1" -LogFileName $LogFileName -Severity Verbose
+ $tempForOutput = aws iam create-open-id-connect-provider --url "https://sts.windows.net/$($SentinelTenantId)" --thumbprint-list "626d44e704d1ceabe3bf0d53397464ac8080142c" --client-id-list $SentinelClientId 2>&1
+ Write-Log -Message $tempForOutput -LogFileName $LogFileName -Severity Verbose
+
+ # If the provider was created then the operation was successful
+ if ($lastexitcode -eq 0)
+ {
+ Write-Log -Message 
"OpenID Connect provider created successfully" -LogFileName $LogFileName -Severity Information -Indent 2
+ }
+ })
+ }
+ })
+}
+
 function New-ArnRole
 {
 <#
@@ -26,7 +96,16 @@ function New-ArnRole
 $workspaceId = Read-ValidatedHost -Prompt "Please enter your Azure Sentinel External ID (Workspace ID)"
 Write-Log "Using Azure Sentinel Workspace ID: $workspaceId" -LogFileName $LogFileName -Severity Information -Indent 2
- $rolePolicy = Get-RoleArnPolicy -WorkspaceId $workspaceId
+ if($CloudEnv -eq "Gov")
+ {
+
+ $CustomerAWSAccountId = aws sts get-caller-identity --query "Account" --output text
+ $rolePolicy = Get-OIDCRoleArnPolicy -WorkspaceId $workspaceId -CustomerAWSAccountId $CustomerAWSAccountId
+ }
+ else
+ {
+ $rolePolicy = Get-RoleArnPolicy -WorkspaceId $workspaceId
+ }
 Write-Log "Executing: aws iam create-role --role-name $roleName --assume-role-policy-document $rolePolicy --tags $(Get-SentinelTagInJsonFormat) 2>&1" -LogFileName $LogFileName -Severity Verbose
 $tempForOutput = aws iam create-role --role-name $roleName --assume-role-policy-document $rolePolicy --tags [$(Get-SentinelTagInJsonFormat)] 2>&1
diff --git a/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1 b/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1
index 7751889f4f..53b4e16833 100644
--- a/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1
+++ b/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1
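Review bot: `$OIDCProviderExists = $lastexitcode -eq 0` treats every non-zero exit of `aws iam get-open-id-connect-provider` as "provider does not exist", so an AccessDenied, throttling or malformed-ARN failure falls through to the else branch and attempts `create-open-id-connect-provider`, and a failed `add-client-id-to-open-id-connect-provider` is never reported because only the `$lastexitcode -eq 0` case has a branch; the rewrite below inspects the error text for `NoSuchEntity` before creating and logs the add-client failure, with how the error is surfaced left to `Set-RetryAction`'s contract, which is outside this hunk. The logged command says `--ThumbprintList '626d…'` while the executed command uses `--thumbprint-list`, so the Verbose log cannot be pasted back to reproduce the call; the two strings should match. The thumbprint `626d44e704d1ceabe3bf0d53397464ac8080142c` is a bare literal that pins the issuer's certificate chain and will need refreshing when that chain changes; moving it next to `SentinelTenantId` in the constants file with a comment recording which certificate it was taken from and when would make that maintainable. Nesting a second `Set-RetryAction` inside the first multiplies retries of the create call and re-runs the account-id and get-provider calls on every outer attempt, which deserves a comment if intended.
```powershell
        $providerInfo = aws iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)" 2>&1
        $getProviderExitCode = $lastexitcode
        Write-Log -Message $providerInfo -LogFileName $LogFileName -Severity Verbose

        # Only NoSuchEntity means "create it"; AccessDenied, throttling or a bad ARN must not fall through to create-open-id-connect-provider
        if ($getProviderExitCode -ne 0 -and (($providerInfo | Out-String) -notmatch 'NoSuchEntity'))
        {
            Write-Log -Message "Could not query the OIDC provider: $providerInfo" -LogFileName $LogFileName -Severity Information -Indent 2
            throw "aws iam get-open-id-connect-provider failed"   # NOTE(review): assumes Set-RetryAction re-raises after its last attempt — confirm
        }
        $OIDCProviderExists = $getProviderExitCode -eq 0
        # … unchanged: existing-provider branch up to the add-client-id call …
                $addClientOutput = aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)" --client-id $SentinelClientId 2>&1
                if ($lastexitcode -eq 0)
                {
                    Write-Log -Message "Client ID $SentinelClientId added successfully" -LogFileName $LogFileName -Severity Information -Indent 2
                }
                else
                {
                    Write-Log -Message "Adding client ID $SentinelClientId failed: $addClientOutput" -LogFileName $LogFileName -Severity Information -Indent 2
                    throw "aws iam add-client-id-to-open-id-connect-provider failed"
                }
        # … unchanged: else branch that creates the provider …
```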
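Review bot: The Gov branch of `New-ArnRole` runs `aws sts get-caller-identity --query "Account" --output text` without the `Write-Log -Message "Executing: …"` line that every other AWS CLI call in this function and in `New-OidcProvider` has, and without checking `$lastexitcode`, so when the call fails the empty value trips `Get-OIDCRoleArnPolicy`'s `[ValidateNotNullOrEmpty()]` with a parameter-binding error that never mentions the CLI. `New-OidcProvider` already resolves the same account id moments earlier in the Gov flow; a small `Get-CustomerAwsAccountId` helper used by both, which logs the command and fails fast on a non-zero exit, would remove the duplication and give one place to check the result. The stray blank line after `{` in the new `if` block can go. New-ArnRole continues outside the hunk.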
@@ -34,6 +34,49 @@ param (
 return $arnRolePolicy.Replace("'",'\"')
 }
+function Get-OIDCRoleArnPolicy
+{
+ <#
+ .SYNOPSIS
+ Returns a customized Arn policy using the Sentinel Workspace Id
+ .PARAMETER WorkspaceId
+ Specifies the Azure Sentinel workspace id
+ .PARAMETER CustomerAWSAccountId
+ Specifies the customer AWS account id
+ #>
+[OutputType([string])]
+[CmdletBinding()]
+param (
+ [Parameter(position=0)]
+ [ValidateNotNullOrEmpty()]
+ [string]
+ $WorkspaceId,
+ [Parameter(position=1)]
+ [ValidateNotNullOrEmpty()]
+ [string]
+ $CustomerAWSAccountId
+)
+ $arnRolePolicy = "{
+ 'Version': '2012-10-17',
+ 'Statement': [
+ {
+ 'Effect': 'Allow',
+ 'Principal': {
+ 'Federated': 'arn:aws:iam::$($CustomerAWSAccountId):oidc-provider/sts.windows.net/$($SentinelTenantId)/'
+ },
+ 'Action': 'sts:AssumeRoleWithWebIdentity',
+ 'Condition': {
+ 'StringEquals': {
+ 'sts.windows.net/$($SentinelTenantId)/:aud': '$($SentinelClientId)',
+ 'sts:RoleSessionName': 'MicrosoftDefenderForClouds_$WorkspaceId'
+ }
+ }
+ }
+ ]
+ }"
+ return $arnRolePolicy.Replace("'",'\"')
+}
+
 function Get-S3AndRuleSQSPolicies
 {
 <#
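Review bot: The `Federated` principal and the `:aud` condition key both end the issuer with a trailing slash (`sts.windows.net/$($SentinelTenantId)/`), while `New-OidcProvider` in this same commit creates the provider with `--url "https://sts.windows.net/$($SentinelTenantId)"` and looks it up by an ARN without the slash; IAM derives the provider ARN and the condition-key prefix from the URL it was given, so the two spellings must agree or the trust policy names a principal that does not match the provider just created — confirm which form AWS stores and keep a single constant for both. The `arn:aws:iam::` prefix hard-codes the standard partition; if the customer account lives in another partition (GovCloud uses `aws-us-gov`) the principal is wrong, and since `aws sts get-caller-identity` already returns the caller's full ARN the partition can be taken from it rather than assumed. `$WorkspaceId` is interpolated into the policy and then passed through `.Replace("'",'\"')`, so a stray quote in the console input yields a malformed document rather than a clear error; a `[ValidatePattern('^[0-9a-fA-F-]{36}$')]` on the parameter would catch that before the policy is built. The synopsis should also say that this is the `AssumeRoleWithWebIdentity` trust policy for the Gov path and what the audience and `sts:RoleSessionName` conditions restrict, since that is what distinguishes it from `Get-RoleArnPolicy`.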