AUTOMATED DEPLOYMENT OF DETECTIVE CONTROLS

  • AWS ACCOUNT IS REQUIRED
  • *Many of the below steps are outside of the AWS free tier

In this lab, we will automate the creation of CloudTrail including a new trail, an S3 bucket, and a CloudWatch Logs group for CloudTrail logs. You can optionally configure AWS Config and Amazon GuardDuty by setting the CloudFormation parameter for each.

  1. Log in to the AWS Management Console
  2. Navigate to the CloudFormation dashboard

Click “Create Stack”

Navigate to https://github.com/bmwitcher/awslabdemos/blob/master/cloudtrail-config-guardduty.yaml to get the template file; we will upload it in the next step.

Click “Next”

Parameters

  • Look over the Parameters and their default values.
  • Under the General section, only enable a service if you have not configured it already. CloudTrail is enabled by default; if you have already enabled it, this will create another trail and S3 bucket.
  • CloudTrailBucketName: The name of the new S3 bucket to create for CloudTrail to send logs to.
  • IMPORTANT: Bucket names need to be unique across all AWS buckets and may only contain lowercase letters, numbers, and hyphens.
  • ConfigBucketName: The name of the new S3 bucket to create for Config to save config snapshots to.
  • GuardDutyEmailAddress: The email address you own that will receive the alerts; you must have access to this address for testing.

*DO NOT COPY MY NAMES AS YOURS NEED TO BE UNIQUE
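The parameter notes above give rules that are easy to get wrong before clicking through the wizard. The following pre-flight check is an added example, not part of the lab or its CloudFormation template; it encodes the stated naming rule (lowercase letters, numbers and hyphens), S3's 3-63 character limit, the requirement that the two bucket names differ, and a basic shape check on the alert address. The parameter names are the three the lab lists; the sample values are constructed. Global uniqueness of a bucket name can only be confirmed by AWS when the stack creates it.

```python
"""Pre-flight check for the lab's CloudFormation parameters (added example)."""
import re

# Lab rule: lowercase letters, numbers and hyphens only. S3 additionally
# requires 3-63 characters that start and end with a letter or number.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{1,61}[a-z0-9])?$")
# Minimal shape check for the GuardDuty alert address (not full RFC 5322).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def bucket_name_errors(label, name):
    """Return the list of rule violations for one bucket-name parameter."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append(f"{label}: {name!r} must be 3-63 characters long")
    if not BUCKET_NAME_RE.match(name):
        errors.append(f"{label}: {name!r} may only contain lowercase letters, "
                      "numbers and hyphens, starting and ending with a letter or number")
    return errors


def validate_parameters(params):
    """Return all problems found; an empty list means the parameters look sane."""
    trail_bucket = params.get("CloudTrailBucketName", "")
    config_bucket = params.get("ConfigBucketName", "")
    email = params.get("GuardDutyEmailAddress", "")

    errors = bucket_name_errors("CloudTrailBucketName", trail_bucket)
    errors += bucket_name_errors("ConfigBucketName", config_bucket)
    if trail_bucket == config_bucket:
        errors.append("CloudTrailBucketName and ConfigBucketName must differ")
    if not EMAIL_RE.match(email):
        errors.append(f"GuardDutyEmailAddress: {email!r} is not an email address")
    return errors


# Constructed sample parameter sets: one valid, one with every common mistake.
GOOD_PARAMS = {
    "CloudTrailBucketName": "lab-cloudtrail-logs-0001",
    "ConfigBucketName": "lab-config-snapshots-0001",
    "GuardDutyEmailAddress": "secops@example.com",
}
BAD_PARAMS = {
    "CloudTrailBucketName": "My_CloudTrail.Bucket",   # uppercase, underscore, dot
    "ConfigBucketName": "My_CloudTrail.Bucket",       # same name for both buckets
    "GuardDutyEmailAddress": "not-an-email",
}

if __name__ == "__main__":
    for label, params in (("good", GOOD_PARAMS), ("bad", BAD_PARAMS)):
        print(label, validate_parameters(params) or "OK")
```

Run it against the values you intend to type into the Parameters page; fix anything it reports before clicking "Next", since a bad bucket name only surfaces as a rollback after the stack has started creating resources.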

Click “Next”

Tags are recommended so I entered a sample tag. Here you would use your email address or username to identify it in your environment and the resources it creates.

Click “Next”

Review all of the details of your stack, then click acknowledge in the blue box as you see above, and click “Create stack.”

Once your stack is complete you have now automated the deployment of detective controls for your AWS account.

*If you receive a rollback error, as I did on the first attempt, it is related to the S3 target bucket. You must create an S3 bucket for the CloudFormation template to target (in the parameters section). In addition to creating the bucket, you must also give permissions for read and write access under the ACL (Access Control List). My bucket is a publicly accessible bucket for ease of use; however, it is not a best practice. After this step, you will be able to deploy your CloudFormation template successfully.
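The permission CloudTrail actually needs on its target bucket is narrow: the CloudTrail service principal must be able to read the bucket ACL and put objects under the account's AWSLogs/ prefix, and nothing has to be open to the public. The block below is an added example, not code from the lab or its template: it builds that least-privilege bucket policy (the policy shape AWS documents for CloudTrail delivery), checks that a given policy grants CloudTrail both required actions, and flags any grants in an ACL that make the bucket public, which is the setting a reviewer would want to catch before a trail goes live. Account id, region, trail name and bucket name are constructed placeholders.

```python
"""Least-privilege CloudTrail bucket policy and public-ACL check (added example)."""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
# Predefined S3 group URIs; a grant to either of these makes an ACL public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name):
    """Return the bucket policy CloudTrail needs to deliver logs to `bucket`.

    The aws:SourceArn condition pins delivery to one trail so another
    account's trail cannot write into this bucket.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        # Objects stay owned by the bucket owner, not CloudTrail.
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def policy_allows_cloudtrail(policy):
    """True if the policy grants the CloudTrail principal both required actions."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != CLOUDTRAIL_SERVICE:
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return {"s3:GetBucketAcl", "s3:PutObject"} <= actions


def public_acl_grants(acl):
    """Return the permissions an ACL (GetBucketAcl shape) hands to everyone.

    An empty list means no public grant is present.
    """
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


# Constructed sample ACL: owner has full control, plus public read and write.
SAMPLE_PUBLIC_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ]
}

if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(
        "example-cloudtrail-logs-bucket", "111122223333", "us-east-1", "lab-trail")
    print(json.dumps(policy, indent=2))
    print("policy grants CloudTrail what it needs:", policy_allows_cloudtrail(policy))
    print("public grants found in sample ACL:", public_acl_grants(SAMPLE_PUBLIC_ACL))
```

Attach the generated policy to the target bucket before creating the stack; with it in place the public ACL grants are unnecessary, and the `public_acl_grants` check should return an empty list for the bucket.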

*Now check your AWS account to verify that all the resources deployed (S3, CloudWatch, CloudTrail, GuardDuty, etc.).

TEAR DOWN

Go to S3 and empty both buckets created during this lab, then delete them (you cannot delete a bucket with contents). Then return to the CloudFormation dashboard, select the stack we just created, and delete it.

DevOps Engineer at ThreatConnect Inc. — AWS Certified DevOps Professional/Security Specialty/SAA, Gitlab Certified, Terraform Associate, GCP-ACE Certified.