diff --git a/README.md b/README.md index 14f84f9..51e5977 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This solution utilizes CloudFormation to deploy three solutions as one: - Solution B: A CloudFormation Nested Stack that enables GuardDuty for all existing AWS accounts in an AWS Organization and turns on the Auto-Enable feature for future accounts. The solution allows you to choose the regions in which to enable GuardDuty and delegates the GuardDuty administrator role to the organization's Audit account. It creates an S3 bucket in the logging account to collect aggregated findings from all accounts and assigns a lifecycle policy to transition data to Glacier storage after 365 days. The solution also enables GuardDuty S3 and EKS protection by default. - Solution C: A StackSet in the logging account account where the previous solutions were configured to store logs to and sets ups all of the resources required to begin ingesting those logs to the Deepwatch Managed Detection & Response platform, including all necessary Lambdas, SNS Topics, SQS Queues, S3 Event Notifications, and IAM Roles & Policies. The outputs of this StackSet are all that is needed to finish setting up ingestion of your organizations CloudTrail and GuardDuty logs. -## Getting Started +## Deployment Steps To deploy this CloudFormation Stack via the AWS Console follow these steps: @@ -34,7 +34,9 @@ To deploy the CloudFormation stack using the AWS CLI follow these steps: Be sure to replace ``, ``, and `` with your desired values for the stack name and parameters. -5. Wait for the stack to finish deploying. You can check the status of the deployment by running the following command: +## Post-Deployment Steps + +Wait for the stack to finish deploying. You can check the status of the deployment by running the following command: ``` aws cloudformation describe-stacks --stack-name 
@@ -44,7 +46,13 @@ To deploy the CloudFormation stack using the AWS CLI follow these steps: Once the stack has finished deploying, you can access the resources created by the stack via the AWS Management Console or the AWS CLI. -## Deepwatch StackSet Resources +Following the deployment of the solution, please provide your Deepwatch engineer with the following outputs from the Deepwatch template: + +- `oCloudTrailQueueArn` +- `oGuardDutyQueueArn` +- `oDeepwatchRoleArn` + +## Architecture Resources Architecture @@ -67,10 +75,3 @@ The Deepwatch CloudFormation StackSet creates several AWS resources: Additionally there is a custom resource that will place an event notification configuration on the GuardDuty and CloudTrail buckets to forward all new objectcreate events to the respective SQS queue/SNS Topic. -## Post-Deployment Steps - -Following the deployment of the solution, please provide your Deepwatch engineer with the following outputs from the Deepwatch template: - -- `oCloudTrailQueueArn` -- `oGuardDutyQueueArn` -- `oDeepwatchRoleArn` diff --git a/guide/content/additional-resources.md b/guide/content/additional-resources.md index 7a70162..3477ed9 100644 --- a/guide/content/additional-resources.md +++ b/guide/content/additional-resources.md @@ -6,13 +6,13 @@ description: Additional Resources ## Partner documentation -* Reference-1 -* Reference-2 +* [Deepwatch](https://www.deepwatch.com/) ## AWS Services -* Reference-1 -* Reference-2 +* [Deepwatch MDR ABI](https://github.com/aws-ia/cfn-abi-deepwatch-mdr) +* [AWS SRA GuardDuty](https://github.com/aws-ia/cfn-abi-amazon-guardduty) +* [AWS SRA CloudTrail](https://github.com/aws-ia/cfn-abi-aws-cloudtrail) ## Frequently asked questions (FAQs) diff --git a/guide/content/architecture.md b/guide/content/architecture.md index 7c15752..c50de0d 100644 --- a/guide/content/architecture.md +++ b/guide/content/architecture.md 
@@ -6,21 +6,17 @@ description: Solution architecture. Deploying this ABI package with default parameters builds the following architecture. -![Architecture diagram](/images/architecture.png) +![Architecture diagram](/images/overview-architecture.jpg) As shown in the diagram, the Quick Start sets up the following: -* In all current and AWS accounts in your AWS organization: - * to and . - * to perform and . +This solution utilizes CloudFormation to deploy three solutions as one: -* In the management account: - * to perform and . +* Solution A: A CloudFormation Nested Stack that deploys an Organization CloudTrail solution that will create an Organization CloudTrail within the Organization Management Account that is encrypted with a Customer Managed KMS Key managed in the Audit Account and logs delivered to the Log Archive Account. An Organization CloudTrail logs all events for all AWS accounts in the AWS Organization. -* In the log archive account: - * to perform and . +* Solution B: A CloudFormation Nested Stack that enables GuardDuty for all existing AWS accounts in an AWS Organization and turns on the Auto-Enable feature for future accounts. The solution allows you to choose the regions in which to enable GuardDuty and delegates the GuardDuty administrator role to the organization's Audit account. It creates an S3 bucket in the logging account to collect aggregated findings from all accounts and assigns a lifecycle policy to transition data to Glacier storage after 365 days. The solution also enables GuardDuty S3 and EKS protection by default. + +* Solution C: A StackSet in the logging account account where the previous solutions were configured to store logs to and sets ups all of the resources required to begin ingesting those logs to the Deepwatch Managed Detection & Response platform, including all necessary Lambdas, SNS Topics, SQS Queues, S3 Event Notifications, and IAM Roles & Policies. 
The outputs of this StackSet are all that is needed to finish setting up ingestion of your organizations CloudTrail and GuardDuty logs. -* In the security tooling account: - * to perform and . **Next:** Choose [Deployment Options](/deployment-options/index.html) to get started. \ No newline at end of file diff --git a/guide/content/costandlicenses.md b/guide/content/costandlicenses.md index e06f49a..96f6726 100644 --- a/guide/content/costandlicenses.md +++ b/guide/content/costandlicenses.md @@ -4,14 +4,16 @@ title: Cost and licenses description: Cost of the solution and licenses required. --- - +The only costs occurred with the deployment of this solution are those for the AWS resources used. For a complete pricing detailed breakdown, please see the AWS pricing pages in your deployed regions for the following solutions: - +* [GuardDuty](https://aws.amazon.com/guardduty/pricing/) - +* [CloudTrail](https://aws.amazon.com/cloudtrail/pricing/) - +* [Lambda](https://aws.amazon.com/lambda/pricing/) - +* [SQS](https://aws.amazon.com/sqs/pricing/) + +* [SNS](https://aws.amazon.com/sns/pricing/) **Next:** Choose [Architecture](/architecture/index.html) to get started. diff --git a/guide/content/deployment-options.md b/guide/content/deployment-options.md index 428bb60..f5a3a02 100644 --- a/guide/content/deployment-options.md +++ b/guide/content/deployment-options.md @@ -6,9 +6,9 @@ description: This ABI package provides one deployment option: -* [Deploy [[Partner Name-Product Name]] for AWS Organizations](quick-link) +* [Deploy [[Deepwatch MDR]] for AWS Organizations](quick-link) -This option builds <>. +This option builds all of the CloudTrail, GuardDuty and supporting resources needed to begin ingestion of AWS security logs in to the Deepwatch MDR platform. During the deployment you can choose what sort of options to enable within the indidivual services. #### Deployment options supported by this ABI package 
diff --git a/guide/content/deployment-steps.md b/guide/content/deployment-steps.md index 7ccc3fc..5e244d8 100644 --- a/guide/content/deployment-steps.md +++ b/guide/content/deployment-steps.md @@ -8,15 +8,19 @@ description: Deployment steps ## Launch the CloudFormation Template in the Management Account -1. Download the cloudformation template from source: https:// +1. Download the cloudformation template from source: https://github.com/aws-ia/cfn-abi-deepwatch-mdr 2. Launch CloudFormation template in your AWS Control Tower home region. - * Stack name: `template--enable-integrations` + * Stack name: `template-deepwatch-enable-integrations` * List Parameters with [call out default values and update below example as needed] - * **EnableIntegrationsStackName**: `template--enable-integrations` - * **EnableIntegrationsStackRegion**: `us-east-1` - * **EnableIntegrationsStackSetAdminRoleName**: `AWSCloudFormationStackSetAdministrationRole` - * **EnableIntegrationsStackSetExecutionRoleName**: `AWSCloudFormationStackSetExecutionRole` - * **EnableIntegrationsStackSetExecutionRoleArn**: `arn:aws:iam:::role/AWSCloudFormationStackSetExecutionRole` + * **pDeepwatchRoleName**: `deepwatch-mdr-role` + * **pSraTestingFlag**: `false` + * **pSRASolutionName**: `sra-guardduty-org` + * **pAutoEnableMalwareProtection**: `false` + * **pAutoEnableK8sLogs**: `false` + * **pAutoEnableS3Logs**: `true` + * **pSRAS3BucketRegion**: `true` + * **pSRASourceS3BucketName**: `aws-abi-pilot` + * **pSRAStagingS3KeyPrefix**: `cfn-abi-deepwatch-mdr` 3. Choose both the **Capabilities** and select **Submit** to launch the stack. diff --git a/guide/content/images/overview-architecture.jpg b/guide/content/images/overview-architecture.jpg new file mode 100644 index 0000000..a27896f Binary files /dev/null and b/guide/content/images/overview-architecture.jpg differ 
diff --git a/guide/content/images/resources-architecture.jpg b/guide/content/images/resources-architecture.jpg new file mode 100644 index 0000000..d62c42f Binary files /dev/null and b/guide/content/images/resources-architecture.jpg differ diff --git a/guide/content/images/test-deployment.png b/guide/content/images/test-deployment.png new file mode 100644 index 0000000..9b97fa5 Binary files /dev/null and b/guide/content/images/test-deployment.png differ diff --git a/guide/content/images/test-deployment2.png b/guide/content/images/test-deployment2.png new file mode 100644 index 0000000..15b63f5 Binary files /dev/null and b/guide/content/images/test-deployment2.png differ diff --git a/guide/content/overview.md b/guide/content/overview.md index fa8f28a..68cc53c 100644 --- a/guide/content/overview.md +++ b/guide/content/overview.md @@ -5,7 +5,7 @@ description: --- -This ABI deploys Integrations for AWS Organizations on the AWS Cloud. It’s for and that want to provide across multiple AWS accounts. If you are unfamiliar with AWS Built In, refer to the [AWS Built in](https://aws.amazon.com/builtin). +This ABI deploys cfn-abi-deepwatch-mdr Integrations for AWS Organizations on the AWS Cloud. It’s for Deepwatch customers using AWS CloudTrail and Deepwatch customers using GuardDuty that want to provide all of the necessary resources and steps to begin ingestion of log sources for these use cases with their Deepwatch MDR servic across multiple AWS accounts. If you are unfamiliar with AWS Built In, refer to the [AWS Built in](https://aws.amazon.com/builtin). Deploying this ABI package does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations. diff --git a/guide/content/post-deployment-steps.md b/guide/content/post-deployment-steps.md index 476b671..d26d93f 100644 --- a/guide/content/post-deployment-steps.md +++ b/guide/content/post-deployment-steps.md 
@@ -5,10 +5,21 @@ description: Post deployment options --- ## Verifying the solution functionality +Wait for the stack to finish deploying. You can check the status of the deployment by running the following command: -## Parnter capability 1 + ``` + aws cloudformation describe-stacks --stack-name + ``` -## Parnter capability 2 + The stack status will be returned in the output. + +Once the stack has finished deploying, you can access the resources created by the stack via the AWS Management Console or the AWS CLI. + +Following the deployment of the solution, please provide your Deepwatch engineer with the following outputs from the Deepwatch template: + +- `oCloudTrailQueueArn` +- `oGuardDutyQueueArn` +- `oDeepwatchRoleArn` **Next:** Choose [Test the Deployment](/test-deployment/index.html) to get started. \ No newline at end of file diff --git a/guide/content/pre-deployment-steps.md b/guide/content/pre-deployment-steps.md index 87d0345..a23ac39 100644 --- a/guide/content/pre-deployment-steps.md +++ b/guide/content/pre-deployment-steps.md 
@@ -7,8 +7,12 @@ description: Pre Deployment Options Before deploying this ABI package, complete the following steps: * Subscribe to partner product from AWS Marketplace using -* Any things to be done before deployment -* Any other pre-deployment steps +* Be a Deepwatch MDR customer +* If you don’t already have an AWS organization, create one. For more information, refer to Tutorial: Creating and configuring an organization. +* Ensure that your IAM user has sufficient permissions for the IAM user or role in your organization management account to create an organization trail and enable GuardDuty. +* Enable trusted access with AWS Organizations. For more information, refer to Enable trusted access with AWS Organizations. Otherwise, since this is a multi-account deployment, AWS CloudFormation won’t run. +* If you don’t already have them, create separate security tooling and log archive accounts in your AWS organization. +* Ensure that GuardDuty has not been enabled by the security tooling account (delegated administrator). For more information, refer to Managing GuardDuty accounts with AWS Organizations. * Become familiar with the [additional resources](https://link), later in this guide. **Next:** Choose **[Deployment Steps](/deployment-steps/index.html)** to get started. \ No newline at end of file diff --git a/guide/content/terminologies.md b/guide/content/terminologies.md index 2bcc22f..50de838 100644 --- a/guide/content/terminologies.md +++ b/guide/content/terminologies.md 
@@ -7,6 +7,8 @@ description: Terminolgies used in this guide. * **ABI :** AWS Built In (ABI) as explained above. * **ABI Modules :** The GitHub repositories based of AWS SRA, which provide templates for enabling AWS foundational services like CloudTrail, GuardDuty, SecurityHub and more security services. * **ABI Projects :** The GitHub repositories built by Partners in partnership with AWS. While building these projects, partners leverage ABI Modules provided to enable AWS services as needed before creating partner specific assets. The project contains 1\ IaC templates to automate enablement of both AWS and Partner services, 2\ Wrappers for most common formats like CfCT manifest, SC Baselines and more to allow customers to easily pick and choose from the services available. For Pilot, we will focus only on including CfCT manifest file in the package. -* [[Add more terminologies here]] +* **Deepwatch MDR :** The Deepwatch Managed Detection & Response service. This solution is applicable only for Deepwatch customers that have this service. +* **Deepwatch MDR AWS Account :** The AWS account that the Deepwatch MDR service, and requisite resources are hosted in. This account will be referenced in various architectures and diagrams located throughout. +* **Customer AWS Resources :** The resources deployed in the Deepwatch customer's AWS account to facilitate log-ingestion, including all necessary Lambdas, SNS Topics, SQS Queues, S3 Event Notifications, and IAM Roles & Policies. **Next:** Choose [Cost and licenses](/costandlicenses/index.html) to get started. diff --git a/guide/content/test-deployment.md b/guide/content/test-deployment.md index 052c10e..f33c81a 100644 --- a/guide/content/test-deployment.md +++ b/guide/content/test-deployment.md 
@@ -4,11 +4,11 @@ title: Test the deployment description: Test the deployment --- -## Step-1 +After the deployment completes, in the Control Tower Manager account you should see the root stack and all nested stacks successfully deployed. +![Control Tower Manager Account Stacks](/images/test-deployment.png) -## Step-2 - -## Step-3 +If you log in to the Control Tower log archive account, you will see similar, take note of the output values of the "StackSet-deepwatch-logging-resource-configuration-*uuid*" stack. Your Deepwatch engineer will need these values to finish setting up ingestion. +![Control Tower Log Archive Account Stacks](/images/test-deployment2.png) **Next:** Choose [Additonal Resources](/additional-resources/index.html) to get started. \ No newline at end of file
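Review bot: In the first README hunk (@@ -10,7 +10,7 @@) the Solution C context line still reads "in the logging account account where the previous solutions were configured to store logs to and sets ups all of the resources" and "your organizations CloudTrail and GuardDuty logs"; since this paragraph is copied verbatim into guide/content/architecture.md later in this patch, fix it once at the source: "in the logging account where the previous solutions store logs, and sets up all of the resources" and "your organization's CloudTrail and GuardDuty logs".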
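Review bot: In the README hunk @@ -34,7 +34,9 @@ the placeholders are empty in the rendered text: "Be sure to replace ``, ``, and `` with your desired values" and "aws cloudformation describe-stacks --stack-name" with nothing after the flag. Angle-bracket placeholders such as `<stack-name>` are treated as HTML by Markdown and vanish; write them as `STACK_NAME` inside backticks so the reader sees what to substitute. The same hunk also turns numbered step 5 into a "## Post-Deployment Steps" heading while steps 1-4 stay numbered, which is fine, but the describe-stacks command should then name the stack used in the deployment guide (`template-deepwatch-enable-integrations`).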
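Review bot: In the README hunk @@ -44,7 +46,13 @@ the new "## Architecture Resources" heading is immediately followed by the bare word "Architecture" with no image markup around it; if this is meant to embed the diagram added in this patch, it needs the full `![Architecture](...)` syntax and a path that exists (guide/content/images/resources-architecture.jpg is added below but nothing in the diff references it).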
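Review bot: In the README hunk @@ -67,10 +75,3 @@ the retained context line says the custom resource forwards "all new objectcreate events"; name the actual S3 notification event type (s3:ObjectCreated:*) so an operator can verify the bucket notification configuration matches what the documentation claims, and separate the words ("object-created events").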
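Review bot: In the additional-resources.md hunk the "Deepwatch MDR ABI" repository link is placed under the "## AWS Services" heading alongside the SRA GuardDuty and CloudTrail modules; it is this partner project's own repository rather than an AWS service, so it belongs under "## Partner documentation" next to the Deepwatch link, or the heading should be renamed to cover ABI modules and projects.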
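Review bot: In the architecture.md hunk the context line "As shown in the diagram, the Quick Start sets up the following:" is left in place above the new text, but this is an ABI package, not a Quick Start, and the sentence that now follows it ("This solution utilizes CloudFormation to deploy three solutions as one:") is a second lead-in; drop or merge one of them. The pasted Solution C text also carries the README's "logging account account", "sets ups" and "organizations" errors.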
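Review bot: In the costandlicenses.md hunk, "The only costs occurred with the deployment" should be "The only costs incurred by the deployment", and the pricing list is missing two services the architecture page in this same patch says are created: the S3 buckets that receive CloudTrail and GuardDuty logs (with a Glacier lifecycle transition) and the customer-managed KMS key that encrypts the organization trail. Add S3 and KMS pricing links so the cost statement is complete.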
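Review bot: In the deployment-options.md hunk the template placeholders are only half filled: "[Deploy [[Deepwatch MDR]] for AWS Organizations](quick-link)" keeps the double brackets and the "quick-link" target, which will render as a broken link. Also "indidivual" should be "individual" and "in to the Deepwatch MDR platform" should be "into the Deepwatch MDR platform".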
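Review bot: In the deployment-steps.md hunk the value `pSRAS3BucketRegion`: `true` looks wrong: a region parameter takes a region name (for example `us-east-1`, the value the old `EnableIntegrationsStackRegion` line carried), not a boolean, and a template given `true` here will fail validation or resolve the staging bucket in the wrong region. Please confirm the intended default. The same hunk leaves the template instruction "List Parameters with [call out default values and update below example as needed]" in the user-facing text, and the parameter names mix casing (`pSraTestingFlag` vs `pSRASolutionName`); check they match the template's actual parameter identifiers.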
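Review bot: In the overview.md hunk the new sentence has a typo ("Deepwatch MDR servic") and reads awkwardly: "It's for Deepwatch customers using AWS CloudTrail and Deepwatch customers using GuardDuty that want to provide all of the necessary resources and steps to begin ingestion". Suggest: "It's for Deepwatch MDR customers who want to deploy the resources needed to ingest AWS CloudTrail and GuardDuty logs into the Deepwatch MDR service across multiple AWS accounts." Also "deploys cfn-abi-deepwatch-mdr Integrations" puts the repository name where a product name is expected.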
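Review bot: In the post-deployment-steps.md hunk the command "aws cloudformation describe-stacks --stack-name" has no stack name after the flag (the placeholder was lost, as in the README), and the fence lines are indented by one space, which some renderers treat as an indented rather than a fenced block; dedent them and supply `template-deepwatch-enable-integrations` from the deployment steps. Since this page instructs the reader to hand `oDeepwatchRoleArn` to an external party, it should also say in one sentence what that role grants (the buckets and queues it can read, and that its trust policy is limited to the Deepwatch MDR AWS account defined in terminologies.md) so the customer can review it before sharing.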
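Review bot: In the pre-deployment-steps.md hunk the sentence "Ensure that your IAM user has sufficient permissions for the IAM user or role in your organization management account to create an organization trail and enable GuardDuty" is garbled; suggest "Ensure that the IAM user or role you deploy with in the organization management account has permissions to create an organization trail and enable GuardDuty". The retained context line "Subscribe to partner product from AWS Marketplace using" still ends mid-sentence, the three "For more information, refer to ..." references have no links, and "[additional resources](https://link)" is the template's placeholder URL.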
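Review bot: In the terminologies.md hunk the surrounding context has "Terminolgies" in the page description and "based of AWS SRA" (should be "based on"), and the "1\ IaC templates ... 2\ Wrappers" backslashes are stray escapes; the three new definitions are fine, though "Deepwatch MDR AWS Account" should say it is Deepwatch-owned so readers do not confuse it with their own accounts.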
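Review bot: In the test-deployment.md hunk "Control Tower Manager account" should be the "Control Tower management account" used elsewhere in the guide, and the second sentence is a run-on: "you will see similar, take note of the output values" reads better as "you will see a similar view; take note of the output values of the StackSet-deepwatch-logging-resource-configuration-*uuid* stack". The "Next:" link text "Additonal Resources" is misspelled, and the file still lacks a trailing newline.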