
Audit reporting: collect violations across all AWS accounts




Fullstop - Audit reporting

[Figure: Fullstop AWS overview]

[Figure: Fullstop Architecture overview]

Aim of the project is to enrich CloudTrail log events.

In our scenario we have multiple AWS accounts that need to be handled.

Each of these accounts has CloudTrail activated and is configured to write to an S3 bucket that resides in the account where fullstop itself is running. (Right now in AWS it's not possible to read CloudTrail logs from a different account.)

Fullstop will then process events collected from CloudTrail.

To enrich CloudTrail log events with information from systems other than AWS, fullstop only needs to be configured to do so.

Fullstop can even call the AWS API of a different account by using a cross-account role. The account that is running fullstop must therefore be trusted by all other accounts in order to perform these operations.

[Figure: Fullstop-Cross-Account-Role]
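The trust relationship described above, written out as IAM policy documents. This is an added example and not part of the fullstop project: it emits the trust policy the audited account attaches to its cross-account role (only the fullstop account may assume it) and a read-only permissions policy for that role. The role name is taken from the diagram above; the account id, the sts:ExternalId condition (drop it if the assuming side does not send an external id) and the list of allowed actions are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the fullstop project: emit the IAM trust policy
# for the cross-account role every audited account has to provide, plus the
# read-only permissions policy attached to it. The role name comes from the
# README's diagram; the account id, the external id and the action list are
# this script's assumptions.

ROLE_NAME="Fullstop-Cross-Account-Role"

# Trust policy: only the account that runs fullstop ($1) may assume the role,
# and only when it presents the agreed external id ($2). The external id keeps
# another party that the fullstop account trusts from using this role through
# it (the "confused deputy" case).
trust_policy_json() {
    fullstop_account="$1"
    external_id="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${fullstop_account}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Permissions policy: fullstop only reads configuration to look for
# violations, so grant Describe/Get/List style actions and nothing that
# mutates the account. The action list is an assumption; tighten it to what
# the plugins you enable actually call.
permissions_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "iam:Get*",
        "iam:List*",
        "s3:GetBucketPolicy",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the role in the audited account. Run with credentials for that
# account: sh cross-account-role.sh create FULLSTOP_ACCOUNT_ID EXTERNAL_ID
if [ "${1:-}" = "create" ]; then
    trust_policy_json "$2" "$3" > trust.json
    permissions_policy_json > permissions.json
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document file://trust.json
    aws iam put-role-policy --role-name "$ROLE_NAME" \
        --policy-name "${ROLE_NAME}-ReadOnly" \
        --policy-document file://permissions.json
fi
```

The permissions policy deliberately contains no write actions: an audit role that can also change resources turns the fullstop account into a single point of compromise for every audited account.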

Plugins

Jobs

In addition to listening on CloudTrail events, Fullstop runs jobs as well. A list of jobs can be found here.

Application lifecycle

Fullstop also keeps a record of your application lifecycles. For more information, see the fullstop-application-lifecycle-plugin (fullstop-plugins/fullstop-application-lifecycle-plugin) and the Application lifecycle API.

Information sources

Fullstop uses different sources to gather information.

[Figure: information-sources]

Configuration

These environment variables should be set:

FULLSTOP_LOGS
FULLSTOP_SQS_URL
FULLSTOP_SQS_REGION
FULLSTOP_S3_REGION
FULLSTOP_TAUPAGE_OWNERS
FULLSTOP_TAUPAGE_NAME_PREFIX
FULLSTOP_S3_BUCKET
FULLSTOP_KIO_URL
FULLSTOP_PIERONE_URLS
FULLSTOP_TEAM_SERVICE_URL
DATABASE_URL
DATABASE_USER
DATABASE_PASSWORD
DATABASE_DRIVER
INSTANCE_LOGS_S3_BUCKET
ACCESS_TOKEN_URI
CREDENTIALS_DIR
TOKEN_INFO_URI
FULLSTOP_UNAPPROVED_SERVICES_AND_ROLE_BUCKET_NAME
FULLSTOP_UNAPPROVED_SERVICES_AND_ROLE_PREFIX

Example:

$ export FULLSTOP_LOGS=/fullstop_logs_dir
$ export FULLSTOP_SQS_URL=https://sqs.eu-central-1.amazonaws.com/ACCOUNT_ID/fullstop
$ export FULLSTOP_SQS_REGION=eu-central-1
$ export FULLSTOP_S3_REGION=eu-west-1
$ export FULLSTOP_TAUPAGE_OWNERS=999999999999
$ export FULLSTOP_TAUPAGE_NAME_PREFIX=Taupage
$ export FULLSTOP_S3_BUCKET=fullstop-bucket
$ export FULLSTOP_KIO_URL=https://application.registry.address
$ export FULLSTOP_PIERONE_URLS=https://docker.repository.address
$ export FULLSTOP_TEAM_SERVICE_URL=https://team.service.address
$ export DATABASE_URL='jdbc:postgresql://localhost:5432/fullstop'
$ export DATABASE_USER=postgres
$ export DATABASE_PASSWORD='{cipher}234laksnfdlF83NHALF'
$ export DATABASE_DRIVER=org.postgresql.Driver
$ export INSTANCE_LOGS_S3_BUCKET=my-s3-bucket
$ export ACCESS_TOKEN_URI=accessTokenUri
$ export CREDENTIALS_DIR=/location/credentials
$ export TOKEN_INFO_URI=tokenInfoUri
$ export FULLSTOP_UNAPPROVED_SERVICES_AND_ROLE_BUCKET_NAME=fullstop-bucket-policy
$ export FULLSTOP_UNAPPROVED_SERVICES_AND_ROLE_PREFIX=folder_containing_templates_files
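A preflight check for the configuration above, added here as an example (it is not a script from the fullstop project). It takes the variable names from the list above and reports any that are unset, and additionally flags service URLs that are not https, since the token endpoints in particular carry OAuth2 credentials. The "run" entry point and the https rule are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the fullstop project: a preflight check to run
# before starting fullstop. The variable names are the ones the README lists;
# the "run" entry point and the https rule are this script's assumptions.

REQUIRED_VARS="FULLSTOP_LOGS FULLSTOP_SQS_URL FULLSTOP_SQS_REGION FULLSTOP_S3_REGION
FULLSTOP_TAUPAGE_OWNERS FULLSTOP_TAUPAGE_NAME_PREFIX FULLSTOP_S3_BUCKET
FULLSTOP_KIO_URL FULLSTOP_PIERONE_URLS FULLSTOP_TEAM_SERVICE_URL
DATABASE_URL DATABASE_USER DATABASE_PASSWORD DATABASE_DRIVER
INSTANCE_LOGS_S3_BUCKET ACCESS_TOKEN_URI CREDENTIALS_DIR TOKEN_INFO_URI
FULLSTOP_UNAPPROVED_SERVICES_AND_ROLE_BUCKET_NAME
FULLSTOP_UNAPPROVED_SERVICES_AND_ROLE_PREFIX"

# Remote endpoints fullstop is pointed at; the token endpoints carry OAuth2
# credentials, so none of these should be plain http.
URL_VARS="FULLSTOP_KIO_URL FULLSTOP_PIERONE_URLS FULLSTOP_TEAM_SERVICE_URL
ACCESS_TOKEN_URI TOKEN_INFO_URI"

# Print the names of required variables that are unset or empty, one per line.
# Returns 0 when all are set, 1 otherwise. The eval is safe because $name only
# ever comes from the fixed list above.
missing_required_vars() {
    rc=0
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Print the names of URL variables with at least one entry (comma-separated
# lists allowed, as for FULLSTOP_PIERONE_URLS) that does not start with
# https://. Returns 0 when every configured URL is https, 1 otherwise. Empty
# values are left to missing_required_vars.
insecure_urls() {
    rc=0
    for name in $URL_VARS; do
        eval "value=\${$name:-}"
        for url in $(printf '%s' "$value" | tr ',' ' '); do
            case "$url" in
                https://*) ;;
                *) echo "$name"; rc=1; break ;;
            esac
        done
    done
    return $rc
}

# Entry point: "sh preflight.sh run" exits non-zero with a report on stderr
# if anything is wrong, so it can gate the start of fullstop.
if [ "${1:-}" = "run" ]; then
    status=0
    missing=$(missing_required_vars) || { echo "unset: $missing" >&2; status=1; }
    insecure=$(insecure_urls) || { echo "not https: $insecure" >&2; status=1; }
    exit $status
fi
```

Running it as `sh preflight.sh run && mvn spring-boot:run` keeps fullstop from starting with a half-configured environment, which otherwise tends to surface only as a failed API call minutes later.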

Disable CloudTrail Processing

Set the parameter fullstop.container.autoStart=false either as a program argument or as a system property to start Fullstop without CloudTrail processing.

Scopes

In order to create violations and save them to the database, the application responsible for that needs the following OAuth2 scope for the POST method on the /api/violations endpoint:

fullstop.violation.write

Database setup

Fullstop will store the violations in an RDBMS. Once you start Fullstop, it will create the necessary schema and tables for you. The database itself, however, has to be created by you. Your database password is encrypted with AWS KMS. We are using Taupage to decrypt the password on the fly. To use Amazon's KMS for encryption and decryption, you need to provide a region and the key id of your key. In Fullstop, both are provided via environment variables.

The password must already be encrypted when you store it in the DATABASE_PASSWORD environment variable. An encrypted password always starts with aws:kms:. You can use our CLI tool for encryption, or you can use Amazon's AWS CLI.
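The AWS CLI route described above, as an added example rather than the project's own CLI tool: it produces a DATABASE_PASSWORD value of the form aws:kms: followed by the KMS ciphertext, and provides a start-up guard that rejects a value without that prefix. The key id and region arguments, the temp-file handling and the "encrypt"/"check" entry points are assumptions of this script.

```shell
#!/bin/sh
# Added example, not the fullstop project's own CLI tool: build a
# DATABASE_PASSWORD value with the AWS CLI in the form the README describes
# ("aws:kms:" followed by the KMS ciphertext) and guard start-up so that a
# plaintext password is rejected. The key id and region arguments, the
# temp-file handling and the entry points are this script's assumptions.

KMS_PREFIX="aws:kms:"

# Return 0 if the value carries the aws:kms: marker of an encrypted password,
# 1 otherwise.
is_kms_encrypted() {
    case "$1" in
        "$KMS_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the plaintext password from stdin, encrypt it with KMS key $1 in
# region $2 and print the prefixed value. The plaintext reaches the CLI via a
# 0600 temp file (fileb://) rather than as an argument, so it never shows up
# in the process list or the shell history.
encrypt_db_password() {
    key_id="$1"
    region="$2"
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    cat > "$tmp"
    ciphertext=$(aws kms encrypt --region "$region" --key-id "$key_id" \
        --plaintext "fileb://$tmp" --query CiphertextBlob --output text)
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return 1
    printf '%s%s\n' "$KMS_PREFIX" "$ciphertext"
}

case "${1:-}" in
    encrypt)
        # printf '%s' "$PLAINTEXT" | sh kms-password.sh encrypt KEY_ID REGION
        encrypt_db_password "$2" "$3" ;;
    check)
        # Start-up guard: refuse to run with an unencrypted DATABASE_PASSWORD.
        if ! is_kms_encrypted "${DATABASE_PASSWORD:-}"; then
            echo "DATABASE_PASSWORD is not KMS-encrypted (no aws:kms: prefix)" >&2
            exit 1
        fi ;;
esac
```

The check step is cheap and catches the common mistake of exporting the plaintext password on a box where Taupage will then hand it to the JDBC driver unchanged; the prefix is the only signal the process has that decryption was meant to happen.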

Propose API changes

Important: all changes must be Swagger 2.0 spec compliant.

How to build

Requires Java 1.8. Newer JDKs are not supported yet.

$ ./mvnw clean install

Run entire test suite (requires a local docker environment)

$ ./mvnw clean verify -Pintegration-test

How to run

You need a locally running PostgreSQL 9.4 server (database "fullstop", host "localhost", user "postgres", password "postgres").

$ # set env variables first
$ cd fullstop
$ mvn spring-boot:run -Dfullstop.container.autoStart=false

How to build a docker image

Build fullstop:

$ mvn clean package -U

Build scm-source.json:

$ ./scm-source.sh

Build docker image:

$ docker build -t registry/fullstop:0.1 fullstop

Show images:

$ docker images

Run with docker:

$ docker run -it registry/fullstop:0.1

Push docker image:

$ docker push registry/fullstop:0.1

License

Copyright © 2015 Zalando SE

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.