Deployment steps
Launch the CloudFormation template in the AWS Organizations management account
This option creates all of the necessary resources for ingestion of AWS security logs into the DeepWatch MDR platform. During the deployment, you can choose which options to enable for the individual services.
- Download the CloudFormation template
- Launch the CloudFormation template from your AWS Control Tower home Region with the following parameters:
  - Stack name: template-deepwatch-enable-integrations
  - pDeepwatchRoleName: deepwatch-mdr-role
  - pSRAS3BucketRegion: us-east-1
  - pSRASourceS3BucketName: aws-abi
  - pAutoEnableMalwareProtection: false
  - pAutoEnableKubernetesAuditLogs: false
  - pAutoEnableS3Logs: true
  - pEnableS3DataEvents: true
  - pEnableLambdaDataEvents: true
  - pCreateAWSControlTowerExecutionRole: true # Set to false if you have already created the AWSControlTowerExecution role in the management account

  Note: Include the parameters below if you are deploying this solution in an Organization with no Control Tower.
  - pControlTower: false
  - pLogArchiveAccountId: 111111111111 # Your log-archive-account-id
  - pSecurityAccountId: 222222222222 # Your audit-account-id
  - pGovernedRegions: 'us-east-1,us-east-2' # List of regions
  - pSRASourceS3BucketName: aws-abi
  - pAdminRoleName: 'AWSCloudFormationStackSetAdministrationRole' # Replace with your admin role name
  - pExecRoleName: 'AWSCloudFormationStackSetExecutionRole' # Replace with your exec role name
  - pDeepwatchRoleName:
  - Stack name:
- To launch the stack, choose the Capabilities and then Submit.
  [x] I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  [x] I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
- Wait for the CloudFormation status to change to CREATE_COMPLETE.
Launch using Customizations for Control Tower
Customizations for AWS Control Tower combines AWS Control Tower and other highly available, trusted AWS services to help customers set up a secure, multiaccount AWS environment according to AWS best practices. You can add customizations to your AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization.
CfCT also integrates with AWS Control Tower lifecycle events to help ensure that resource deployments stay in sync with your landing zone. For example, when you create a new account using AWS Control Tower account factory, CfCT deploys all of the resources that are attached to the account.
The templates provided by this ABI package are deployable through CfCT.
Prerequisites
The CfCT solution can't launch resources in the management account by default. You need to set pCreateAWSControlTowerExecutionRole: true to allow the stack to create the role, or you must manually create a role with the necessary permissions in that account.
How it works
To deploy this sample partner integration using CfCT, add the following entry to the manifest.yaml file of your CfCT solution and update the account names as needed.
```yaml
resources:
  - name: deepwatch-logging-top-level
    resource_file: https://aws-abi.s3.us-east-1.amazonaws.com/cfn-abi-deepwatch-mdr/templates/deepwatch-root-stack.yaml
    deploy_method: stack_set
    parameters:
      - parameter_key: pSRASourceS3BucketName
        parameter_value: aws-abi
      - parameter_key: pSRAS3BucketRegion
        parameter_value: us-east-1
      - parameter_key: pAutoEnableS3Logs
        parameter_value: 'true'
      - parameter_key: pAutoEnableKubernetesAuditLogs
        parameter_value: 'false'
      - parameter_key: pAutoEnableMalwareProtection
        parameter_value: 'false'
      - parameter_key: pDeepwatchRoleName
        parameter_value: 'deepwatch-mdr-role'
      - parameter_key: pEnableLambdaDataEvents
        parameter_value: 'false'
      - parameter_key: pEnableS3DataEvents
        parameter_value: 'true'
    deployment_targets:
      accounts:
        - [[MANAGEMENT-AWS-ACCOUNT-ID]]
```
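Both launch paths above (the console stack with its parameter list, and the CfCT manifest entry) take the same parameter set, and the easiest mistake to make is an inconsistent one: pControlTower set to false without the log-archive/audit account ids and StackSet role names, a typed boolean where CloudFormation expects the string 'true'/'false', or an 11-digit account id. The following Python script is an added example, not code from the ABI package or from Deepwatch. It checks a parameter set against the constraints stated on this page and renders it either as the --parameters list for `aws cloudformation create-stack` or as a CfCT manifest resource entry. The helper names (validate, cli_parameters, render_manifest_resource) are this example's own; the account ids are the page's placeholders, and the deliberately malformed audit account id is constructed so that the check has something to flag.

```python
"""Sanity-check a parameter set for the Deepwatch ABI root stack and render it.

Added example, not code from the ABI package. It encodes the constraints this
page states: pControlTower=false needs the log-archive/audit account ids, the
governed regions and the StackSet admin/exec role names; boolean parameters are
passed to CloudFormation as the strings 'true'/'false'.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+$")

BOOLEAN_PARAMS = (
    "pAutoEnableMalwareProtection", "pAutoEnableKubernetesAuditLogs",
    "pAutoEnableS3Logs", "pEnableS3DataEvents", "pEnableLambdaDataEvents",
    "pCreateAWSControlTowerExecutionRole", "pControlTower",
)
# Only needed when the organization has no Control Tower landing zone
NO_CONTROL_TOWER_REQUIRED = (
    "pLogArchiveAccountId", "pSecurityAccountId", "pGovernedRegions",
    "pAdminRoleName", "pExecRoleName",
)


def validate(params):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    for key in BOOLEAN_PARAMS:
        if key in params and params[key] not in ("true", "false"):
            problems.append(f"{key} must be the string 'true' or 'false'")
    if params.get("pControlTower", "true") == "false":
        for key in NO_CONTROL_TOWER_REQUIRED:
            if not params.get(key):
                problems.append(f"{key} is required when pControlTower is false")
        for key in ("pLogArchiveAccountId", "pSecurityAccountId"):
            value = params.get(key, "")
            if value and not ACCOUNT_ID_RE.match(value):
                problems.append(f"{key} must be a 12-digit account id")
        for region in params.get("pGovernedRegions", "").split(","):
            region = region.strip()
            if region and not REGION_RE.match(region):
                problems.append(f"pGovernedRegions has an invalid region {region!r}")
    return problems


def cli_parameters(params):
    """Shape expected by `aws cloudformation create-stack --parameters file://...`."""
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()]


def render_manifest_resource(name, template_url, params, account_id):
    """Render one CfCT manifest resource entry (stack_set) as YAML text."""
    lines = [
        "resources:",
        f"  - name: {name}",
        f"    resource_file: {template_url}",
        "    deploy_method: stack_set",
        "    parameters:",
    ]
    for key, value in params.items():
        lines.append(f"      - parameter_key: {key}")
        lines.append(f"        parameter_value: '{value}'")  # quoted, as the page does
    lines += ["    deployment_targets:", "      accounts:", f"        - {account_id}"]
    return "\n".join(lines) + "\n"


# Constructed sample: the Control Tower parameter set from this page
CONTROL_TOWER_PARAMS = {
    "pDeepwatchRoleName": "deepwatch-mdr-role",
    "pSRAS3BucketRegion": "us-east-1",
    "pSRASourceS3BucketName": "aws-abi",
    "pAutoEnableMalwareProtection": "false",
    "pAutoEnableKubernetesAuditLogs": "false",
    "pAutoEnableS3Logs": "true",
    "pEnableS3DataEvents": "true",
    "pEnableLambdaDataEvents": "true",
    "pCreateAWSControlTowerExecutionRole": "true",
}

# Constructed sample: the same deployment without Control Tower, with a
# deliberately malformed (11-digit) audit account id so validate() flags it
NO_CONTROL_TOWER_PARAMS = dict(CONTROL_TOWER_PARAMS, **{
    "pControlTower": "false",
    "pLogArchiveAccountId": "111111111111",
    "pSecurityAccountId": "22222222222",
    "pGovernedRegions": "us-east-1,us-east-2",
    "pAdminRoleName": "AWSCloudFormationStackSetAdministrationRole",
    "pExecRoleName": "AWSCloudFormationStackSetExecutionRole",
})

if __name__ == "__main__":
    print(json.dumps(cli_parameters(CONTROL_TOWER_PARAMS), indent=2))
    print(render_manifest_resource(
        "deepwatch-logging-top-level",
        "https://aws-abi.s3.us-east-1.amazonaws.com/cfn-abi-deepwatch-mdr/templates/deepwatch-root-stack.yaml",
        CONTROL_TOWER_PARAMS, "111111111111"))
    for problem in validate(NO_CONTROL_TOWER_PARAMS):
        print("problem:", problem)
```

The JSON list that cli_parameters() produces is what `aws cloudformation create-stack --parameters file://params.json` consumes, together with `--capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND`, which are the CLI equivalents of the two acknowledgement boxes in the console steps above; running validate() first catches the inconsistent non-Control-Tower case before a stack rollback does.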
Next: Postdeployment options