Initial commit of guide, plus some minor re-shuffling of README.md (#21)
* updated/re-shuffle of README.md

* initial commit of guide
ZacharyWallace authored Jun 3, 2023
1 parent 7d88da1 commit 097e80c
Showing 15 changed files with 68 additions and 48 deletions.
21 changes: 11 additions & 10 deletions README.md
Expand Up @@ -10,7 +10,7 @@ This solution utilizes CloudFormation to deploy three solutions as one:
- Solution B: A CloudFormation Nested Stack that enables GuardDuty for all existing AWS accounts in an AWS Organization and turns on the Auto-Enable feature for future accounts. The solution allows you to choose the regions in which to enable GuardDuty and delegates the GuardDuty administrator role to the organization's Audit account. It creates an S3 bucket in the logging account to collect aggregated findings from all accounts and assigns a lifecycle policy to transition data to Glacier storage after 365 days. The solution also enables GuardDuty S3 and EKS protection by default.
- Solution C: A StackSet in the logging account account where the previous solutions were configured to store logs to and sets ups all of the resources required to begin ingesting those logs to the Deepwatch Managed Detection & Response platform, including all necessary Lambdas, SNS Topics, SQS Queues, S3 Event Notifications, and IAM Roles & Policies. The outputs of this StackSet are all that is needed to finish setting up ingestion of your organizations CloudTrail and GuardDuty logs.

## Getting Started
## Deployment Steps

To deploy this CloudFormation Stack via the AWS Console follow these steps:
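Review bot: the unchanged Solution C context line still reads "the logging account account where ... and sets ups all of the resources" and "your organizations CloudTrail"; since this hunk retitles the section, fix "logging account where", "sets up" and "organization's" in the same pass. Renaming "Getting Started" to "Deployment Steps" matches the guide page name, fine.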

Expand All @@ -34,7 +34,9 @@ To deploy the CloudFormation stack using the AWS CLI follow these steps:

Be sure to replace `<YOUR_STACK_NAME>`, `<PARAMETER_NAME>`, and `<PARAMETER_VALUE>` with your desired values for the stack name and parameters.

5. Wait for the stack to finish deploying. You can check the status of the deployment by running the following command:
## Post-Deployment Steps

Wait for the stack to finish deploying. You can check the status of the deployment by running the following command:

```
aws cloudformation describe-stacks --stack-name <YOUR_STACK_NAME>
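Review bot: removing "5. Wait for the stack to finish deploying" from the numbered CLI list and promoting it to "## Post-Deployment Steps" leaves the CLI procedure ending at step 4 with no hand-off; a short closing line such as "Then continue with Post-Deployment Steps" keeps the flow. Also tag the fence as ```bash, and consider `aws cloudformation describe-stacks --stack-name <YOUR_STACK_NAME> --query 'Stacks[0].StackStatus' --output text` so the reader sees the status directly instead of the full stack description.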
Expand All @@ -44,7 +46,13 @@ To deploy the CloudFormation stack using the AWS CLI follow these steps:

Once the stack has finished deploying, you can access the resources created by the stack via the AWS Management Console or the AWS CLI.

## Deepwatch StackSet Resources
Following the deployment of the solution, please provide your Deepwatch engineer with the following outputs from the Deepwatch template:

- `oCloudTrailQueueArn`
- `oGuardDutyQueueArn`
- `oDeepwatchRoleArn`

## Architecture

<img width="1081" height="801" src="images/resources-architecture.jpg" alt="Resources Architecture">
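Review bot: the "provide your Deepwatch engineer with the following outputs" paragraph now lands between "Once the stack has finished deploying..." and the new "## Architecture" heading instead of under the "## Post-Deployment Steps" heading this commit introduces earlier in the file, so it reads as part of the architecture description; keep it under Post-Deployment Steps. Minor: the guide pages use markdown image syntax, while this adds a raw <img width="1081" height="801"> tag whose hard-coded dimensions will not scale on narrow screens.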

Expand All @@ -67,10 +75,3 @@ The Deepwatch CloudFormation StackSet creates several AWS resources:

Additionally there is a custom resource that will place an event notification configuration on the GuardDuty and CloudTrail buckets to forward all new objectcreate events to the respective SQS queue/SNS Topic.

## Post-Deployment Steps

Following the deployment of the solution, please provide your Deepwatch engineer with the following outputs from the Deepwatch template:

- `oCloudTrailQueueArn`
- `oGuardDutyQueueArn`
- `oDeepwatchRoleArn`
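Review bot: deleting the trailing "## Post-Deployment Steps" section is consistent with moving that content up, but the context line above it says the custom resource forwards "objectcreate events"; the S3 event type is s3:ObjectCreated:*, so "ObjectCreated events" would be accurate and searchable.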
8 changes: 4 additions & 4 deletions guide/content/additional-resources.md
Expand Up @@ -6,13 +6,13 @@ description: Additional Resources

## Partner documentation

* Reference-1
* Reference-2
* [Deepwatch](https://www.deepwatch.com/)

## AWS Services

* Reference-1
* Reference-2
* [Deepwatch MDR ABI](https://github.com/aws-ia/cfn-abi-deepwatch-mdr)
* [AWS SRA GuardDuty](https://github.com/aws-ia/cfn-abi-amazon-guardduty)
* [AWS SRA CloudTrail](https://github.com/aws-ia/cfn-abi-aws-cloudtrail)

## Frequently asked questions (FAQs)
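Review bot: the [Deepwatch MDR ABI] link under "## AWS Services" points at this repository itself rather than at an AWS service; move it under "## Partner documentation" next to the Deepwatch site link or drop it, and consider adding the AWS service documentation pages (GuardDuty, CloudTrail) that the heading promises.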

16 changes: 6 additions & 10 deletions guide/content/architecture.md
Expand Up @@ -6,21 +6,17 @@ description: Solution architecture.

Deploying this ABI package with default parameters builds the following architecture.

![Architecture diagram](/images/architecture.png)
![Architecture diagram](/images/overview-architecture.jpg)

As shown in the diagram, the Quick Start sets up the following:

* In all current and AWS accounts in your AWS organization:
* <Amazon CloudWatch Events rules> to <detect changes in AWS Config configuration items (CIs)> and <trigger AWS Lambda functions>.
* <Service> to perform <Action-1> and <Action-2>.
This solution utilizes CloudFormation to deploy three solutions as one:

* In the management account:
* <Service> to perform <Action-1> and <Action-2>.
* Solution A: A CloudFormation Nested Stack that deploys an Organization CloudTrail solution that will create an Organization CloudTrail within the Organization Management Account that is encrypted with a Customer Managed KMS Key managed in the Audit Account and logs delivered to the Log Archive Account. An Organization CloudTrail logs all events for all AWS accounts in the AWS Organization.

* In the log archive account:
* <Service> to perform <Action-1> and <Action-2>.
* Solution B: A CloudFormation Nested Stack that enables GuardDuty for all existing AWS accounts in an AWS Organization and turns on the Auto-Enable feature for future accounts. The solution allows you to choose the regions in which to enable GuardDuty and delegates the GuardDuty administrator role to the organization's Audit account. It creates an S3 bucket in the logging account to collect aggregated findings from all accounts and assigns a lifecycle policy to transition data to Glacier storage after 365 days. The solution also enables GuardDuty S3 and EKS protection by default.

* Solution C: A StackSet in the logging account account where the previous solutions were configured to store logs to and sets ups all of the resources required to begin ingesting those logs to the Deepwatch Managed Detection & Response platform, including all necessary Lambdas, SNS Topics, SQS Queues, S3 Event Notifications, and IAM Roles & Policies. The outputs of this StackSet are all that is needed to finish setting up ingestion of your organizations CloudTrail and GuardDuty logs.

* In the security tooling account:
* <Service> to perform <Action-1> and <Action-2>.

**Next:** Choose [Deployment Options](/deployment-options/index.html) to get started.
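Review bot: the hunk leaves "As shown in the diagram, the Quick Start sets up the following:" directly above the newly added "This solution utilizes CloudFormation to deploy three solutions as one:", so the page now has two lead-in sentences in a row and the first still says "Quick Start"; drop or merge the first. The three Solution paragraphs are copied verbatim from README.md, including "the logging account account" and "sets ups"; fix them in both places or keep the guide as the single source.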
12 changes: 7 additions & 5 deletions guide/content/costandlicenses.md
Expand Up @@ -4,14 +4,16 @@ title: Cost and licenses
description: Cost of the solution and licenses required.
---

<partner cost>
The only costs occurred with the deployment of this solution are those for the AWS resources used. For a complete pricing detailed breakdown, please see the AWS pricing pages in your deployed regions for the following solutions:

<AWS Service cost>
* [GuardDuty](https://aws.amazon.com/guardduty/pricing/)

<Any other costs>
* [CloudTrail](https://aws.amazon.com/cloudtrail/pricing/)

<Partner license>
* [Lambda](https://aws.amazon.com/lambda/pricing/)

<ABI license>
* [SQS](https://aws.amazon.com/sqs/pricing/)

* [SNS](https://aws.amazon.com/sns/pricing/)

**Next:** Choose [Architecture](/architecture/index.html) to get started.
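Review bot: "The only costs occurred with the deployment" should be "The only costs incurred by the deployment", and "complete pricing detailed breakdown" reads as "complete, detailed pricing breakdown". The pricing list also omits two resources this solution creates according to README.md: S3 (the GuardDuty findings and CloudTrail log buckets, including the Glacier transition after 365 days) and KMS (the customer managed key that encrypts the organization trail); add links to their pricing pages.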
4 changes: 2 additions & 2 deletions guide/content/deployment-options.md
Expand Up @@ -6,9 +6,9 @@ description:

This ABI package provides one deployment option:

* [Deploy [[Partner Name-Product Name]] for AWS Organizations](quick-link)
* [Deploy [[Deepwatch MDR]] for AWS Organizations](quick-link)

This option builds <>.
This option builds all of the CloudTrail, GuardDuty and supporting resources needed to begin ingestion of AWS security logs in to the Deepwatch MDR platform. During the deployment you can choose what sort of options to enable within the indidivual services.


#### Deployment options supported by this ABI package
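Review bot: "quick-link" is still the template placeholder for the link target, and "[[Deepwatch MDR]]" keeps the template's double-bracket placeholder markers in the rendered text; point the link at the deployment page the rest of the guide uses (/deployment-steps/index.html) and drop the brackets. Typos: "indidivual" -> "individual", "in to" -> "into", and "what sort of options" -> "which options".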
18 changes: 11 additions & 7 deletions guide/content/deployment-steps.md
Expand Up @@ -8,15 +8,19 @@ description: Deployment steps
## Launch the CloudFormation Template in the Management Account


1. Download the cloudformation template from source: https://<abi-template-location>
1. Download the cloudformation template from source: https://github.com/aws-ia/cfn-abi-deepwatch-mdr
2. Launch CloudFormation template in your AWS Control Tower home region.
* Stack name: `template-<partner-name>-enable-integrations`
* Stack name: `template-deepwatch-enable-integrations`
* List Parameters with [call out default values and update below example as needed]
* **EnableIntegrationsStackName**: `template-<partner-name>-enable-integrations`
* **EnableIntegrationsStackRegion**: `us-east-1`
* **EnableIntegrationsStackSetAdminRoleName**: `AWSCloudFormationStackSetAdministrationRole`
* **EnableIntegrationsStackSetExecutionRoleName**: `AWSCloudFormationStackSetExecutionRole`
* **EnableIntegrationsStackSetExecutionRoleArn**: `arn:aws:iam::<account-id>:role/AWSCloudFormationStackSetExecutionRole`
* **pDeepwatchRoleName**: `deepwatch-mdr-role`
* **pSraTestingFlag**: `false`
* **pSRASolutionName**: `sra-guardduty-org`
* **pAutoEnableMalwareProtection**: `false`
* **pAutoEnableK8sLogs**: `false`
* **pAutoEnableS3Logs**: `true`
* **pSRAS3BucketRegion**: `true`
* **pSRASourceS3BucketName**: `aws-abi-pilot`
* **pSRAStagingS3KeyPrefix**: `cfn-abi-deepwatch-mdr`

3. Choose both the **Capabilities** and select **Submit** to launch the stack.
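Review bot: `pSRAS3BucketRegion: true` cannot be right; by its name this parameter takes a region (the sibling EnableIntegrationsStackRegion is `us-east-1`), so `true` looks copied from the pAutoEnableS3Logs line above it; confirm the real default against the template. The bullet "List Parameters with [call out default values and update below example as needed]" is leftover template text and should become "Parameters (defaults shown):". The download link also points at the repository root rather than a template file; link the specific template the reader is meant to launch.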

Binary file added guide/content/images/overview-architecture.jpg
Binary file added guide/content/images/resources-architecture.jpg
Binary file added guide/content/images/test-deployment.png
Binary file added guide/content/images/test-deployment2.png
2 changes: 1 addition & 1 deletion guide/content/overview.md
Expand Up @@ -5,7 +5,7 @@ description:
---


This ABI deploys <Partner project name> Integrations for AWS Organizations on the AWS Cloud. It’s for <persona-1> and <persona-2> that want to provide <partner-product-functionality> across multiple AWS accounts. If you are unfamiliar with AWS Built In, refer to the [AWS Built in](https://aws.amazon.com/builtin).
This ABI deploys cfn-abi-deepwatch-mdr Integrations for AWS Organizations on the AWS Cloud. It’s for Deepwatch customers using AWS CloudTrail and Deepwatch customers using GuardDuty that want to provide all of the necessary resources and steps to begin ingestion of log sources for these use cases with their Deepwatch MDR servic across multiple AWS accounts. If you are unfamiliar with AWS Built In, refer to the [AWS Built in](https://aws.amazon.com/builtin).

Deploying this ABI package does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.
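Review bot: "servic" -> "service". The sentence also uses the repository name where the product name belongs ("deploys cfn-abi-deepwatch-mdr Integrations" -> "deploys Deepwatch MDR Integrations") and names the same persona twice ("Deepwatch customers using AWS CloudTrail and Deepwatch customers using GuardDuty"); "It's for Deepwatch MDR customers who want to ingest CloudTrail and GuardDuty logs from multiple AWS accounts" says the same in one clause.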

15 changes: 13 additions & 2 deletions guide/content/post-deployment-steps.md
Expand Up @@ -5,10 +5,21 @@ description: Post deployment options
---

## Verifying the solution functionality
Wait for the stack to finish deploying. You can check the status of the deployment by running the following command:

## Parnter capability 1
```
aws cloudformation describe-stacks --stack-name <YOUR_STACK_NAME>
```

## Parnter capability 2
The stack status will be returned in the output.

Once the stack has finished deploying, you can access the resources created by the stack via the AWS Management Console or the AWS CLI.

Following the deployment of the solution, please provide your Deepwatch engineer with the following outputs from the Deepwatch template:

- `oCloudTrailQueueArn`
- `oGuardDutyQueueArn`
- `oDeepwatchRoleArn`


**Next:** Choose [Test the Deployment](/test-deployment/index.html) to get started.
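Review bot: the page tells the reader to run describe-stacks on the root stack and then to hand over oCloudTrailQueueArn, oGuardDutyQueueArn and oDeepwatchRoleArn "from the Deepwatch template", but per test-deployment.md in this same commit those outputs belong to the StackSet instance stack in the log archive account (StackSet-deepwatch-logging-resource-configuration-*uuid*), not to the stack queried here; say where to look, or give the describe-stacks command for that stack and account. Also tag the fence as ```bash.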
8 changes: 6 additions & 2 deletions guide/content/pre-deployment-steps.md
Expand Up @@ -7,8 +7,12 @@ description: Pre Deployment Options
Before deploying this ABI package, complete the following steps:

* Subscribe to partner product from AWS Marketplace using <AWS Marketplace Listing>
* Any things to be done before deployment
* Any other pre-deployment steps
* Be a Deepwatch MDR customer
* If you don’t already have an AWS organization, create one. For more information, refer to Tutorial: Creating and configuring an organization.
* Ensure that your IAM user has sufficient permissions for the IAM user or role in your organization management account to create an organization trail and enable GuardDuty.
* Enable trusted access with AWS Organizations. For more information, refer to Enable trusted access with AWS Organizations. Otherwise, since this is a multi-account deployment, AWS CloudFormation won’t run.
* If you don’t already have them, create separate security tooling and log archive accounts in your AWS organization.
* Ensure that GuardDuty has not been enabled by the security tooling account (delegated administrator). For more information, refer to Managing GuardDuty accounts with AWS Organizations.
* Become familiar with the [additional resources](https://link), later in this guide.

**Next:** Choose **[Deployment Steps](/deployment-steps/index.html)** to get started.
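Review bot: "[additional resources](https://link)" is still the template placeholder URL; point it at /additional-resources/index.html as the other guide pages do. "Tutorial: Creating and configuring an organization", "Enable trusted access with AWS Organizations" and "Managing GuardDuty accounts with AWS Organizations" are document titles with no links; either link them or drop "refer to". "Ensure that your IAM user has sufficient permissions for the IAM user or role" is redundant; "Ensure that the IAM user or role you deploy with in the organization management account can create an organization trail and enable GuardDuty" is clearer.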
4 changes: 3 additions & 1 deletion guide/content/terminologies.md
Expand Up @@ -7,6 +7,8 @@ description: Terminolgies used in this guide.
* **ABI :** AWS Built In (ABI) as explained above.
* **ABI Modules :** The GitHub repositories based of AWS SRA, which provide templates for enabling AWS foundational services like CloudTrail, GuardDuty, SecurityHub and more security services.
* **ABI Projects :** The GitHub repositories built by Partners in partnership with AWS. While building these projects, partners leverage ABI Modules provided to enable AWS services as needed before creating partner specific assets. The project contains 1\ IaC templates to automate enablement of both AWS and Partner services, 2\ Wrappers for most common formats like CfCT manifest, SC Baselines and more to allow customers to easily pick and choose from the services available. For Pilot, we will focus only on including CfCT manifest file in the package.
* [[Add more terminologies here]]
* **Deepwatch MDR :** The Deepwatch Managed Detection & Response service. This solution is applicable only for Deepwatch customers that have this service.
* **Deepwatch MDR AWS Account :** The AWS account that the Deepwatch MDR service, and requisite resources are hosted in. This account will be referenced in various architectures and diagrams located throughout.
* **Customer AWS Resources :** The resources deployed in the Deepwatch customer's AWS account to facilitate log-ingestion, including all necessary Lambdas, SNS Topics, SQS Queues, S3 Event Notifications, and IAM Roles & Policies.

**Next:** Choose [Cost and licenses](/costandlicenses/index.html) to get started.
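Review bot: in the new "Deepwatch MDR AWS Account" entry the comma after "service" splits the subject ("the Deepwatch MDR service, and requisite resources are hosted in"); write "the Deepwatch MDR service and its supporting resources are hosted in". The front-matter context line "description: Terminolgies" has a typo ("Terminologies") worth fixing while here.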
8 changes: 4 additions & 4 deletions guide/content/test-deployment.md
Expand Up @@ -4,11 +4,11 @@ title: Test the deployment
description: Test the deployment
---

## Step-1
After the deployment completes, in the Control Tower Manager account you should see the root stack and all nested stacks successfully deployed.
![Control Tower Manager Account Stacks](/images/test-deployment.png)

## Step-2

## Step-3
If you log in to the Control Tower log archive account, you will see similar, take note of the output values of the "StackSet-deepwatch-logging-resource-configuration-*uuid*" stack. Your Deepwatch engineer will need these values to finish setting up ingestion.
![Control Tower Log Archive Account Stacks](/images/test-deployment2.png)


**Next:** Choose [Additonal Resources](/additional-resources/index.html) to get started.
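Review bot: "you will see similar, take note of" is a comma splice; "you will see a similar view. Take note of..." reads better. "Control Tower Manager account" should be "Control Tower management account" (the term deployment-steps.md uses), and the Next link text "Additonal Resources" has a typo. Dropping the placeholder Step-1/2/3 headings is fine.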
