Release 4.10.0

dome9 · Jan 31, 2023 · e775253 · e775253
1 parent 3c4b312
commit e775253
Show file tree

Hide file tree

Showing 6 changed files with 402 additions and 45 deletions.
diff --git a/cft/generated/templates/role_based/onboarding.yml b/cft/generated/templates/role_based/onboarding.yml
@@ -1,7 +1,7 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: Check Point CloudGuard Dome9 unified onboarding
 Metadata:
-  Version: 4.8.0
+  Version: 4.9.0
 Parameters:
   OnboardingId:
     Description: The id of the onboarding process
@@ -275,7 +275,13 @@ Resources:
                   - !Sub >-
                     arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessCrossAccountRole
                   - !Sub >-
-                    arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessCodeAnalysisLambdaExecutionRole
+                    arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessCodeAnalysisPython3LambdaExecutionRole
+                  - !Sub >-
+                    arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessCodeAnalysisJavaLambdaExecutionRole
+                  - !Sub >-
+                    arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessCodeAnalysisNode14LambdaExecutionRole
+                  - !Sub >-
+                    arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessCodeAnalysisCSharpLambdaExecutionRole
                   - !Sub >-
                     arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudGuardServerlessFSPInjectorLambdaExecutionRole
               - Sid: CloudGuardOnboardingOrchestratorIntelligenceCloudtrail
@@ -369,6 +375,13 @@ Resources:
                 Resource:
                   - !Sub arn:aws:s3:::protego-fsp-${AWS::AccountId}
                   - !Sub arn:aws:s3:::protego-fsp-${AWS::AccountId}/*
+              - Sid: CloudGuardOnboardingOrchestratorServelessKms
+                Action:
+                  - kms:CreateKey
+                  - kms:CreateAlias
+                  - kms:DeleteAlias
+                Effect: Allow
+                Resource: '*'
               - Sid: CloudGuardOnboardingOrchestratorServelessSns
                 Action:
                   - sns:Publish

diff --git a/cft/generated/templates/role_based/serverless_cft.yml b/cft/generated/templates/role_based/serverless_cft.yml
@@ -1,7 +1,7 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: Create a cross account role that authorizes access for Cloudguard BE.
 Metadata:
-  Version: 4.8.0
+  Version: 4.9.0
 Parameters:
   CloudGuardAwsAccountId:
     Description: CloudGuard instance AWS AccountId that is requiring external trust
@@ -178,10 +178,10 @@ Resources:
       RetentionInDays: 30
     DependsOn:
       - PreDeployPhoneHomeCustomResource
-  CodeAnalysisLambdaExecutionRole:
+  CodeAnalysisPython3LambdaExecutionRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: CloudGuardServerlessCodeAnalysisLambdaExecutionRole
+      RoleName: CloudGuardServerlessCodeAnalysisPython3LambdaExecutionRole
       Path: /
       AssumeRolePolicyDocument:
         Version: 2012-10-17
@@ -193,7 +193,7 @@ Resources:
             Action:
               - sts:AssumeRole
       Policies:
-        - PolicyName: CodeAnalysisLambdaExecutionPolicy
+        - PolicyName: CodeAnalysisPython3LambdaExecutionPolicy
           PolicyDocument:
             Version: 2012-10-17
             Statement:
@@ -203,8 +203,101 @@ Resources:
                   - logs:PutLogEvents
                 Resource:
                   - !GetAtt ProtegoPython3CodeAnalysisLogGroup.Arn
+              - Effect: Allow
+                Action:
+                  - lambda:GetFunction
+                  - lambda:ListLayers
+                  - lambda:GetLayerVersion
+                  - lambda:ListLayerVersions
+                Resource: '*'
+  CodeAnalysisJavaLambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: CloudGuardServerlessCodeAnalysisJavaLambdaExecutionRole
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Policies:
+        - PolicyName: CodeAnalysisJavaLambdaExecutionPolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource:
                   - !GetAtt ProtegoJavaCodeAnalysisLogGroup.Arn
+              - Effect: Allow
+                Action:
+                  - lambda:GetFunction
+                  - lambda:ListLayers
+                  - lambda:GetLayerVersion
+                  - lambda:ListLayerVersions
+                Resource: '*'
+  CodeAnalysisNode14LambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: CloudGuardServerlessCodeAnalysisNode14LambdaExecutionRole
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Policies:
+        - PolicyName: CodeAnalysisNode14LambdaExecutionPolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource:
                   - !GetAtt ProtegoNode14CodeAnalysisLogGroup.Arn
+              - Effect: Allow
+                Action:
+                  - lambda:GetFunction
+                  - lambda:ListLayers
+                  - lambda:GetLayerVersion
+                  - lambda:ListLayerVersions
+                Resource: '*'
+  CodeAnalysisCSharpLambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: CloudGuardServerlessCodeAnalysisCSharpLambdaExecutionRole
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Policies:
+        - PolicyName: CodeAnalysisCSharpLambdaExecutionPolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource:
                   - !GetAtt ProtegoCSharpCodeAnalysisLogGroup.Arn
               - Effect: Allow
                 Action:
@@ -246,7 +339,6 @@ Resources:
                   - lambda:GetLayerVersion
                   - lambda:ListLayerVersions
                   - lambda:UpdateFunctionConfiguration
-                  - lambda:UpdateFunctionCode
                   - logs:GetQueryResults
                 Resource: '*'
               - Effect: Allow
@@ -258,7 +350,7 @@ Resources:
     Properties:
       Handler: function_code_analysis_python.lambda_handler
       FunctionName: CloudGuardPy3CodeAnalysis
-      Role: !GetAtt CodeAnalysisLambdaExecutionRole.Arn
+      Role: !GetAtt CodeAnalysisPython3LambdaExecutionRole.Arn
       Code:
         S3Bucket: !Sub ${ServerlessStage}-protego
         S3Key: !Sub >-
@@ -271,13 +363,13 @@ Resources:
         - Key: Owner
           Value: Cloudguard Serverless Security
     DependsOn:
-      - CodeAnalysisLambdaExecutionRole
+      - CodeAnalysisPython3LambdaExecutionRole
   ProtegoJavaCodeAnalysisFunction:
     Type: AWS::Lambda::Function
     Properties:
       Handler: io.protego.lambda.Handler
       FunctionName: CloudGuardJavaCodeAnalysis
-      Role: !GetAtt CodeAnalysisLambdaExecutionRole.Arn
+      Role: !GetAtt CodeAnalysisJavaLambdaExecutionRole.Arn
       Code:
         S3Bucket: !Sub ${ServerlessStage}-protego
         S3Key: code_analysis_functions/function_api_usage_java-1.0.jar
@@ -289,13 +381,13 @@ Resources:
         - Key: Owner
           Value: Cloudguard Serverless Security
     DependsOn:
-      - CodeAnalysisLambdaExecutionRole
+      - CodeAnalysisJavaLambdaExecutionRole
   ProtegoNode14CodeAnalysisFunction:
     Type: AWS::Lambda::Function
     Properties:
       Handler: index.handler
       FunctionName: CloudGuardNode14CodeAnalysis
-      Role: !GetAtt CodeAnalysisLambdaExecutionRole.Arn
+      Role: !GetAtt CodeAnalysisNode14LambdaExecutionRole.Arn
       Code:
         S3Bucket: !Sub ${ServerlessStage}-protego
         S3Key: !Sub >-
@@ -311,14 +403,14 @@ Resources:
         - !Sub >-
           arn:aws:lambda:${AWS::Region}:985618988812:layer:aws-lambda-layer-java:1
     DependsOn:
-      - CodeAnalysisLambdaExecutionRole
+      - CodeAnalysisNode14LambdaExecutionRole
   ProtegoCSharpCodeAnalysisFunction:
     Type: AWS::Lambda::Function
     Properties:
       Handler: >-
         function_api_usage_c_sharp::function_api_usage_c_sharp.Handler::HandleRequest
       FunctionName: CloudGuardCsCodeAnalysis
-      Role: !GetAtt CodeAnalysisLambdaExecutionRole.Arn
+      Role: !GetAtt CodeAnalysisCSharpLambdaExecutionRole.Arn
       Code:
         S3Bucket: !Sub ${ServerlessStage}-protego
         S3Key: code_analysis_functions/function_api_usage_c_sharp.zip
@@ -330,7 +422,7 @@ Resources:
         - Key: Owner
           Value: Cloudguard Serverless Security
     DependsOn:
-      - CodeAnalysisLambdaExecutionRole
+      - CodeAnalysisCSharpLambdaExecutionRole
   ProtegoFSPInjectorFunction:
     Type: AWS::Lambda::Function
     Properties:
@@ -362,14 +454,85 @@ Resources:
       BucketEncryption:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
-              SSEAlgorithm: AES256
+              SSEAlgorithm: aws:kms
+              KMSMasterKeyID: alias/CloudGuardServerlessAgentBucketKey
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
         RestrictPublicBuckets: true
         IgnorePublicAcls: true
     DependsOn:
       - PreDeployPhoneHomeCustomResource
+  CloudGuardServerlessAgentBucketKey:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: Key for encryption of serverless agent bucket
+      MultiRegion: false
+      PendingWindowInDays: 7
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: cloud-guard-serverless-agent-bucket-key
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+            Action: kms:*
+            Resource: '*'
+          - Sid: Allow access for Key Administrators
+            Effect: Allow
+            Principal:
+              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+            Action:
+              - kms:ReplicateKey
+              - kms:Create*
+              - kms:Describe*
+              - kms:Enable*
+              - kms:List*
+              - kms:Put*
+              - kms:Update*
+              - kms:Revoke*
+              - kms:Disable*
+              - kms:Get*
+              - kms:Delete*
+              - kms:ScheduleKeyDeletion
+              - kms:CancelKeyDeletion
+            Resource: '*'
+          - Sid: Allow usage of the key
+            Effect: Allow
+            Principal: '*'
+            Action:
+              - kms:DescribeKey
+              - kms:Encrypt
+              - kms:Decrypt
+              - kms:ReEncrypt*
+              - kms:GenerateDataKey*
+              - kms:PutKeyPolicy
+              - kms:ScheduleKeyDeletion
+              - kms:CancelKeyDeletion
+            Resource: '*'
+            Condition:
+              StringEquals:
+                aws:PrincipalAccount: !Ref AWS::AccountId
+          - Sid: Allow attachment of persistent resources
+            Effect: Allow
+            Principal:
+              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+            Action:
+              - kms:CreateGrant
+              - kms:ListGrants
+              - kms:RevokeGrant
+            Resource: '*'
+            Condition:
+              Bool:
+                kms:GrantIsForAWSResource: true
+    DependsOn:
+      - PreDeployPhoneHomeCustomResource
+  CloudGuardServerlessAgentBucketKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: alias/CloudGuardServerlessAgentBucketKey
+      TargetKeyId: !GetAtt CloudGuardServerlessAgentBucketKey.Arn
   ProtegoAgentBucketPolicy:
     Type: AWS::S3::BucketPolicy
     Properties:
@@ -502,7 +665,7 @@ Resources:
         arn:aws:sns:${AWS::Region}:${CloudGuardAwsAccountId}:${ServerlessStage}-${AWS::AccountId}-notifications
       AccountID: !Ref AWS::AccountId
       TimeStamp: !Ref TimeStamp
-      CFTemplateVersion: 26
+      CFTemplateVersion: 27
   PhoneHomeCustomResourceNew:
     Type: Custom::PhoneHomeCustomResource
     Version: '1.0'
@@ -518,7 +681,7 @@ Resources:
       RoleArn: !GetAtt CrossAccountRole.Arn
       AccountID: !Ref AWS::AccountId
       TimeStamp: !Ref TimeStamp
-      CFTemplateVersion: 26
+      CFTemplateVersion: 27
       ProtegoFSPLambdaRoleARN: !GetAtt ProtegoFSPLogsSenderRole.Arn
       Features:
         ProtegoBase: true
@@ -543,8 +706,3 @@ Outputs:
       The ARN of the role that is used by fsp injector lambda in customer
       account.
     Value: !GetAtt FSPInjectorLambdaExecutionRole.Arn
-  CodeAnalysisLambdaRoleARN:
-    Description: >-
-      The ARN of the role that is used by all code analysis lambdas in customer
-      account.
-    Value: !GetAtt CodeAnalysisLambdaExecutionRole.Arn
diff --git a/cft/generated/templates/user_based/onboarding.yml b/cft/generated/templates/user_based/onboarding.yml
@@ -1,7 +1,7 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: Check Point CloudGuard Dome9 unified onboarding
 Metadata:
-  Version: 4.8.0
+  Version: 4.9.0
 Parameters:
   OnboardingId:
     Description: The id of the onboarding process

diff --git a/cft/replacements/metadata.yml b/cft/replacements/metadata.yml
@@ -1,2 +1,2 @@
 Metadata:
-  Version: 4.8.0
+  Version: 4.9.0