Overview

The Data Theorem Installer manages integrations for security, discovery, testing, and protection of serverless APIs. Once a day, the installer inspects your AWS environment for unprotected serverless APIs and adds a Lambda extension to protect the ones it finds.

AWS Installer CloudFormation Template

Template Source

Resources Created

| Logical ID | Type |
|---|---|
| DataTheoremAwsInstallerAPIConnector | AWS::Events::Connection |
| DataTheoremAwsInstallerSecret | AWS::SecretsManager::Secret |
| DataTheoremAwsInstallerStateMachine | AWS::StepFunctions::StateMachine |
| DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionSchedule | AWS::Events::Rule |
| DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionScheduleRole | AWS::IAM::Role |
| DataTheoremAwsInstallerStateMachineRole | AWS::IAM::Role |
| ExecuteInstallerOnCreateOrUpdate | AWS::CloudFormation::CustomResource |
| InstallerFunction | AWS::Lambda::Function |
| InstallerFunctionRole | AWS::IAM::Role |
| PlannerFunction | AWS::Lambda::Function |
| PlannerFunctionRole | AWS::IAM::Role |
| TriggerFunction | AWS::Lambda::Function |
| TriggerFunctionRole | AWS::IAM::Role |

Permissions Required

The resources created for the Data Theorem Installer share a common name prefix (DataTheoremAWSInstaller) so that the permissions needed to deploy the template can be scoped to those resources instead of being granted account-wide. In the example policy below, every write action is restricted to ARNs matching that prefix; the only actions allowed on any resource are read-only Describe and List calls. Replace ${Account} with your AWS account ID; the ARNs are written for us-east-1.

Example AWS IAM Permissions For CloudFormation Template

```json
{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "events:DescribeRule",
    "events:ListTargetsByRule",
    "states:ListTagsForResource"
   ],
   "Resource": "*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "events:DeleteRule",
    "events:PutRule",
    "events:PutTargets"
   ],
   "Resource": "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "events:CreateConnection",
    "events:DeleteConnection",
    "events:DescribeConnection"
   ],
   "Resource": "arn:aws:events:us-east-1:${Account}:connection/DataTheoremAWSInstaller*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "iam:AttachRolePolicy",
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRole",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies",
    "iam:PutRolePolicy"
   ],
   "Resource": "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "lambda:CreateFunction",
    "lambda:DeleteFunction",
    "lambda:GetFunction",
    "lambda:GetFunctionCodeSigningConfig",
    "lambda:GetRuntimeManagementConfig"
   ],
   "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "secretsmanager:CreateSecret",
    "secretsmanager:DeleteSecret",
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue"
   ],
   "Resource": "arn:aws:secretsmanager:us-east-1:${Account}:secret:DataTheoremAWSInstaller*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "states:CreateStateMachine",
    "states:DeleteStateMachine",
    "states:DescribeStateMachine",
    "states:PublishStateMachineVersion"
   ],
   "Resource": "arn:aws:states:us-east-1:${Account}:stateMachine:DataTheoremAWSInstaller*"
  }
 ]
}
```
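The value of the naming convention is that it can be checked mechanically before the deployment role is created. The script below is an added example, not Data Theorem's code: it fills in the ${Account} placeholder, then classifies each Allow statement as scoped to the DataTheoremAWSInstaller prefix, read-only on any resource, or over-broad (a write action on an unscoped resource). The excerpted policy, the account ID and the helper names are constructed for the example; the verdict for a correctly scoped policy is that no statement is over-broad.

```python
"""Least-privilege audit of a CloudFormation deployment policy.

Added example, not Data Theorem's code. It takes an IAM policy like the one
above, fills in the ${Account} placeholder, and reports which statements are
scoped to the DataTheoremAWSInstaller name prefix and which are not.
The account id, the excerpted policy and all helper names are constructed.
"""
import json
import re
from string import Template

# Constructed excerpt of the page's policy; ${Account} is kept as the page shows it.
POLICY_TEMPLATE = r"""{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": ["events:DescribeRule", "events:ListTargetsByRule", "states:ListTagsForResource"],
   "Resource": "*"
  },
  {
   "Effect": "Allow",
   "Action": ["events:DeleteRule", "events:PutRule", "events:PutTargets"],
   "Resource": "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"
  },
  {
   "Effect": "Allow",
   "Action": ["lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction"],
   "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"
  }
 ]
}"""

PREFIX = "DataTheoremAWSInstaller"

# Actions whose names start with Describe/List/Get only read state.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]*$")


def render_policy(template: str, account_id: str) -> dict:
    """Substitute ${Account} and parse the resulting JSON document."""
    return json.loads(Template(template).substitute(Account=account_id))


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_scoped(arn: str, prefix: str) -> bool:
    """True when the ARN only matches resources whose name starts with prefix."""
    if arn == "*":
        return False
    # The resource part follows the fifth colon, e.g. "rule/Name*" or "function:Name*".
    resource = arn.split(":", 5)[-1]
    # Drop a type qualifier ("rule/", "function:", "role/") if one is present.
    name = re.split(r"[/:]", resource, maxsplit=1)[-1]
    return name.startswith(prefix)


def audit_policy(policy: dict, prefix: str) -> list:
    """Classify every Allow statement as scoped, read-only-unscoped or over-broad."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        actions = as_list(statement["Action"])
        resources = as_list(statement["Resource"])
        if all(is_scoped(r, prefix) for r in resources):
            verdict = "scoped"
        elif all(READ_ONLY.match(a) for a in actions):
            verdict = "read-only-unscoped"
        else:
            verdict = "over-broad"
        findings.append({"statement": index, "verdict": verdict, "actions": actions})
    return findings


def over_broad_statements(policy: dict, prefix: str) -> list:
    """Indices of statements allowing write actions beyond the prefix; the goal is an empty list."""
    return [f["statement"] for f in audit_policy(policy, prefix) if f["verdict"] == "over-broad"]


if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, "123456789012")  # constructed account id
    for finding in audit_policy(rendered, PREFIX):
        print(finding["statement"], finding["verdict"], ", ".join(finding["actions"]))
```

Run it against the full policy from the page by pasting the document into POLICY_TEMPLATE: the first statement is reported as read-only-unscoped and every other statement as scoped. A statement such as lambda:* on "*" would be reported as over-broad, which is the signal to tighten the policy before attaching it to the deployment role.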