Data Theorem AWS Installer For Serverless APIs

Overview

The Data Theorem Installer manages the AWS resources used for the discovery, security testing, and protection of serverless APIs. Once a day, the installer inspects your AWS environment for unprotected serverless APIs, then adds a Lambda extension to each one it finds in order to protect it.


Installation

The Data Theorem AWS Installer is packaged as a CloudFormation template that installs a Step Functions state machine (together with the Lambda functions, IAM roles, and EventBridge schedule listed under Installer Resources) to coordinate the discovery and protection of serverless APIs. On each scheduled run, the state machine looks for new or unprotected serverless APIs and adds a Lambda Extension to monitor and protect them.

Template Source

Installer Resources

All resources created by the AWS Installer are named and tagged so that they can be easily identified and managed in your AWS accounts.

Logical ID                                                                    Type

DataTheoremAwsInstallerAPIConnector                                           AWS::Events::Connection
DataTheoremAwsInstallerSecret                                                 AWS::SecretsManager::Secret
DataTheoremAwsInstallerStateMachine                                           AWS::StepFunctions::StateMachine
DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionSchedule      AWS::Events::Rule
DataTheoremAwsInstallerStateMachineDataTheoremInstallerExecutionScheduleRole  AWS::IAM::Role
DataTheoremAwsInstallerStateMachineRole                                       AWS::IAM::Role
ExecuteInstallerOnCreateOrUpdate                                              AWS::CloudFormation::CustomResource
InstallerFunction                                                             AWS::Lambda::Function
InstallerFunctionRole                                                         AWS::IAM::Role
PlannerFunction                                                               AWS::Lambda::Function
PlannerFunctionRole                                                           AWS::IAM::Role
TriggerFunction                                                               AWS::Lambda::Function
TriggerFunctionRole                                                           AWS::IAM::Role

Permissions Required To Deploy The CloudFormation Template

The resources created by the Data Theorem Installer are named with the prefix DataTheoremAWSInstaller so that the permissions needed to deploy the template can be scoped to those names. In the policy below, replace ${Account} with your 12-digit AWS account ID. The resource ARNs are written for the us-east-1 region; if you deploy the stack in another region, change the region segment of each ARN to match. The only statement that uses "Resource": "*" grants read-only Describe/List actions; every create, update, and delete action is restricted to resources whose name starts with DataTheoremAWSInstaller.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "states:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:PutRule",
        "events:PutTargets"
      ],
      "Resource": "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:CreateConnection",
        "events:DeleteConnection",
        "events:DescribeConnection"
      ],
      "Resource": "arn:aws:events:us-east-1:${Account}:connection/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionCodeSigningConfig",
        "lambda:GetRuntimeManagementConfig"
      ],
      "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:${Account}:secret:DataTheoremAWSInstaller*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:CreateStateMachine",
        "states:DeleteStateMachine",
        "states:DescribeStateMachine",
        "states:PublishStateMachineVersion"
      ],
      "Resource": "arn:aws:states:us-east-1:${Account}:stateMachine:DataTheoremAWSInstaller*"
    }
  ]
}
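The following script is an added example and is not part of the Data Theorem page or product. It embeds a constructed copy of the deploy policy above, fills in the account ID and region placeholders (the policy's us-east-1 ARNs are treated as a region placeholder, and the ARN partition is assumed to stay "aws"), and then audits the rendered policy the way a reviewer would before attaching it: wildcard resources may carry only Describe/List/Get actions, every other statement must be scoped to an ARN whose name begins with DataTheoremAWSInstaller, and an unsubstituted ${Account} is reported as a finding. The account ID used in the usage block is made up.

```python
import json
import re
from typing import Dict, List

# Constructed copy of the deploy policy shown on the page. "${Account}" and the
# us-east-1 region are the placeholders that render_policy() substitutes.
DEPLOY_POLICY_TEMPLATE: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["events:DescribeRule", "events:ListTargetsByRule",
                    "states:ListTagsForResource"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["events:DeleteRule", "events:PutRule", "events:PutTargets"],
         "Resource": "arn:aws:events:us-east-1:${Account}:rule/DataTheoremAWSInstaller*"},
        {"Effect": "Allow",
         "Action": ["events:CreateConnection", "events:DeleteConnection",
                    "events:DescribeConnection"],
         "Resource": "arn:aws:events:us-east-1:${Account}:connection/DataTheoremAWSInstaller*"},
        {"Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
                    "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRole",
                    "iam:GetRolePolicy", "iam:ListAttachedRolePolicies",
                    "iam:ListRolePolicies", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::${Account}:role/DataTheoremAWSInstaller*"},
        {"Effect": "Allow",
         "Action": ["lambda:CreateFunction", "lambda:DeleteFunction",
                    "lambda:GetFunction", "lambda:GetFunctionCodeSigningConfig",
                    "lambda:GetRuntimeManagementConfig"],
         "Resource": "arn:aws:lambda:us-east-1:${Account}:function:DataTheoremAWSInstaller*"},
        {"Effect": "Allow",
         "Action": ["secretsmanager:CreateSecret", "secretsmanager:DeleteSecret",
                    "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:${Account}:secret:DataTheoremAWSInstaller*"},
        {"Effect": "Allow",
         "Action": ["states:CreateStateMachine", "states:DeleteStateMachine",
                    "states:DescribeStateMachine", "states:PublishStateMachineVersion"],
         "Resource": "arn:aws:states:us-east-1:${Account}:stateMachine:DataTheoremAWSInstaller*"},
    ],
}

NAME_PREFIX = "DataTheoremAWSInstaller"          # prefix the page says all resources carry
READ_ONLY_VERBS = ("Describe", "List", "Get")    # the only verbs allowed on Resource "*"


def render_policy(account_id: str, region: str) -> Dict:
    """Return a copy of the template with the account ID and region filled in."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    if not re.fullmatch(r"[a-z]{2}(-gov)?-[a-z]+-\d", region):
        raise ValueError(f"unrecognised region format: {region!r}")
    text = json.dumps(DEPLOY_POLICY_TEMPLATE)
    # Only the region segment of an ARN is ":us-east-1:"; IAM ARNs have an empty one.
    text = text.replace("${Account}", account_id).replace(":us-east-1:", f":{region}:")
    return json.loads(text)


def audit_policy(policy: Dict) -> List[str]:
    """Return review findings for a rendered policy; an empty list means it passes."""
    findings: List[str] = []
    arn_re = re.compile(r"arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{12}:[A-Za-z-]+[:/](.+)")
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if res == "*":
                # A wildcard resource is tolerated only when every action is read-only.
                writes = [a for a in actions
                          if not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS)]
                if writes:
                    findings.append(f"statement {i}: write actions {writes} on Resource '*'")
                continue
            m = arn_re.fullmatch(res)
            if not m:   # catches a leftover ${Account} or a malformed ARN
                findings.append(f"statement {i}: unparsable or unsubstituted ARN {res}")
                continue
            name = m.group(1)
            # The name must start with the installer prefix and end in the single '*'.
            if not name.startswith(NAME_PREFIX) or "*" in name[:-1]:
                findings.append(f"statement {i}: {res} is not scoped to {NAME_PREFIX}*")
    return findings


if __name__ == "__main__":
    rendered = render_policy("123456789012", "eu-west-1")   # constructed account ID
    print(json.dumps(rendered, indent=2))
    print("findings:", audit_policy(rendered) or "none")
```

Run it once against the policy as rendered for your account and region, and again after any local edits; a non-empty findings list means a statement has drifted away from the prefix-scoped shape the page describes.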