diff --git a/modules/Makefile b/modules/Makefile
index b7ccc20..8450de2 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -11,6 +11,7 @@ PARAM_TRUSTED_IDENTITY ?= arn:aws:iam:::role/$(PARAM_NAME_SUFFIX)
 PARAM_API_KEY ?=
 PARAM_INGESTION_URL ?= https://app-staging.sysdigcloud.com/api/cloudingestion/webhooks/eventbridge/v1/64616366-3130-6163-3665-346636653537
 PARAM_RATE_LIMIT ?= 300
+PARAM_TARGET_EVENT_BUS_ARN ?= arn:aws:events:us-east-1::event-bus/default
 PARAM_BUCKET_ARN ?= arn:aws:s3:::cloudtrail-$(PARAM_NAME_SUFFIX)
 PARAM_REGIONS ?= us-east-1
 PARAM_LAMBDA_SCANNING_ENABLED ?= true
@@ -20,6 +21,7 @@ validate: export AWS_PAGER=""
 validate:
 aws --region us-east-1 cloudformation validate-template --template-body file://./foundational.cft.yaml
 aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.events.cft.yaml
+ aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.legacy_events.cft.yaml
 aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.s3.cft.yaml
 aws --region us-east-1 cloudformation validate-template --template-body file://./volume_access.cft.yaml
 aws --region us-east-1 cloudformation validate-template --template-body file://./vm_workload_scanning.cft.yaml
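Review bot: The default `PARAM_TARGET_EVENT_BUS_ARN ?= arn:aws:events:us-east-1::event-bus/default` cannot satisfy the template it feeds: `log_ingestion.legacy_events.cft.yaml` constrains `TargetEventBusARN` with `AllowedPattern: "^arn:aws-us-gov:events:.*"` and restricts `Partition` to `aws-us-gov`, so the `"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)"` override added to `deploy` in the later hunk is rejected by CloudFormation unless the variable is set on the command line. The empty account field in the ARN also reads as a placeholder rather than a real destination bus, much like the existing `PARAM_TRUSTED_IDENTITY` default, so a wrong value here fails late, after the earlier stacks in `deploy` have already been created. Safer is to leave it empty like `PARAM_API_KEY ?=` and fail fast in the deploy recipe with `$(if $(strip $(PARAM_TARGET_EVENT_BUS_ARN)),,$(error PARAM_TARGET_EVENT_BUS_ARN must be set to the Sysdig GovCloud event bus ARN))`, or at least give the default the partition prefix the template accepts.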
@@ -30,6 +32,9 @@ lint:
 yq '.Resources.EventBridgeRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+ yq '.Resources.EventBridgeRuleStackSet.Properties.TemplateBody' log_ingestion.legacy_events.cft.yaml | cfn-lint -
+ yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' log_ingestion.legacy_events.cft.yaml | cfn-lint -
+ yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.legacy_events.cft.yaml | cfn-lint -
 yq '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
 yq '.Resources.OrganizationStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
 yq '.Resources.ScanningOrgStackSet.Properties.TemplateBody' vm_workload_scanning.cft.yaml | cfn-lint -
@@ -38,6 +43,7 @@ publish:
 aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml
 aws s3 cp log_ingestion.s3.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.s3.cft.yaml
 aws s3 cp log_ingestion.events.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.events.cft.yaml
+ aws s3 cp log_ingestion.legacy_events.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.legacy_events.cft.yaml
 aws s3 cp volume_access.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/volume_access.cft.yaml
 aws s3 cp vm_workload_scanning.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/vm_workload_scanning.cft.yaml
@@ -52,7 +58,7 @@ deploy:
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
- "Partition=${PARAM_PARTITION}" \
+ "Partition=$(PARAM_PARTITION)" \
 "RootOUID=$(PARAM_ROOT_OU_ID)" \
 "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
 "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
@@ -71,7 +77,24 @@ deploy:
 "RateLimit=$(PARAM_RATE_LIMIT)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
- "Partition=${PARAM_PARTITION}" \
+ "Partition=$(PARAM_PARTITION)" \
+ "RootOUID=$(PARAM_ROOT_OU_ID)" \
+ "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+ "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+ "ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
+ aws cloudformation deploy \
+ --stack-name $(STACK_NAME)-LogIngestion-LegacyEventBridge-$(PARAM_NAME_SUFFIX) \
+ --template-file log_ingestion.legacy_events.cft.yaml \
+ --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+ --parameter-overrides \
+ "NameSuffix=$(PARAM_NAME_SUFFIX)" \
+ "ExternalID=$(PARAM_EXTERNAL_ID)" \
+ "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+ "Regions=$(PARAM_REGIONS)" \
+ "TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
+ "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+ "Partition=$(PARAM_PARTITION)" \
 "RootOUID=$(PARAM_ROOT_OU_ID)" \
 "IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
 "IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
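Review bot: The new `aws cloudformation deploy` for `$(STACK_NAME)-LogIngestion-LegacyEventBridge-$(PARAM_NAME_SUFFIX)` runs unconditionally, right after the existing `LogIngestion-EventBridge` stack and with the same `NameSuffix=$(PARAM_NAME_SUFFIX)` and `Partition=$(PARAM_PARTITION)`; since the legacy template only accepts `Partition` `aws-us-gov`, `make deploy` against a commercial-partition account now fails at this step after the earlier stacks have already been created, and if the existing events template (not in this diff) uses the same `sysdig-secure-events-${NameSuffix}` role names, deploying both into one GovCloud account would also collide on account-global IAM RoleName. Gate the step on a knob in the style of `PARAM_LAMBDA_SCANNING_ENABLED`, e.g. `PARAM_LEGACY_EVENTS_ENABLED ?= false` with the legacy `aws cloudformation deploy` wrapped in `ifeq ($(strip $(PARAM_LEGACY_EVENTS_ENABLED)),true)` … `endif`, or give the legacy stack its own suffix variable. The `deploy` recipe starts and ends outside this hunk.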
@@ -126,6 +149,7 @@ deploy:
 clean:
 aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)
 aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX)
+ aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-LegacyEventBridge-$(PARAM_NAME_SUFFIX)
 aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX)
 aws cloudformation delete-stack --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX)
 aws cloudformation delete-stack --stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX)
diff --git a/modules/log_ingestion.legacy_events.cft.yaml b/modules/log_ingestion.legacy_events.cft.yaml
new file mode 100644
index 0000000..57f6f88
--- /dev/null
+++ b/modules/log_ingestion.legacy_events.cft.yaml
@@ -0,0 +1,545 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: EventBridge resources that forward CloudTrail logs to Sysdig Secure +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: "" + Parameters: + - RuleEventPattern + - Label: + default: "Sysdig Settings (Do not change)" + Parameters: + - NameSuffix + - ExternalID + - TrustedIdentity + - TargetEventBusARN + - Regions + - RuleState + - IsOrganizational + - OrganizationalUnitIDs + - Partition + - RootOUID + - IncludeOUIDs + - IncludeAccounts + - ExcludeAccounts + ParameterLabels: + NameSuffix: + default: Name Suffix + ExternalID: + default: External ID + TrustedIdentity: + default: Trusted Identity + TargetEventBusARN: + default: Target Event Bus + Regions: + default: Instrumented Regions + RuleState: + default: EventBridge Rule state + RuleEventPattern: + default: EventBridge Rule event pattern + IsOrganizational: + default: Is Organizational + OrganizationalUnitIDs: + default: (TO BE DEPRECATED Please work with Sysdig to migrate and use IncludeOUIDs) Organizational Unit IDs + Partition: + default: AWS Partition (GovCloud Only) + RootOUID: + default: Root Organization Unit ID + IncludeOUIDs: + default: Include Organizational Unit IDs + IncludeAccounts: + default: Include AWS accounts + ExcludeAccounts: + default: Exclude AWS accounts +Parameters: + NameSuffix: + Type: String + Description: Suffix to append to the resource name identifiers + AllowedPattern: '[0-9a-z]+' + MaxLength: 8 + MinLength: 4 + ExternalID: + Type: String + Description: Sysdig assigned token that proves you own this account + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + TargetEventBusARN: + Type: String + Description: The destination in Sysdig's AWS account where your events are sent + AllowedPattern: "^arn:aws-us-gov:events:.*" + ConstraintDescription: Must be a valid GovCloud EventBridge ARN (arn:aws-us-gov:events:...) 
+ Regions: + Type: CommaDelimitedList + Description: Comma separated list of regions to monitor with EventBridge + OrganizationalUnitIDs: + Type: CommaDelimitedList + Description: (WARNING - TO BE DEPRECATED Please work with Sysdig to migrate your installs to use IncludeOUIDs instead) Comma separated list of organizational unit IDs to deploy + RuleState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + AllowedValues: + - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + - ENABLED + - DISABLED + RuleEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Default: | + { + "detail-type": [ + "AWS API Call via CloudTrail", + "AWS Console Sign In via CloudTrail", + "AWS Service Event via CloudTrail", + "Object Access Tier Changed", + "Object ACL Updated", + "Object Created", + "Object Deleted", + "Object Restore Completed", + "Object Restore Expired", + "Object Restore Initiated", + "Object Storage Class Changed", + "Object Tags Added", + "Object Tags Deleted", + "GuardDuty Finding" + ] + } + IsOrganizational: + Type: String + Description: Install into an organization + Default: 'false' + AllowedValues: + - 'true' + - 'false' + Partition: + Type: String + Description: AWS Partition - This template is designed for AWS GovCloud only + Default: 'aws-us-gov' + AllowedValues: + - 'aws-us-gov' + RootOUID: + Type: CommaDelimitedList + Description: Root Organizational Unit ID of your AWS organization + IncludeOUIDs: + Type: CommaDelimitedList + Description: Comma separated list of organizational unit IDs to be included for deployment + IncludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be included for deployment + ExcludeAccounts: + Type: CommaDelimitedList + Description: Comma separated list of AWS accounts in your organization to be excluded for deployment +Conditions: + IsOrganizational: + 
Fn::Equals: + - Ref: IsOrganizational + - 'true' + # First check if old param OrganizationalUnitIDs configured - support till we DEPRECATE it + IsOldOuidConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref OrganizationalUnitIDs] + - '' + + # Else, check for new Inclusion and Exclusion params + # INCLUSIONS + OUInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeOUIDs] + - '' + AccountInclusionsConfigured: + !And + - !Condition IsOrganizational + - !Not + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + # ----------------------------------------------------------------------------------------------------- + # Remove below condition once AWS issue is fixed and replace with using UNION filter - + # https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/issues/100 + # ----------------------------------------------------------------------------------------------------- + # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. + # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. 
+ # i.e till we can't deploy UNION, we deploy it all + AllowedInclusions: + !And + - !Condition OUInclusionsConfigured + - !Not + - !Condition AccountInclusionsConfigured + + # EXCLUSIONS + # cannot do OU exclusions from ExcludeOUIDs since CFT templates are static and don't have a way to fetch dynamic data from AWS + AccountExclusionsConfigured: + !And + - !Condition IsOrganizational + - !Equals + - !Join ["", !Ref IncludeAccounts] + - '' + - !Not + - !Equals + - !Join ["", !Ref ExcludeAccounts] + - '' +Resources: + AdministrationRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub sysdig-secure-events-stackset-administration-${NameSuffix} + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: cloudformation.amazonaws.com + Action: + - sts:AssumeRole + Policies: + - PolicyName: !Sub sysdig-secure-events-stackset-execution-${NameSuffix} + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - sts:AssumeRole + Resource: + - !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix} + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub sysdig-secure-events-stackset-execution-${NameSuffix} + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: + - !GetAtt AdministrationRole.RoleId + Action: + - sts:AssumeRole + ManagedPolicyArns: + - !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess + - !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess + EventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub sysdig-secure-events-${NameSuffix} + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: 'sts:AssumeRole' + - Effect: "Allow" + Principal: + AWS: !Ref TrustedIdentity + Action: "sts:AssumeRole" + Condition: + StringEquals: + sts:ExternalId: !Sub ${ExternalID} + Policies: + - 
PolicyName: !Sub sysdig-secure-events-${NameSuffix} + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: 'events:PutEvents' + Resource: !Ref TargetEventBusARN + - Effect: Allow + Action: + - "events:DescribeRule" + - "events:ListTargetsByRule" + Resource: + - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix} + EventBridgeRuleStackSet: + Type: AWS::CloudFormation::StackSet + Metadata: + cfn-lint: + config: + ignore_checks: + - W3005 + DependsOn: + - ExecutionRole + - AdministrationRole + - EventBridgeRole + Properties: + StackSetName: !Sub sysdig-secure-events-rules-${NameSuffix} + AdministrationRoleARN: !GetAtt AdministrationRole.Arn + ExecutionRoleName: !Ref ExecutionRole + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + PermissionModel: SELF_MANAGED + ManagedExecution: + Active: true + Capabilities: + - CAPABILITY_NAMED_IAM + OperationPreferences: + MaxConcurrentPercentage: 100 + FailureTolerancePercentage: 90 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: Name + ParameterValue: !Sub sysdig-secure-events-${NameSuffix} + - ParameterKey: TargetEventBusARN + ParameterValue: !Ref TargetEventBusARN + - ParameterKey: RuleState + ParameterValue: !Ref RuleState + - ParameterKey: RuleEventPattern + ParameterValue: !Ref RuleEventPattern + - ParameterKey: Partition + ParameterValue: !Ref Partition + StackInstancesGroup: + - DeploymentTargets: + Accounts: + - !Ref AWS::AccountId + Regions: !Ref Regions + TemplateBody: | + AWSTemplateFormatVersion: "2010-09-09" + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Parameters: + Name: + Type: String + Description: resource name identifier + TargetEventBusARN: + Type: String + Description: The destination in Sysdig's AWS account where your events are sent + RuleState: + Type: String + Description: The state of the EventBridge Rule + Default: 
ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + AllowedValues: + - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + - ENABLED + - DISABLED + RuleEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Partition: + Type: String + Description: AWS Partition of your account or organization to create resources in + Resources: + EventBridgeRule: + Type: "AWS::Events::Rule" + Properties: + Name: !Ref Name + Description: Capture all CloudTrail events + EventPattern: !Ref RuleEventPattern + State: !Sub ${RuleState} + Targets: + - Id: !Ref Name + Arn: !Sub ${TargetEventBusARN} + RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name} + OrganizationRoleStackSet: + Type: AWS::CloudFormation::StackSet + Condition: IsOrganizational + Properties: + StackSetName: !Sub sysdig-secure-events-organization-roles-${NameSuffix} + Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + PermissionModel: SERVICE_MANAGED + Capabilities: + - "CAPABILITY_NAMED_IAM" + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + FailureTolerancePercentage: 90 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + Parameters: + - ParameterKey: Name + ParameterValue: !Sub sysdig-secure-events-${NameSuffix} + - ParameterKey: TrustedIdentity + ParameterValue: !Ref TrustedIdentity + - ParameterKey: ExternalID + ParameterValue: !Ref ExternalID + - ParameterKey: TargetEventBusARN + ParameterValue: !Ref TargetEventBusARN + - ParameterKey: Partition + ParameterValue: !Ref Partition + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + 
Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' + Regions: [!Ref "AWS::Region"] + TemplateBody: | + AWSTemplateFormatVersion: "2010-09-09" + Description: IAM Role used to forward CloudTrail logs to Sysdig Secure + Parameters: + TrustedIdentity: + Type: String + Description: The Role in Sysdig's AWS Account with permissions to your account + ExternalID: + Type: String + Description: Sysdig ExternalID required for the policy creation + Name: + Type: String + Description: A unique identifier used to create and reference resources + TargetEventBusARN: + Type: String + Description: The destination in Sysdig's AWS account where your events are sent + Partition: + Type: String + Description: AWS Partition of your account or organization to create resources in + Resources: + EventBridgeRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub ${Name} + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: 'sts:AssumeRole' + - Effect: "Allow" + Principal: + AWS: !Sub ${TrustedIdentity} + Action: "sts:AssumeRole" + Condition: + StringEquals: + sts:ExternalId: !Sub ${ExternalID} + Policies: + - PolicyName: !Sub ${Name} + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: 'events:PutEvents' + Resource: !Sub ${TargetEventBusARN} + - Effect: Allow + Action: + - "events:DescribeRule" + - "events:ListTargetsByRule" + Resource: + - !Sub arn:${Partition}:events:*:*:rule/${Name} + OrganizationRuleStackSet: + Type: AWS::CloudFormation::StackSet + Condition: IsOrganizational + DependsOn: + - OrganizationRoleStackSet + Properties: + StackSetName: !Sub sysdig-secure-events-organization-rules-${NameSuffix} + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + PermissionModel: SERVICE_MANAGED + Capabilities: + - "CAPABILITY_NAMED_IAM" + 
AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + ManagedExecution: + Active: true + OperationPreferences: + MaxConcurrentPercentage: 100 + FailureTolerancePercentage: 90 + ConcurrencyMode: SOFT_FAILURE_TOLERANCE + RegionConcurrencyType: PARALLEL + Parameters: + - ParameterKey: Name + ParameterValue: !Sub sysdig-secure-events-${NameSuffix} + - ParameterKey: TargetEventBusARN + ParameterValue: !Ref TargetEventBusARN + - ParameterKey: RuleState + ParameterValue: !Ref RuleState + - ParameterKey: RuleEventPattern + ParameterValue: !Ref RuleEventPattern + - ParameterKey: Partition + ParameterValue: !Ref Partition + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: + Fn::If: + - IsOldOuidConfigured + - !Ref OrganizationalUnitIDs + - Fn::If: + - AllowedInclusions + - !Ref IncludeOUIDs + - !Ref RootOUID + AccountFilterType: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - "DIFFERENCE" + - "NONE" + Accounts: + Fn::If: + - IsOldOuidConfigured + - !Ref 'AWS::NoValue' + - Fn::If: + - AccountExclusionsConfigured + - !Ref ExcludeAccounts + - !Ref 'AWS::NoValue' + Regions: !Ref Regions + TemplateBody: | + AWSTemplateFormatVersion: "2010-09-09" + Description: EventBridge Resources that forward CloudTrail logs to Sysdig Secure + Parameters: + Name: + Type: String + Description: A unique identifier used to create and reference resources + TargetEventBusARN: + Type: String + Description: The destination in Sysdig's AWS account where your events are sent + RuleState: + Type: String + Description: The state of the EventBridge Rule + Default: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + AllowedValues: + - ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS + - ENABLED + - DISABLED + RuleEventPattern: + Type: String + Description: JSON pattern for the EventBridge rule's event pattern + Partition: + Type: String + Description: AWS Partition of your account or organization to create resources in 
+ Resources: + EventBridgeRule: + Type: "AWS::Events::Rule" + Properties: + Name: !Ref Name + Description: Capture all CloudTrail events + EventPattern: !Ref RuleEventPattern + State: !Ref RuleState + Targets: + - Id: !Ref Name + Arn: !Ref TargetEventBusARN + RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}" +Outputs: + EventBridgeRoleARN: + Description: Sysdig Secure EventBridge Role ARN + Value: + Fn::Sub: ${EventBridgeRole.Arn}
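Review bot: `TargetEventBusARN`'s `AllowedPattern: "^arn:aws-us-gov:events:.*"` only pins the partition and still accepts any `events` resource ARN (a rule or archive, or a bus with the account field missing as in the Makefile default), yet that value becomes the sole `Resource` the `EventBridgeRole` may `events:PutEvents` to and the `Targets[].Arn` of every rule in all three stack sets, so a malformed value could pass parameter validation and leave the forwarding rules pointing nowhere. Tightening it to the event-bus shape, e.g. `AllowedPattern: "^arn:aws-us-gov:events:[a-z0-9-]+:[0-9]{12}:event-bus/.+$"`, rejects that at deploy time; the account id must be present because the bus lives in Sysdig's account per the parameter description. The top-level `Description` also never says what makes this file "legacy" or that it is GovCloud-only (only the `Partition` label and `AllowedValues` hint at it), so a first line such as `Description: (Legacy, GovCloud-only) EventBridge resources that forward CloudTrail logs to Sysdig Secure` would help operators pick the right module. Separately, `FailureTolerancePercentage: 90` with `SOFT_FAILURE_TOLERANCE` on all three stack sets lets the parent stack report success while up to 90% of instances failed to create the rule, which is a log-coverage blind spot; if intentional, a comment next to `OperationPreferences` saying so and pointing at where instance failures are surfaced would be worth adding.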