Description: SIEM on Amazon OpenSearch Service v2.10.0
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Initial Deployment Parameters
Parameters:
- AllowedSourceIpAddresses
- Label:
default: Basic Configuration
Parameters:
- DeploymentTarget
- DomainOrCollectionName
- SnsEmail
- ReservedConcurrency
- Label:
default: Log Enrichment - optional
Parameters:
- GeoLite2LicenseKey
- OtxApiKey
- EnableTor
- EnableAbuseCh
- IocDownloadInterval
- Label:
default: Advanced Configuration - optional
Parameters:
- VpcEndpointId
- CreateS3VpcEndpoint
- CreateSqsVpcEndpoint
- Label:
default: Control Tower Integration - optional
Parameters:
- ControlTowerLogBucketNameList
- ControlTowerSqsForLogBuckets
- ControlTowerRoleArnForEsLoader
- Label:
default: Security Lake Integration - optional
Parameters:
- SecurityLakeSubscriberSqs
- SecurityLakeRoleArn
- SecurityLakeExternalId
- Label:
default: Other parameters
Parameters: []
Mappings:
RegionMap:
af-south-1:
ElbV2AccountId: '098369216593'
LambdaArch: arm64
ap-east-1:
ElbV2AccountId: '754344448648'
LambdaArch: arm64
ap-northeast-1:
ElbV2AccountId: '582318560864'
LambdaArch: arm64
ap-northeast-2:
ElbV2AccountId: '600734575887'
LambdaArch: arm64
ap-northeast-3:
ElbV2AccountId: '383597477331'
LambdaArch: arm64
ap-south-1:
ElbV2AccountId: '718504428378'
LambdaArch: arm64
ap-southeast-1:
ElbV2AccountId: '114774131450'
LambdaArch: arm64
ap-southeast-2:
ElbV2AccountId: '783225319266'
LambdaArch: arm64
ap-southeast-3:
ElbV2AccountId: '589379963580'
LambdaArch: arm64
ca-central-1:
ElbV2AccountId: '985666609251'
LambdaArch: arm64
cn-north-1:
ElbV2AccountId: '638102146993'
LambdaArch: x86_64
cn-northwest-1:
ElbV2AccountId: '037604701340'
LambdaArch: x86_64
eu-central-1:
ElbV2AccountId: '054676820928'
LambdaArch: arm64
eu-north-1:
ElbV2AccountId: '897822967062'
LambdaArch: arm64
eu-south-1:
ElbV2AccountId: '635631232127'
LambdaArch: arm64
eu-west-1:
ElbV2AccountId: '156460612806'
LambdaArch: arm64
eu-west-2:
ElbV2AccountId: '652711504416'
LambdaArch: arm64
eu-west-3:
ElbV2AccountId: '009996457667'
LambdaArch: arm64
me-south-1:
ElbV2AccountId: '076674570225'
LambdaArch: arm64
sa-east-1:
ElbV2AccountId: '507241528517'
LambdaArch: arm64
us-east-1:
ElbV2AccountId: '127311923021'
LambdaArch: arm64
us-east-2:
ElbV2AccountId: '033677994240'
LambdaArch: arm64
us-gov-east-1:
ElbV2AccountId: '190560391635'
LambdaArch: x86_64
us-gov-west-1:
ElbV2AccountId: '048591011584'
LambdaArch: x86_64
us-iso-east-1:
ElbV2AccountId: '770363063475'
LambdaArch: x86_64
us-iso-west-1:
ElbV2AccountId: '121062877647'
LambdaArch: x86_64
us-isob-east-1:
ElbV2AccountId: '740734521339'
LambdaArch: x86_64
us-west-1:
ElbV2AccountId: '027434742980'
LambdaArch: arm64
us-west-2:
ElbV2AccountId: '797873946194'
LambdaArch: arm64
ap-south-2:
ElbV2AccountId: '999999999999'
LambdaArch: x86_64
ap-southeast-4:
ElbV2AccountId: '999999999999'
LambdaArch: x86_64
eu-central-2:
ElbV2AccountId: '999999999999'
LambdaArch: x86_64
eu-south-2:
ElbV2AccountId: '999999999999'
LambdaArch: x86_64
me-central-1:
ElbV2AccountId: '999999999999'
LambdaArch: x86_64
Parameters:
DeploymentTarget:
Type: String
Default: opensearch_managed_cluster
AllowedValues:
- opensearch_managed_cluster
- opensearch_serverless
Description: Where would you like to deploy the SIEM solution? Amazon OpenSearch managed cluster or serverless? Serverless is experimental option
DomainOrCollectionName:
Type: String
Default: aes-siem
AllowedPattern: ^[0-9a-zA-Z_-]*
Description: Amazon OpenSearch Service Domain name or OpenSearch Serverless Collection name
VpcEndpointId:
Type: String
Default: ''
AllowedPattern: (^vpce-[0-9a-z]*|aos-[0-9a-z]*|)
Description: (Optional) Specify VPC Endpoint for OpenSearch managed cluster or OpenSearch Serverless. This should be manually created before deployment. If you specify VPC Endpoint, a few lambda functions
and other resources will be deploy into VPC
AllowedSourceIpAddresses:
Type: String
Default: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
AllowedPattern: ^[0-9./\s]*
Description: Space-delimited list of CIDR blocks. This parameter applies only during the initial deployment
SnsEmail:
Type: String
Default: ''
AllowedPattern: ^([0-9a-zA-Z@_\-\+\.]*|)
Description: (Optional) Input your email as SNS topic, where Amazon OpenSearch Service will send alerts to
GeoLite2LicenseKey:
Type: String
Default: ''
AllowedPattern: ^([0-9a-zA-Z]{6}_[0-9a-zA-Z]{29}_mmk|[0-9a-zA-Z]{16}|)$
Description: (Optional) If you wolud like to enrich geoip locaiton such as IP address's country, get a license key from MaxMind and input the key. The license is a string of 16 or 40 digits
MaxLength: 40
ReservedConcurrency:
Type: Number
Default: 10
Description: Input lambda reserved concurrency for es-loader. Increase this value if there are steady logs delay despite withou errors
OtxApiKey:
Type: String
Default: ''
AllowedPattern: ^([0-9a-f,x]{64}|)$
Description: '(Optional) If you wolud like to download IoC from AlienVault OTX, please enter OTX API Key. See details: https://otx.alienvault.com'
MaxLength: 64
EnableTor:
Type: String
Default: 'false'
AllowedValues:
- 'true'
- 'false'
Description: 'Would you like to download TOR IoC? See details: https://check.torproject.org/api/bulk'
EnableAbuseCh:
Type: String
Default: 'false'
AllowedValues:
- 'true'
- 'false'
Description: 'Would you like to download IoC from abuse.ch? See details: https://feodotracker.abuse.ch/blocklist/'
IocDownloadInterval:
Type: Number
Default: 720
Description: Specify interval in minute to download IoC, default is 720 miniutes ( = 12 hours ).min is 30 minutes. max is 10080 minutes ( = 7 days ).
MaxValue: 10080
MinValue: 30
CreateS3VpcEndpoint:
Type: String
Default: 'true'
AllowedValues:
- 'true'
- 'false'
Description: Create new SQS VPC Endpoint with SIEM solution. If you use existing VPC and already have S3 VPC Endpoint, select false
CreateSqsVpcEndpoint:
Type: String
Default: 'true'
AllowedValues:
- 'true'
- 'false'
Description: Create new S3 VPC Endpoint with SIEM solution. If you use existing VPC and already have S3 VPC Endpoint, select false
ControlTowerLogBucketNameList:
Type: String
Default: ''
AllowedPattern: ^[-0-9a-z.\s,]*$
Description: Specify S3 log bucket names in the Log Archive account. Comma separated list. (e.g., aws-controltower-logs-123456789012-ap-northeast-1, aws-controltower-s3-access-logs-123456789012-ap-northeast-1
)
ControlTowerRoleArnForEsLoader:
Type: String
Default: ''
AllowedPattern: ^(arn:aws.*:iam::[0-9]{12}:role/.*|)$
Description: Specify IAM Role ARN to be assumed by aes-siem-es-loader. (e.g., arn:aws:iam::123456789012:role/ct-role-for-siem )
ControlTowerSqsForLogBuckets:
Type: String
Default: ''
AllowedPattern: ^(arn:aws[0-9a-zA-Z:/_-]*|)$
Description: Specify SQS ARN for S3 log buckets in Log Archive Account. (e.g., arn:aws:sqs:ap-northeast-1:12345678902:aes-siem-ct )
SecurityLakeRoleArn:
Type: String
Default: ''
AllowedPattern: ^(arn:aws.*:iam::[0-9]{12}:role/AmazonSecurityLake-[0-9a-f-]*|)$
Description: Specify IAM Role ARN to be assumed by aes-siem-es-loader. (e.g., arn:aws:iam::123456789012:role/AmazonSecurityLake-00001111-2222-3333-5555-666677778888 )
SecurityLakeExternalId:
Type: String
Default: ''
AllowedPattern: ^([0-9a-zA-Z]*|)$
Description: Specify Security Lake external ID for cross account. (e.g., externalid123 )
SecurityLakeSubscriberSqs:
Type: String
Default: ''
AllowedPattern: ^(arn:aws.*:sqs:.*:[0-9]{12}:AmazonSecurityLake-[0-9a-f-]*-Main-Queue|)$
Description: Specify SQS ARN of Security Lake Subscriber. (e.g., arn:aws:sqs:us-east-1:12345678902:AmazonSecurityLake-00001111-2222-3333-5555-666677778888-Main-Queue )
Conditions:
isGlobalRegion: !Not
- !Or
- !Equals
- !Ref 'AWS::Region'
- cn-north-1
- !Equals
- !Ref 'AWS::Region'
- cn-northwest-1
- !Equals
- !Ref 'AWS::Region'
- us-gov-east-1
- !Equals
- !Ref 'AWS::Region'
- us-gov-west-1
HasLambdaArchitecturesProp: !Not
- !Or
- !Equals
- !Ref 'AWS::Region'
- ap-south-2
- !Equals
- !Ref 'AWS::Region'
- ap-southeast-4
- !Equals
- !Ref 'AWS::Region'
- eu-central-2
- !Equals
- !Ref 'AWS::Region'
- eu-south-2
- !Equals
- !Ref 'AWS::Region'
- me-central-1
IsServerless: !Equals
- !Ref 'DeploymentTarget'
- opensearch_serverless
IsManagedCluster: !Equals
- !Ref 'DeploymentTarget'
- opensearch_managed_cluster
hasVpce: !Not
- !Equals
- !Ref 'VpcEndpointId'
- ''
IsInVpc: !Or
- !Equals
- false
- true
- !Condition 'hasVpce'
HasGeoipLicense: !Not
- !Equals
- !Ref 'GeoLite2LicenseKey'
- ''
EnableIOC: !Or
- !Not
- !Equals
- !Ref 'OtxApiKey'
- ''
- !Equals
- !Ref 'EnableTor'
- 'true'
- !Equals
- !Ref 'EnableAbuseCh'
- 'true'
HasSnsEmail: !Not
- !Equals
- !Ref 'SnsEmail'
- ''
SqsVpceIsRequired: !And
- !Equals
- !Ref 'CreateS3VpcEndpoint'
- 'true'
- !Condition 'IsInVpc'
S3VpceIsRequired: !And
- !Equals
- !Ref 'CreateSqsVpcEndpoint'
- 'true'
- !Condition 'IsInVpc'
IsControlTowerAcccess: !And
- !Not
- !Equals
- !Ref 'ControlTowerLogBucketNameList'
- ''
- !Not
- !Equals
- !Ref 'ControlTowerRoleArnForEsLoader'
- ''
- !Not
- !Equals
- !Ref 'ControlTowerSqsForLogBuckets'
- ''
IsSecurityLakeAcccess: !And
- !Not
- !Equals
- !Ref 'SecurityLakeExternalId'
- ''
- !Not
- !Equals
- !Ref 'SecurityLakeRoleArn'
- ''
- !Not
- !Equals
- !Ref 'SecurityLakeSubscriberSqs'
- ''
Resources:
LambdaResourceValidatorServiceRole8BE4D6B0:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaResourceValidatorE0EF57CE:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/deploy_es.zip'
Role: !GetAtt 'LambdaResourceValidatorServiceRole8BE4D6B0.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / resource validator for deployment
Environment:
Variables:
ACCOUNT_ID: !Ref 'AWS::AccountId'
AOS_SUBNET_IDS: ''
DEPLOYMENT_TARGET: !Ref 'DeploymentTarget'
DOMAIN_OR_COLLECTION_NAME: !Ref 'DomainOrCollectionName'
S3_LOG: !Sub 'aes-siem-${AWS::AccountId}-log'
S3_SNAPSHOT: !Sub 'aes-siem-${AWS::AccountId}-snapshot'
SOLUTION_PREFIX: aes-siem
VPCE_ID: !Ref 'VpcEndpointId'
FunctionName: aes-siem-resource-validator
Handler: index.resource_validator_handler
MemorySize: 128
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 30
DependsOn:
- LambdaResourceValidatorServiceRole8BE4D6B0
LambdaResourceValidatorCurrentVersion1C9DB5C1386d40e64504275b8d67bc70d088c8cc:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaResourceValidatorE0EF57CE'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
aessiempolicyforvpcvalidation724B105E:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:AssignPrivateIpAddresses
- ec2:UnassignPrivateIpAddresses
Effect: Allow
Resource: '*'
- Action:
- aoss:BatchGetCollection
- aoss:BatchGetVpcEndpoint
- ec2:DescribeRouteTables
- ec2:DescribeSubnets
- ec2:DescribeVpcEndpoints
- ec2:DescribeVpcs
- es:DescribeVpcEndpoints
- iam:GetRole
Effect: Allow
Resource: '*'
- Action: s3:GetBucketPolicy
Effect: Allow
Resource: !Sub 'arn:aws:s3:::aes-siem-${AWS::AccountId}-log'
Sid: ToGetBucektPolicy
- Action: s3:PutObject
Effect: Allow
Resource: !Sub 'arn:aws:s3:::aes-siem-${AWS::AccountId}-snapshot/*'
Sid: ToUploadPolicy
Version: '2012-10-17'
PolicyName: aes-siem-policy-for-vpc-validation
Roles:
- !Ref 'LambdaResourceValidatorServiceRole8BE4D6B0'
ExecCustomResourceValidator:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: !GetAtt 'LambdaResourceValidatorE0EF57CE.Arn'
ConfigVersion: 2.10.0
vpce: !Ref 'VpcEndpointId'
DeploymentTarget: !Ref 'DeploymentTarget'
DeletionPolicy: Retain
KmsAesSiemLog44B26597:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Action: kms:*
Effect: Allow
Principal:
AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
Resource: '*'
- Action: kms:GenerateDataKey
Effect: Allow
Principal:
Service: guardduty.amazonaws.com
Resource: '*'
Sid: Allow GuardDuty to use the key
- Action:
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
- kms:DescribeKey
Effect: Allow
Principal:
Service: delivery.logs.amazonaws.com
Resource: '*'
Sid: Allow VPC Flow Logs to use the key
- Action:
- kms:DescribeKey
- kms:ReEncryptFrom
Effect: Allow
Principal:
AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
Resource: '*'
Sid: Allow principals in the account to decrypt log files
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
Condition:
ForAnyValue:StringEquals:
aws:CalledVia: athena.amazonaws.com
Effect: Allow
Principal:
AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
Resource: '*'
Sid: Allow Athena to query s3 objects with this key
- Action: kms:DescribeKey
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Resource: '*'
Sid: Allow CloudTrail to describe key
- Action: kms:GenerateDataKey*
Condition:
StringLike:
kms:EncryptionContext:aws:cloudtrail:arn:
- !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Resource: '*'
Sid: Allow CloudTrail to encrypt logs
- Action:
- kms:Decrypt
- kms:GenerateDataKey
Effect: Allow
Principal:
Service: events.amazonaws.com
Resource: '*'
Version: '2012-10-17'
Description: CMK for SIEM solution
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
KmsAesSiemLogAliasE0A4C571:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/aes-siem-key
TargetKeyId: !GetAtt 'KmsAesSiemLog44B26597.Arn'
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
S3BucketForGeoip04B5F171:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
BucketName: !Sub 'aes-siem-${AWS::AccountId}-geo'
LifecycleConfiguration:
Rules:
- ExpirationInDays: 8
Id: delete-ioc-temp-files
Prefix: IOC/tmp/
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
S3BucketForGeoipPolicy854C0CB1:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref 'S3BucketForGeoip04B5F171'
PolicyDocument:
Statement:
- Action: s3:*
Condition:
Bool:
aws:SecureTransport: 'false'
Effect: Deny
Principal:
AWS: '*'
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
Version: '2012-10-17'
S3BucketForLog20898FE4:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
BucketName: !Sub 'aes-siem-${AWS::AccountId}-log'
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
VersioningConfiguration:
Status: Enabled
DependsOn:
- ExecCustomResourceValidator
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
S3BucketForLogPolicy546D5712:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref 'S3BucketForLog20898FE4'
PolicyDocument:
Statement:
- Action: s3:*
Condition:
Bool:
aws:SecureTransport: 'false'
Effect: Deny
Principal:
AWS: '*'
Resource:
- !GetAtt 'S3BucketForLog20898FE4.Arn'
- !Sub '${S3BucketForLog20898FE4.Arn}/*'
- Action: s3:PutObject
Effect: Allow
Principal:
AWS: !Sub
- arn:${AWS::Partition}:iam::${Param1}:root
- Param1: !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- ElbV2AccountId
Resource:
- !Sub '${S3BucketForLog20898FE4.Arn}/AWSLogs/${AWS::AccountId}/*'
- !Sub '${S3BucketForLog20898FE4.Arn}/*/AWSLogs/${AWS::AccountId}/*'
Sid: ALB,CLB Policy
- Action:
- s3:GetBucketAcl
- s3:ListBucket
- s3:PutObject
Condition:
StringEquals:
aws:SourceAccount:
- !Ref 'AWS::AccountId'
Effect: Allow
Principal:
Service: delivery.logs.amazonaws.com
Resource:
- !GetAtt 'S3BucketForLog20898FE4.Arn'
- !Sub '${S3BucketForLog20898FE4.Arn}/*'
Sid: AWSLogDelivery For NLB,R53Resolver,Flowlogs
- Action:
- s3:GetBucketAcl
- s3:ListBucket
Effect: Allow
Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Resource: !GetAtt 'S3BucketForLog20898FE4.Arn'
Sid: AWSLogDeliveryAclCheck For Cloudtrail, Config
- Action: s3:PutObject
Condition:
StringEquals:
aws:SourceAccount:
- !Ref 'AWS::AccountId'
Effect: Allow
Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Resource: !Sub '${S3BucketForLog20898FE4.Arn}/*/*'
Sid: AWSLogDeliveryWrite For CloudTrail, Config
- Action:
- s3:GetBucketLocation
- s3:PutObject
Condition:
StringEquals:
aws:SourceAccount:
- !Ref 'AWS::AccountId'
Effect: Allow
Principal:
Service: guardduty.amazonaws.com
Resource:
- !GetAtt 'S3BucketForLog20898FE4.Arn'
- !Sub '${S3BucketForLog20898FE4.Arn}/*'
Sid: Allow GuardDuty to put objects
Version: '2012-10-17'
DependsOn:
- ExecCustomResourceValidator
S3BucketForLogNotificationsAEE88E1E:
Type: Custom::S3BucketNotifications
Properties:
ServiceToken: !GetAtt 'BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691.Arn'
BucketName: !Ref 'S3BucketForLog20898FE4'
NotificationConfiguration:
LambdaFunctionConfigurations:
- Events:
- s3:ObjectCreated:*
LambdaFunctionArn: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
Managed: true
DependsOn:
- ExecCustomResourceValidator
- S3BucketForLogAllowBucketNotificationsToaessiemLambdaEsLoaderEBF3B9FB7766EAA3
S3BucketForLogAllowBucketNotificationsToaessiemLambdaEsLoaderEBF3B9FB7766EAA3:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
Principal: s3.amazonaws.com
SourceAccount: !Ref 'AWS::AccountId'
SourceArn: !GetAtt 'S3BucketForLog20898FE4.Arn'
DependsOn:
- ExecCustomResourceValidator
S3BucketForSnapshot40E67D36:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
BucketName: !Sub 'aes-siem-${AWS::AccountId}-snapshot'
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
S3BucketForSnapshotPolicy3DEBD2C0:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref 'S3BucketForSnapshot40E67D36'
PolicyDocument:
Statement:
- Action: s3:*
Condition:
Bool:
aws:SecureTransport: 'false'
Effect: Deny
Principal:
AWS: '*'
Resource:
- !GetAtt 'S3BucketForSnapshot40E67D36.Arn'
- !Sub '${S3BucketForSnapshot40E67D36.Arn}/*'
- Action:
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
Effect: Allow
Principal:
AWS: !GetAtt 'AesSiemSnapshotRoleF313ED39.Arn'
Resource: !Sub '${S3BucketForSnapshot40E67D36.Arn}/*'
Sid: Allow OpenSearch Service to store snapshot
Version: '2012-10-17'
AesSiemSnapshotRoleF313ED39:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: opensearchservice.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action: s3:ListBucket
Effect: Allow
Resource: !GetAtt 'S3BucketForSnapshot40E67D36.Arn'
- Action:
- s3:GetObject
- s3:PutObject
- s3:DeleteObject
Effect: Allow
Resource: !Sub '${S3BucketForSnapshot40E67D36.Arn}/*'
Version: '2012-10-17'
PolicyName: s3access
RoleName: aes-siem-snapshot-role
AesSiemSnsRole64262F46:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: opensearchservice.amazonaws.com
Version: '2012-10-17'
RoleName: aes-siem-sns-role
AesSiemSnsRoleDefaultPolicy7B8095B5:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- kms:Decrypt
- kms:GenerateDataKey
Effect: Allow
Resource: !GetAtt 'KmsAesSiemLog44B26597.Arn'
- Action: sns:Publish
Effect: Allow
Resource: !Ref 'SnsTopic2C1570A4'
Version: '2012-10-17'
PolicyName: AesSiemSnsRoleDefaultPolicy7B8095B5
Roles:
- !Ref 'AesSiemSnsRole64262F46'
AesSiemEsLoaderEC2RoleFE3F9F00:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ec2.amazonaws.com
Version: '2012-10-17'
RoleName: aes-siem-es-loader-for-ec2
AesSiemEsLoaderEC2RoleDefaultPolicyAF44001A:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- sqs:GetQueue*
- sqs:ListQueues*
- sqs:ReceiveMessage*
- sqs:DeleteMessage*
Effect: Allow
Resource: !GetAtt 'AesSiemDlq1CD8439D.Arn'
- Action: kms:Decrypt
Effect: Allow
Resource: !GetAtt 'KmsAesSiemLog44B26597.Arn'
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForLog20898FE4.Arn'
- !Sub '${S3BucketForLog20898FE4.Arn}/*'
Version: '2012-10-17'
PolicyName: AesSiemEsLoaderEC2RoleDefaultPolicyAF44001A
Roles:
- !Ref 'AesSiemEsLoaderEC2RoleFE3F9F00'
AesSiemEsLoaderEC2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref 'AesSiemEsLoaderEC2RoleFE3F9F00'
InstanceProfileName: !Ref 'AesSiemEsLoaderEC2RoleFE3F9F00'
AesSiemVpcNoinboundSecurityGroup58555CE0:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: aes-siem/AesSiemVpcNoinboundSecurityGroup
VpcId: !GetAtt 'ExecCustomResourceValidator.vpc_id'
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Condition: IsInVpc
AesSiemVpcSecurityGroup2nd:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: aes-siem/AesSiemVpcSecurityGroup2nd
GroupName: aes-siem-vpc-sg2
SecurityGroupIngress:
- CidrIp: !GetAtt 'ExecCustomResourceValidator.cidr_block0'
FromPort: 443
IpProtocol: tcp
ToPort: 443
- CidrIp: !GetAtt 'ExecCustomResourceValidator.cidr_block1'
FromPort: 443
IpProtocol: tcp
ToPort: 443
- CidrIp: !GetAtt 'ExecCustomResourceValidator.cidr_block2'
FromPort: 443
IpProtocol: tcp
ToPort: 443
- CidrIp: !GetAtt 'ExecCustomResourceValidator.cidr_block3'
FromPort: 443
IpProtocol: tcp
ToPort: 443
VpcId: !GetAtt 'ExecCustomResourceValidator.vpc_id'
Condition: IsInVpc
VpcAesSiemSQSEndpoint8BFF7847:
Type: AWS::EC2::VPCEndpoint
Properties:
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
VpcId: !GetAtt 'ExecCustomResourceValidator.vpc_id'
PrivateDnsEnabled: true
SecurityGroupIds:
- !GetAtt 'AesSiemVpcSecurityGroup2nd.GroupId'
SubnetIds: !GetAtt 'ExecCustomResourceValidator.subnets'
VpcEndpointType: Interface
Condition: SqsVpceIsRequired
VpcAesSiemS3Endpoint003F70DF:
Type: AWS::EC2::VPCEndpoint
Properties:
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
VpcId: !GetAtt 'ExecCustomResourceValidator.vpc_id'
RouteTableIds: !GetAtt 'ExecCustomResourceValidator.route_table_ids'
VpcEndpointType: Gateway
Condition: S3VpceIsRequired
AesSiemDlq1CD8439D:
Type: AWS::SQS::Queue
Properties:
KmsDataKeyReusePeriodSeconds: 86400
KmsMasterKeyId: alias/aws/sqs
MessageRetentionPeriod: 1209600
QueueName: aes-siem-dlq
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
AesSiemSqsSplitLogs0191F431:
Type: AWS::SQS::Queue
Properties:
KmsDataKeyReusePeriodSeconds: 86400
KmsMasterKeyId: alias/aws/sqs
MessageRetentionPeriod: 1209600
QueueName: aes-siem-sqs-splitted-logs
RedrivePolicy:
deadLetterTargetArn: !GetAtt 'AesSiemDlq1CD8439D.Arn'
maxReceiveCount: 20
VisibilityTimeout: 600
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
LambdaEsLoaderServiceRoleFFD43869:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaEsLoaderServiceRoleDefaultPolicyB7A386B3:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:AssignPrivateIpAddresses
- ec2:UnassignPrivateIpAddresses
Effect: Allow
Resource: '*'
- Action: sqs:SendMessage
Effect: Allow
Resource: !GetAtt 'AesSiemDlq1CD8439D.Arn'
- Action:
- sqs:SendMessage
- sqs:ReceiveMessage
- sqs:DeleteMessage
- sqs:GetQueueAttributes
Effect: Allow
Resource: !GetAtt 'AesSiemDlq1CD8439D.Arn'
- Action:
- sqs:SendMessage
- sqs:ReceiveMessage
- sqs:DeleteMessage
- sqs:GetQueueAttributes
Effect: Allow
Resource: !GetAtt 'AesSiemSqsSplitLogs0191F431.Arn'
- Action:
- sqs:ReceiveMessage
- sqs:ChangeMessageVisibility
- sqs:GetQueueUrl
- sqs:DeleteMessage
- sqs:GetQueueAttributes
Effect: Allow
Resource: !GetAtt 'AesSiemSqsSplitLogs0191F431.Arn'
- Action: kms:Decrypt
Effect: Allow
Resource: !GetAtt 'KmsAesSiemLog44B26597.Arn'
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForLog20898FE4.Arn'
- !Sub '${S3BucketForLog20898FE4.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaEsLoaderServiceRoleDefaultPolicyB7A386B3
Roles:
- !Ref 'LambdaEsLoaderServiceRoleFFD43869'
LambdaEsLoader4B1E2DD9:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/es_loader.zip'
Role: !GetAtt 'LambdaEsLoaderServiceRoleFFD43869.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
DeadLetterConfig:
TargetArn: !GetAtt 'AesSiemDlq1CD8439D.Arn'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / es-loader
Environment:
Variables:
AOSS_TYPE: !GetAtt 'AesSiemDomainDeployedR2.aoss_type'
CONTROL_TOWER_LOG_BUCKETS: !Ref 'ControlTowerLogBucketNameList'
CONTROL_TOWER_ROLE_ARN: !Ref 'ControlTowerRoleArnForEsLoader'
CONTROL_TOWER_ROLE_SESSION_NAME: aes-siem-es-loader
ENDPOINT: !GetAtt 'AesSiemDomainDeployedR2.endpoint'
GEOIP_BUCKET: !Sub 'aes-siem-${AWS::AccountId}-geo'
LOG_LEVEL: info
POWERTOOLS_LOGGER_LOG_EVENT: 'false'
POWERTOOLS_METRICS_NAMESPACE: SIEM
POWERTOOLS_SERVICE_NAME: es-loader
SECURITY_LAKE_EXTERNAL_ID: !Ref 'SecurityLakeExternalId'
SECURITY_LAKE_ROLE_ARN: !Ref 'SecurityLakeRoleArn'
SECURITY_LAKE_ROLE_SESSION_NAME: aes-siem-es-loader
SQS_SPLITTED_LOGS_URL: !Ref 'AesSiemSqsSplitLogs0191F431'
FunctionName: aes-siem-es-loader
Handler: index.lambda_handler
MemorySize: 2048
ReservedConcurrentExecutions: !Ref 'ReservedConcurrency'
Runtime: python3.8
Timeout: 600
VpcConfig:
SubnetIds: !GetAtt 'ExecCustomResourceValidator.subnets'
SecurityGroupIds: !If
- IsInVpc
- - !GetAtt 'AesSiemVpcNoinboundSecurityGroup58555CE0.GroupId'
- []
DependsOn:
- LambdaEsLoaderServiceRoleDefaultPolicyB7A386B3
- LambdaEsLoaderServiceRoleFFD43869
LambdaEsLoaderCurrentVersion9DFE69550483136678b0fb8ed271a79421bcb99a:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaEsLoader4B1E2DD9'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
LambdaEsLoaderSqsEventSourceaessiemAesSiemSqsSplitLogs506AFFA6A7D8B2E9:
Type: AWS::Lambda::EventSourceMapping
Properties:
FunctionName: !Ref 'LambdaEsLoader4B1E2DD9'
BatchSize: 1
EventSourceArn: !GetAtt 'AesSiemSqsSplitLogs0191F431.Arn'
LambdaAddPandasLayerRoleDCA80237:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies:
- PolicyDocument:
Statement:
- Action:
- lambda:UpdateFunctionConfiguration
- lambda:GetFunction
Effect: Allow
Resource: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
- Action: lambda:PublishLayerVersion
Effect: Allow
Resource:
- arn:aws:lambda:*:*:layer:AWSDataWrangler-*
- arn:aws:lambda:*:*:layer:AWSSDKPandas-*
- Action:
- lambda:ListLayers
- lambda:GetLayerVersion
Effect: Allow
Resource: '*'
- Action:
- s3:Get*
- s3:List*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: add-pandas-layer-policy
LambdaAddPandasLayerRoleDefaultPolicy6A268C17:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
- s3:Abort*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaAddPandasLayerRoleDefaultPolicy6A268C17
Roles:
- !Ref 'LambdaAddPandasLayerRoleDCA80237'
LambdaAddPandasLayer8F3F6957:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/add_pandas_layer.zip'
Role: !GetAtt 'LambdaAddPandasLayerRoleDCA80237.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / add-pandas-layer
Environment:
Variables:
GEOIP_BUCKET: !Sub 'aes-siem-${AWS::AccountId}-geo'
FunctionName: aes-siem-add-pandas-layer
Handler: lambda_function.lambda_handler
MemorySize: 128
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 300
DependsOn:
- LambdaAddPandasLayerRoleDefaultPolicy6A268C17
- LambdaAddPandasLayerRoleDCA80237
LambdaAddPandasLayerCurrentVersion52D075434f01b1fd65646a928c8322ec5ef2c616:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaAddPandasLayer8F3F6957'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
ExecLambdaAddPandasLayer:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: !GetAtt 'LambdaAddPandasLayer8F3F6957.Arn'
ConfigVersion: 2.10.0
DependsOn:
- LambdaAddPandasLayerRoleDefaultPolicy6A268C17
- LambdaAddPandasLayerRoleDCA80237
- LambdaEsLoaderCurrentVersion9DFE69550483136678b0fb8ed271a79421bcb99a
- LambdaEsLoader4B1E2DD9
- LambdaEsLoaderServiceRoleDefaultPolicyB7A386B3
- LambdaEsLoaderServiceRoleFFD43869
- LambdaEsLoaderSqsEventSourceaessiemAesSiemSqsSplitLogs506AFFA6A7D8B2E9
DeletionPolicy: Retain
LambdaEsLoaderStopperServiceRole83AABC1A:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaEsLoaderStopperServiceRoleDefaultPolicyCC98CC06:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: lambda:PutFunctionConcurrency
Effect: Allow
Resource: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
- Action: sns:Publish
Effect: Allow
Resource: !Ref 'SnsTopic2C1570A4'
Version: '2012-10-17'
PolicyName: LambdaEsLoaderStopperServiceRoleDefaultPolicyCC98CC06
Roles:
- !Ref 'LambdaEsLoaderStopperServiceRole83AABC1A'
LambdaEsLoaderStopper35C1D57B:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/es_loader_stopper.zip'
Role: !GetAtt 'LambdaEsLoaderStopperServiceRole83AABC1A.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / es-loader-stopper
Environment:
Variables:
AES_SIEM_ALERT_TOPIC_ARN: !Ref 'SnsTopic2C1570A4'
ES_LOADER_FUNCTION_ARN: !GetAtt 'LambdaEsLoader4B1E2DD9.Arn'
ES_LOADER_RESERVED_CONCURRENCY: !Ref 'ReservedConcurrency'
FunctionName: aes-siem-es-loader-stopper
Handler: index.lambda_handler
MemorySize: 128
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 300
DependsOn:
- LambdaEsLoaderStopperServiceRoleDefaultPolicyCC98CC06
- LambdaEsLoaderStopperServiceRole83AABC1A
LambdaEsLoaderStopperCurrentVersion312AA850c573dcca153a704a50da1e59f91d4e7b:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaEsLoaderStopper35C1D57B'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
LambdaMetricsExporterServiceRoleDDE0BD95:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaMetricsExporterServiceRoleDefaultPolicy5F0A7AC4:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:AssignPrivateIpAddresses
- ec2:UnassignPrivateIpAddresses
Effect: Allow
Resource: '*'
Sid: ForVpcAccess
- Action:
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Resource: !GetAtt 'KmsAesSiemLog44B26597.Arn'
- Action:
- s3:DeleteObject*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
- s3:Abort*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForLog20898FE4.Arn'
- !Sub '${S3BucketForLog20898FE4.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaMetricsExporterServiceRoleDefaultPolicy5F0A7AC4
Roles:
- !Ref 'LambdaMetricsExporterServiceRoleDDE0BD95'
LambdaMetricsExporter2737F589:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/index_metrics_exporter.zip'
Role: !GetAtt 'LambdaMetricsExporterServiceRoleDDE0BD95.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / index-metrics-exporter
Environment:
Variables:
COLLECTION_NAME: !Ref 'DomainOrCollectionName'
ENDPOINT: !GetAtt 'AesSiemDomainDeployedR2.endpoint'
LOG_BUCKET: !Sub 'aes-siem-${AWS::AccountId}-log'
PERIOD_HOUR: '1'
FunctionName: aes-siem-index-metrics-exporter
Handler: index.lambda_handler
MemorySize: 256
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 300
VpcConfig:
SubnetIds: !GetAtt 'ExecCustomResourceValidator.subnets'
SecurityGroupIds: !If
- IsInVpc
- - !GetAtt 'AesSiemVpcNoinboundSecurityGroup58555CE0.GroupId'
- []
DependsOn:
- LambdaMetricsExporterServiceRoleDefaultPolicy5F0A7AC4
- LambdaMetricsExporterServiceRoleDDE0BD95
LambdaMetricsExporterCurrentVersion79B0413F645e22a550159959c60a5f88fd6ed2b2:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaMetricsExporter2737F589'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
EventBridgeRuleLambdaMetricsExporterE956E7F2:
Type: AWS::Events::Rule
Properties:
ScheduleExpression: rate(1 hour)
State: ENABLED
Targets:
- Arn: !GetAtt 'LambdaMetricsExporter2737F589.Arn'
Id: Target0
EventBridgeRuleLambdaMetricsExporterAllowEventRuleaessiemLambdaMetricsExporterCD618C3523DA2D6A:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt 'LambdaMetricsExporter2737F589.Arn'
Principal: events.amazonaws.com
SourceArn: !GetAtt 'EventBridgeRuleLambdaMetricsExporterE956E7F2.Arn'
LambdaGeoipDownloaderServiceRoleE37FB908:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaGeoipDownloaderServiceRoleDefaultPolicyE7B8AE65:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
- s3:Abort*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaGeoipDownloaderServiceRoleDefaultPolicyE7B8AE65
Roles:
- !Ref 'LambdaGeoipDownloaderServiceRoleE37FB908'
LambdaGeoipDownloaderA5EFF97E:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/geoip_downloader.zip'
Role: !GetAtt 'LambdaGeoipDownloaderServiceRoleE37FB908.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / geoip-downloader
Environment:
Variables:
license_key: !Ref 'GeoLite2LicenseKey'
s3bucket_name: !Sub 'aes-siem-${AWS::AccountId}-geo'
FunctionName: aes-siem-geoip-downloader
Handler: index.lambda_handler
MemorySize: 320
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 300
DependsOn:
- LambdaGeoipDownloaderServiceRoleDefaultPolicyE7B8AE65
- LambdaGeoipDownloaderServiceRoleE37FB908
LambdaGeoipDownloaderCurrentVersion7F1CD34F168d0c32bbb5f780439e5136bb51456c:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaGeoipDownloaderA5EFF97E'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
ExecLambdaGeoipDownloader:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: !GetAtt 'LambdaGeoipDownloaderA5EFF97E.Arn'
License: !Ref 'GeoLite2LicenseKey'
DeletionPolicy: Retain
EventBridgeRuleLambdaGeoipDownloaderAFA87072:
Type: AWS::Events::Rule
Properties:
ScheduleExpression: rate(12 hours)
State: !If
- HasGeoipLicense
- ENABLED
- DISABLED
Targets:
- Arn: !GetAtt 'LambdaGeoipDownloaderA5EFF97E.Arn'
Id: Target0
EventBridgeRuleLambdaGeoipDownloaderAllowEventRuleaessiemLambdaGeoipDownloaderC2D21D002CAED82D:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt 'LambdaGeoipDownloaderA5EFF97E.Arn'
Principal: events.amazonaws.com
SourceArn: !GetAtt 'EventBridgeRuleLambdaGeoipDownloaderAFA87072.Arn'
LambdaIocPlanServiceRole6CDE7C5D:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaIocPlanServiceRoleDefaultPolicyBAE5ADEE:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
- s3:Abort*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaIocPlanServiceRoleDefaultPolicyBAE5ADEE
Roles:
- !Ref 'LambdaIocPlanServiceRole6CDE7C5D'
LambdaIocPlan6E369BFB:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/ioc_database.zip'
Role: !GetAtt 'LambdaIocPlanServiceRole6CDE7C5D.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / ioc-plan
Environment:
Variables:
ABUSE_CH: !Ref 'EnableAbuseCh'
GEOIP_BUCKET: !Sub 'aes-siem-${AWS::AccountId}-geo'
LOG_LEVEL: INFO
OTX_API_KEY: !Ref 'OtxApiKey'
TOR: !Ref 'EnableTor'
FunctionName: aes-siem-ioc-plan
Handler: lambda_function.plan
MemorySize: 128
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 300
DependsOn:
- LambdaIocPlanServiceRoleDefaultPolicyBAE5ADEE
- LambdaIocPlanServiceRole6CDE7C5D
LambdaIocPlanCurrentVersion1BAA7B4C3cd4c3ab065e3d10f76917db06a8ca5e:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaIocPlan6E369BFB'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
LambdaIocDownloadServiceRoleEB9001C6:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaIocDownloadServiceRoleDefaultPolicy9EDF8942:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:ListAllMyBuckets
- s3:PutFunctionConcurrency
Effect: Allow
Resource: '*'
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
- s3:Abort*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaIocDownloadServiceRoleDefaultPolicy9EDF8942
Roles:
- !Ref 'LambdaIocDownloadServiceRoleEB9001C6'
LambdaIocDownload5519716E:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/ioc_database.zip'
Role: !GetAtt 'LambdaIocDownloadServiceRoleEB9001C6.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / ioc-download
Environment:
Variables:
GEOIP_BUCKET: !Sub 'aes-siem-${AWS::AccountId}-geo'
LOG_LEVEL: INFO
OTX_API_KEY: !Ref 'OtxApiKey'
FunctionName: aes-siem-ioc-download
Handler: lambda_function.download
MemorySize: 384
Runtime: python3.9
Timeout: 900
DependsOn:
- LambdaIocDownloadServiceRoleDefaultPolicy9EDF8942
- LambdaIocDownloadServiceRoleEB9001C6
LambdaIocDownloadCurrentVersion48773E6B25d00c408dbf835f063b066d2f8b4258:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaIocDownload5519716E'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
LambdaIocCreatedbServiceRole555565C0:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
LambdaIocCreatedbServiceRoleDefaultPolicyA06805A4:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
- s3:DeleteObject*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
- s3:Abort*
Effect: Allow
Resource:
- !GetAtt 'S3BucketForGeoip04B5F171.Arn'
- !Sub '${S3BucketForGeoip04B5F171.Arn}/*'
Version: '2012-10-17'
PolicyName: LambdaIocCreatedbServiceRoleDefaultPolicyA06805A4
Roles:
- !Ref 'LambdaIocCreatedbServiceRole555565C0'
LambdaIocCreatedb04F35777:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/ioc_database.zip'
Role: !GetAtt 'LambdaIocCreatedbServiceRole555565C0.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / ioc-createdb
Environment:
Variables:
GEOIP_BUCKET: !Sub 'aes-siem-${AWS::AccountId}-geo'
LOG_LEVEL: INFO
FunctionName: aes-siem-ioc-createdb
Handler: lambda_function.createdb
MemorySize: 1024
Runtime: python3.9
Timeout: 900
DependsOn:
- LambdaIocCreatedbServiceRoleDefaultPolicyA06805A4
- LambdaIocCreatedbServiceRole555565C0
LambdaIocCreatedbCurrentVersionD9D04E9Cc6a582bf5661dc7434b1a73c2714ec23:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaIocCreatedb04F35777'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
IocStateMachineLogGroupC1AB417E:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: /aws/vendedlogs/states/aes-siem-ioc-logs
RetentionInDays: 30
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
IocStateMachineRole095AC46F:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: states.amazonaws.com
Version: '2012-10-17'
IocStateMachineRoleDefaultPolicy2B85C920:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogDelivery
- logs:GetLogDelivery
- logs:UpdateLogDelivery
- logs:DeleteLogDelivery
- logs:ListLogDeliveries
- logs:PutResourcePolicy
- logs:DescribeResourcePolicies
- logs:DescribeLogGroups
Effect: Allow
Resource: '*'
- Action: lambda:InvokeFunction
Effect: Allow
Resource:
- !GetAtt 'LambdaIocPlan6E369BFB.Arn'
- !Sub '${LambdaIocPlan6E369BFB.Arn}:*'
- Action: lambda:InvokeFunction
Effect: Allow
Resource:
- !GetAtt 'LambdaIocCreatedb04F35777.Arn'
- !Sub '${LambdaIocCreatedb04F35777.Arn}:*'
- Action: lambda:InvokeFunction
Effect: Allow
Resource:
- !GetAtt 'LambdaIocDownload5519716E.Arn'
- !Sub '${LambdaIocDownload5519716E.Arn}:*'
Version: '2012-10-17'
PolicyName: IocStateMachineRoleDefaultPolicy2B85C920
Roles:
- !Ref 'IocStateMachineRole095AC46F'
IocStateMachine01BE6E56:
Type: AWS::StepFunctions::StateMachine
Properties:
RoleArn: !GetAtt 'IocStateMachineRole095AC46F.Arn'
DefinitionString: !Sub '{"StartAt":"IocPlan","States":{"IocPlan":{"Next":"need to download?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","OutputPath":"$.Payload","Resource":"arn:${AWS::Partition}:states:::lambda:invoke","Parameters":{"FunctionName":"${LambdaIocPlan6E369BFB.Arn}","Payload":""}},"need
to download?":{"Type":"Choice","Choices":[{"Variable":"$.mapped[0].ioc","IsPresent":false,"Next":"SkipDownload"}],"Default":"MapDownload"},"MapDownload":{"Type":"Map","Next":"IocCreatedb","Parameters":{"mapped.$":"$$.Map.Item.Value"},"Iterator":{"StartAt":"IocDownload","States":{"IocDownload":{"End":true,"Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.Timeout","States.TaskFailed"],"ResultPath":"$.catcher","Next":"IgnoreTimeout"}],"Type":"Task","TimeoutSeconds":899,"OutputPath":"$.Payload","Resource":"arn:${AWS::Partition}:states:::lambda:invoke","Parameters":{"FunctionName":"${LambdaIocDownload5519716E.Arn}","Payload.$":"$"}},"IgnoreTimeout":{"Type":"Pass","End":true}}},"ItemsPath":"$.mapped","MaxConcurrency":4},"IocCreatedb":{"End":true,"Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","Resource":"arn:${AWS::Partition}:states:::lambda:invoke","Parameters":{"FunctionName":"${LambdaIocCreatedb04F35777.Arn}","Payload.$":"$"}},"SkipDownload":{"Type":"Pass","End":true}},"TimeoutSeconds":3600}'
LoggingConfiguration:
Destinations:
- CloudWatchLogsLogGroup:
LogGroupArn: !GetAtt 'IocStateMachineLogGroupC1AB417E.Arn'
Level: ALL
StateMachineName: aes-siem-ioc-state-machine
DependsOn:
- IocStateMachineRoleDefaultPolicy2B85C920
- IocStateMachineRole095AC46F
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
IocStateMachineEventsRoleC1BF1919:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: events.amazonaws.com
Version: '2012-10-17'
IocStateMachineEventsRoleDefaultPolicyC412ACCE:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: states:StartExecution
Effect: Allow
Resource: !Ref 'IocStateMachine01BE6E56'
Version: '2012-10-17'
PolicyName: IocStateMachineEventsRoleDefaultPolicyC412ACCE
Roles:
- !Ref 'IocStateMachineEventsRoleC1BF1919'
EventBridgeRuleStepFunctionsIoc6CE991F5:
Type: AWS::Events::Rule
Properties:
ScheduleExpression: !Sub 'rate(${IocDownloadInterval} minutes)'
State: !If
- EnableIOC
- ENABLED
- DISABLED
Targets:
- Arn: !Ref 'IocStateMachine01BE6E56'
Id: Target0
RoleArn: !GetAtt 'IocStateMachineEventsRoleC1BF1919.Arn'
AesSiemDeployRoleForLambda654D64F2:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:PutResourcePolicy
- logs:DescribeLogGroups
- logs:DescribeLogStreams
Effect: Allow
Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:PutRetentionPolicy
Effect: Allow
Resource:
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/aes/domains/${DomainOrCollectionName}/*'
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/OpenSearchService/domains/${DomainOrCollectionName}/*'
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/aes-siem-*'
Version: '2012-10-17'
PolicyName: cwl_loggroup
- PolicyDocument:
Statement:
- Action:
- ec2:DescribeVpcEndpoints
- es:CreateDomain
- es:DescribeDomain
- es:ESHttp*
- es:UpdateDomainConfig
- iam:GetRole
Effect: Allow
Resource: '*'
- Action: iam:CreateServiceLinkedRole
Effect: Allow
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless'
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService'
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService'
- Action:
- aoss:APIAccessAll
- aoss:DashboardsAccessAll
- aoss:BatchGetCollection
- aoss:BatchGetVpcEndpoint
- aoss:CreateCollection
- aoss:CreateSecurityPolicy
- aoss:GetSecurityPolicy
- aoss:UpdateSecurityPolicy
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: opensearch_deployment
- PolicyDocument:
Statement:
- Action:
- events:DeleteRule
- events:ListRules
- events:PutRule
- events:PutTargets
- events:RemoveTargets
- lambda:AddPermission
- lambda:RemovePermission
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: crhelper
- PolicyDocument:
Statement:
- Action: iam:PassRole
Effect: Allow
Resource: !GetAtt 'AesSiemSnapshotRoleF313ED39.Arn'
Version: '2012-10-17'
PolicyName: assume_snapshotrole
- PolicyDocument:
Statement:
- Action: s3:ListBucket
Effect: Allow
Resource: !GetAtt 'S3BucketForSnapshot40E67D36.Arn'
- Action:
- s3:GetObject
- s3:PutObject
Effect: Allow
Resource: !Sub '${S3BucketForSnapshot40E67D36.Arn}/*'
Version: '2012-10-17'
PolicyName: s3access
RoleName: aes-siem-deploy-role-for-lambda
AesSiemDeployRoleForLambdaDefaultPolicy4129DE4C:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:AssignPrivateIpAddresses
- ec2:UnassignPrivateIpAddresses
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: AesSiemDeployRoleForLambdaDefaultPolicy4129DE4C
Roles:
- !Ref 'AesSiemDeployRoleForLambda654D64F2'
AossDataAccessPolicyForDeployment:
Type: AWS::OpenSearchServerless::AccessPolicy
Properties:
Name: siem-data-access-for-deploymet
Policy: !Sub '[{"Description":"For SIEM Deployment","Principal":["${AesSiemDeployRoleForLambda654D64F2.Arn}"],"Rules":[{"Resource":["collection/${DomainOrCollectionName}"],"Permission":["aoss:CreateCollectionItems","aoss:UpdateCollectionItems"],"ResourceType":"collection"},{"Resource":["index/${DomainOrCollectionName}/*"],"Permission":["aoss:*"],"ResourceType":"index"}]},{"Description":"For
SIEM Deployment2","Principal":["${AesSiemDeployRoleForLambda654D64F2.Arn}"],"Rules":[{"Resource":["collection/*"],"Permission":["aoss:DescribeCollectionItems"],"ResourceType":"collection"}]}]'
Type: data
Description: Created By SIEM Solution. DO NOT EDIT
Condition: IsServerless
AossDataAccessPolicyForLoader:
Type: AWS::OpenSearchServerless::AccessPolicy
Properties:
Name: siem-data-access-for-loader
Policy: !Sub '[{"Description":"For SIEM Loader","Principal":["${LambdaEsLoaderServiceRoleFFD43869.Arn}"],"Rules":[{"Resource":["index/${DomainOrCollectionName}/log-*","index/${DomainOrCollectionName}/metrics-*"],"Permission":["aoss:CreateIndex","aoss:UpdateIndex","aoss:ReadDocument","aoss:WriteDocument"],"ResourceType":"index"}]},{"Description":"For
SIEM metrics exporter","Principal":["${LambdaMetricsExporterServiceRoleDDE0BD95.Arn}"],"Rules":[{"Resource":["index/${DomainOrCollectionName}/*"],"Permission":["aoss:DescribeIndex"],"ResourceType":"index"}]}]'
Type: data
Description: Created By SIEM Solution. DO NOT EDIT
Condition: IsServerless
LambdaDeployAES636B5079:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/deploy_es.zip'
Role: !GetAtt 'AesSiemDeployRoleForLambda654D64F2.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / opensearch domain deployment
Environment:
Variables:
ACCOUNT_ID: !Ref 'AWS::AccountId'
ALLOWED_SOURCE_ADDRESSES: !Ref 'AllowedSourceIpAddresses'
DEPLOYMENT_TARGET: !Ref 'DeploymentTarget'
DOMAIN_OR_COLLECTION_NAME: !Ref 'DomainOrCollectionName'
ROLE_AOS_ADMIN: !GetAtt 'AesSiemDeployRoleForLambda654D64F2.Arn'
S3_SNAPSHOT: !Ref 'S3BucketForSnapshot40E67D36'
SOLUTION_PREFIX: aes-siem
VPCE_ID: !Ref 'VpcEndpointId'
FunctionName: aes-siem-deploy-aes
Handler: index.aes_domain_handler
MemorySize: 128
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 300
DependsOn:
- AesSiemDeployRoleForLambdaDefaultPolicy4129DE4C
- AesSiemDeployRoleForLambda654D64F2
LambdaDeployAESCurrentVersion047915F1ce3da89df1ffa0da78c111b3a75f8916:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaDeployAES636B5079'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
AesSiemDomainDeployedR2:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: !GetAtt 'LambdaDeployAES636B5079.Arn'
ConfigVersion: 2.10.0
Target: !Ref 'DeploymentTarget'
Name: !Ref 'DomainOrCollectionName'
vpce: !Ref 'VpcEndpointId'
DependsOn:
- AesSiemDeployRoleForLambdaDefaultPolicy4129DE4C
- AesSiemDeployRoleForLambda654D64F2
LambdaConfigureAESA0471961:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: '%%BUCKET_NAME%%'
S3Key: '%%SOLUTION_NAME%%/%%VERSION%%/assets/deploy_es.zip'
Role: !GetAtt 'AesSiemDeployRoleForLambda654D64F2.Arn'
Architectures: !If
- HasLambdaArchitecturesProp
- - !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- LambdaArch
- !Ref 'AWS::NoValue'
Description: SIEM on Amazon OpenSearch Service v2.10.0 / opensearch configuration
Environment:
Variables:
ACCOUNT_ID: !Ref 'AWS::AccountId'
DOMAIN_OR_COLLECTION_NAME: !Ref 'DomainOrCollectionName'
ENDPOINT: !GetAtt 'AesSiemDomainDeployedR2.endpoint'
ROLE_AOS_ADMIN: !GetAtt 'AesSiemDeployRoleForLambda654D64F2.Arn'
ROLE_ES_LOADER: !GetAtt 'LambdaEsLoaderServiceRoleFFD43869.Arn'
ROLE_METRICS_EXPORTER: !GetAtt 'LambdaMetricsExporterServiceRoleDDE0BD95.Arn'
ROLE_SNAPSHOT: !GetAtt 'AesSiemSnapshotRoleF313ED39.Arn'
S3_SNAPSHOT: !Ref 'S3BucketForSnapshot40E67D36'
SOLUTION_PREFIX: aes-siem
FunctionName: aes-siem-configure-aes
Handler: index.aes_config_handler
MemorySize: 128
ReservedConcurrentExecutions: 1
Runtime: python3.9
Timeout: 600
VpcConfig:
SubnetIds: !GetAtt 'ExecCustomResourceValidator.subnets'
SecurityGroupIds: !If
- IsInVpc
- - !GetAtt 'AesSiemVpcNoinboundSecurityGroup58555CE0.GroupId'
- []
DependsOn:
- AesSiemDeployRoleForLambdaDefaultPolicy4129DE4C
- AesSiemDeployRoleForLambda654D64F2
LambdaConfigureAESCurrentVersion65114768b51be324d3f92d1e341a6842ba118176:
Type: AWS::Lambda::Version
Properties:
FunctionName: !Ref 'LambdaConfigureAESA0471961'
Description: 2.10.0
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
AesSiemDomainConfiguredR2:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: !GetAtt 'LambdaConfigureAESA0471961.Arn'
ConfigVersion: 2.10.0
Target: !Ref 'DeploymentTarget'
Name: !Ref 'DomainOrCollectionName'
DependsOn:
- AesSiemDomainDeployedR2
DeletionPolicy: Retain
aessiempolicytoloadentriestoesE6506021:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: es:ESHttp*
Effect: Allow
Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainOrCollectionName}/*'
- Action: aoss:APIAccessAll
Effect: Allow
Resource: !Sub
- arn:aws:aoss:${AWS::Region}:${AWS::AccountId}:collection/${Param1}
- Param1: !Select
- 0
- !Split
- .
- !GetAtt 'AesSiemDomainDeployedR2.endpoint'
Version: '2012-10-17'
PolicyName: aes-siem-policy-to-load-entries-to-es
Roles:
- !Ref 'LambdaEsLoaderServiceRoleFFD43869'
- !Ref 'AesSiemEsLoaderEC2RoleFE3F9F00'
- !Ref 'LambdaMetricsExporterServiceRoleDDE0BD95'
aessiempolicytogetparametersbypathB5BFC6F0:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: ssm:GetParametersByPath
Effect: Allow
Resource: !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/siem/exclude-logs/*'
Version: '2012-10-17'
PolicyName: aes-siem-policy-to-get-parameters-by-path
Roles:
- !Ref 'LambdaEsLoaderServiceRoleFFD43869'
BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: s3:PutBucketNotification
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36
Roles:
- !Ref 'BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC'
BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691:
Type: AWS::Lambda::Function
Properties:
Description: AWS CloudFormation handler for "Custom::S3BucketNotifications" resources (@aws-cdk/aws-s3)
Code:
ZipFile: |
import boto3 # type: ignore
import json
import logging
import urllib.request
s3 = boto3.client("s3")
EVENTBRIDGE_CONFIGURATION = 'EventBridgeConfiguration'
CONFIGURATION_TYPES = ["TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations"]
def handler(event: dict, context):
response_status = "SUCCESS"
error_message = ""
try:
props = event["ResourceProperties"]
bucket = props["BucketName"]
notification_configuration = props["NotificationConfiguration"]
request_type = event["RequestType"]
managed = props.get('Managed', 'true').lower() == 'true'
stack_id = event['StackId']
if managed:
config = handle_managed(request_type, notification_configuration)
else:
config = handle_unmanaged(bucket, stack_id, request_type, notification_configuration)
put_bucket_notification_configuration(bucket, config)
except Exception as e:
logging.exception("Failed to put bucket notification configuration")
response_status = "FAILED"
error_message = f"Error: {str(e)}. "
finally:
submit_response(event, context, response_status, error_message)
def handle_managed(request_type, notification_configuration):
if request_type == 'Delete':
return {}
return notification_configuration
def handle_unmanaged(bucket, stack_id, request_type, notification_configuration):
external_notifications = find_external_notifications(bucket, stack_id)
if request_type == 'Delete':
return external_notifications
def with_id(notification):
notification['Id'] = f"{stack_id}-{hash(json.dumps(notification, sort_keys=True))}"
return notification
notifications = {}
for t in CONFIGURATION_TYPES:
external = external_notifications.get(t, [])
incoming = [with_id(n) for n in notification_configuration.get(t, [])]
notifications[t] = external + incoming
if EVENTBRIDGE_CONFIGURATION in notification_configuration:
notifications[EVENTBRIDGE_CONFIGURATION] = notification_configuration[EVENTBRIDGE_CONFIGURATION]
elif EVENTBRIDGE_CONFIGURATION in external_notifications:
notifications[EVENTBRIDGE_CONFIGURATION] = external_notifications[EVENTBRIDGE_CONFIGURATION]
return notifications
def find_external_notifications(bucket, stack_id):
existing_notifications = get_bucket_notification_configuration(bucket)
external_notifications = {}
for t in CONFIGURATION_TYPES:
external_notifications[t] = [n for n in existing_notifications.get(t, []) if not n['Id'].startswith(f"{stack_id}-")]
if EVENTBRIDGE_CONFIGURATION in existing_notifications:
external_notifications[EVENTBRIDGE_CONFIGURATION] = existing_notifications[EVENTBRIDGE_CONFIGURATION]
return external_notifications
def get_bucket_notification_configuration(bucket):
return s3.get_bucket_notification_configuration(Bucket=bucket)
def put_bucket_notification_configuration(bucket, notification_configuration):
s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=notification_configuration)
def submit_response(event: dict, context, response_status: str, error_message: str):
response_body = json.dumps(
{
"Status": response_status,
"Reason": f"{error_message}See the details in CloudWatch Log Stream: {context.log_stream_name}",
"PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
"StackId": event["StackId"],
"RequestId": event["RequestId"],
"LogicalResourceId": event["LogicalResourceId"],
"NoEcho": False,
}
).encode("utf-8")
headers = {"content-type": "", "content-length": str(len(response_body))}
try:
req = urllib.request.Request(url=event["ResponseURL"], headers=headers, data=response_body, method="PUT")
with urllib.request.urlopen(req) as response:
print(response.read().decode("utf-8"))
print("Status code: " + response.reason)
except Exception as e:
print("send(..) failed executing request.urlopen(..): " + str(e))
Handler: index.handler
Role: !GetAtt 'BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC.Arn'
Runtime: python3.9
Timeout: 300
DependsOn:
- BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36
- BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC
SnsTopic2C1570A4:
Type: AWS::SNS::Topic
Properties:
DisplayName: AES SIEM
KmsMasterKeyId: !GetAtt 'KmsAesSiemLog44B26597.Arn'
TopicName: aes-siem-alert
SnsTopicPolicy520DD923:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement:
- Action: sns:Publish
Effect: Allow
Principal:
Service: events.amazonaws.com
Resource: !Ref 'SnsTopic2C1570A4'
Sid: '0'
Version: '2012-10-17'
Topics:
- !Ref 'SnsTopic2C1570A4'
SnsTopicTokenSubscriptionD7374A11:
Type: AWS::SNS::Subscription
Properties:
Protocol: email
TopicArn: !Ref 'SnsTopic2C1570A4'
Endpoint: !Ref 'SnsEmail'
Condition: HasSnsEmail
EventBridgeRuleAosNotificationsC282068B:
Type: AWS::Events::Rule
Properties:
EventPattern:
resources:
- !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainOrCollectionName}'
source:
- aws.es
State: ENABLED
Targets:
- Arn: !Ref 'SnsTopic2C1570A4'
Id: Target0
Condition: HasSnsEmail
accesstocontroltowerlogbucketsDFC3958F:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Resource: !Ref 'ControlTowerRoleArnForEsLoader'
- Action:
- sqs:ReceiveMessage
- sqs:ChangeMessageVisibility
- sqs:GetQueueUrl
- sqs:DeleteMessage
- sqs:GetQueueAttributes
Effect: Allow
Resource: !Sub
- arn:aws:sqs:*:${Param1}:*
- Param1: !Select
- 4
- !Split
- ':'
- !Ref 'ControlTowerRoleArnForEsLoader'
Version: '2012-10-17'
PolicyName: access_to_control_tower
Roles:
- !Ref 'LambdaEsLoaderServiceRoleFFD43869'
Condition: IsControlTowerAcccess
EventSourceMappingForCT63FDE1BA:
Type: AWS::Lambda::EventSourceMapping
Properties:
FunctionName: !Ref 'LambdaEsLoader4B1E2DD9'
EventSourceArn: !Ref 'ControlTowerSqsForLogBuckets'
Condition: IsControlTowerAcccess
accesstosecuritylakelogbuckets32CCAD02:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Resource: !Ref 'SecurityLakeRoleArn'
- Action:
- sqs:ReceiveMessage
- sqs:ChangeMessageVisibility
- sqs:GetQueueUrl
- sqs:DeleteMessage
- sqs:GetQueueAttributes
Effect: Allow
Resource: !Sub
- arn:aws:sqs:*:${Param1}:*
- Param1: !Select
- 4
- !Split
- ':'
- !Ref 'SecurityLakeRoleArn'
Version: '2012-10-17'
PolicyName: access_to_security_lake
Roles:
- !Ref 'LambdaEsLoaderServiceRoleFFD43869'
Condition: IsSecurityLakeAcccess
EventSourceMappingForCT230540116:
Type: AWS::Lambda::EventSourceMapping
Properties:
FunctionName: !Ref 'LambdaEsLoader4B1E2DD9'
EventSourceArn: !Ref 'SecurityLakeSubscriberSqs'
Condition: IsSecurityLakeAcccess
TotalFreeStorageSpaceRemainsLowAlarm3888040E:
Type: AWS::CloudWatch::Alarm
Properties:
ComparisonOperator: LessThanOrEqualToThreshold
EvaluationPeriods: 30
AlarmDescription: Triggered when total free space for the cluster remains less 200MB for 30 minutes.
Dimensions:
- Name: ClientId
Value: !Ref 'AWS::AccountId'
- Name: DomainName
Value: !Ref 'DomainOrCollectionName'
MetricName: FreeStorageSpace
Namespace: AWS/ES
Period: 60
Statistic: Sum
Threshold: 200
EsLoaderStopperRule2C1D9F30:
Type: AWS::Events::Rule
Properties:
EventPattern:
detail-type:
- CloudWatch Alarm State Change
resources:
- !GetAtt 'TotalFreeStorageSpaceRemainsLowAlarm3888040E.Arn'
source:
- aws.cloudwatch
State: ENABLED
Targets:
- Arn: !GetAtt 'LambdaEsLoaderStopper35C1D57B.Arn'
Id: Target0
EsLoaderStopperRuleAllowEventRuleaessiemLambdaEsLoaderStopper325F7AA593386C47:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt 'LambdaEsLoaderStopper35C1D57B.Arn'
Principal: events.amazonaws.com
SourceArn: !GetAtt 'EsLoaderStopperRule2C1D9F30.Arn'
SIEMDashboard35199390:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardBody: !Sub '{"widgets":[{"type":"text","width":24,"height":1,"x":0,"y":0,"properties":{"markdown":"# CloudWatch Alarm"}},{"type":"metric","width":6,"height":6,"x":0,"y":1,"properties":{"view":"timeSeries","title":"${TotalFreeStorageSpaceRemainsLowAlarm3888040E}","region":"${AWS::Region}","annotations":{"alarms":["${TotalFreeStorageSpaceRemainsLowAlarm3888040E.Arn}"]},"yAxis":{}}},{"type":"text","width":24,"height":1,"x":0,"y":7,"properties":{"markdown":"#
Lambda Function: ${LambdaEsLoader4B1E2DD9}"}},{"type":"metric","width":12,"height":4,"x":0,"y":8,"properties":{"view":"timeSeries","title":"Error count and success rate (%)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Errors","FunctionName","${LambdaEsLoader4B1E2DD9}",{"color":"#d13212","label":"Errors
(Count)","stat":"Sum","id":"errors"}],[{"label":"Success rate (%)","color":"#2ca02c","expression":"100 - 100 * errors / MAX([errors, invocations])","yAxis":"right"}],["AWS/Lambda","Invocations","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Sum","visible":false,"id":"invocations"}]],"yAxis":{"left":{"showUnits":false},"right":{"max":100,"showUnits":false}},"period":60}},{"type":"metric","width":12,"height":4,"x":12,"y":8,"properties":{"view":"timeSeries","title":"Invocations
(Count)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Invocations","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"},"period":60}},{"type":"metric","width":12,"height":4,"x":0,"y":12,"properties":{"view":"timeSeries","title":"Duration
(Milliseconds)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Duration","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Minimum"}],["AWS/Lambda","Duration","FunctionName","${LambdaEsLoader4B1E2DD9}"],["AWS/Lambda","Duration","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Maximum"}]],"yAxis":{"left":{"showUnits":false}},"period":60}},{"type":"metric","width":12,"height":4,"x":12,"y":12,"properties":{"view":"timeSeries","title":"Throttles
(Count)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Throttles","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"},"period":60}},{"type":"log","width":12,"height":4,"x":0,"y":16,"properties":{"view":"table","title":"Longest
5 invocations","region":"${AWS::Region}","query":"SOURCE ''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' | fields @timestamp, @duration, @requestId\n | sort @duration desc\n |
head 5"}},{"type":"metric","width":12,"height":4,"x":12,"y":16,"properties":{"view":"timeSeries","title":"ConcurrentExecutions (Count)","region":"${AWS::Region}","metrics":[["AWS/Lambda","ConcurrentExecutions","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Maximum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"},"period":60}},{"type":"text","width":24,"height":1,"x":0,"y":20,"properties":{"markdown":"#
OpenSearch Service: ${DomainOrCollectionName} domain"}},{"type":"metric","width":12,"height":4,"x":0,"y":21,"properties":{"view":"timeSeries","title":"Data Node CPUUtilization (Cluster Max Percentage)","region":"${AWS::Region}","metrics":[["AWS/ES","CPUUtilization","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Maximum"}]],"yAxis":{"left":{"max":100,"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"metric","width":12,"height":4,"x":12,"y":21,"properties":{"view":"timeSeries","title":"Data
Node JVMMemoryPressure (Cluster Max Percentage)","region":"${AWS::Region}","metrics":[["AWS/ES","JVMMemoryPressure","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}"]],"yAxis":{"left":{"max":100,"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"metric","width":12,"height":4,"x":0,"y":25,"properties":{"view":"timeSeries","title":"HTTP
requests by error response code (Cluster Total Count)","region":"${AWS::Region}","metrics":[["AWS/ES","4xx","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}],["AWS/ES","5xx","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":25,"properties":{"view":"timeSeries","title":"Active
Shards Count","region":"${AWS::Region}","metrics":[["AWS/ES","Shards.active","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}"],["AWS/ES","Shards.activePrimary","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}"]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":29,"properties":{"view":"timeSeries","title":"Cluster
DiskThroughputThrottle","region":"${AWS::Region}","metrics":[["AWS/ES","ThroughputThrottle","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"Cluster Disk ThroughputThrottle","stat":"Maximum"}]],"annotations":{"horizontal":[{"value":1,"yAxis":"left"}]},"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":29,"properties":{"view":"timeSeries","title":"ClusterIndexWritesBlocked
(Cluster Max Count)","region":"${AWS::Region}","metrics":[["AWS/ES","ClusterIndexWritesBlocked","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}"]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"text","width":12,"height":1,"x":0,"y":33,"properties":{"markdown":"#
Read / Search"}},{"type":"text","width":12,"height":1,"x":12,"y":33,"properties":{"markdown":"# Write / Indexing"}},{"type":"metric","width":12,"height":4,"x":0,"y":34,"properties":{"view":"timeSeries","title":"EBS
Read Throughput / IOPS","region":"${AWS::Region}","metrics":[["AWS/ES","ReadThroughput","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"ReadThroughput (Bytes/Second)","stat":"Maximum"}],["AWS/ES","ReadIOPS","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"ReadIOPS
(Count/Second)","stat":"Maximum","yAxis":"right"}]],"yAxis":{"left":{"showUnits":false},"right":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":34,"properties":{"view":"timeSeries","title":"EBS
Write Throughput / IOPS","region":"${AWS::Region}","metrics":[["AWS/ES","WriteThroughput","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"WriteThroughput (Bytes/Second)","stat":"Maximum"}],["AWS/ES","WriteIOPS","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"WriteIOPS
(Count/Second)","stat":"Maximum","yAxis":"right"}]],"yAxis":{"left":{"showUnits":false},"right":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":38,"properties":{"view":"timeSeries","title":"EBS
Read Latency / Disk Queue","region":"${AWS::Region}","metrics":[["AWS/ES","ReadLatency","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"ReadLatency (Seconds)","stat":"Maximum"}],["AWS/ES","DiskQueueDepth","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"DiskQueueDepth
(Count)","stat":"Maximum","yAxis":"right"}]],"yAxis":{"left":{"showUnits":false},"right":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":38,"properties":{"view":"timeSeries","title":"EBS
Write Latency / Disk Queue","region":"${AWS::Region}","metrics":[["AWS/ES","WriteLatency","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"WriteLatency (Seconds)","stat":"Maximum"}],["AWS/ES","DiskQueueDepth","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"DiskQueueDepth
(Count)","stat":"Maximum","yAxis":"right"}]],"yAxis":{"left":{"showUnits":false},"right":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":42,"properties":{"view":"timeSeries","title":"Search
Rate / Latency (Node Average)","region":"${AWS::Region}","metrics":[["AWS/ES","SearchRate","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"SearchRate (Count)"}],["AWS/ES","SearchLatency","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"SearchLatency
(Milliseconds)","yAxis":"right"}]],"yAxis":{"left":{"showUnits":false},"right":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":42,"properties":{"view":"timeSeries","title":"Indexing
Rate / Latency (Node Average)","region":"${AWS::Region}","metrics":[["AWS/ES","IndexingRate","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"IndexingRate (Count)"}],["AWS/ES","IndexingLatency","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"label":"IndexingLatency
(Milliseconds)","yAxis":"right"}]],"yAxis":{"left":{"showUnits":false},"right":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":46,"properties":{"view":"timeSeries","title":"ThreadpoolReadQueue
(Node Average Count)","region":"${AWS::Region}","metrics":[["AWS/ES","ThreadpoolSearchQueue","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}"]],"annotations":{"horizontal":[{"value":1000,"yAxis":"left"}]},"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"metric","width":12,"height":4,"x":12,"y":46,"properties":{"view":"timeSeries","title":"ThreadpoolWriteQueue
(Node Average Count)","region":"${AWS::Region}","metrics":[["AWS/ES","ThreadpoolWriteQueue","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}"]],"annotations":{"horizontal":[{"value":10000,"yAxis":"left"}]},"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"metric","width":12,"height":4,"x":0,"y":50,"properties":{"view":"timeSeries","title":"Threadpool
Search Rejected Count (Node Total Count)","region":"${AWS::Region}","metrics":[["AWS/ES","ThreadpoolSearchRejected","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":50,"properties":{"view":"timeSeries","title":"Threadpool
Indexing Rejected Count (Node Total Count)","region":"${AWS::Region}","metrics":[["AWS/ES","ThreadpoolWriteRejected","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}],["AWS/ES","CoordinatingWriteRejected","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}],["AWS/ES","PrimaryWriteRejected","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}],["AWS/ES","ReplicaWriteRejected","ClientId","${AWS::AccountId}","DomainName","${DomainOrCollectionName}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"text","width":24,"height":1,"x":0,"y":54,"properties":{"markdown":"#
SQS"}},{"type":"metric","width":12,"height":4,"x":0,"y":55,"properties":{"view":"timeSeries","title":"${AesSiemSqsSplitLogs0191F431.QueueName}: NumberOfMessagesReceived (Count)","region":"${AWS::Region}","metrics":[["AWS/SQS","NumberOfMessagesReceived","QueueName","${AesSiemSqsSplitLogs0191F431.QueueName}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"metric","width":12,"height":4,"x":12,"y":55,"properties":{"view":"timeSeries","title":"${AesSiemDlq1CD8439D.QueueName}:
ApproximateNumberOfMessagesVisible (Count)","region":"${AWS::Region}","metrics":[["AWS/SQS","ApproximateNumberOfMessagesVisible","QueueName","${AesSiemDlq1CD8439D.QueueName}",{"stat":"Maximum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"text","width":24,"height":1,"x":0,"y":59,"properties":{"markdown":"#
Lambda Function Logs: ${LambdaEsLoader4B1E2DD9}"}},{"type":"log","width":24,"height":6,"x":0,"y":60,"properties":{"view":"table","title":"CRITICAL Logs","region":"${AWS::Region}","query":"SOURCE
''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' | fields @timestamp, message, s3_key\n | filter level == \"CRITICAL\"\n | sort @timestamp desc\n | limit 100"}},{"type":"log","width":24,"height":6,"x":0,"y":66,"properties":{"view":"table","title":"ERROR
Logs","region":"${AWS::Region}","query":"SOURCE ''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' | fields @timestamp, message, s3_key\n | filter level == \"ERROR\"\n | sort
@timestamp desc\n | limit 100"}},{"type":"text","width":12,"height":3,"x":0,"y":72,"properties":{"markdown":"## Sample query\nTo investigate critical/error log with CloudWatch Logs
Insights\n\n```\nfields @timestamp, @message\n| filter s3_key == \"copy s3_key and paste here\"\nOR @requestId == \"copy function_request_id and paste here\"```"}},{"type":"log","width":24,"height":6,"x":0,"y":75,"properties":{"view":"table","title":"Exception
Logs","region":"${AWS::Region}","query":"SOURCE ''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' | fields @timestamp, @message\n | filter @message =~ /^\\[ERROR]/\n | filter
@message not like /No active exception to reraise/\n # exclude raise without Exception\n | sort @timestamp desc\n | limit 100"}}]}'
DashboardName: SIEM
Condition: IsManagedCluster
SIEMDashboardServerlessC64B983C:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardBody: !Sub
- '{"widgets":[{"type":"text","width":24,"height":1,"x":0,"y":0,"properties":{"markdown":"# Lambda Function: ${LambdaEsLoader4B1E2DD9}"}},{"type":"metric","width":12,"height":4,"x":0,"y":1,"properties":{"view":"timeSeries","title":"Error
count and success rate (%)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Errors","FunctionName","${LambdaEsLoader4B1E2DD9}",{"color":"#d13212","label":"Errors (Count)","stat":"Sum","id":"errors"}],[{"label":"Success
rate (%)","color":"#2ca02c","expression":"100 - 100 * errors / MAX([errors, invocations])","yAxis":"right"}],["AWS/Lambda","Invocations","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Sum","visible":false,"id":"invocations"}]],"yAxis":{"left":{"showUnits":false},"right":{"max":100,"showUnits":false}},"period":60}},{"type":"metric","width":12,"height":4,"x":12,"y":1,"properties":{"view":"timeSeries","title":"Invocations
(Count)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Invocations","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"},"period":60}},{"type":"metric","width":12,"height":4,"x":0,"y":5,"properties":{"view":"timeSeries","title":"Duration
(Milliseconds)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Duration","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Minimum"}],["AWS/Lambda","Duration","FunctionName","${LambdaEsLoader4B1E2DD9}"],["AWS/Lambda","Duration","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Maximum"}]],"yAxis":{"left":{"showUnits":false}},"period":60}},{"type":"metric","width":12,"height":4,"x":12,"y":5,"properties":{"view":"timeSeries","title":"Throttles
(Count)","region":"${AWS::Region}","metrics":[["AWS/Lambda","Throttles","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"},"period":60}},{"type":"log","width":12,"height":4,"x":0,"y":9,"properties":{"view":"table","title":"Longest
5 invocations","region":"${AWS::Region}","query":"SOURCE ''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' | fields @timestamp, @duration, @requestId\n | sort @duration desc\n |
head 5"}},{"type":"metric","width":12,"height":4,"x":12,"y":9,"properties":{"view":"timeSeries","title":"ConcurrentExecutions (Count)","region":"${AWS::Region}","metrics":[["AWS/Lambda","ConcurrentExecutions","FunctionName","${LambdaEsLoader4B1E2DD9}",{"stat":"Maximum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"},"period":60}},{"type":"text","width":24,"height":1,"x":0,"y":13,"properties":{"markdown":"#
OpenSearch Serverless: ${DomainOrCollectionName} collection"}},{"type":"metric","width":12,"height":4,"x":0,"y":14,"properties":{"view":"timeSeries","title":"HTTP requests by response code 2xs,
3xx","region":"${AWS::Region}","metrics":[["AWS/AOSS","2xx","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}],["AWS/AOSS","3xx","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"text","width":12,"height":1,"x":12,"y":14,"properties":{"markdown":"#
Write / Indexing"}},{"type":"metric","width":12,"height":4,"x":0,"y":18,"properties":{"view":"timeSeries","title":"HTTP requests by error response code 4xx, 5xx","region":"${AWS::Region}","metrics":[["AWS/AOSS","4xx","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}],["AWS/AOSS","5xx","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":18,"properties":{"view":"timeSeries","title":"IngestionDataRate:
The indexing rate per second to a collection (Bytes/s)","region":"${AWS::Region}","metrics":[["AWS/AOSS","IngestionDataRate","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"text","width":12,"height":4,"x":0,"y":22,"properties":{"markdown":""}},{"type":"metric","width":12,"height":4,"x":12,"y":22,"properties":{"view":"timeSeries","title":"IngestionDocumentRate:
The rate per second at which documents are being ingested to a collection (Counts)","region":"${AWS::Region}","metrics":[["AWS/AOSS","IngestionDocumentRate","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"text","width":12,"height":1,"x":0,"y":26,"properties":{"markdown":"#
Read / Search"}},{"type":"metric","width":12,"height":4,"x":12,"y":26,"properties":{"view":"timeSeries","title":"IngestionDocumentErrors: The total number of document errors during ingestion (counts)","region":"${AWS::Region}","metrics":[["AWS/AOSS","IngestionDocumentErrors","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"color":"#d13212","period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":30,"properties":{"view":"timeSeries","title":"SearchOCU:
The number of OCUs used to search collection data","region":"${AWS::Region}","metrics":[["AWS/AOSS","SearchOCU","ClientId","${AWS::AccountId}",{"period":3600,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":30,"properties":{"view":"timeSeries","title":"IndexingOCU:
The number of OCUs used to ingest collection data","region":"${AWS::Region}","metrics":[["AWS/AOSS","IndexingOCU","ClientId","${AWS::AccountId}",{"period":3600,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":34,"properties":{"view":"timeSeries","title":"SearchRequestRate:
The total number of search requests (Counts/min)","region":"${AWS::Region}","metrics":[["AWS/AOSS","SearchRequestRate","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":34,"properties":{"view":"timeSeries","title":"IngestionRequestRate:
The total number of bulk write operations (Counts/min)","region":"${AWS::Region}","metrics":[["AWS/AOSS","IngestionRequestRate","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":38,"properties":{"view":"timeSeries","title":"SearchRequestLatency:
The time to complete a search operation (milliseconds)","region":"${AWS::Region}","metrics":[["AWS/AOSS","SearchRequestLatency","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":38,"properties":{"view":"timeSeries","title":"IngestionRequestLatency:
The time to complete bulk write operations (milliseconds)","region":"${AWS::Region}","metrics":[["AWS/AOSS","IngestionRequestLatency","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"period":60}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":0,"y":42,"properties":{"view":"timeSeries","title":"SearchRequestErrors:
The total number of query errors (Counts/min)","region":"${AWS::Region}","metrics":[["AWS/AOSS","SearchRequestErrors","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"color":"#d13212","period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"metric","width":12,"height":4,"x":12,"y":42,"properties":{"view":"timeSeries","title":"IngestionRequestErrors:
The total number of bulk indexing request errors (counts)","region":"${AWS::Region}","metrics":[["AWS/AOSS","IngestionRequestErrors","ClientId","${AWS::AccountId}","CollectionId","${Param1}","CollectionName","${DomainOrCollectionName}",{"color":"#d13212","period":60,"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}}}},{"type":"text","width":24,"height":1,"x":0,"y":46,"properties":{"markdown":"#
SQS"}},{"type":"metric","width":12,"height":4,"x":0,"y":47,"properties":{"view":"timeSeries","title":"${AesSiemSqsSplitLogs0191F431.QueueName}: NumberOfMessagesReceived (Count)","region":"${AWS::Region}","metrics":[["AWS/SQS","NumberOfMessagesReceived","QueueName","${AesSiemSqsSplitLogs0191F431.QueueName}",{"stat":"Sum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"metric","width":12,"height":4,"x":12,"y":47,"properties":{"view":"timeSeries","title":"${AesSiemDlq1CD8439D.QueueName}:
ApproximateNumberOfMessagesVisible (Count)","region":"${AWS::Region}","metrics":[["AWS/SQS","ApproximateNumberOfMessagesVisible","QueueName","${AesSiemDlq1CD8439D.QueueName}",{"stat":"Maximum"}]],"yAxis":{"left":{"showUnits":false}},"legend":{"position":"hidden"}}},{"type":"text","width":24,"height":1,"x":0,"y":51,"properties":{"markdown":"#
Lambda Function Logs: ${LambdaEsLoader4B1E2DD9}"}},{"type":"log","width":24,"height":6,"x":0,"y":52,"properties":{"view":"table","title":"CRITICAL Logs","region":"${AWS::Region}","query":"SOURCE
''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' | fields @timestamp, message, s3_key\n | filter level == \"CRITICAL\"\n | sort @timestamp desc\n | limit
100"}},{"type":"log","width":24,"height":6,"x":0,"y":58,"properties":{"view":"table","title":"ERROR Logs","region":"${AWS::Region}","query":"SOURCE ''/aws/lambda/${LambdaEsLoader4B1E2DD9}'' |
fields @timestamp, message, s3_key\n | filter level == \"ERROR\"\n | sort @timestamp desc\n | limit 100"}},{"type":"text","width":12,"height":3,"x":0,"y":64,"properties":{"markdown":"##
Sample query\nTo investigate critical/error log with CloudWatch Logs Insights\n\n```\nfields @timestamp, @message\n| filter s3_key == \"copy s3_key and paste here\"\nOR @requestId == \"copy function_request_id
and paste here\"```"}},{"type":"log","width":24,"height":6,"x":0,"y":67,"properties":{"view":"table","title":"Exception Logs","region":"${AWS::Region}","query":"SOURCE ''/aws/lambda/${LambdaEsLoader4B1E2DD9}''
| fields @timestamp, @message\n | filter @message =~ /^\\[ERROR]/\n | filter @message not like /No active exception to reraise/\n # exclude raise without
Exception\n | sort @timestamp desc\n | limit 100"}}]}'
- Param1: !Select
- 0
- !Split
- .
- !GetAtt 'AesSiemDomainDeployedR2.endpoint'
DashboardName: SIEM-Serverless
Condition: IsServerless
Outputs:
RoleDeploy:
Value: !GetAtt 'AesSiemDeployRoleForLambda654D64F2.Arn'
Export:
Name: role-deploy
DashboardsUrl:
Value: !Sub 'https://${AesSiemDomainDeployedR2.endpoint}/_dashboards/'
Export:
Name: dashboards-url
DashboardsPassword:
Description: Please change the password in OpenSearch Dashboards ASAP
Value: !GetAtt 'AesSiemDomainDeployedR2.kibanapass'
Export:
Name: dashboards-pass
DashboardsAdminID:
Value: !GetAtt 'AesSiemDomainDeployedR2.kibanaadmin'
Export:
Name: dashboards-admin
Rules: {}