Fix 0325

README.md

@@ -1,5 +1,8 @@
 ![](https://raw.githubusercontent.com/CrowdStrike/falconpy/main/docs/asset/cs-logo.png)
 
+> [!IMPORTANT]
+> CrowdStrike CSPM uses an IAM Role with read-only permissions to collect the asset inventory and detect IOMs in your cloud environment.  To stay ahead of the adversary CrowdStrike may periodically add to the required permissions of this role.  To see the process for updating this role across your environment after initial deployment, please click [here](https://aws-abi.s3.amazonaws.com/guide/cfn-abi-crowdstrike-fcs/post-deployment-steps/index.html).
+
 # CrowdStrike Cloud Security with AWS Built-in
 
 CrowdStrike now supports AWS Organization registration through the AWS Built-In (ABI) program.  ABI is a differentiation program that validates AWS Partner solutions that have automated their integrations with relevant AWS foundational services such as identity, management, security, and operations.

guide/content/post-deployment-steps.md

@@ -18,4 +18,47 @@ description: Postdeployment options.
 3. Verify that your AWS Instances begin to appear in the host management list with a Host status of "Online".
 4. After waiting several minutes, choose **Refresh** to retrieve the latest host status.
 
+## Update the IAM Role with Latest IOM Permissions
+
+Update the IAM Role in the master account.
+1. Download the latest main template [here](https://raw.githubusercontent.com/aws-ia/cfn-abi-crowdstrike-fcs/main/templates/crowdstrike_init_stack.yaml).
+3. Sign in to the AWS Account in which you deployed the main stack for this solution.
+3. Navigate to `CloudFormation` > `Stacks`
+4. Select the main stack for this solution.
+5. Click `Stack Actions` > `create change set`
+6. Select `Replace existing template` and `Upload a template file`.
+7. Upload the latest template you downloaded in step 1.
+8. Click `next`.
+9. Leave all parameters the same and click `next`.
+10. Check the boxes under `Capabilities` and click `next`.
+11. Click `submit`.
+12. Once the change set is generated, click `Execute`.
+
+Update the IAM Role in the member accounts.
+1. Sign in to the AWS Account in which you deployed the main stack for this solution.
+2. Navigate to `CloudFormation` > `StackSets` > `CrowdStrike-Cloud-Security-Stackset`
+3. Click `Actions` > `Edit StackSet details`
+4. Select `Replace Current Template` and paste the S3 url: https://aws-abi.s3.us-east-1.amazonaws.com/cfn-abi-crowdstrike-fcs/templates/aws_cspm_cloudformation_v2.json
+5. Click `Next`
+6. Leave all parameters the same and click `next`.
+7. Check the box under Capabilities and click `next`.
+8. Enter your `AWS OU Id` to define the scope (this should match the scope of your deployment, ie. if you deployed to the root ou `r-******`, enter that same value here).
+9. Select the `region` (there should only be one).
+10. Click `Next` and Click `Submit`.
+
+## Create change set for bug fixes and other updates
+
+1. Download the latest main template [here](https://raw.githubusercontent.com/aws-ia/cfn-abi-crowdstrike-fcs/main/templates/crowdstrike_init_stack.yaml).
+3. Sign in to the AWS Account in which you deployed the main stack for this solution.
+3. Navigate to `CloudFormation` > `Stacks`
+4. Select the main stack for this solution.
+5. Click `Stack Actions` > `create change set`
+6. Select `Replace existing template` and `Upload a template file`.
+7. Upload the latest template you downloaded in step 1.
+8. Click `next`.
+9. Leave all parameters the same and click `next`.
+10. Check the boxes under `Capabilities` and click `next`.
+11. Click `submit`.
+12. Once the change set is generated, click `Execute`.
+
 **Next:** Choose [Test the deployment](/test-deployment/index.html).

lambda_functions/source/register-organization-v2/lambda.py

@@ -293,4 +293,7 @@ def lambda_handler(event, context):
     except Exception as err:  # noqa: E722
         # We can't communicate with the endpoint
         logger.info('Registration Failed %s' % err)
-        cfnresponse_send(event, FAILED, err, "CustomResourcePhysicalID")
+        response_d = {
+                        "reason": err
+                     }
+        cfnresponse_send(event, FAILED, response_d, "CustomResourcePhysicalID")

templates/aws_cspm_cloudformation_v2.json

@@ -285,10 +285,25 @@
                     "grafana:DescribeWorkspace",
                     "grafana:DescribeWorkspaceAuthentication",
                     "grafana:DescribeWorkspaceConfiguration",
+                    "lambda:GetEventSourceMapping",
                     "lambda:GetFunction",
                     "lambda:GetLayerVersion",
-                    "memorydb:DescribeParameterGroups",
+                    "lightsail:GetBucketAccessKeys",
+                    "lightsail:GetContainerServiceDeployments",
+                    "lightsail:GetContainerServiceMetricData",
+                    "lightsail:GetDisk",
+                    "lightsail:GetInstance",
+                    "lightsail:GetInstanceAccessDetails",
+                    "lightsail:GetInstancePortStates",
+                    "lightsail:GetInstanceState",
+                    "lightsail:GetKeyPair",
+                    "lightsail:GetKeyPairs",
+                    "memorydb:DescribeACLs",
                     "memorydb:DescribeParameters",
+                    "memorydb:DescribeParameterGroups",
+                    "memorydb:DescribeSnapshots",
+                    "memorydb:DescribeSubnetGroups",
+                    "memorydb:DescribeUsers",
                     "memorydb:ListTags",
                     "sns:GetSubscriptionAttributes",
                     "waf-regional:GetIPSet",
@@ -304,7 +319,10 @@
                 },
                 {
                   "Effect": "Allow",
-                  "Resource": "arn:aws:apigateway:*::/restapis/*",
+                  "Resource": [
+                    "arn:aws:apigateway:*::/restapis/*",
+                    "arn:aws:apigateway:*::/apis/*"
+                  ],
                   "Action": [
                     "apigateway:Get"
                   ]

templates/crowdstrike_init_stack.yaml

@@ -628,6 +628,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: true
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -709,6 +710,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: true
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -757,6 +759,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: true
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -867,6 +870,7 @@ Resources:
           ParameterValue: !GetAtt TriggerRegisterAccountLambda.eventbus_name
       PermissionModel: SELF_MANAGED
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -894,6 +898,7 @@ Resources:
           ParameterValue: !Ref AWSAccountType
       PermissionModel: SELF_MANAGED
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -920,6 +925,7 @@ Resources:
           ParameterValue: !Ref AWS::Region
       PermissionModel: SELF_MANAGED
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -958,6 +964,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: true
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -983,6 +990,7 @@ Resources:
       PermissionModel: SERVICE_MANAGED
       CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -1010,6 +1018,7 @@ Resources:
       PermissionModel: SERVICE_MANAGED
       CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -1041,6 +1050,7 @@ Resources:
       PermissionModel: SERVICE_MANAGED
       CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -1521,6 +1531,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: false
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -1587,6 +1598,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: true
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL
@@ -1602,6 +1614,8 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: crowdstrike-ecr-connections-stackset
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
       Parameters:
         - ParameterKey: S3Bucket
           ParameterValue: !Ref SourceS3BucketName
@@ -1627,6 +1641,7 @@ Resources:
         Enabled: true
         RetainStacksOnAccountRemoval: true
       OperationPreferences:
+        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
         MaxConcurrentPercentage: 100
         FailureTolerancePercentage: 50
         RegionConcurrencyType: PARALLEL