You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: reference-artifacts/Add-ons/opensiem/README.md
+25-20Lines changed: 25 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,6 +12,10 @@ At a highlevel, the deployment steps consist of the following:
12
12
13
13
The total deployment time takes approximately 30 minutes (+ ASEA State Machine execution time). The AWS resources deployed extend beyond the AWS Free tier; you will incur AWS charges when this solution is deployed.
14
14
15
+
The following diagram details the ASEA + OpenSIEM Add-On logging architecture. The OpenSIEM Add-On components are documented in turquoise on the right side of the diagram in both the log-archive and the operations accounts.
| operationsAccountId | This is the AWS Account ID for the Operations account |
97
-
| logArchiveAccountId | This is the AWS Account ID for the Log Archive account |
98
-
| vpcId | This is the VPC Id, within the Operations account, where the OpenSearch Domain will be deployed |
99
-
| region | This is the ASEA primary or home region |
100
-
| s3LogBuckets | This contains a string array of the S3 Bucket names, in the Log Archive account, that will have S3 Notifications configured. In the default ASEA architecture, there are 2 S3 buckets that should be added here. |
101
-
| securityGroups | This structure is similar to what is used in the ASEA config file, but with reduced implementation. The security groups here will be applied to the Lambda Functions and OpenSearch domain. The Security Groups will be created by this project. |
102
-
| appSubnets | These are the SubnetIds of existing subnets within the VPC. The Lambda Functions and OpenSearch domain will be deployed into the Subnets defined here. |
103
-
| lambdaLogProcessingRoleArn | This is the IAM Role that the **Lambda Processor** will use to download S3 Objects from the Log Archive and write documents to OpenSearch. This is a protected role that is referenced by this project, but created by the ASEA. More details below. This value must be an IAM ARN. |
104
-
| cognitoDomainPrefix | Amazon Cognito is used to provision user access to the OpenSearch Dashboards. The value specified here will be used as the domain; it must be regionally unique. (You can't use the text aws, amazon, or cognito, in the domain prefix) |
105
-
| openSearchDomainName | This is the name for the OpenSearch domain |
106
-
| openSearchInstanceTypeMainNodes | This specifies the OpenSearch instance type for the main nodes. ([Supported Types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)) |
107
-
| openSearchInstanceTypeDataNodes | This specifies the OpenSearch instance type for the data nodes. ([Supported Types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)) |
108
-
| openSearchCapacityMainNodes | This specifies the number of OpenSearch main nodes to provision. |
109
-
| openSearchInstanceTypeDataNodes | This specifies the number of OpenSearch data nodes to provision. |
110
-
| openSearchVolumeSize | This specifies the amount of storage (GB) provisioned for the data nodes. This impacts the amount of available storage for the Domain. Note there are [limits](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html) for EBS size for instance types. |
111
-
| openSearchConfiguration | This is the file name of the SIEM search configuration. This file should reside in the _config_ folder. This json file mirrors the content found in the _SIEM on Amazon OpenSearch Service_ corresponding INI file. |
112
-
| maxmindLicense | This is the file name of the MaxMind license file. This file should reside in the _config_ folder. This is an optional configuration that enables IP to Geo which enables map visualizations. Leave blank ("") to skip the deployment of this functionality. |
113
-
| siemVersion | This is a label used to identitfy the _SIEM on Amazon OpenSearch Service_ or your own version/configuration of the Lambdas. This applies an environment variable to the Lambdas and a change to this value will execute the lambdas on CDK deployment. |
| operationsAccountId | This is the AWS Account ID for the Operations account |
102
+
| logArchiveAccountId | This is the AWS Account ID for the Log Archive account |
103
+
| vpcId | This is the VPC Id, within the Operations account, where the OpenSearch Domain will be deployed |
104
+
| region | This is the ASEA primary or home region |
105
+
| s3LogBuckets | This contains a string array of the S3 Bucket names, in the Log Archive account, that will have S3 Notifications configured. In the default ASEA architecture, there are 2 S3 buckets that should be added here. |
106
+
| securityGroups | This structure is similar to what is used in the ASEA config file, but with reduced implementation. The security groups here will be applied to the Lambda Functions and OpenSearch domain. The Security Groups will be created by this project. The inbound rules should be updated to reflect the allowed IPs. In the example, the IP range is the VPC CIDR in the Operations AWS account.|
107
+
| appSubnets | These are the SubnetIds of existing subnets within the VPC. The Lambda Functions and OpenSearch domain will be deployed into the Subnets defined here. |
108
+
| lambdaLogProcessingRoleArn | This is the IAM Role that the **Lambda Processor** will use to download S3 Objects from the Log Archive and write documents to OpenSearch. This is a protected role that is referenced by this project, but created by the ASEA. More details below. This value must be an IAM ARN. |
109
+
| cognitoDomainPrefix | Amazon Cognito is used to provision user access to the OpenSearch Dashboards. The value specified here will be used as the domain; it must be regionally unique. (You can't use the text aws, amazon, or cognito, in the domain prefix) |
110
+
| openSearchDomainName | This is the name for the OpenSearch domain |
111
+
| openSearchInstanceTypeMainNodes | This specifies the OpenSearch instance type for the main nodes. ([Supported Types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)) |
112
+
| openSearchInstanceTypeDataNodes | This specifies the OpenSearch instance type for the data nodes. ([Supported Types](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html)) |
113
+
| openSearchCapacityMainNodes | This specifies the number of OpenSearch main nodes to provision. |
114
+
| openSearchInstanceTypeDataNodes | This specifies the number of OpenSearch data nodes to provision. |
115
+
| openSearchVolumeSize | This specifies the amount of storage (GB) provisioned for the data nodes. This impacts the amount of available storage for the Domain. Note there are [limits](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html) for EBS size for instance types. |
116
+
| openSearchConfiguration | This is the file name of the SIEM search configuration. This file should reside in the _config_ folder. This json file mirrors the content found in the _SIEM on Amazon OpenSearch Service_ corresponding INI file. |
117
+
| maxmindLicense | This is the file name of the MaxMind license file. This file should reside in the _config_ folder. This is an optional configuration that enables IP to Geo which enables map visualizations. Leave blank ("") to skip the deployment of this functionality. |
118
+
| siemVersion | This is a label used to identitfy the _SIEM on Amazon OpenSearch Service_ or your own version/configuration of the Lambdas. This applies an environment variable to the Lambdas and a change to this value will execute the lambdas on CDK deployment. |
0 commit comments