isabella232 / garrison-agent-aws-cloudformation Goto Github PK

Garrison Agent - AWS CloudFormation

This is a part of the Garrison security project. This agent provides various AWS CloudFormation compliance checks.

Checks Provided

Installation & Example

Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-cloudformation/

docker pull forward3d/garrison-agent-aws-cloudformation
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-cloudformation check_encryption
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" -e "GARRISON_AWS_REGIONS=eu-west-1,us-west-2" forward3d/garrison-agent-aws-cloudformation check_drift

Agent Specific Configuration

These are additional specific configuration options for this agent. Global agent configurations still apply.

1. Standard AWS Regions as returned by the AWS SDK at runtime for CloudFormation.

AWS Authentication

As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
              "cloudformation:ListStacks",
              "cloudformation:ListStackResources",
              "cloudformation:DetectStackDrift",
              "cloudformation:DetectStackResourceDrift",
              "cloudformation:DescribeStackDriftDetectionStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.

Cross-Account Authentication (STS AssumeRole)

If you run Garrison agents in one account, and want to reach into other AWS accounts you need to send in extra environmental variables to support that.