Data Theorem AWS Installer For Serverless APIs

Overview

The Data Theorem Installer manages the AWS resources used for the security, discovery, testing, and protection of serverless APIs. Once a day, the installer inspects your AWS environment for unprotected serverless APIs and then adds a Lambda extension to protect them.

Installation

The Data Theorem AWS Installer is packaged as a CloudFormation template that installs a Step Functions state machine to coordinate the discovery and protection of serverless APIs. The state machine looks for new or unprotected serverless APIs and adds a Lambda Extension to monitor and protect them.

Template Source

Installer Resources

All resources created by the AWS Installer are named and tagged so that they are easy to identify and manage in your AWS accounts.

Logical ID                                                                      Type
------------------------------------------------------------------------------  --------------------------------------
DataTheoremAwsInstallerAPIConnector                                             AWS::Events::Connection
DataTheoremAwsInstallerSecret                                                   AWS::SecretsManager::Secret
DataTheoremAwsInstallerStateMachine                                             AWS::StepFunctions::StateMachine
DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionSchedule        AWS::Events::Rule
DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionScheduleRole    AWS::IAM::Role
DataTheoremAwsInstallerStateMachineRole                                         AWS::IAM::Role
ExecuteInstallerOnCreateOrUpdate                                                AWS::CloudFormation::CustomResource
InstallerFunction                                                               AWS::Lambda::Function
InstallerFunctionRole                                                           AWS::IAM::Role
PlannerFunction                                                                 AWS::Lambda::Function
PlannerFunctionRole                                                             AWS::IAM::Role
TriggerFunction                                                                 AWS::Lambda::Function
TriggerFunctionRole                                                             AWS::IAM::Role

Permissions Required To Deploy The CloudFormation Template

The resources created by the Data Theorem Installer share the DataTheoremAWSInstaller name prefix, which lets the permissions needed to deploy the template be scoped to those resources only. The policy below grants the principal deploying the CloudFormation stack exactly that scope; replace ${Account} with your AWS account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "states:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:PutRule",
        "events:PutTargets"
      ],
      "Resource": "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:CreateConnection",
        "events:DeleteConnection",
        "events:DescribeConnection"
      ],
      "Resource": "arn:aws:events:us-east-1:${Account}:connection/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionCodeSigningConfig",
        "lambda:GetRuntimeManagementConfig"
      ],
      "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:${Account}:secret:DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:CreateStateMachine",
        "states:DeleteStateMachine",
        "states:DescribeStateMachine",
        "states:PublishStateMachineVersion"
      ],
      "Resource": "arn:aws:states:us-east-1:${Account}:stateMachine:DataTheoremAWSInstaller*"
    }
  ]
}
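A quick least-privilege review of the deployment policy above, added here as an example and not part of the Data Theorem template or documentation: it embeds the page's policy as sample input and reports which actions are confined to the DataTheoremAWSInstaller* name prefix, which read-only actions run against Resource "*", anything broader than that, and the region the ARNs hard-code (the stack must be deployed in that region or the scoped ARNs will not match). The name_prefix parameter and the Describe/Get/List read-only heuristic are assumptions of this example.

```python
import re

ARN_RE = re.compile(r"^arn:aws:(?P<svc>[^:]*):(?P<region>[^:]*):[^:]*:(?P<res>.+)$")
NAME_PREFIX, READ_ONLY = "DataTheoremAWSInstaller", ("Describe", "Get", "List")

def allow(actions, resource):
    """Build one Allow statement (helper used to embed the sample policy)."""
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# The deployment policy from the page, transcribed as sample input; ${Account} is
# kept as the page's placeholder and us-east-1 is the region the page hard-codes.
DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    allow(["events:DescribeRule", "events:ListTargetsByRule", "states:ListTagsForResource"], "*"),
    allow(["events:DeleteRule", "events:PutRule", "events:PutTargets"],
          "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"),
    allow(["events:CreateConnection", "events:DeleteConnection", "events:DescribeConnection"],
          "arn:aws:events:us-east-1:${Account}:connection/DataTheoremAWSInstaller*"),
    allow(["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy",
           "iam:DetachRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies",
           "iam:ListRolePolicies", "iam:PutRolePolicy"], "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"),
    allow(["lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction",
           "lambda:GetFunctionCodeSigningConfig", "lambda:GetRuntimeManagementConfig"],
          "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"),
    allow(["secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret",
           "secretsmanager:GetSecretValue"], "arn:aws:secretsmanager:us-east-1:${Account}:secret:DataTheoremAWSInstaller*"),
    allow(["states:CreateStateMachine", "states:DeleteStateMachine", "states:DescribeStateMachine",
           "states:PublishStateMachineVersion"], "arn:aws:states:us-east-1:${Account}:stateMachine:DataTheoremAWSInstaller*"),
]}

def review_policy(policy, name_prefix=NAME_PREFIX):
    """Bucket each allowed action: 'scoped' (ARN under name_prefix), 'readonly_wildcard'
    (read-only verb on "*"), 'unscoped' (anything broader); 'regions' = regions in the ARNs."""
    out = {"scoped": [], "readonly_wildcard": [], "unscoped": [], "regions": set()}
    for stmt in (s for s in policy["Statement"] if s.get("Effect") == "Allow"):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if res == "*":  # a wildcard resource is tolerable only for read-only verbs
                for act in actions:
                    ro = act.partition(":")[2].startswith(READ_ONLY)
                    out["readonly_wildcard" if ro else "unscoped"].append(act)
                continue
            m = ARN_RE.match(res)
            if m and m.group("region"):
                out["regions"].add(m.group("region"))
            name = re.split(r"[/:]", m.group("res"))[-1] if m else ""  # last ARN segment is the name
            out["scoped" if name.startswith(name_prefix) else "unscoped"].extend(actions)
    return out
```

Run review_policy against the policy you are about to attach to the deploying principal; anything in "unscoped" is a grant wider than the installer's own resources and deserves a second look.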
