update org readme and diagram

examples/organizational/README.md

@@ -2,8 +2,6 @@
 
 Deploy Sysdig Secure for Cloud sharing the Trail within an organization.
 
-_Note: CSPM/Compliance through cloud-bench module is not supported yet_
-
 * In the **management account**
   * An Organizational Cloutrail will be deployed  (with required S3,SNS)
   * An additional role `SysdigSecureForCloudRole` will be created
@@ -20,6 +18,7 @@ Minimum requirements:
 
 1. Have an existing AWS account as the organization management account
     * Organizational CloudTrail service must be enabled
+    * [Organizational CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) service must be enabled
 2. AWS profile credentials configuration of the `management` account of the organization
     * This account credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.

examples/organizational/diagram-org.py

@@ -4,7 +4,7 @@
 from diagrams.aws.devtools import Codebuild
 from diagrams.aws.general import General
 from diagrams.aws.integration import SNS, SQS
-from diagrams.aws.management import Cloudtrail, Cloudwatch
+from diagrams.aws.management import Cloudtrail, Cloudwatch, CloudformationStack
 from diagrams.aws.security import IAM, IAMRole
 from diagrams.aws.storage import S3
 from diagrams.custom import Custom
@@ -23,6 +23,7 @@
 color_event="firebrick"
 color_scanning = "dark-green"
 color_permission="red"
+color_creates="darkblue"
 color_non_important="gray"
 color_sysdig="lightblue"
 
@@ -32,34 +33,44 @@
 
     with Cluster("AWS organization"):
 
-
         with Cluster("management account"):
 
-            cloudtrail              = Cloudtrail("cloudtrail", shape="plaintext")
-
+            with Cluster("Events"):
+                cloudtrail              = Cloudtrail("cloudtrail", shape="plaintext")
+                cloudtrail_s3           = S3("cloudtrail-s3-events")
+                sns                     = SNS("cloudtrail-sns-events", comment="i'm a graph")
 
             management_credentials  = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
-            secure_for_cloud_role   = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on `OrganizationAccountAccessRole`)", **role_attr)
-            cloudtrail_s3           = S3("cloudtrail-s3-events")
-            sns                     = SNS("cloudtrail-sns-events", comment="i'm a graph")
+            secure_for_cloud_role   = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on \n`OrganizationAccountAccessRole`)", **role_attr)
+            cft_stack_set           = CloudformationStack("cloudformation-stackset")
 
             cloudtrail >> Edge(color=color_event, style="dashed") >> cloudtrail_s3 >> Edge(color=color_event, style="dashed") >> sns
+            # cloudtrail_s3 >> Edge(style="invis") >> cft_stack_set
 
         with Cluster("member accounts (main targets)", graph_attr={"bgcolor":"lightblue"}):
             member_accounts = General("account-1..n")
-            org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
+            org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
             ecr = ECR("container-registry\n *within any account")
 
+            with Cluster("CFT StackSet Instance"):
+                cft_stack = CloudformationStack("cloudformation-stack")
+                cloud_bench_role = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
+                cft_stack >> Edge(color=color_creates) >> cloud_bench_role
 
         with Cluster("member account (secure for cloud)", graph_attr={"bgcolor":"seashell2"}):
 
-            org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
+            org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
 
             sqs         = SQS("cloudtrail-sqs")
             s3_config   = S3("cloud-connector-config")
             cloudwatch  = Cloudwatch("cloudwatch\nlogs and alarms")
             codebuild   = Codebuild("codebuild project")
 
+            with Cluster("CFT StackSet Instance"):
+                cft_stack_2 = CloudformationStack("cloudformation-stack")
+                cloud_bench_role_2 = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
+                cft_stack_2 >> Edge(color=color_creates) >> cloud_bench_role_2
+
             with Cluster("ecs-cluster"):
                 cloud_connector = ElasticContainerServiceService("cloud-connector")
                 cloud_scanning = ElasticContainerServiceService("cloud-scanning")
@@ -81,6 +92,8 @@
 #        (cloudtrail_s3 << Edge(color=color_event) <<
 
 
+        cft_stack_set >> Edge(color=color_creates) >> cft_stack
+        cft_stack_set >> Edge(color=color_creates) >> cft_stack_2
 
     with Cluster("AWS account (sysdig)"):
         sds = Custom("Sysdig Secure", "../../resources/diag-sysdig-icon.png")
@@ -89,6 +102,14 @@
     cloud_connector >> Edge(color=color_sysdig) >> sds
     codebuild >> Edge(color=color_sysdig) >>  sds
 
+    sds >> Edge(color=color_permission) >> cloud_bench_role
+    sds >> Edge(color=color_permission) >> cloud_bench_role_2
+
+    # Invisible edges to help with layout
+    s3_config >> Edge(style="invis") >> member_accounts
+    sns >> Edge(style="invis") >> org_member_role_2
+
+
 #    secure_for_cloud_role >> Edge(color=color_permission, fontcolor=color_permission, xlable="assumeRole") >>  org_member_role_1