[IT-3950] Deploy Microsoft Defender for cloud resources (#1267)

This PR is a continuation of PR Sage-Bionetworks/infra-utils#66

This will setup resources to allow Microsoft Defender for cloud service to do security scans on our AWS accounts.  The cloudformation template was provided by StackArmor.

Co-authored-by: Fawad Siraj <[email protected]>

org-formation/650-identity-providers/README.md

@@ -1,6 +1,11 @@
 ### Purpose of these templates
 
-The templates in this folder enable OIDC for CI systems.
+The templates in this folder are used to setup access between AWS
+and other third party services.
+
+#### Continuous Integration Services
+
+There are templates to enable OIDC for CI systems.
 
 A common use-case is to setup [Github OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 for a more secure integration between github action and AWS.
@@ -56,3 +61,30 @@ Example using [configure-aws-credentials GH action](https://github.com/aws-actio
       role-session-name: GitHubActions-${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
       role-duration-seconds: 1200
 ```
+
+
+#### Security Services
+
+[Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction)
+for AWS is a comprehensive security solution designed to monitor, protect, and manage
+cloud environments within AWS. It provides real-time threat detection, vulnerability
+assessments, and compliance management to ensure the security of cloud  workloads and
+infrastructure.
+
+The Defender for Cloud for AWS CloudFormation template deploys resources needed to
+integrate AWS environments with Microsoft Defender for Cloud. It creates IAM roles
+and permissions, enabling security monitoring, data collection, and communication
+with Defender for Cloud for continuous threat detection and security posture management.
+This streamlines the onboarding of AWS accounts to Defender for Cloud. Specifically,
+the roles that will be created for the Sage account are the following:
+
+Defender for Cloud generates a CloudFormation template based on the Cloud Security Posture
+Management features used by Defender for Cloud to asses, monitor, and improve the security
+posture. The template configures security configurations for protecting AWS environments.
+When you integrate AWS accounts with Defender for Cloud, it provides the option to download
+a CloudFormation template that automates the process of creating required roles, policies,
+and permissions in your AWS account.
+
+__Note__: An Azure subscription along with a Defender for Cloud plan is required
+to [generate the cloudformation template](https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws).
+The template was provided by our managed security service provider  [StackArmor](https://stackarmor.com/)

org-formation/650-identity-providers/_tasks.yaml

@@ -5,6 +5,22 @@ Parameters:
     Type: String
     Default: 'github-oidc'
 
+##################################################################################
+# Resources needed to integrate AWS environments with Microsoft Defender for Cloud
+##################################################################################
+
+MicrosoftDefenderCloudRoles:
+  Type: update-stacks
+  Template: microsoft-defender-cloud-roles.yaml
+  StackName: !Sub ${resourcePrefix}-microsoft-defender-cloud-roles
+  DefaultOrganizationBinding:
+    Account: !Ref SynapseProdAccount
+    Region: us-east-1
+
+#####################################################
+# Resources to allow Github CI to access AWS accounts
+#####################################################
+
 GithubOidcSageBionetworks:
   Type: update-stacks
   Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.7.6/templates/IAM/oidc-provider.yaml