template.yaml

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Metadata:
  AWS::ServerlessRepo::Application:
    Name: cloudone-application-security-sns-to-aws-securityhub
    Description: >-
      Serverless application to publish findings from Trend Micro's Cloud One Application Security to AWS Security Hub
    Author: Tom Ryan
    SpdxLicenseId: MIT
    LicenseUrl: LICENSE
    ReadmeUrl: README.md
    Labels:
      [trendmicro, cloudone, applicationsecurity, securityhub, findings, plugin]
    HomePageUrl: https://github.com/TomRyan-321/Cloud-One-Application-Security-SNS-to-Security-Hub
    SemanticVersion: 1.0.0
    SourceCodeUrl: https://github.com/TomRyan-321/Cloud-One-Application-Security-SNS-to-Security-Hub

Parameters:
  ExternalID:
    Description: External ID from Application Security console
    Default: ""
    Type: String
  UseExistingSNSTopic:
    Description: 'Use existing SNS Topic or Create New. Allowed Values: "true" / "false"'
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "false"
  ExistingSNSTopicARN:
    Description: Optional, input the ARN of your existing Application Security SNS Topic or leave as None
    Type: String
    Default: "None"

Conditions:
  UseExistingTopic:
    !Equals [true, !Ref UseExistingSNSTopic]
  CreateTopicResources:
    !Equals [false, !Ref UseExistingSNSTopic]

Resources:
  C1AStoSecurityHubFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: handler.lambda_handler
      Runtime: python3.8
      MemorySize: 128
      Timeout: 300
      Tracing: Active
      Policies:
        - Statement:
            - Sid: SecurityHubBatchImportFindingsPolicy
              Effect: Allow
              Action:
                - securityhub:BatchImportFindings
              Resource: "arn:aws:securityhub:*:*:*"
      Events:
        ScanResult:
          Type: SNS
          Properties:
            Topic: !If [UseExistingTopic, !Ref ExistingSNSTopicARN, !Ref C1AStoSecurityHubSNSTopic]

  C1AStoSecurityHubSNSTopic:
    Type: AWS::SNS::Topic
    Condition: CreateTopicResources

  CrossAccountIAMRole:
    Type: AWS::IAM::Role
    Condition: CreateTopicResources
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::800880067056:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalID
      ManagedPolicyArns:
        - !Ref CrossAccountIAMPolicy
  CrossAccountIAMPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateTopicResources
    Properties:
      Description: Permissions required for Cloud One Application Security to publish to SNS
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sns:Publish
            Resource: !Ref C1AStoSecurityHubSNSTopic

Outputs:
  SNSTopicName:
    Condition: CreateTopicResources
    Value: !GetAtt C1AStoSecurityHubSNSTopic.TopicName
  IAMRoleName:
    Condition: CreateTopicResources
    Value: !Ref CrossAccountIAMRole
  AWSRegion:
    Condition: CreateTopicResources
    Value: !Sub '${AWS::Region}'
  AWSAccountID:
    Condition: CreateTopicResources
    Value: !Sub '${AWS::AccountId}'
  FunctionARN:
    Value: !GetAtt C1AStoSecurityHubFunction.Arn