View this page in Japanese (日本語) | Chinese (简体中文) | Back to README
- Conditions that require advanced deployment
- Loading an existing S3 bucket
- Deploying with the AWS CDK
- Updating SIEM with the AWS CDK
Run the AWS Cloud Development Kit (AWS CDK) to deploy SIEM on Amazon OpenSearch Service without using AWS CloudFormation if any of the following is true:
- I want to deploy Amazon OpenSearch Service to an Amazon VPC private subnet
- Deployment to an Amazon VPC public subnet is not supported
- I want to aggregate and analyze logs in a multi-account environment
- I want to import an existing Amazon Simple Storage Service (Amazon S3) bucket into a CloudFormation stack to automatically configure the S3 bucket policy with the AWS CDK for receiving multi-account logs. (Existing S3 bucket policy will be overwritten)
- I want to load logs from an existing S3 bucket into SIEM on OpenSearch Service. I manage the S3 bucket policy myself
- I want to decrypt logs that are stored encrypted in an S3 bucket with an existing AWS Key Management Service (AWS KMS) customer-managed key. I manage the key policy for AWS KMS myself
- I want to change the default S3 bucket name or SIEM on OpenSearch Service domain name when deploying it
- SIEM on OpenSearch Service domain name: aes-siem
- S3 bucket name for logs: aes-siem-[AWS Account ID]-log
- S3 bucket name for snapshots: aes-siem-[AWS Account ID]-snapshot
- S3 bucket name for GeoIP download: aes-siem-[AWS Account ID]-geo
You can load your existing S3 bucket into the CloudFormation stack of SIEM on OpenSearch Service and manage it with the AWS CDK. To do this, you need to add or modify the S3 bucket policy. Note that by following the steps below, the S3 bucket policy and other bucket configurations will be overwritten. Also, you can perform the steps below only during the initial installation of SIEM on OpenSearch Service. Skip these steps if you want to send logs from your existing S3 bucket to SIEM on OpenSearch Service, but still want to manage your S3 bucket policy, etc. by yourself.
- Check the name of the S3 bucket you want to load into the CloudFormation stack
- You can either git clone a set of source code from Github, or download a CloudFormation template that imports a bucket from here
- Edit
deployment/siem-on-amazon-opensearch-service-import-exist-s3bucket.template
in the CloudFormation template that you have cloned from GitHub or downloaded. Change [change-me-to-your-bucket] in BucketName to the name of the S3 bucket you want to load into the stack - Navigate to CloudFormation in the AWS Management Console
- From the [Stacks] menu, choose [Create stack] --> [With existing resources (import resources)] from the top-right drop-down menu.
- Chooose [Next], and on the [Specify template] screen, upload the edited template
siem-on-amazon-opensearch-service-import-exist-s3bucket.template
, and choose [Next] - On the [Identify resources] screen, navigate to [Identifier value] and enter [the name of the S3 bucket you want to import] into the stack and choose [Next]
- On the [Specify stack details] screen, enter the stack name [aes-siem] and then choose [Next]
- On the [Import overview] screen, choose [Import resources] to complete
- Edit cdk.json in the next section: [Deploying with AWS CDK] --> [5-3. Other common configurations] Set the name of the S3 bucket you want to import into the stack to s3_bucket_name.log.
- The subnet you deploy is a private subnet
- Select three different Availability Zones for the subnet. (Only one instance is deployed per AZ)
- In Amazon VPC, enable both [DNS hostnames] and [DNS resolution]
cdk.json
andcdk.context.json
are created during the deployment, and ensure to backup these files in AWS Systems Manager Parameter Store or somewhere. It will be required to rerun the CDK used for the deployment of SIEM on OpenSearch Service
-
Deploy an Amazon Elastic Compute Cloud (Amazon EC2) instance that runs Amazon Linux 2023 or Amazon Linux 2. The EC instance require at least 2 GB RAM
-
Create a role with Admin permissions in AWS Identity and Access Management (IAM) and attach it to the Amazon EC2 instance
-
Log in to the shell; install the development tools, Python 3.8 or 3.9 and development files, git, jq and tar; and get the source code from GitHub
For Amazon Linux 2023
export GIT_ROOT=$HOME cd ${GIT_ROOT} sudo dnf install -y python3.11 python3.11-devel python3.11-pip git jq tar git clone https://github.com/aws-samples/siem-on-amazon-opensearch-service.git
For Amazon Linux 2
Note: With this solution, deployment with CDK on Amazon Linux 2 is deprecated
export GIT_ROOT=$HOME cd ${GIT_ROOT} sudo yum install -y amazon-linux-extras sudo amazon-linux-extras enable python3.8 sudo yum install -y python38 python38-devel git jq tar sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.8 1 git clone https://github.com/aws-samples/siem-on-amazon-opensearch-service.git
export CDK_DEFAULT_ACCOUNT=<AWS_ACCOUNT> # your AWS account
export AWS_DEFAULT_REGION=<AWS_REGION> # region where the distributable is deployed
The AWS Lambda functions that you use in SIEM on OpenSearch Service make use of third party libraries. The script below will download these libraries and create a deployment package locally. Ensure that you have Python 3 installed.
cd ${GIT_ROOT}/siem-on-amazon-opensearch-service/deployment/cdk-solution-helper/
deactive 2>/dev/null
chmod +x ./step1-build-lambda-pkg.sh && ./step1-build-lambda-pkg.sh
The script below will install a variety of software in user mode which is needed to run the AWS CDK.
chmod +x ./step2-setup-cdk-env.sh && ./step2-setup-cdk-env.sh
source ~/.bashrc
Software to be installed:
- Node Version Manager (nvm)
- Node.js
- AWS SDK for Python (Boto3)
- AWS Cloud Development Kit (AWS CDK)
From the root directory of the repository, navigate to the directory containing the AWS CDK code to prepare for configuration of options and installation
cd ${GIT_ROOT}/siem-on-amazon-opensearch-service/ && source .venv/bin/activate
cd source/cdk && cdk bootstrap $CDK_DEFAULT_ACCOUNT/$AWS_DEFAULT_REGION
If the execution fails with an error, verify that your Amazon EC2 instance has the appropriate permissions role assigned.
If you are deploying SIEM on OpenSearch Service in an Amazon VPC, copy and edit the AWS CDK sample file for Amazon VPC:
cp cdk.json.vpc.sample cdk.json
Edit cdk.json.
Parameters and descriptions for Amazon VPC:
Parameter | Description |
---|---|
vpc_typ | If you create a new Amazon VPC, enter [new], and if you use an existing Amazon VPC, enter [import]. The parameter to edit is new_vpc_xxxx for a new VPC and imported_vpc_xxxx for an existing VPC |
imported_vpc_id | Enter the ID of the Amazon VPC where you want to deploy SIEM on OpenSearch Service |
imported_vpc_subnets | Enter three or more “VPC subnet IDs” in list form |
imported_vpc_subnetX | (Deprecated) Enter three parameters, namely [VPC subnet ID], [Availability Zone], and [route table ID] |
new_vpc_nw_cidr_block | Enter the IP and CIDR block for the new Amazon VPC that you create. The format is the IP address/the number of subnet masks. Example) 192.0.2.0/24 |
new_vpc_subnet_cidr_mask | Subnet CIDR block. For scalability, we recommend /27 or larger. |
If you want to deploy SIEM on OpenSearch Service in a public access environment:
cp cdk.json.public.sample cdk.json
There’s no public-access-specific configuration
You can change the following parameters as common configurations. No modification is required if there are no changes.
Parameter | Initial value | Description |
---|---|---|
aes_domain_name | aes-siem | Changes the SIEM on OpenSearch Service domain |
s3_bucket_name | Changes the S3 bucket name from the initial value | |
log | aes-siem-[AWS Account ID]-log | S3 bucket name for logs |
snapshot | aes-siem-[AWS Account ID]-snapshot | S3 bucket name for snapshots |
geo | aes-siem-[AWS Account ID]-geo | S3 bucket name for GeoIP downloads |
kms_cmk_alias | aes-siem-key | Changes the alias name of the AWS KMS customer-managed key |
organizations | Automatically generates an S3 bucket policy by using the AWS Organizations information entered here. No input is required if you manage another S3 bucket by yourself | |
.org_id | Organizations ID. Example) o-12345678 | |
.management_id | The AWS account ID that is the administrator account in Organizations | |
.member_ids | The AWS account IDs that are member accounts in Organizations, separated by commas | |
no_organizations | Automatically generates a bucket policy for accounts that are not managed by Organizations, by using the account information entered here. No input is required if you manage another S3 bucket by yourself | |
.aws_accounts | Enter comma-separated AWS account IDs that are not managed by Organizations | |
additional_s3_buckets | Enumerates S3 bucket names separated by commas | |
additional_kms_cmks | Enumerates the ARNs of AWS KMS customer-managed keys, separated by commas |
Finally, validate the JSON file. If JSON is displayed after execution and there is no error, the syntax of the JSON file is fine.
cdk context --j
Deploy the AWS CDK:
cdk deploy
You can specify the same parameters as for the CloudFormation template. The parameters can also be changed from the CloudFormation console after deployment with the CDK command. During the initial installation, you can deploy without any parameters.
Parameter | Description |
---|---|
Initial Deployment Parameters | |
AllowedSourceIpAddresses | The IP addresses that you want to allow access from when deploying SIEM on OpenSearch Service outside of your Amazon VPC. Multiple addresses are space-separated |
Basic Configuration | |
DeploymentTarget | Where would you like to deploy the SIEM solution? Value is opensearch_managed_cluster (default) or opensearch_serverless . Serverless is experimental option |
DomainOrCollectionName | Amazon OpenSearch Service Domain name or OpenSearch Serverless Collection name |
SnsEmail | Email address. Alerts detected by SIEM on OpenSearch Service will be sent to this email address via SNS |
ReservedConcurrency | The maximum number of concurrency executions for es-loader. The default value is 10 . Increase this value if you see delays in loading logs or if you see constant throttling occur even though there are no errors |
Log Enrichment - optional | |
GeoLite2LicenseKey | Maxmind license key. It will add country information to each IP address |
OtxApiKey | If you wolud like to download IoC from AlienVault OTX, please enter OTX API Key. |
EnableTor | Would you like to download Tor IoC? Value is true or false (default) |
EnableAbuseCh | Would you like to download IoC from abuse.ch? Value is true or false (default) |
IocDownloadInterval | Specify interval in minute to download IoC, default is 720 minutes |
Advanced Configuration - optional | |
LogBucketPolicyUpdate | Select update_and_override (default) or keep for the current policy of the Log bucket. Be sure to select update_and_override for the first deployment. If you select update_and_override when updating, you need to create and manage the bucket policy for writing logs to your S3 Log bucket by yourself |
VpcEndpointId | Specify VPC Endpoint for OpenSearch managed cluster or OpenSearch Serverless. This should be manually created before deployment. If you specify VPC Endpoint, a few lambda functions and other resources will be deployed into VPC |
CreateS3VpcEndpoint | Create new S3 VPC Endpoint with SIEM solution. Value is true (default) or false . If you use existing VPC and already have S3 VPC Endpoint, select false |
CreateSqsVpcEndpoint | Create new SQS VPC Endpoint with SIEM solution. Value is true (default) or false . If you use existing VPC and already have SQS VPC Endpoint, select false |
CreateSsmVpcEndpoint | Create new Systems Manager VPC Endpoint with SIEM solution. Value is true (default) or false . If you use existing VPC and already have Systems Manager VPC Endpoint, select false |
CreateStsVpcEndpoint | Create new STS VPC Endpoint with SIEM solution. An STS VPC Endpoint is created only if you choose to integrate with Control Tower or Security Lake. Value is true (default) or false . If you use existing VPC and already have STS VPC Endpoint, select false |
Control Tower Integration - optional | AWS Control Tower Integration |
ControlTowerLogBucketNameList | Specify S3 log bucket names in the Log Archive account. Comma separated list. (e.g., aws-controltower-logs-123456789012-ap-northeast-1, aws-controltower-s3-access-logs-123456789012-ap-northeast-1 ) |
ControlTowerSqsForLogBuckets | Specify SQS ARN for S3 log buckets in Log Archive Account. (e.g., arn:aws:sqs:ap-northeast-1:12345678902:aes-siem-ct ) |
ControlTowerRoleArnForEsLoader | Specify IAM Role ARN to be assumed by aes-siem-es-loader. (e.g., arn:aws:iam::123456789012:role/ct-role-for-siem ) |
Security Lake Integration - optional | Amazon Security Lake Integration |
SecurityLakeSubscriberSqs | Specify SQS ARN of Security Lake Subscriber. (e.g., arn:aws:sqs:us-east-1:12345678902:AmazonSecurityLake-00001111-2222-3333-5555-666677778888-Main-Queue ` ) |
SecurityLakeRoleArn | Specify IAM Role ARN to be assumed by aes-siem-es-loader. (e.g., arn:aws:iam::123456789012:role/AmazonSecurityLake-00001111-2222-3333-5555-666677778888 ) |
SecurityLakeExternalId | Specify Security Lake external ID for cross account. (e.g., externalid123 ) |
Syntax) --parameters Option1=Parameter1 --parameters Option2=Parameter2
If you have more than one parameter, repeat --parameters
Example of deployment with parameters)
cdk deploy \
--parameters AllowedSourceIpAddresses="10.0.0.0/8 192.168.0.1" \
--parameters GeoLite2LicenseKey=xxxxxxxxxxxxxxxx
The deployment takes about 30 minutes. When you're done, go back to README and proceed to “2. Configuring OpenSearch Dashboards.”
Make a backup of cdk.json and cdk.context.json.
Example of backing up to AWS Systems Manager Parameter Store
aws ssm put-parameter \
--overwrite \
--type String \
--name /siem/cdk/cdk.json \
--value file://cdk.json
if [ -f cdk.context.json ]; then
aws ssm put-parameter \
--overwrite \
--type String \
--name /siem/cdk/cdk.context.json \
--value file://cdk.context.json
fi
You can update the SIEM repository with the AWS CDK. Ensure that the cdk.json you used during the initial installation is stored in the CDK directory.
Note: When you update SIEM, Global tenant settings, dashboards, etc. will be overwritten automatically. The configuration files and dashboards used before the update will be backed up to aes-siem-[AWS_Account]-snapshot/saved_objects/ in the S3 bucket, so restore them manually if you want to restore the original settings.
Note: S3 bucket policy, KMS key policy, IAM policy, etc. are automatically generated by CDK/CloudFormation. Manual modification is not recommended, but if you have modified it, it will be overwritten, so please back up each and update the difference after updating.
export GIT_ROOT=$HOME
cd ${GIT_ROOT}/siem-on-amazon-opensearch-service/ && git stash && git checkout main
git pull --rebase
Go back to the [Deploying with the AWS CDK] section and rerun [2. Setting Environment Variables], [3. Creating an AWS Lambda Deployment Package], and [4. Setting Up the Environment for AWS Cloud Development Kit (AWS CDK).]
Note that [5. Setting Installation Options with the AWS CDK] and the subsequent steps do not need to be followed. Instead, execute the commands below:
Restore cdk.json
and cdk.context.json
saved during installation to ${GIT_ROOT}/siem-on-amazon-opensearch-service/source/cdk/
. There may be no cdk.context.json
.
Example of restoring from AWS Systems Manager Parameter Store
cd ${GIT_ROOT}/siem-on-amazon-opensearch-service/source/cdk/
if [ -s cdk.json ]; then
cp cdk.json cdk.json.`date "+%Y%m%d%H%M%S"`
fi
aws ssm get-parameter \
--name /siem/cdk/cdk.json \
--query "Parameter.Value" \
--output text > cdk.json
if [ -s cdk.context.json ]; then
cp cdk.context.json cdk.context.json.`date "+%Y%m%d%H%M%S"`
fi
aws ssm get-parameter \
--name /siem/cdk/cdk.context.json \
--query "Parameter.Value" \
--output text > cdk.context.json.new 2> /dev/null
if [ -s cdk.context.json.new ]; then
mv cdk.context.json.new cdk.context.json
else
rm cdk.context.json.new
fi
Note) When updating from v2.8.0d prior version, it is necessary to migrate from CDK v1 to CDK v2. Run cdk bootstrap again
cd ${GIT_ROOT}/siem-on-amazon-opensearch-service/ && source .venv/bin/activate
cd source/cdk
# Also run `cdk bootstrap` if updating from v2.8.0d or prior version
# cdk bootstrap
cdk deploy
Updated diffs will be displayed. Enter [y] to confirm. The update will be complete in a few minutes.