
Overview

The Data Theorem Installer manages the integrations used for the security, discovery, testing, and protection of serverless APIs. Once a day, the installer inspects your AWS environment for unprotected serverless APIs and adds a Lambda extension to protect the ones it finds.


AWS Installer CloudFormation Template

Template Source

Resources Created

Logical ID | Type
---------- | ----
DataTheoremAwsInstallerAPIConnector | AWS::Events::Connection
DataTheoremAwsInstallerSecret | AWS::SecretsManager::Secret
DataTheoremAwsInstallerStateMachine | AWS::StepFunctions::StateMachine
DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionSchedule | AWS::Events::Rule
DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionScheduleRole | AWS::IAM::Role
DataTheoremAwsInstallerStateMachineRole | AWS::IAM::Role
ExecuteInstallerOnCreateOrUpdate | AWS::CloudFormation::CustomResource
InstallerFunction | AWS::Lambda::Function
InstallerFunctionRole | AWS::IAM::Role
PlannerFunction | AWS::Lambda::Function
PlannerFunctionRole | AWS::IAM::Role
TriggerFunction | AWS::Lambda::Function
TriggerFunctionRole | AWS::IAM::Role

Permissions Required

Every resource created for the Data Theorem Installer carries the DataTheoremAWSInstaller name prefix, so the IAM permissions needed to deploy the template can be scoped to resources matching that prefix rather than granted on "*". In the example policy below, ${Account} stands for the AWS account ID and us-east-1 for the deployment region; adjust both to the account and region where the stack is deployed.

Example AWS IAM Permissions For CloudFormation Template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "states:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:PutRule",
        "events:PutTargets"
      ],
      "Resource": "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:CreateConnection",
        "events:DeleteConnection",
        "events:DescribeConnection"
      ],
      "Resource": "arn:aws:events:us-east-1:${Account}:connection/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionCodeSigningConfig",
        "lambda:GetRuntimeManagementConfig"
      ],
      "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:${Account}:secret:DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:CreateStateMachine",
        "states:DeleteStateMachine",
        "states:DescribeStateMachine",
        "states:PublishStateMachineVersion"
      ],
      "Resource": "arn:aws:states:us-east-1:${Account}:stateMachine:DataTheoremAWSInstaller*"
    }
  ]
}
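The point of the name prefix is that every mutating permission in the policy above is pinned to resource ARNs matching DataTheoremAWSInstaller*, and only read-only describe/list actions are granted on "*". The following Python script is an added example, not Data Theorem's code, that checks exactly that before the policy is attached: it implements IAM's "*" and "?" wildcard matching, answers whether a given (action, ARN) pair is allowed, and lists any mutating action the policy grants on "*". It works on a constructed three-statement excerpt of the example policy; the account ID 123456789012 is a placeholder substituted for ${Account}, and the evaluator deliberately ignores Deny, Condition and NotAction, so it is a review aid rather than a replacement for the IAM policy simulator.

```python
"""Offline least-privilege check for the installer's deployment policy (added example)."""
import json
import re

# Constructed excerpt of the example policy documented above (three of its statements).
POLICY_EXCERPT = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["events:DescribeRule", "events:ListTargetsByRule"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"},
    {"Effect": "Allow",
     "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"],
     "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"}
  ]
}
""")

# Action verbs treated as read-only; anything else counts as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def iam_pattern(pattern, account, flags=0):
    """Compile an IAM Action/Resource pattern: '*' matches any run, '?' one character.
    '${Account}' is the template placeholder from the page; the caller supplies the
    account ID to fill in (a constructed value in this example)."""
    pattern = pattern.replace("${Account}", account)
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{regex}$", flags)


def statement_matches(stmt, action, resource, account):
    """True if an Allow statement covers both the action and the resource ARN.
    Actions match case-insensitively as in IAM; resource ARNs match case-sensitively."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(iam_pattern(a, account, re.IGNORECASE).match(action)
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(iam_pattern(r, account).match(resource)
                      for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def is_allowed(policy, action, resource, account="123456789012"):
    """Toy evaluator: any matching Allow statement grants the request (no Deny/Condition)."""
    return any(statement_matches(s, action, resource, account) for s in policy["Statement"])


def unscoped_mutations(policy):
    """Mutating actions granted on Resource '*', i.e. not confined to the name prefix."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            verb = action.split(":", 1)[-1]          # "iam:CreateRole" -> "CreateRole"; "*" stays "*"
            if not verb.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found


if __name__ == "__main__":
    acct = "123456789012"  # constructed placeholder account ID
    checks = [
        ("iam:CreateRole", f"arn:aws:iam::{acct}:role/DataTheoremAWSInstaller-InstallerFunctionRole-AB12"),
        ("iam:CreateRole", f"arn:aws:iam::{acct}:role/SomeOtherRole"),
        ("lambda:CreateFunction", f"arn:aws:lambda:eu-west-1:{acct}:function:DataTheoremAWSInstaller-Trigger"),
        ("events:DescribeRule", f"arn:aws:events:us-east-1:{acct}:rule/AnyRule"),
    ]
    for action, arn in checks:
        print(f"{'ALLOW ' if is_allowed(POLICY_EXCERPT, action, arn, acct) else 'DENY  '}{action} on {arn}")
    print("mutating actions on '*':", unscoped_mutations(POLICY_EXCERPT) or "none")
```

Run as a script it prints the decision for each constructed request; the second and third are denied because the role name lacks the prefix and the Lambda ARN is in a region other than the one pinned in the policy. Running the same script against a modified policy is the quick way to catch a reviewer-introduced widening such as a create action moved onto "*".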
