Automated AWS Deployment

The purpose of this guide is to enable seamless deployment and configuration of Alert Logic Managed Detection and Response (MDR) in an AWS account while taking full advantage of Alert Logic and AWS automation.

This guide helps you understand how Alert Logic interacts with AWS resources by providing a reference deployment architecture. It then outlines the steps required to automate deployment of that architecture. An alternative automated deployment architecture is available using AWS Control Tower.

To automate Alert Logic deployment in AWS , you must use both Alert Logic and AWS automation tools. This document outlines the complete process:

  1. Retrieve Alert Logic IAM policy
  2. Create IAM policy and third-party role using AWS Cloud Formation
  3. Provide Alert Logic the third-party role
  4. Create an Alert Logic deployment
  5. Automatic deployment of AWS protection

After you complete this process, your AWS account will be fully protected by the Alert Logic MDR platform.

Supported subscription types

  • Managed Detection and Response Essentials
  • Managed Detection and Response Professional

Deployment architecture

The Alert Logic deployment architecture in AWS provides three levels of service:

  • Asset discovery and continuous security protection
  • Vulnerability scanning
  • Network traffic and log analysis

Automating deployment of Alert Logic in AWS uses services and integrations in each protected AWS account. All interactions with AWS services follow best practices, such as minimum privilege delegation, use of third-party IAM roles, and strong encryption.

Asset discovery

Click image to expand

Alert Logic provides robust tools to automate the deployment process, and these tools enable a fully automated, hands-off deployment of Alert Logic in AWS. Alert Logic develops and maintains a real-time asset model of your AWS  resources such as instances, containers, and security groups.

Automated protection of an AWS account requires integration with the following AWS services:

  • AWS IAM—Create a third party IAM role delegating permission to Alert Logic
  • AWS CloudTrail—Create a Cloud Trail audit source, used to monitor changes to the environment
  • AWS S3, SNS, SQS—Retrieve Cloud Trail log updates

Alert Logic MDR Essentials

Click image to expand

Alert Logic Essentials protection can be applied to individual VPCs, and it includes configuration auditing for common AWS security issues and host-based vulnerability scanning. In addition to the requirements for Asset Discovery, an EC2 instance is used to perform the vulnerability scanning.

The Alert Logic automation selects the most cost-effective scanning appliance for your environment and automatically shuts it down when there are no hosts to be scanned. This automation results in low overhead for providing security evaluation in your network.

Automated protection of an AWS VPC with Essentials requires integration with the following AWS services:

  • AWS EC2—Alert Logic scanning appliance
  • AWS VPC— Security groups, route tables, and network ACLs to allow communication with Alert Logic and between the scanning appliance and target hosts

Alert Logic MDR Professional

Click image to expand

Alert Logic Professional protection can be applied to individual VPCs and includes all features of Essentials, plus log collection, integration with AWS GuardDuty, and network traffic analysis.

Automated protection of an AWS VPC with Professional requires integration with the following AWS  services:

  • AWS EC2—Alert Logic IDS appliance
  • AWS VPC—Security groups, route tables, and network ACLs to allow communication with Alert Logic and between the IDS appliance and protected hosts
  • AWS GuardDuty, AWS Config, AWS VPC Flow Logs—To configure protection of this account with AWS GuardDuty  and provide security findings to Alert Logic

Deployment automation in AWS  and Alert Logic

To protect an AWS account, you must create a deployment in the Alert Logic MDR platform. This deployment object references to AWS IAM policies used to interact with your environment and serves as the primary container for the assets contained in that AWS account. Automating deployment requires the following steps, each of which can be automated.

Retrieve IAM policy

Use the Alert Logic CLI to retrieve the latest full deployment policy for AWS. For details on other options, like minimal permission and policies for manual deployment, consult the Cloud Policies (themis) service reference.

Copy
alcli themis get_role --account_id 12345678 --platform_type aws --role_type ci_full --role_version latest

This command returns a JSON document including:

aws_account_id The Alert Logic account ID to establish a third-party trust relationship with
cft References to download a Cloud Formation template that creates an IAM policy and third-party role as described here
external_id Identifier used in the role to prevent confused deputy attacks from reusing this role for any other purpose
policy_document IAM policy to be created

Sample response:

Copy

    "aws_account_id": "733251395267", 
    "cft": { 
        "s3_bucket": "alertlogic-cloud-formation-templates-733251395267", 
        "s3_key": "ci_full/2020-01-10", 
        "s3_url": "https://alertlogic-cloud-formation-templates-733251395267.s3.amazonaws.com/ci_full/2020-01-10" 
    }, 
    "external_id": "12345678", 
    "platform_type": "aws", 
    "policy_document": { 
        "Statement": [ 
            { 
                "Action": [ 
                    "autoscaling:Describe*", 
                    "cloudformation:DescribeStack*", 
                    "cloudformation:GetTemplate", 
                    "cloudformation:ListStack*", 
                    "cloudfront:Get*", 
                    "cloudfront:List*", 
                    "cloudwatch:Describe*", 
                    "config:DeliverConfigSnapshot", 
[…] 
                "Action": [ 
                    "iam:CreateServiceLinkedRole" 
                ], 
                "Effect": "Allow", 
                "Resource": "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*", 
                "Sid": "EnableCreationOfServiceLinkedRoleForAutoscaling" 
            } 
        ], 
        "Version": "2012-10-17" 
    }, 
    "type": "ci_full", 
    "version": "2020-01-10" 

Create IAM policy and third-party role using AWS CloudFormation

The simplest way to create the IAM policy and role is using the AWS Cloud Formation CLI; however, this task can be automated with many tools, including directly creating resources with the AWS CLI or using tools like Terraform. You can also use the AWS Console directly.

Run the following command to create the IAM policy and role:

Copy
aws --region us-east-1 cloudformation create-stack --stack-name "mystack" --template-url https://alertlogic-cloud-formation-templates-733251395267.s3.amazonaws.com/ci_full/2020-01-10

Sample output:

Copy

    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896"
}

Using the CLI, describe the stack and retrieve the IAMRole output key:

Copy

aws cloudformation describe-stacks --stack-name myteststack 

Sample output:

Copy
    "Stacks":  [ 
        { 
[…] 
            "Outputs": [ 
                { 
                    "Description": "IAM role", 
                    "OutputKey": "IAMRole", 
                    "OutputValue": "myteststack-iamrole-jsfai1zie2w" 
                } 
            ], 
[…] 
    ] 

The value of IAMRole will be used to create the credentials in the next step.

Provide Alert Logic the third-party role

Use the Alert Logic CLI to save the Amazon resource of the role that was created. For more information, see the Credential Storage Service.

Run the following command to store the IAM role ARN:

Copy
alcli credentials create_credential --account_id 12345678 --name "IAM policy" --secrets '{ "arn": "arn:aws:iam::123412341234:role/alertlogic-iam-role-ci-full", "type": "aws_iam_role" }'

Sample output:

Copy
    { 
        "created": { 
            "at": 1592170189, 
            "by": "0CC0ED48-22EA-407F-A6AA-89D802129067" 
        }, 
        "id": "6D85344C-660D-418E-9514-D248D558E7A8", 
        "name": "IAM Policy", 
        "secrets": { 
            "arn": "arn:aws:iam::123412341234:role/alertlogic-iam-role-ci-full", 
            "external_id": "12345678", 
            "type": "aws_iam_role" 
        }     
    } 

The IAM policy credential is identified by the id field, which will be used in the next step.

Create an Alert Logic deployment

Use the Alert Logic CLI to create a deployment record. This record describes the AWS account that will be protected and will include:

  • Human-readable name
  • Reference to the credential for the IAM role created in the previous step
  • Scope of protection: all VPCs in region us-east-1, with Alert Logic Professional
  • Deployment mode, “automatic” indicating that Alert Logic will automatically install Cloud Trail and appliances as detailed in the architecture above

For details on other options, such as manual deployment modes, see the Deployments service reference.

Run the following command:

Copy
alcli deployments create_deployment --account_id 12345678 --name "My Deployment" --credentials '{"id": “3009DAAC-BEDF-4663-9A9D-EF19FDBEA964”, "purpose": "discover"}' --mode automatic --scope '{"exclude": [], "include": "key": "/aws/us-east-1", "policy": { "id": "D12D5E67-166C-474F-87AA-6F86FC9FB9BC" }, "type": "region" }'

Sample output:

Copy
{
        "account_id": "12345678",
        "cloud_defender": {
            "enabled": false,
            "location_id": "defender-us-ashburn"
        },
        "created": {
            "at": 1592170376,
            "by": "6D85344C-660D-418E-9514-D248D558E7A8"
        },
        "credentials": [
            {
                "id": "3009DAAC-BEDF-4663-9A9D-EF19FDBEA964",
                "purpose": "discover",
                "version": "2020-01-10"
            }
        ],
        "discover": true,
        "enabled": true,
        "id": "2D7DA803-6C82-4C14-8604-7392F2D4E53D",
        "mode": "automatic",
        "modified": {
            "at": 1592170376,
            "by": "6D85344C-660D-418E-9514-D248D558E7A8"
        },
        "name": "My Deployment",
        "platform": {
            "id": "123412341234",
            "monitor": {
                "ct_install_region": "us-east-1",
                "enabled": true
            },
            "type": "aws"
        },
        "scan": true,
        "scope": {
            "exclude": [],
            "include": [                { 
                    "key": "/aws/us-east-1",
                    "policy": {
                        "id": "D12D5E67-166C-474F-87AA-6F86FC9FB9BC"
                    },
                    "type": "region"
                }]
        },
        "status": {
            "status": "ok",
            "updated": 1592170376
        },
        "version": 1
    }

Deploy AWS protection automatically

In the previous step, an automatic mode deployment was created. Following creation, Alert Logic services will create all required resources using the third-party IAM role that was provided. An IDS and scan appliance will be installed on each VPC in us-east-1 that contains at least one running EC2 instance.